RE: Active Directory authentication question
> What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work... and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication. Is it OK???

Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 authentication. What you can do in eap.conf is specify which EAP type you want to use by default. If you prefer EAP-TLS, you can specify default_eap_type = tls. But if the client does not support that and asks for EAP-TTLS or PEAP instead, then, if your server is configured correctly, it can support those additional types too.

For NTLM authentication, what you *do* need is to add your FreeRADIUS machine to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need to install Samba on your Linux box and configure it to talk to the Windows 2012 domain controller (via Kerberos).

You may want to read this page, which describes how we've made authentication against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2) and EAP-TTLS with EAP-MSCHAPv2: http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source

We don't use PEAP and don't have any test clients that support PEAP, but EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes and is widely supported by Windows clients).

You can use rad_eap_test (there is information about this on the link above, including how to build the binary) to specify which EAP method you want to use and then which inner authentication to use (where applicable). So you can leave your existing setup (I assume default_eap_type is 'tls') alone and still test your NTLM authentication.

Folks, feel free to correct... but that's what worked here.

Stefan

-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
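As an added example (not from Stefan's message, the Diamond page he links, or the FreeRADIUS project), here is a FreeRADIUS 2.x eap.conf plus mschap module fragment that keeps EAP-TLS as the default while still serving EAP-TTLS and PEAP with inner EAP-MSCHAPv2 checked against the domain through Samba's ntlm_auth; the certificate paths, the key password and the NT domain name EXAMPLE are placeholders.

```conf
# eap.conf (FreeRADIUS 2.x). Added example; paths, private_key_password
# and the NT domain EXAMPLE below are placeholders.
eap {
	# Proposed first. A supplicant that cannot do EAP-TLS NAKs it and
	# names TTLS or PEAP; both are enabled below, so nothing is removed.
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = changeme
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}

	# Tunnelled methods: the inner EAP-MSCHAPv2 exchange is handed to
	# the inner-tunnel virtual server, where the mschap module runs.
	ttls {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# modules/mschap: pass the MS-CHAPv2 challenge and response to Samba's
# ntlm_auth, which has the domain controller verify them. The box must
# already be joined (net ads join -U Administrator), winbindd must be
# running, and the user radiusd runs as needs read access to winbindd's
# privileged socket directory.
mschap {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before touching the RADIUS side, check the join on its own with `ntlm_auth --request-nt-key --domain=EXAMPLE --username=<user>` as the same Unix user radiusd runs as; if that fails, no eap.conf change will help.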
Re: ipad ssl error in free radius
Hi,

is the firmware on that iPad particularly old? Or maybe your OpenSSL on the server side? Things like mismatching cipher requirements or forced secure renegotiation might cause some of these issues.

Greetings,

Stefan Winter

On 19.09.13 06:27, val john wrote:
> hi guys
> we are getting the following error in our radius log when an iPad tries to connect to our WIFI network. Our WIFI network is using EAP-TTLS + LDAP authentication. All other devices (linux, windows, mac os 10.8, Suse, android) are working fine apart from iPads..
> Error ===
> Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
> Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read client certificate A
> Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1 cli 00-88-65-42-50-88)
> Do you guys have any idea what causes this issue?
> Thank you
> John
Re: ipad ssl error in free radius
val john wrote:
> Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify

This means that the *other* end shut down the TLS connection. To be polite, it sent a notification that it was doing so.

> Do you guys have any idea what causes this issue?

Maybe there's something in the CA / server cert which the iPad doesn't like. Much of SSL is magic...

Try it with the test certificates created by the server. If the problem doesn't happen, then the problem really is the certificates.

Alan DeKok.
DHCP relaying
Hi,

I would like to ask how we can direct the FR dhcp server (using an ldap backend) to relay to another dhcp server.

The idea is that we have a db of known MAC addresses which have an associated VLAN (assigned during MAC Auth) and a static IP address (assigned through the FR dhcp server). If a MAC address is unknown, we would like to be able to relay to another dhcp server which will be responsible for dynamic IP address allocation (because, as I understand, FR does not support dynamic IP address allocation) on a private IP address range, with limited access.

What will be the command to use for relaying?

Thanks in advance,
Nick
RE: ipad ssl error in free radius
John,

The iPhone Configuration Utility can do remote debugging with iPads; it helped me diagnose some EAP-TLS issues.

John.

From: freeradius-users-bounces+jcarter=identitynetworks@lists.freeradius.org On Behalf Of val john
Sent: 19 September 2013 05:28
To: FreeRadius users mailing list
Subject: ipad ssl error in free radius
Re: DHCP relaying
Nikolaos Milas wrote:
> I would like to ask how we can direct FR dhcp server (using an ldap backend) to relay to another dhcp server.

...
update control {
	DHCP-Relay-To-IP-Address := 192.2.3.4
}
...

> The idea is that we have a db of known MAC addresses which have an associated VLAN (assigned during MAC Auth) and a static IP address (assigned through FR dhcp server). If a MAC address is unknown, we would like to be able to relay to another dhcp server which will be responsible for dynamic IP address allocation (because, as I understand, FR does not support dynamic IP address allocation) on a private IP address range, with limited access.

In 2.2.1, it can handle dynamic IP allocation. See raddb/sites-available/dhcp. Look for pool.

Alan DeKok.
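As an added example (not Alan's or the FreeRADIUS project's own configuration), this sites-available/dhcp fragment for 2.2.x makes the relay decision per client MAC: a hit in the LDAP host directory answers with the static lease, a miss sets the control attribute Alan shows so the packet is relayed to the dynamic-pool server. The addresses, the LDAP base DN and the macAddress/ipHostNumber attribute names are assumptions about the directory schema.

```conf
# sites-available/dhcp (FreeRADIUS 2.2.x), symlinked into sites-enabled.
# Added example: addresses, base DN and LDAP attribute names are assumed.
server dhcp {
	listen {
		type = dhcp
		ipaddr = 192.0.2.1      # this server's address on the client LAN
		port = 67
		interface = eth0
	}

	dhcp DHCP-Discover {
		# rlm_ldap xlat: fetch ipHostNumber of the host entry whose
		# macAddress matches the client. An empty result = unknown MAC.
		update request {
			Tmp-String-0 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?ipHostNumber?sub?(macAddress=%{DHCP-Client-Hardware-Address})}"
		}
		if ("%{Tmp-String-0}" != "") {
			update reply {
				DHCP-Message-Type := DHCP-Offer
				DHCP-Your-IP-Address := "%{Tmp-String-0}"
				DHCP-Subnet-Mask := 255.255.255.0
				DHCP-Router-Address := 192.0.2.1
				DHCP-Domain-Name-Server := 192.0.2.53
				DHCP-IP-Address-Lease-Time := 86400
				DHCP-Server-Identifier := 192.0.2.1
			}
		}
		else {
			# Unknown MAC: send no Offer ourselves. FreeRADIUS forwards
			# the Discover to this server as a relay agent (giaddr set to
			# the listener) and passes the upstream reply back to the client.
			update control {
				DHCP-Relay-To-IP-Address := 192.0.2.4
			}
		}
	}

	# Same decision for the Request; known hosts get an Ack with the
	# same static parameters, unknown hosts are relayed again.
	dhcp DHCP-Request {
		update request {
			Tmp-String-0 := "%{ldap:ldap:///ou=hosts,dc=example,dc=com?ipHostNumber?sub?(macAddress=%{DHCP-Client-Hardware-Address})}"
		}
		if ("%{Tmp-String-0}" != "") {
			update reply {
				DHCP-Message-Type := DHCP-Ack
				DHCP-Your-IP-Address := "%{Tmp-String-0}"
				DHCP-Subnet-Mask := 255.255.255.0
				DHCP-Router-Address := 192.0.2.1
				DHCP-Domain-Name-Server := 192.0.2.53
				DHCP-IP-Address-Lease-Time := 86400
				DHCP-Server-Identifier := 192.0.2.1
			}
		}
		else {
			update control {
				DHCP-Relay-To-IP-Address := 192.0.2.4
			}
		}
	}
}
```

Run the server with -X and send a Discover from a MAC that is not in the directory: the debug output should show the control update and no DHCP-Offer being built by this server, which confirms the relay branch was taken rather than a silent drop.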
Re: DHCP relaying
On 19/9/2013 3:40 PM, Alan DeKok wrote:
> In 2.2.1, it can handle dynamic IP allocation. See raddb/sites-available/dhcp. Look for pool.

Thanks. I guess it is supported in 3.0.0 as well?

Nick
Re: DHCP relaying
Nikolaos Milas wrote:
> Thanks. I guess it is supported in 3.0.0 as well?

Yes.

Alan DeKok.
Looking for help with DHCP
Not many people know that FreeRADIUS implements DHCP. I'd like to change that. I'm therefore offering to pay for some work on the feature.

As background, the current version does DHCP, and DHCP relaying. It allocates IPs from an SQL pool. The git master branch has a script to import an ISC lease file into the SQL database.

We need more. I'm looking for the following:

- detailed documentation on how to get it working. Ideally a step-by-step guide, in the style of the EAP docs on http://deployingradius.com/
- the documentation should include examples of an ISC configuration, and how it maps to a FreeRADIUS configuration
- the documentation should include simple tests, and common problems to check
- it should include any new scripts, etc. necessary to get it working.
- any code / configuration will become part of the main FreeRADIUS releases
- the documentation and worked examples will get hosted on the FreeRADIUS web site, and prominently linked from the main page
- your name will go on everything
- since my company is paying for it, all copyright will belong to Network RADIUS SARL.

This is a request for *paid* work. I'm prepared to pay reasonable rates for this. And not the $100 bounty for 6 days work kind of nonsense, either.

Please send email to me with your proposal, background, and price. I'll pick someone in the next week, and work behind the scenes to get this done.

The hope is to crush that pesky ISC server. It's been frustrating people world-wide for years. :)

Alan DeKok.
Re: Active Directory authentication question
Thanks Stefan for all your important help.

Regards,
Roberto

2013/9/19 stefan.pae...@diamond.ac.uk:
Re: ubuntu postgresql unknown client
rich carroll wrote:
> I am having problems getting freeradius with ubuntu and postgres to work. I have set up this setup on freebsd several times successfully. I believe that it is not checking the database at all. Below is my radtest command and my debug command.

It's not using Postgresql because you haven't told it to use SQL. Notice that there's no sql in the debug output.

> My configs are identical to my configs on a working freebsd server.

No, they're not.

> I would be happy to share whatever ones would be helpful.

The debug output is all that's needed.

> I can uncomment the client.conf file out of the radiusd.conf and set my nas in it and get a password error. Which you would expect if it wasn't reading from accounts from the db also.

Because you didn't tell it to read user information from SQL.

> I installed freeradius-postgresql normally I would have just installed freeradius and configured it to use postgres.

Really? If you configure sql.conf, then that *isn't* enough. Read raddb/sites-available/default, and look for sql.

Alan DeKok.
Re: ubuntu postgresql unknown client
On Thu, Sep 19, 2013 at 12:00:47PM -0500, rich carroll wrote:
> I am having problems getting freeradius with ubuntu and postgres to work. I have set up this setup on freebsd several times successfully. I believe that it is not checking the database at all. Below is my radtest command and my debug command.
...
> listen {
>	type = auth
>	ipaddr = 127.0.0.1
>	port = 18120
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
> Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 52834
  ^^

Make sure there is an entry for 127.0.0.1 in your clients.conf.

Matthew

-- 
Matthew Newton, Ph.D. <m...@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
Re: ubuntu postgresql unknown client
That was the trick. Thanks, uncommented a couple of sql's and it's working like it should.

> Really? If you configure sql.conf, then that *isn't* enough. Read raddb/sites-available/default, and look for sql.
>
> Alan DeKok.

-- 
Richard Carroll
ubuntu postgresql unknown client
I am having problems getting freeradius with ubuntu and postgres to work. I have set up this setup on freebsd several times successfully. I believe that it is not checking the database at all. Below is my radtest command and my debug command. My configs are identical to my configs on a working freebsd server. I would be happy to share whatever ones would be helpful.

I can uncomment the client.conf file out of the radiusd.conf and set my nas in it and get a password error. Which you would expect if it wasn't reading from accounts from the db also.

I installed freeradius-postgresql normally I would have just installed freeradius and configured it to use postgres.

my sql.conf

radtest command

root@radius1:/etc/freeradius# radtest test test 127.0.0.1 1812 test
Sending Access-Request of id 158 to 127.0.0.1 port 1812
	User-Name = test
	User-Password = test
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812

Server Debug:

root@radius1:/etc/init.d# freeradius -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Sep 24 2012 at 17:53:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/postgresql/dialup.conf
including configuration file /etc/freeradius/sql/postgresql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
main {
	user = freerad
	group = freerad
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {