Re: EAP-TLS problem

2004-08-04 Thread Ester Urueña
Hello,
I'm new to the Linux world, and I don't know if my problem is related to running Freeradius with only user permissions. Any advice?

 --- Ester Urueña [EMAIL PROTECTED] wrote:
  --- Nick Hall [EMAIL PROTECTED] wrote:
  Does freeradius run as a user with permissions to /home/uruena/ ?

 I run it as a user from /home/uruena/downloadrad/monradius/sbin/
 
 
 
  - Original Message -
  From: Ester URUEÑA [EMAIL PROTECTED]
  Date: Mon, 2 Aug 2004 23:21:40 +0200
  Subject: Re: EAP-TLS problem
  To: [EMAIL PROTECTED]

   I am trying to authenticate Windows XP clients (using EAP-TLS) through a Lucent WavePoint-II AP with freeradius (the third pre-release of version 1.0.0) in a Linux Red Hat machine. The version of the openssl I am using is 0.9.7d.
  
You've probably got two different versions of OpenSSL on your machine. You've compiled FreeRADIUS against one, but at run-time, it's using another. Because the internal data structures in OpenSSL don't match, it dies.

Ensure you're using ONE version of OpenSSL. See the ./configure flags.

Alan DeKok.
  
   
  Yes, I've got two versions of OpenSSL on my machine: an old version (0.9.6b) and a new one, installed to be used by FreeRADIUS (0.9.7d).

  OpenSSL 0.9.7d was compiled with:
  ./config shared --prefix=/home/uruena/dwnld_openssl/monssl

  For FreeRADIUS I've run ./configure with these options:
  --with-openssl-includes=/home/uruena/dwnld_openssl/monssl/include
  --with-openssl-libraries=/home/uruena/dwnld_openssl/monssl/lib
  (the lib and include directories of my OpenSSL 0.9.7 version)

  I see in the config.log file:
  configure:7077: checking for OpenSSL version = 0.9.7
  (so it really takes into account my new version of OpenSSL and not the old one)

  My certificates were created with the 0.9.7 version.
  And finally, I run freeradius with the following definition of environment variables inside a script:
  LD_LIBRARY_PATH=/home/uruena/monopenssl/lib

  If I define
  LD_PRELOAD=/home/uruena/monopenssl/lib/lybcrypto.so
  when I run my script I have an error:
  error while loading shared libraries: /home/uruena/monopenssl/lib/lybcrypto.so: cannot open shared object file: No such file or directory
  Maybe this is the problem, isn't it?

  If it is really the problem I don't know how to solve it, because /home/uruena/monopenssl/lib/lybcrypto.so exists (and points to libcrypto.so.0 that points to libcrypto.so.0.9.7).
  Could somebody help me, please?
  
  Thank you!
  
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
   







Re: LDAP authentication needs read access to userPassword?

2004-08-04 Thread Kostas Kalevras
On Wed, 4 Aug 2004, Thomas -Balu- Walter wrote:

 Hi all,

 I'm fairly new in the radius business and need to set up a machine to
 support user authentication via LDAP. The best way by now seems to use
 freeradius :).

 However while flying through the documentations, howtos, etc. I've
 noticed that freeradius seems to need read-access to the userPassword
 attribute. Is that correct? (which could be the reason why it is not
 working here yet ;).

 Or does freeradius use the usual LDAP-search_entry-bind method to
 authenticate users?

If you use the ldap module for authentication it will use the ldap bind method
for authentication.
If you use another module for authentication (pap,chap,mschap,eap-md5 etc) you
will need read access to the password attribute.


  Balu... crawling back into the pile of documentation.

 BTW - http://www.freeradius.org/radiusd/doc/ is missing...



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
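As an added illustration of the distinction Kostas draws (not from the thread), OpenLDAP slapd.conf access rules for the two cases; the RADIUS server's bind DN cn=radius,dc=example,dc=com is an assumed placeholder:

```text
# Added example, not from the thread. Assumes the RADIUS server binds to the
# directory as cn=radius,dc=example,dc=com (constructed placeholder DN).

# Case 1: rlm_ldap does the authentication (Auth-Type LDAP). The server
# re-binds as the user, so only "auth" on userPassword is needed and the
# RADIUS bind DN never gets to read the stored value.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Case 2: pap, chap, mschap or eap-md5 does the authentication. The server
# must fetch the stored password, so its bind DN needs "read" (which
# implies auth). chap, mschap and eap-md5 also need the value stored in
# cleartext (mschap alternatively an NT hash), so an {SSHA} hash like the
# one in Robert's entry below only works with Case 1 or with pap.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=radius,dc=example,dc=com" read
        by * none
```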



Re: Modify packet type in rlm_exec?

2004-08-04 Thread Alan DeKok
James Nedila [EMAIL PROTECTED] wrote:
 Can I modify the packet type in my exec module?
 (ie/ change an Access-Accept to an Access-Reject)

  You can return 1 from the script, which will cause the module to
return RLM_MODULE_FAIL, and should reject the user.

  Alan DeKok.




Re: Rewriting User-Name attribute without rewrite_attr

2004-08-04 Thread Alan DeKok
Steve Chan [EMAIL PROTECTED] wrote:
 In previous tests with exactly the same configuration, the auth-type was
 eventually matched against the local files configuration and authentication
 worked properly.
 
 I stand by my assertion that it doesn't work - do you have reason to
 believe that section of code SHOULD work?

  Nope.  I've never used it.

  See the patches to the module on bugs.freeradius.org.  I don't know
if they'll help, but they might.

  Alan DeKok.




Re: Forcing Auth-Method to LEAP

2004-08-04 Thread Alan DeKok
Dietmar Romer [EMAIL PROTECTED] wrote:
 I tried this, but it does not work. The files-module is called before the 
 eap-module; it always returns ok, regardless of the EAP-Type := LEAP. 

  Did you try it in 1.0.0-pre3?

  The feature was added, and tested by me (though not recently).

  Alan DeKok.



Re: Status Server Reply Message

2004-08-04 Thread Alan DeKok
David [EMAIL PROTECTED] wrote:
 I am testing with FreeRADIUS version 1.0.0-pre3.  I was wondering if
 the Reply-Message in the status server was configurable or if it
 was hardcoded?

  It's hard coded.  It wouldn't be too hard to make it configurable, though.

  Alan DeKok.



Re: Problem with Huntgroups

2004-08-04 Thread Alan DeKok
Geoffrey Cauchi [EMAIL PROTECTED] wrote:
 Did you have any reply re. this?  We are facing a very similar problem and
 it would be greatly appreciated if you could tell us how you solved the
 problem.

  So far, I don't think he has.

  I've taken a quick look at the problem, but I'm not sure what's
going wrong, so I'm not sure I can suggest any fix or work-around.

  Alan DeKok.




Re: RADZAP

2004-08-04 Thread Alan DeKok
Geoffrey Cauchi [EMAIL PROTECTED] wrote:
 We are running Free Radius 1Pre3 and wanted to delete a user entry from
 radutmp using radzap.  The user entry is not being deleted though!

  Other people have said the same thing.

 Anyone knows about issues with radzap?

  Not really.

  i.e. Set up a *tiny* test system.  Use radclient to send a fake
accounting start packet, to create a radutmp entry.  Use radwho to
check that the user is marked as logged in.  Then, use radzap to
zap their session.

  You can also use radclient to send a fake accounting stop packet.
That should cause the entry to be deleted.

  That will give you not only simple debugging output, but you will be
able to see what *does* cause the entry to be deleted, and that will
give you an indication as to what's wrong with radzap.

  In the long run, radzap should probably be moved to a shell script
around radclient, and the server should be updated to accept those
zap sessions from a trusted client, like localhost.

  Alan DeKok.



Re: Problem with Huntgroups

2004-08-04 Thread Robert Banniza
On Wed, Aug 04, 2004 at 10:52:28AM -0400, Alan DeKok wrote:
 Geoffrey Cauchi [EMAIL PROTECTED] wrote:
  Did you have any reply re. this?  We are facing a very similar problem and
  it would be greatly appreciated if you could tell us how you solved the
  problem.
 
   So far, I don't think he has.
 
   I've taken a quick look at the problem, but I'm not sure what's
 going wrong, so I'm not sure I can suggest any fix or work-around.
 
   Alan DeKok.

OK, I have looked at the rlm_ldap documentation and here is what I have.
I have restarted radiusd and everyone is still able to log into each
device successfully. I only want certain people with matching
radiusGroupName attributes to be able to log into the respective device
and anyone else to be rejected. What am I doing wrong here:

1) In the users file, I have the following (pay attention to the
Ldap-Group entry):

DEFAULT Huntgroup-Name == Cisco
Auth-Type := LDAP,
Service-Type := 6,
Ldap-Group == cisco,
Fall-Through = Yes

DEFAULT Huntgroup-Name == Juniper-E-series
Auth-Type := LDAP,
Ldap-Group == junipere,
Fall-Through = Yes

DEFAULT Huntgroup-Name == Juniper-M-Series
Auth-Type := LDAP,
Ldap-Group == juniperm,
Fall-Through = No


2) My LDAP schema has the following (pay attention to radiusGroupName):

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vFGHHGJxzesR5Y/rodHeQbF9yiAAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 99
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: ERX-Cli-Initial-Access-Level := 15
radiusReplyItem: ERX-Alternate-Cli-Access-Level := 15
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusReplyItem: Cisco-AVPair := shell:priv-lvl=15
radiusGroupName: cisco
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

3) In my radiusd.conf file, I have groupname_attribute = radiusGroupName
and groupmembership_attribute = radiusGroupName.


 
 
 



Re: Modify packet type in rlm_exec?

2004-08-04 Thread Thor Spruyt

- Original Message - 
From: Alejandro Galue [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 5:37 PM
Subject: RE: Modify packet type in rlm_exec?


 To reject users:

 print Reply-Message := 'You can not login now';
 exit 1;

 BUT, Reply-Message on Access-Reject is not modified.

I'm having the same problem with Exec-Program-Wait which after successful
lookup in the database, returns a reject with an error message.

The problem is that when the external script returns exit code 1,
src/main/auth.c always adds a Reply-Message stating that the external check
failed, causing the reply-message returned by the external program not to be
interpreted by the NAS.

My solution was to edit the source code in src/main/auth.c not to include a
reply message by itself, but only the one returned by the external program.
I already submitted this issue 3 times, but it never got changed in a
release.

Below is my fix for this:

--- freeradius-0.9.3/src/main/auth.c.orig 2004-05-19 16:43:15.0
+0200
+++ freeradius-0.9.3/src/main/auth.c 2003-06-24 16:22:19.0 +0200
@@ -805,21 +805,17 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-/* Don't tell that auth failed by external check */
-user_msg = NULL;
+user_msg = \r\nAccess denied (external check failed).;
} else {
 user_msg = umsg[0];
}

request-reply-code = PW_AUTHENTICATION_REJECT;
-   /* Only add reply-message when one is available */
-   if (user_msg != NULL) {
-tmp = pairmake(Reply-Message, user_msg, T_OP_SET);
-pairadd(request-reply-vps, tmp);
-   }
+   tmp = pairmake(Reply-Message, user_msg, T_OP_SET);
+
+   pairadd(request-reply-vps, tmp);
rad_authlog(Login incorrect (external check failed),
-   /* Log attributes of reject packets */
- request, 1);
+ request, 0);

return RLM_MODULE_REJECT;
   }
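Review bot: the hunk is reversed relative to the description: the `-` lines (`user_msg = NULL;`, the `if (user_msg != NULL)` guard around `pairmake`/`pairadd`, and `request, 1`) are the proposed behaviour, while the `+` lines restore the hard-coded `Access denied (external check failed).` message, and the header lists the newer file (2004-05-19) as `auth.c.orig` and the older one (2003-06-24) as `auth.c`; applied as-is it re-introduces the message instead of removing it, so regenerate it with the unmodified file first (`diff -u auth.c.orig auth.c`). Two further points: the `rad_authlog(...)` argument change from `request, 1` to `request, 0` toggles logging of reject-packet attributes, which the message body does not mention and which should be justified separately or split out; and as pasted the C has lost its double quotes around the string literals, the `&` in what should be `&umsg[0]` (as shown, a single `char` is assigned to a `char *`), and the `->` in `request-reply-code` and `request-reply-vps`, so it cannot be applied from the mail in this form.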




Re: Using groups to allow certain engineers access to certain switches??

2004-08-04 Thread Robert Banniza
On Wed, Aug 04, 2004 at 02:14:41PM +0300, Kostas Kalevras wrote:
 On Tue, 3 Aug 2004, Robert Banniza wrote:
 
  Guys,
  I'm using Freeradius-0.9.3 with the rlm_ldap module (OpenLDAP backend)
  and have most everything configured except this last little bit. I would
  like to allow only certain users to have the ability to log in to only
  certain switches. i.e. Cisco group will manage cisco devices and juniper
  group can only manage juniper devices.
 
  I thought I could do this by placing:
 
  Group = operator
 
  in the huntgroups file under each individual huntgroup and then adding a
 
  radiusReplyItem: Group := operator
 
 The correct radius group attribute is Ldap-Group. And you don't set group
 membership in this way. Please read the ldap documentation in the doc folder.

OK, I have looked at the rlm_ldap documentation and here is what I have.
I have restarted radiusd and everyone is still able to log into each
device successfully. I only want certain people with matching
radiusGroupName attributes to be able to log into the respective device
and anyone else to be rejected. What am I doing wrong here:
1) In the users file, I have the following (pay attention to the
Ldap-Group entry):
DEFAULT Huntgroup-Name == Cisco
Auth-Type := LDAP,
Service-Type := 6,
Ldap-Group == cisco,
Fall-Through = Yes
DEFAULT Huntgroup-Name == Juniper-E-series
Auth-Type := LDAP,
Ldap-Group == junipere,
Fall-Through = Yes
DEFAULT Huntgroup-Name == Juniper-M-Series
Auth-Type := LDAP,
Ldap-Group == juniperm,
Fall-Through = No
2) My LDAP schema has the following (pay attention to radiusGroupName):
dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vFGHHGJxzesR5Y/rodHeQbF9yiAAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 99
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: ERX-Cli-Initial-Access-Level := 15
radiusReplyItem: ERX-Alternate-Cli-Access-Level := 15
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusReplyItem: Cisco-AVPair := shell:priv-lvl=15
radiusGroupName: cisco
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net
3) In my radiusd.conf file, I have groupname_attribute = radiusGroupName
and groupmembership_attribute = radiusGroupName.


 
 
  in my ldap schema. However, this has managed to seg fault the radiusd
  process. Is this the correct way to go about adding tiered access to my
  routers/switches? If not, I would appreciate any help out there.
 
  Robert
 
 
 
 --
 Kostas Kalevras   Network Operations Center
 [EMAIL PROTECTED] National Technical University of Athens, Greece
 Work Phone:   +30 210 7721861
 'Go back to the shadow'   Gandalf
 
 



Cisco 1721 + MLPPP + MySQL

2004-08-04 Thread Lee Norvall



Hi

I have a Cisco 1721 with 2 x ADSL wics and am trying to set up MLPPP. I can see the user authenticate twice, but I am getting about 50% packet loss!!!

I have:

Port-limit = 2
Simultaneous-Use := 2

in the Group reply.

Has anyone had this problem/got it working?





auth-detail file in freeradius 1.0.0pre3

2004-08-04 Thread Casey Lee
Hello -

I am currently testing freeradius 1.0.0pre3 and encountering an issue.
The User-Password attribute showed up in the auth-detail file! (No
reason I need to store password in the log) 

auth-detail-20040804
Packet-Type = Access-Request
Wed Aug  4 11:25:31 2004
User-Name = testabc
User-Password = 123test
NAS-IP-Address = 255.255.255.255
NAS-Port = 111
Client-IP-Address = 192.168.1.100

That's the output when I used the radiusd.conf file from the source,
edited the ldap configuration and turn on the detail auth_log feature.
I tested it again with radiusd.conf file from my production
freeradius093 radiusd.conf file, and it output the same result.

My freeradius 0.9.3 version auth-detail output looks like this,

Wed Aug  4 13:02:06 2004
User-Name = testabc
NAS-IP-Address = 255.255.255.255
NAS-Port = 111
Client-IP-Address = 192.168.1.100
Timestamp = 1091642526

No User-Password attribute logged. 

Is it a bug? If not, would somebody give me some pointer how to fix it?
Thank you very much.

-Casey
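An added example, not from the thread or from FreeRADIUS itself, that parses the detail-file layout quoted above (a timestamp line, indented "Attribute = value" lines, blank line between records), reports which records logged a User-Password, and masks the value in existing files; the sample text is constructed from the two outputs in the post:

```python
"""Scan FreeRADIUS detail files for attributes that must never be logged."""
import re

# Attributes whose cleartext value should not reach a log file.
SENSITIVE_ATTRS = {"User-Password"}

# Indented "Attribute = value" line inside a detail record.
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(.*)$")

# Constructed sample modelled on the two auth-detail outputs quoted in the post.
SAMPLE_DETAIL = """\
Wed Aug  4 11:25:31 2004
\tPacket-Type = Access-Request
\tUser-Name = testabc
\tUser-Password = 123test
\tNAS-IP-Address = 255.255.255.255
\tNAS-Port = 111
\tClient-IP-Address = 192.168.1.100

Wed Aug  4 13:02:06 2004
\tUser-Name = testabc
\tNAS-IP-Address = 255.255.255.255
\tNAS-Port = 111
\tClient-IP-Address = 192.168.1.100
\tTimestamp = 1091642526
"""

def parse_detail(text):
    """Return a list of (timestamp line, {attribute: value}) per record."""
    records, stamp, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():                # blank line closes the record
            if stamp is not None:
                records.append((stamp, attrs))
            stamp, attrs = None, {}
            continue
        m = ATTR_RE.match(line)
        if m and stamp is not None:         # attribute inside a record
            attrs[m.group(1)] = m.group(2)
        elif not line[0].isspace():         # unindented line opens a record
            stamp, attrs = line.strip(), {}
    if stamp is not None:
        records.append((stamp, attrs))
    return records

def find_leaks(text):
    """List (timestamp, User-Name, attribute) for records that logged a
    sensitive attribute; the secret value itself is deliberately not returned."""
    leaks = []
    for stamp, attrs in parse_detail(text):
        for name in sorted(SENSITIVE_ATTRS.intersection(attrs)):
            leaks.append((stamp, attrs.get("User-Name", "?"), name))
    return leaks

def redact(text):
    """Mask sensitive values in existing detail text; returns (text, count)."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        m = ATTR_RE.match(line)
        if m and m.group(1) in SENSITIVE_ATTRS:
            line = line[:m.start(2)] + "[redacted]" + line[m.end(2):]
            count += 1
        out.append(line)
    return "".join(out), count
```

Run find_leaks over each auth-detail-* file to locate the records that need cleaning, then write back the output of redact.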






Re: Problem with Huntgroups

2004-08-04 Thread Alan DeKok
Robert Banniza [EMAIL PROTECTED] wrote:
 1) In the users file, I have the following (pay attention to the
 Ldap-Group entry):
 
 DEFAULT Huntgroup-Name == Cisco
 Auth-Type := LDAP,
 Service-Type := 6,
 Ldap-Group == cisco,

  You are putting check items into the reply list.  See man 5 users.

  The above configuration WILL NOT work, and WILL result in large
warning messages in the debug logs.

  Alan DeKok.
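An added example, not from the thread, of the same three entries rewritten with the check items on the first line as man 5 users describes, followed by a catch-all that rejects anyone the device-specific entries did not match (without it, a user outside the group simply gets no Auth-Type and the outcome is not explicit); the reply attribute values are taken from Robert's LDAP entry, and rlm_ldap is assumed to be loaded so that the Ldap-Group comparison is registered:

```text
# Added example, not Robert's file. Check items (Huntgroup-Name, Ldap-Group,
# Auth-Type) go on the first line and decide whether the entry matches;
# reply items go on the indented lines that follow. Processing stops at the
# first matching entry because no Fall-Through = Yes is set.

DEFAULT Huntgroup-Name == Cisco, Ldap-Group == cisco, Auth-Type := LDAP
        Service-Type = NAS-Prompt-User,
        Cisco-AVPair = "shell:priv-lvl=15"

DEFAULT Huntgroup-Name == Juniper-E-series, Ldap-Group == junipere, Auth-Type := LDAP
        Juniper-Local-User-Name = "tier3"

DEFAULT Huntgroup-Name == Juniper-M-Series, Ldap-Group == juniperm, Auth-Type := LDAP
        Juniper-Local-User-Name = "tier3"

# Nothing above matched: wrong group for this device, or an unknown device.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized for this device"
```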



Re: So close....yet so far

2004-08-04 Thread Guy Fraser
That looks like some kind of shell expansion.
Putting a \ character in front of the ! character is called
escaping, and it is used to prevent the shell from using
that character as part of an expansion.
[EMAIL PROTECTED] wrote:
Hello,
When last I posted, I was having problems getting radius and
LDAP to talk using TLS. I've fixed my problem, but in this process
I've come across another issue. When testing I tried using a
! in a test user's password. On the radius server it came
across as %21 instead of !.

EXAMPLE:
radtest testradius ta!ters radius testing123
gets an access-denied
and the log files on radius server:
rlm_ldap: login attempt by testradius with password ta%21ters
but radtest testradius ta\!ters radius testing123
gets an access-accept
Any ideas what is going on??
Thanks!
David
SSG
 




Compile bug on AIX

2004-08-04 Thread Roy
Attempting to compile freeradius-1.0.0-pre3 on AIX 5.1 using IBM compiler.
The following error occurs.

Making static dynamic in rlm_unix...
make[6]: Entering directory `/work/work/radius/freeradius-1.0.0-pre3/src/modules/rlm_unix'
cc  -O3 -I/usr/local/ssl/include -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -DNDEBUG  -I../../include  -c rlm_unix.c -o rlm_unix.o
compat.h, line 66.49: 1506-277 (S) Syntax error: possible missing ';' or ','?
compat.h, line 66.8: 1506-485 (S) Parameter declaration list is incompatible with declarator for inline.





Re: Modify packet type in rlm_exec?

2004-08-04 Thread James Nedila
Alan DeKok wrote:
James Nedila [EMAIL PROTECTED] wrote:
Can I modify the packet type in my exec module?
(ie/ change an Access-Accept to an Access-Reject)

  You can return 1 from the script, which will cause the module to
return RLM_MODULE_FAIL, and should reject the user.
Thanks, that works...
Now a slightly different question:
Can I change an access-reject to an access-accept using the exec module in
the post-proxy section?
James



Re: Problem with Huntgroups

2004-08-04 Thread Robert Banniza
On Wed, Aug 04, 2004 at 02:41:09PM -0400, Alan DeKok wrote:
 Robert Banniza [EMAIL PROTECTED] wrote:
  1) In the users file, I have the following (pay attention to the
  Ldap-Group entry):
  
  DEFAULT Huntgroup-Name == Cisco
  Auth-Type := LDAP,
  Service-Type := 6,
  Ldap-Group == cisco,
 
   You are putting check items into the reply list.  See man 5 users.
 
   The above configuration WILL NOT work, and WILL result in large
 warning messages in the debug logs.

I'm confused. Why does it state to use '==' in the rlm_ldap file in the
doc directory?

Thanks
Robert

 
   Alan DeKok.
 
 



AEGIS client with freeRADIUS

2004-08-04 Thread Alex Reynolds
To test a 802.1x authentication setup, I am using Andreas Wolf's WPA 
Enterprise network document at:

 http://homepage.mac.com/andreaswolf/public/wpaeap.html
I have also added modifications to enable EAP-TTLS + Kerberos 
authentication, which work fine with Mac OS X 10.3 and Xsupplicant 
802.1x clients.

However, I cannot get AEGIS (WinXP) 802.1x clients to authenticate and 
I suspect it has to do with the root and server certificates, based on 
the debug traffic.

Has anyone successfully connected AEGIS clients to freeRADIUS (esp. 
using self-signed certificates)? Are there extra steps involved?

Thanks,
Alex
---
Alex Reynolds
Sr IT Specialist
15 Mudd Building / 6013
Department of Biology
University of Pennsylvania
Philadelphia, PA 19104
V: +1 215 573.2818
F: +1 215 898.8780
E: mailto:[EMAIL PROTECTED]
W: http://www.bio.upenn.edu/computing/