Unknown Auth-Type eap in authenticate section.

2005-09-22 Thread Wulf Kaiser
Hi,


After doing the configure stuff on a Solaris 9 machine

 ./configure \
 --prefix=/usr/local/freeradius-1.0.5 \
 --sysconfdir=/usr/local/freeradius-1.0.5/conf \
 --localstatedir=/usr/local/freeradius-1.0.5/var \
 --sharedstatedir=/usr/local/freeradius-1.0.5/com \
 --bindir=/usr/local/freeradius-1.0.5/bin \
 --sbindir=/usr/local/freeradius-1.0.5/sbin \
 --libdir=/usr/local/freeradius-1.0.5/lib \
 --libexecdir=/usr/local/freeradius-1.0.5/libexec \
 --includedir=/usr/local/freeradius-1.0.5/include \
 --mandir=/usr/local/freeradius-1.0.5/man \
 --datadir=/usr/local/freeradius-1.0.5/share \
 --with-raddbdir=/usr/local/freeradius-1.0.5/etc \
 --with-rlm_ldap-lib-dir=/usr/local/openldap2/lib \
 --with-rlm_ldap-include-dir=/usr/local/openldap2/include \
 --with-openssl-includes=/usr/local/ssl/include \
 --with-openssl-libraries=/usr/local/ssl/lib \
 --without-rlm_sql_mysql \
 --without-rlm_sql_oracle \
 --without-rlm_sql_unixodbc \
 --without-rlm_sql_iodbc \
 --without-rlm_sql_postgresql \
 --without-rlm_x99_token \
 --without-rlm_krb5 \
 --with-gnu-ld


I tried

./radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
radiusd.conf[64] Failed to link to module 'rlm_ldap': ld.so.1: ./radiusd: fatal: libldap_r-2.2.so.7: open failed: No such file or directory

[EMAIL PROTECTED]8 bash
bash-2.05# export LD_LIBRARY_PATH=/usr/local/openssl/lib:/usr/local/openldap/lib
bash-2.05# ./radiusd -x
Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap-radius mappings from file /usr/local/freeradius-1.0.5/etc/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP sambalmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP sambantPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 56318
Module: Instantiated ldap (ldap)
Module: Loaded eap
rlm_eap: Loaded and initialized type tls
rlm_eap: Loaded and initialized type ttls
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
radiusd.conf[124] Unknown Auth-Type eap in authenticate section.


What does

radiusd.conf[124] Unknown Auth-Type eap in authenticate section.

mean?


Wulf Kaiser

IT Services

Web 

choosing userprofile by NAS

2005-09-22 Thread Florian Prester

Hi,

how can I serve different information to the same user
depending on the Huntgroup having all information stored
in a LDAP-server?


meaning:

userA logging in NAS_A: receives IP-A supplied by LDAP
userA logging in NAS_B: receives IP-B supplied by LDAP


--
Dipl. Inf. Florian Prester
Network Administration
Regionales RechenZentrum Erlangen
Universitaet Erlangen-Nuernberg
Germany

Tel.: +499131 8527813

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Transmitted data to radius server.

2005-09-22 Thread Iandc Davies
Firstly, thanks to all of you with being this patient with me.
I think I've got a handle on the method. Please correct me if I'm wrong in
either terminology or content.

For the purpose of this mail, please use the following meanings:
Server = RADIUS Server
Client = The thing that sends information to the server.

OK,

To construct a message that is received by the server from the client, I can
create a structure of the following type:

typedef struct radius_packet {
  int          id;          /* packet identifier */
  unsigned int code;        /* Access-Request, Access-Accept, ... */
  uint8_t      vector[16];  /* 16-octet authenticator */
  VALUE_PAIR  *vps;         /* linked list of attribute/value pairs */
} RADIUS_PACKET;

The VALUE_PAIR struct is as defined currently.

The radius server will receive the transmitted packet by passing a file
descriptor and a data array to a system function call recvfromto.
Data then holds the received data in the following uint8_t format.

  data[0]   -> code
  data[1]   -> identifier
  data[2]   -> length (HSB)
  data[3]   -> length (LSB)
  data[4]   -> vector[0]  (16 octet authenticator)
  data[5]
  ..
  data[19]  -> vector[15]
  data[20]  -> start of value_pair sequence.
  ...

If that is correct so far, radius then re-aligns to evaluate the
value_pairs.

This is where, again, my understanding of the code is a bit hazy.
Any help appreciated. :-)

Therefore data[20] is mapped to a pointer attr.

  attr[0]   -> holds vp->attribute
  attr[1]   -> holds vp->length

The server sanity checks the sum of the lengths of the attributes against
the data length of the message.

Once this happens, the server mem-copies the data array to RADIUS_PACKET->data
and treats it as it will.

Many thanks and a promise to buy you a drink or three if I see you ;-)

Ian Davies {02476 564662}
  Internal   (x740 4662)
IMS-SIPAC
Software Development Engineer


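As an added example (not code from the post above or from FreeRADIUS), here is a small C parser for the layout Ian describes: the 20-octet header, the Length sanity check against the bytes actually received, and the walk over type/length/value attributes where attr[0] is the type, attr[1] the length and attr[2] onward the value. The Access-Request bytes and the function names (radius_parse_header, radius_walk_attrs, parse_sample) are constructed for this illustration.

```c
/* Added example, not FreeRADIUS code: parse a RADIUS datagram laid out as
 * in the post and apply the length checks a server needs before trusting
 * any attribute. Sample bytes and function names are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RADIUS_HDR_LEN 20    /* code(1) id(1) length(2) authenticator(16) */
#define RADIUS_MAX_LEN 4096  /* RFC 2865: Length is 20..4096 */

typedef struct {
    uint8_t code;             /* data[0] */
    uint8_t id;               /* data[1] */
    uint16_t length;          /* data[2] (HSB), data[3] (LSB) */
    uint8_t vector[16];       /* data[4..19], the authenticator */
    const uint8_t *attrs;     /* data[20], start of the attribute sequence */
    size_t attrs_len;         /* length - 20 */
} radius_hdr;

typedef struct {
    uint8_t type;             /* attr[0] */
    uint8_t length;           /* attr[1], counts the two header octets too */
    const uint8_t *value;     /* attr[2..], NULL when length == 2 */
} radius_attr;

/* Validate the fixed header. Returns 0, or -1 for a runt datagram, an
 * out-of-range Length, or a Length larger than the bytes received. */
int radius_parse_header(const uint8_t *data, size_t datalen, radius_hdr *out)
{
    uint16_t len;
    if (datalen < RADIUS_HDR_LEN) return -1;
    len = (uint16_t)((data[2] << 8) | data[3]);
    if (len < RADIUS_HDR_LEN || len > RADIUS_MAX_LEN || len > datalen) return -1;
    out->code = data[0];          /* octets beyond Length are padding: ignored */
    out->id = data[1];
    out->length = len;
    memcpy(out->vector, data + 4, sizeof out->vector);
    out->attrs = data + RADIUS_HDR_LEN;
    out->attrs_len = len - RADIUS_HDR_LEN;
    return 0;
}

/* Walk the attributes: their lengths must sum exactly to the packet end.
 * Returns the attribute count, or -1 on a zero, short or overlong length.
 * Only the first max entries are stored in out; all are validated. */
int radius_walk_attrs(const radius_hdr *hdr, radius_attr *out, size_t max)
{
    const uint8_t *attr = hdr->attrs;
    size_t left = hdr->attrs_len;
    int n = 0;
    while (left > 0) {
        uint8_t alen;
        if (left < 2) return -1;                 /* no room for type+length */
        alen = attr[1];
        if (alen < 2 || alen > left) return -1;  /* would run past the packet */
        if ((size_t)n < max) {
            out[n].type = attr[0];
            out[n].length = alen;
            out[n].value = alen > 2 ? attr + 2 : NULL;
        }
        n++;
        attr += alen;
        left -= alen;
    }
    return n;
}

/* Constructed Access-Request: User-Name "bob", NAS-IP-Address 192.168.1.1. */
static const uint8_t sample_access_request[] = {
    0x01, 0x2a, 0x00, 0x1f,                    /* code, id, length = 31 */
    0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,   /* authenticator (made up) */
    0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
    0x01, 0x05, 'b', 'o', 'b',                 /* User-Name (1), len 5 */
    0x04, 0x06, 192, 168, 1, 1                 /* NAS-IP-Address (4), len 6 */
};

/* Parse the sample, optionally with fewer octets than Length claims
 * (truncate > 0) or with the User-Name length octet overwritten
 * (bad_len != 0). Returns the attribute count (2 for the intact sample)
 * or -1 when either check rejects the packet. */
int parse_sample(size_t truncate, uint8_t bad_len)
{
    uint8_t pkt[sizeof sample_access_request];
    radius_hdr hdr;
    radius_attr attrs[8];
    memcpy(pkt, sample_access_request, sizeof pkt);
    if (bad_len) pkt[21] = bad_len;            /* attr[1] of User-Name */
    if (radius_parse_header(pkt, sizeof pkt - truncate, &hdr) != 0) return -1;
    return radius_walk_attrs(&hdr, attrs, 8);
}
```

parse_sample(0, 0) walks both attributes, while a Length one octet longer than the datagram, a User-Name length of 12 that overruns the packet, or a length of 1 that cannot even cover the attribute header are all rejected before any value is read.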


Erratic EAP/TLS authentication problems

2005-09-22 Thread Jim Potter

Hi all,
 I've got a debian freeradius (1.0.3 with EAP compiled in) server which 
is being erratic - I can't really identify where the problem is, in that 
it works fine for about 90% of requests, and fails the rest - I know 
this is very vague, but has anyone else had similar experiences, or 
would anyone who has this running successfully be prepared to send me a 
copy of their config files.


thanks in advance

Jim Potter



PEAP Public_key_exchange padding

2005-09-22 Thread Juan Daniel Moreno
Hi, I am using a freeRadius 1.0.4 and I would like to know something
about client_key_exchange(). Into this function it is necessary to
specify  a padding system that the server accepts. My question is,
which of these paddings:

RSA_PKCS1_PADDING
RSA_PKCS1_OAEP_PADDING
RSA_SSLV23_PADDING
RSA_NO_PADDING

is accepted by freeRadius 1.0.4? Thank you very much.

Juan Daniel MORENO



RE: choosing userprofile by NAS

2005-09-22 Thread Jonathan De Graeve
I'm looking for the same thing but then with an SQL backend instead of
LDAP

J.

-- 
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]

-
Always read the manual for the correct way to do things because the
number of incorrect ways to do things is almost infinite
-



howto reset rlm_sqlcounter

2005-09-22 Thread Bart van Daal
Hi All,

I'm authenticating users who can buy a specified amount of time to 
go online. I'm using the rlm_sqlcounter module with a reset=never
option because there is no specified amount of time in which users
have to use their  minutes.
A user can also buy additional minutes or when his minutes are depleted,
a new subscription.

two possible options I think of to reset the counter are:
1. write a program to manipulate the gdbm file. Where is this file stored?
2. keep adding the minutes to the already existing value for the
session-time.


I was wondering if there was an 'easy' way to reset the counter for a user.

thanks,
kind regards,
Bart van Daal

 

Bart van Daal
Network Operations

Van Landeghemstraat 20
9100 SINT-NIKLAAS
[EMAIL PROTECTED]
www.edpnet.be
T +32 (0)3 265 67 00
F +32 (0)3 265 67 01

 



is this possible ?

2005-09-22 Thread TK Lew
hi :

I am not sure that anyone have done this before ::

We have a customer using Steelbelt radius that forwards accounting
information to the freeradius server. We can receive the accounting
packet and store it successfully.
But the problem is we have another application that will do a mapping
from IP address to  MSISDN. In order to do the mapping from IP to
MSISDN , the application need to talk?? to a radius server that have
the information (that means freeradius that receive the accounting
packet). The flow is below ::

handset -- authenticated successfully -- Steelbelt radius forward
accounting packet to Freeradius and the application will the a lookup
for MSISDN that match the IP address before allow the handset to use
the services.

Is this possible ?? The application managed to authenticate itself
successfully with Freeradius but I just cannot send the matching
MSISDN back to the application.

I have tried to use a variable such as %{Calling-Station-Id} in the
access-reply message but no value is assigned.

Any helps ?

Thanks



accounting analysis

2005-09-22 Thread Marc-Henri Boisis-delavaud

Hello
do you know of a free tool to generate analysis from freeradius accounting ?
---
Marc




Realm extraction

2005-09-22 Thread Dmitry Alekhin
Hi all,

I am new to FreeRADIUS, so I have one question: how can I extract the Realm
attribute in radiusd.conf name?
So, I need to use it in an LDAP filter to make a search like:

ldap {
        server = localhost
        identity = uid=pr,ou=Staff,dc=domain,dc=com
        password = secret
        basedn = ou=People,dc=ivoho,dc=com

        filter = (uid=%{User-Name},ou=%{Realm-Name})
        # base_filter = (objectclass=radiusprofile)

        ...
}

How can I get the Realm-Name variable?


Re: PEAP Public_key_exchange padding

2005-09-22 Thread Michael Lecuyer
This is dictated by TLS (actually OpenSSL's TLS). For the RSA key 
exchange TLS uses RSA_PKCS1_PADDING.


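As an added example (not FreeRADIUS or OpenSSL code), this is what RSA_PKCS1_PADDING means for the ClientKeyExchange in the answer above: the 48-octet premaster secret is wrapped in a PKCS#1 v1.5 type 2 block (0x00, 0x02, non-zero padding, 0x00, message) before RSA encryption, and the receiving side strips it without revealing which check failed. The function names, the premaster bytes and the fixed padding filler are constructed for this illustration; a real client fills PS from a CSPRNG.

```c
/* Added example, not FreeRADIUS or OpenSSL code: the PKCS#1 v1.5 block
 * format selected by RSA_PKCS1_PADDING, applied to the TLS premaster
 * secret. Names and sample bytes are constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PREMASTER_LEN 48   /* TLS: client_version (2) + 46 random octets */
#define MODULUS_LEN  128   /* k for a 1024-bit RSA key */

/* Build EM = 0x00 || 0x02 || PS || 0x00 || M into em[k], with PS being
 * k - mlen - 3 non-zero octets (at least 8). ps_fill supplies the PS
 * octets: a CSPRNG in real code; the demo passes a fixed pattern.
 * Returns 0, or -1 if the message leaves no room for the padding. */
int pkcs1_v15_pad(uint8_t *em, size_t k, const uint8_t *m, size_t mlen,
                  void (*ps_fill)(uint8_t *, size_t))
{
    size_t i, pslen;
    if (k < 11 || mlen > k - 11) return -1;
    pslen = k - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    ps_fill(em + 2, pslen);
    for (i = 0; i < pslen; i++)
        if (em[2 + i] == 0) em[2 + i] = 0x01;   /* PS must contain no zero */
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, m, mlen);
    return 0;
}

/* Strip the padding. Returns the message length, or -1 if any check fails.
 * The checks are accumulated into one flag instead of returning at the
 * first failure: a decoder whose timing or error code reveals WHICH check
 * failed hands out a padding oracle, which is also why TLS tells servers
 * to carry on with a random premaster when unpadding fails. */
int pkcs1_v15_unpad(const uint8_t *em, size_t k, uint8_t *m, size_t mmax)
{
    size_t i, zero_at = 0, mlen;
    unsigned bad, found = 0;
    if (k < 11) return -1;
    bad = (em[0] ^ 0x00) | (em[1] ^ 0x02);
    for (i = 2; i < k; i++) {                /* locate the first 0x00 */
        unsigned is_zero = (em[i] == 0);
        zero_at |= (is_zero & (found ^ 1u)) * i;
        found |= is_zero;
    }
    bad |= found ^ 1u;                       /* no separator at all */
    bad |= (zero_at < 10);                   /* PS shorter than 8 octets */
    mlen = k - zero_at - 1;
    bad |= (mlen > mmax);
    if (bad) return -1;
    memcpy(m, em + zero_at + 1, mlen);
    return (int)mlen;
}

/* Constructed premaster: version 3.1 (TLS 1.0) then 46 fixed octets. */
static void build_premaster(uint8_t pm[PREMASTER_LEN])
{
    size_t i;
    pm[0] = 0x03; pm[1] = 0x01;
    for (i = 2; i < PREMASTER_LEN; i++) pm[i] = (uint8_t)(0xa0 + i);
}

/* Fixed PS filler so the demo is reproducible. NOT a CSPRNG. */
static void demo_fill(uint8_t *ps, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) ps[i] = (uint8_t)(0x11 + i % 200);
}

/* Pad a premaster into a 128-octet block, check the layout (PS is
 * 128 - 48 - 3 = 77 octets, so the separator sits at em[79]), unpad, and
 * compare. Returns 1 on success, 0 on any mismatch. */
int demo_roundtrip(void)
{
    uint8_t pm[PREMASTER_LEN], em[MODULUS_LEN], out[MODULUS_LEN];
    int n;
    build_premaster(pm);
    if (pkcs1_v15_pad(em, sizeof em, pm, sizeof pm, demo_fill) != 0) return 0;
    if (em[0] != 0x00 || em[1] != 0x02 || em[79] != 0x00) return 0;
    n = pkcs1_v15_unpad(em, sizeof em, out, sizeof out);
    return n == PREMASTER_LEN && memcmp(out, pm, PREMASTER_LEN) == 0;
}

/* Overwrite octet pos of a valid block with val and return what the
 * decoder says (-1 for a wrong block type, a zero inside PS, or a
 * separator that has been overwritten). */
int demo_tampered(size_t pos, uint8_t val)
{
    uint8_t pm[PREMASTER_LEN], em[MODULUS_LEN], out[MODULUS_LEN];
    build_premaster(pm);
    pkcs1_v15_pad(em, sizeof em, pm, sizeof pm, demo_fill);
    em[pos] = val;
    return pkcs1_v15_unpad(em, sizeof em, out, sizeof out);
}
```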


Using NAS-Port-Type to allow or disallow?

2005-09-22 Thread Martin . Ward

Hi all,

I have succumbed and purchased the RADIUS book from O'Reilly, but it'll be
a few days in coming so I'm going to have to bug you all again.

I'm still having problems understanding if I can allow some users access to
some equipment and others to other kit. I thought I could do it but I'm
having real problems, probably with my lack of understanding...

I have a wireless LAN switch which has access points ( APs ) connected to
it. When a laptop first connects to an AP that AP sends a RADIUS request
through the WLAN switch to the RADIUS server, passing the MAC address of
the laptop as the User-Name and also as the User-Password. I have a simple
flat file with all the allowed MAC addresses in it, and the passwd module
is being used to verify that the MAC address is in that flat file. This
works well.

Now because the WLAN switch is configured to use RADIUS to authenticate
laptops, it also uses it to authenticate logins to the switch itself, I
haven't found a way around this and don't think there is one. This means
that you can gain access to the WLAN switch by using the MAC address of
your laptop as the user name and password, albeit with fairly high
restrictions on what you can do. This is a security problem for two
reasons:

1. Obviously anyone figuring this out can gain access to kit they should
not have access to (there are other ways of stopping this, but you'll
excuse me if I don't mention them here).
2. The proper administrators, and the default administration login itself,
have to be put in to the flat file I mentioned above to allow the
administrators access to the switch. The switch won't use its own internal
user and password list. This causes another security breach as we would
have to leave administrator logins and passwords lying around in flat
files, which is extremely insecure and just begging to be broken. I have
been trying to get administrator access to authenticate via the Unix module
since the RADIUS server is on a Linux box. Alas I have been unable to get
this to work.

Investigation reveals that when the AP passes the RADIUS request in, the
request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the
correct port value, while when the switch requests a login to be
authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't
have the NAS-Port-ID or NAS-Identifier parameters set.

So, it seems I have lots of information to help me define if a RADIUS
request is coming from an access point (which requires MAC address
validation) or from the switch (which requires login username and password
validation), but I can't find a way of verifying via passwd OR Unix module,
only via both.

Is what I am after possible, or do I just not understand the way RADIUS
servers work?

|\/|artin
--
Senior Network Administrator, NEC (Europe) Ltd.
Acton extension: 3379
NEC*Net: 800-44-21-3379
Direct: +44 20 8752 3379
Fax: +44 20 8752 3389
Mobile: +44 7721 869 356



Re: cannot return access accept from proxy to client

2005-09-22 Thread Alan DeKok
Wilson Lie [EMAIL PROTECTED] wrote:
> I suspect that the freeradius will return failed at once when
> username attribute is not found and because the username attribute
> won't be included in the access-accept packet.

  No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.

> The sql can be executed successfully when host B acts as
> authentication server.

  Look at the differences between the two queries.  They ARE different.

> So maybe I should ask can freeradius be configured as both
> authentication server and proxy server at the same host ?

  Yes.  Many, many people have configured this successfully.  If your
site doesn't work, it's because something is going wrong in your local
config, and debug mode will tell you.

  Alan DeKok.



Re: Unknown Auth-Type eap in authenticate section.

2005-09-22 Thread Alan DeKok
Wulf Kaiser [EMAIL PROTECTED] wrote:
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> radiusd.conf[124] Unknown Auth-Type eap in authenticate section.

  That error is a bit misleading, and should be fixed.

  What's happening is that the EAP module is failing to start
properly, and exiting.  The module handling code doesn't properly
detect the difference between no EAP and failed EAP.

  But the EAP module *should* print out messages saying why it failed.

  Alan DeKok.



Re: accounting analysis

2005-09-22 Thread Guy Fraser
On Thu, 2005-22-09 at 13:58 +0200, Marc-Henri Boisis-delavaud wrote:
> Hello
> do you know of a free tool to generate analysis from freeradius accounting ?
> ---
> Marc
We account to an SQL database and write queries to generate 
monthly reports. When we are looking for other trends or are
trying to track something down we write one off queries.

If you are not using SQL for accounting, you might want to 
look at radreport. I may be able to do what you want or 
customized to do what you want.

Whatever you use, it will likely need hands on knowledge 
and tweaking, because very few circumstances are the same.




RE: cannot return access accept from proxy to client

2005-09-22 Thread Wilson Lie
Hi, thanks for your help. I'm not sure that I can tell the case clearly enough,
but I'm afraid that you misunderstood the question.

Kindly help me again or correct me if I'm really wrong.

>   No.  FreeRADIUS doesn't care about User-Name's in Access-Accept.

Yes, for a normal Access-Accept, if Host B acts as server, the access-accept can
be sent back to the client.
But when the access-accept is sent from host A -> Host B, from host B's debug log
it can be seen that, as user-name is missing, the [sql] module cannot be run;
freeradius returns failed in [sql], where [sql] refers to the post-auth query in
this case and the statement contains the User-name attribute
(e.g. update xxx set xxx where username=attribute).

So I would like to ask if there is any special handling by freeradius in this
case? As the post-auth [sql] section is configured in sql.conf, it should be the
same because only one post-auth query can be configured.

Or can the user-name attribute never be included in the post-auth query in this
case? (i.e. Host B acts as both proxy and auth-server)
Many thanks!

 

 Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 3
radius_xlat:  
'/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921'
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/reply-detail-20050921
  modcall[post-auth]: module reply_log returns ok for request 3
rlm_sql (sql): Processing sql_postauth
radius_xlat:  ''
  modcall[post-auth]: module sql returns fail for request 3
modcall: group post-auth returns fail for request 3
Delaying request 3 for 1 seconds
Finished request 3
=



EAP-TLS authentication problem

2005-09-22 Thread park jeho

Hi all!

I have one problem with the wireless connection after the authentication procedure
using the EAP-TLS authentication method through a radius server.

I have not solved this problem for about two weeks .. :-)
What I am wondering about is that after xsupplicant prints out the AUTHENTICATED message, my
wireless card still can't connect to the AP or other links.

I can't get any ping reply from other hosts!

But during the authentication procedure, the radius server sent an Access-Accept
message with MS-MPPE-Recv-Key and MS-MPPE-Send-Key to the AP,

then xsupplicant displays an authentication success message like below:
-[ALL] Got EAP-Success!
-Authenticated!

[ testbed ]

WN (192.168.1.2) -- wireless network -- AP (192.168.1.1) -- LAN -- Authentication Server (192.168.1.3)


- WN
[hardware] : thinkpad R52
[OS]: debian3.1, kernel 2.6.11.11
[software] :
xsupplicant 1.2pre and 1.2.1  configuration file -
openssl 0.9.7a
ieee802 v1.0.3
ipw2200 v1.0.6 ( intel pro/wireless 2915ABG )
xsupplicant configuration:
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant-tls.conf


- AP
[hardware] : ASUS wl500g, firmware v 1.9.4
configuration info : 
http://jhpark.guideline.co.kr/project/mds/AP/ap_config_info.txt



- Authentication Server
[hardware] : toshiba tecra m3
[OS]: debian3.1, kernel 2.6.13
[software]:
freeradius v1.0.4, openssl v0.9.7e ( /usr/lib is base install path )
freeradius configuration :
radiusd.conf -
http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.conf

eap.conf - http://jhpark.guideline.co.kr/project/mds/freeradius/eap.conf
other config - http://jhpark.guideline.co.kr/project/mds/freeradius/

1. association command with iwconfig
[EMAIL PROTECTED] eth1 essid asus key [x: 26 hex key which was setup 
in AP wep key] open


2. xsupplicant exec command
[EMAIL PROTECTED]/usr/local/sbin/xsupplicant -i eth1 -d 7 -f -c 
/root/xsupplicant-tls.conf


3. interface up
[EMAIL PROTECTED] eth1 92.168.1.3 netmask 255.255.255.0 up


And as a result, I got this xsupplicant result message:
-snip 

Stats for Interface eth1 :

EAPOL Frames RX:  8   EAPOL Frames TX:  8
EAPOL Starts TX:  1   EAPOL Logoff TX:  0
EAPOL Resp. ID TX  :  1   EAPOL Resp. TX :  6
EAPOL Req. ID RX   :  1   EAPOL Req. RX  :  6
EAPOL Invalid Frame:  0   EAP Length Error   :  0
Last EAPOL Version :  1   Last EAPOL Src.:00 11 D8 24 69 AA
EAPOL Success  :  1   EAPOL Failure  :  0

[STATE] Backend State : RECEIVE -> SUCCESS
[STATE] Backend State : SUCCESS -> IDLE
[ALL] Got Frame :

 snip -
Processing EAPoL-Key!
[INT] Key Descriptor   = 1
[INT] Key Length   = 13
[INT] Replay Counter   = 83 AA 80 92 94 9F 62 2A
[INT] Key IV   = B9 11 F5 37 D3 57 75 DB C4 F7 F1 47 98 BB 55 58
[INT] Key Index (RAW)  = 83
[INT] Key Signature= C2 76 90 CD 97 20 AA CF 8A EB 12 C8 DD 45 BC B9
[INT] EAPoL Key Processed: unicast [4] 13 bytes.
[INT] Using peer key!
*WARNING* This AP uses the key generated during the authentication
process.  If reauthentication doesn't happen frequently enough your connection
may not be very secure!
[INT] Successfully set WEP key [4]
[INT] Successfully set the WEP transmit key [4]
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set
[STATE] AUTHENTICATING -> AUTHENTICATED
[ALL] Canceled timer for 'authentication timer'!
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set

--

The full xsupplicant message is here:
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant.result




Above all, I can't be sure that the AP and WN (client) have succeeded in making a correct
pairwise transient key.
If the pairwise transient key was made perfectly, why can't the WN node connect to
other network links?


Here is the radiusd message during processing of the above client request.
[EMAIL PROTECTED] -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile 

WPA with freeradius

2005-09-22 Thread poczta
Hello

I want to configure freeradius with a hardware adsl router ... could you
suggest me some?

I've got a linksys wag54g which doesn't support pure radius but WPA radius..
is it possible to make them work together with my freeradius server?

any hints, links (!), anything...

I've searched faqs and lists but I haven't found anything special (or I
didn't search enough)

thanks
wasyl



Re: cannot return access accept from proxy to client

2005-09-22 Thread Alan DeKok
Wilson Lie [EMAIL PROTECTED] wrote:
> But I'm afraid that you misunderstood the question.

  I understood it fine.  My response should have been clear.

> Yes, for normal Access-Accept if Host B act as server , the
> access-accept can be sent back to client

  The problem has NOTHING to do with host B or Access-Accept.

> But when access-accept is sent from host A -> Host B , from host B debug
> log, it can be seen that
> as user-name is missing,  the [sql]  module cannot be run ,

  No, the SQL module *is* run, but it is telling you that the query
YOU CONFIGURED did not return any matches.

> freeradius return failed in [sql]
> where [sql]  refers to post-auth query in this case and the statement
> contains  User-name attribute
> (e.g.  update xxx set xxx where username=attribute )

  The post-auth query is updating the SQL database with data from the
Access-Request packet.  If that Access-Request packet does not contain
a User-name, then the SQL query will not work.

  This has nothing to do with Access-Accept, or host A, or host B.

> So I would like to ask if any special handling  by freeradius in this case ?

  I can't parse that sentence.

> As the post-auth [sql] section is configured in sql.conf  and it should be
> same because only one post-auth query
> can be configured.

  You can configure multiple SQL modules, where one has a
postauth_query and the other does not.  See the documentation.

> Or user-name attribute can never be included  in the post-auth query in
> this case ? ( i.e. Host B acts as both proxy and auth-server)

  It's up to YOU to decide that.  That's why the queries are
configurable.  If the queries aren't doing what you want, edit them.
If the server isn't doing what you want, edit the configuration files.

  Alan DeKok.


Re: Realm extraction

2005-09-22 Thread Alan DeKok
Dmitry Alekhin [EMAIL PROTECTED] wrote:
> I am new in free radius , so I have one question: How can I extract Realm
> attribute in
> radiusd.conf name?

  Use the Realm attribute.  The debug log will show you that the
realm module is adding this attribute.

   Alan DeKok.



Re: howto reset rlm_sqlcounter

2005-09-22 Thread Alan DeKok
Bart van Daal [EMAIL PROTECTED] wrote:
> two possible options I think of to reset the counter are:
> 1. write a program to manipulate the gdbm file. Where is this file stored?

  If you're using rlm_sqlcounter, it's not in a GDBM file.  It's in SQL.

  If you're using rlm_counter, the location of the GDBM file is set in
the configuration file.

> 2. keep adding the minutes to the already existing value for the
> session-time.

  You can't do that.

  Alan DeKok.


Re: Transmitted data to radius server.

2005-09-22 Thread Alan DeKok
Iandc Davies [EMAIL PROTECTED] wrote:
> Therefore data[20] is mapped to a pointer attr.
>
>   attr[0]   -> holds vp->attribute
>   attr[1]   -> holds vp->length

  And attr[2], if it exists, is vp->strvalue or vp->lvalue.

  *Please* read the RFC's.  They describe the format of RADIUS packets
and attributes.  They answer a LOT of these questions.

> Many thanks and a promise to buy you a drink or three if I see you ;-)

  If you're ever in California...

  Alan DeKok.


Re: WPA with freeradius

2005-09-22 Thread Vladimir Vuksan

[EMAIL PROTECTED] wrote:


i want to configure freeradius with hardware adsl router ... could you
suggest me some?

i've got linksys wag54g which doesn't support pure radius but WPA radius..
is it possible to make them work together with my freeradius server?
 



Yes. WPA RADIUS is so-called WPA Enterprise, which covers among others 
EAP-TTLS, PEAP etc. Linksys WRT54G works quite nicely with FreeRADIUS. 
Please follow this document to get FreeRADIUS configured:


http://www.tldp.org/HOWTO/8021X-HOWTO/


Implementation advice needed.

2005-09-22 Thread Daniel Corbe
Hello,

I'm looking for a couple of suggestions as to how to implement some
specifics.  I've set up a FreeRADIUS server to do AAA primarily in a
SIP environment.

I've got a B2BUA which attempts to authorize outgoing calls.  I want
to use this to do Least Cost Routing.

Upon an INVITE packet, the B2BUA sends the following attributes

User-Name = 1234
User-Password = .
NAS-IP-Address = 10.10.17.5
NAS-Port = 1000
Called-Station-Id = 5551212
Calling-Station-Id = 1234

This is enough information for me to authorize the phone call.

Here are my questions

1) I have tariff tables stored in a back-end database.  What would be
the best way to go about looking up this information?  Is there some
way to execute a custom SQL lookup to pull this information back?  Or
should I be calling exec to say a custom script?

2) If exec is the best way to go about doing this, am I correct in
reading the documentation that my script should be returning 0
(Access-Accept) or 1 (Access-Reject)?

3) I can customize my B2BUA so it accepts an IP address to forward a
SIP request along.  Is there a way either from exec or another method
to add RADIUS attributes to the reply packet?  That way I can do true
LCR and tell the B2BUA which gateway to forward the request to.

Thanks.

-Daniel



Re: Bus error - core dumped on freeradius 1.0.5

2005-09-22 Thread Alan DeKok
Rohaizam Abu Bakar [EMAIL PROTECTED] wrote:
 So it seems the problem happens only on FreeBSD 4.X, not on all FreeBSD..

  Sounds to me like a problem with FreeBSD.

  Alan DeKok.


Re: Serializing database requests

2005-09-22 Thread Alan DeKok
Mike Chamberlain [EMAIL PROTECTED] wrote:
 But the authorize procedure
 takes longer to process than the stop accounting procedure, meaning
 that the stop procedure completes before the authorize.  This means
 that in effect the two messages get processed back to front.  In our
 scenario this leaves a call open in the database that will never be
 closed.
 
 How do other people cope with this? 

  Post-processing the logs, and looking for these cases.

  Or, delay logging data to the SQL database.  i.e. in the CVS head,
there's an rlm_sql_log module that logs SQL queries to a file.  You
can later post-process the logs.

 Is there some way of forcing FreeRadius to serialize requests from
 the same username so it won't issue a new one until it has received
 a response for an existing one?

  Not really.

  Alan DeKok.


Re: proxy EAP/PAP ?

2005-09-22 Thread Alan DeKok
Tim Winders [EMAIL PROTECTED] wrote:
 So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius
 on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP
 authentication?  I'm reading the proxy doc, but I don't see anything about
 that, or if it's even applicable.

  For EAP-TTLS with tunneled PAP, you can do:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := tru64

  And the inner session will be proxied.

  Alan DeKok.


Re: stdout on startup

2005-09-22 Thread Alan DeKok
Duane Cox [EMAIL PROTECTED] wrote:
 Is there any way to prohibit (without editing the source or redirecting the 
 output to /dev/null) freeradius from displaying the
 following message to stdout on startup?

  No.  Edit the source.

  Alan DeKok.


Re: Transmitted packet

2005-09-22 Thread Alan DeKok
Iandc Davies [EMAIL PROTECTED] wrote:
 So, if I was to send a packet to the radius server, what format would it be?

  Ideally, you use the API's, and don't worry about the format.
That's what API's are for.

 I was running under the understanding that I needed to populate the
 contents of the RADIUS_PACKET structure,
 therefore :-

  Yes.  See rad_send(), which uses these fields to create a RADIUS packet.

 Apart from the above is there anything else that needs filling in ?

  The socket to use? packet->sockfd is used to send the packet.

  And the IP addresses to use, including ports.

  Alan DeKok.



Re: is this possible ?

2005-09-22 Thread Alan DeKok
TK Lew [EMAIL PROTECTED] wrote:
 handset -- authenticated successfully -- Steelbelt radius forwards the
 accounting packet to Freeradius and the application will do a lookup
 for the MSISDN that matches the IP address before allowing the handset to use
 the services.
 
 Is this possible ?? 

  Yes.  You can execute any program you want from FreeRADIUS, and that
program can add any RADIUS attribute to the reply.


 I have tried to use the variable such as %{Calling-Station-Id} in the
 access-reply message but no values assign.

  See the debug log for why.

  Also, it might help if you posted the configuration.  Saying "I did
stuff and it didn't do what I expect" means that it's impossible for
anyone to help you.

  Alan DeKok.



Re: Using NAS-Port-Type to allow or disallow?

2005-09-22 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I have a wireless LAN switch which has access points ( APs ) connected to
 it. When a laptop first connects to an AP that AP sends a RADIUS request
 through the WLAN switch to the RADIUS server, passing the MAC address of
 the laptop as the User-Name and also as the User-Password. I have a simple
 flat file with all the allowed MAC addresses in it, and the passwd module
 is being used to verify that the MAC address is in that flat file. This
 works well.

  OK...

 Now because the WLAN switch is configured to use RADIUS to authenticate
 laptops, it also uses it to authenticate logins to the switch itself, I
 haven't found a way around this and don't think there is one.

  The access point login packets will be different from the mac
address login packets.  Use those differences as a key to decide when
to allow MAC address authentication.

 2. The proper administrators, and the default administration login itself,
 have to be put in to the flat file I mentioned above to allow the
 administrators access to the switch. The switch won't use its own internal
 user and password list. This causes another security breach as we would
 have to leave administrator logins and passwords lying around in flat
 files, which is extremely insecure and just begging to be broken.

  So use crypt'd passwords in FreeRADIUS.

 Investigation reveals that when the AP passes the RADIUS request in, the
 request sets 'NAS-Port-Type = Wireless-802.11' and the NAS-Port-ID to the
 correct port value, while when the switch requests a login to be
 authenticated the request contains 'NAS-Port-Type = Virtual', and doesn't
 have the NAS-Port-ID or NAS-Identifier parameters set.

  There you go.

 So, it seems I have lots of information to help me define if a RADIUS
 request is coming from an access point (which requires MAC address
 validation) or from the switch (which requires login username and password
 validation), but I can't find a way of verifying via passwd OR Unix module,
 only via both.

  See doc/Autz-Type

  In the users file, do:

DEFAULT  NAS-Port-Type == Virtual, Auth-Type := System

DEFAULT  NAS-Port-Type == Wireless-802.11, Autz-Type := bar

DEFAULT  Auth-Type := Reject

  Then in radiusd.conf, authorize section, add at the bottom:

  Autz-type bar {
passwd
  }

  And it should work.

 Is what I am after possible, or do I just not understand the way RADIUS
 servers work?

  It's possible.  You've described the problem and the information you
have well.  All you need is pointers to the docs & sample configurations.

  Alan DeKok.


RE: is this possible ?

2005-09-22 Thread Tim Winders
   Yes.  You can execute any program you want from FreeRADIUS, and that
 program can add any RADIUS attribute to the reply.

Stealing someone else's thread...

OK!  I've looked through the docs and don't see how to do this.  I can
really use this capability.  Very cool!

Can you point me to a /doc or URL where this is explained?

---

Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336 


Re: Realm extraction

2005-09-22 Thread Dmitry Alekhin
Thanks for help :)

But it does not work :(

Here is my radiusd.conf

---

ldap{
server = localhost
identity = uid=Admin,ou=Staff,dc=example,dc=com
password = secret
basedn = ou=People,dc=example,dc=com
filter =
(uid=%{Stripped-User-Name:-%{User-Name}},ou=%{Realm})

 Realm section is still untouched

   #
#  Using this entry, IPASS users have their realm set to IPASS.
realm IPASS {
format = prefix
delimiter = /
ignore_default = no
ignore_null = no
}

 #
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
}

#  'username%realm'
#
realm realmpercent {
format = suffix
delimiter = %
ignore_default = no
ignore_null = no
}

#
#  'domain\user'
#
realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}


Below is debug:
modcall: entering group authorize for request 0
rlm_realm: Looking up realm example.com for User-Name = example.com
rlm_realm: No such realm example.com
  modcall[authorize]: module suffix returns noop for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module attr_filter returns noop for request 0
rlm_realm: Looking up realm example.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm example.com
  modcall[authorize]: module suffix returns noop for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
  modcall[authorize]: module files returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for [EMAIL PROTECTED]
radius_xlat:  '([EMAIL PROTECTED],ou=)'
radius_xlat:  'ou=People,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as uid=Admin,ou=Staff,dc=example,dc=com/secret to
localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=example,dc=com, with filter
([EMAIL PROTECTED],ou=)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 0
...

As you can see ou is empty.



- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Sent: Thursday, September 22, 2005 9:34 PM
Subject: Re: Realm extraction


 Dmitry Alekhin [EMAIL PROTECTED] wrote:
  I am new in free radius, so I have one question: How can I extract the
Realm attribute in
  radiusd.conf name?

   Use the Realm attribute.  The debug log will show you that the
 realm module is adding this attribute.

Alan DeKok.




Re: Realm extraction

2005-09-22 Thread Bjørn Mork
Dmitry Alekhin [EMAIL PROTECTED] writes:

 rlm_realm: Looking up realm example.com for User-Name = [EMAIL 
 PROTECTED]
 rlm_realm: No such realm example.com

Maybe you should add something like this to proxy.conf?

realm example.com {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
}


Bjørn

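A small model of what one rlm_realm instance does with a User-Name, added as an example for the Realm thread above (Dmitry's empty %{Realm} and Bjørn's proxy.conf fix); it is not the module's code, and it simplifies the real lookup (which is case-insensitive) and ignores the proxy path. The realm tables passed in are constructed.

```python
DEFAULT_REALM = "DEFAULT"   # the catch-all realm name the server recognises


def split_realm(user_name, fmt, delimiter, realms,
                ignore_default=False, ignore_null=False):
    """Return the attributes the module would add, or None where it returns noop.

    realms maps a configured realm name to its settings, for example
    {"example.com": {"authhost": "LOCAL"}}; nostrip=True keeps the full User-Name.
    """
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)          # last delimiter wins for user@realm
    elif fmt == "prefix":
        idx = user_name.find(delimiter)           # first delimiter wins for realm/user
    else:
        raise ValueError("format must be 'prefix' or 'suffix'")
    if idx < 0:
        if ignore_null:                           # ignore_null = yes: leave the request alone
            return None
        stripped, realm_name = user_name, "NULL"  # otherwise try the realm called NULL
    elif fmt == "suffix":
        stripped, realm_name = user_name[:idx], user_name[idx + len(delimiter):]
    else:
        realm_name, stripped = user_name[:idx], user_name[idx + len(delimiter):]
    found = realm_name if realm_name in realms else None
    if found is None and not ignore_default and DEFAULT_REALM in realms:
        found = DEFAULT_REALM                     # unknown realm falls back to DEFAULT
    if found is None:
        return None                               # "No such realm": nothing is added
    cfg = realms[found]
    added = {"Realm": found}
    if not cfg.get("nostrip"):
        added["Stripped-User-Name"] = stripped
    if cfg.get("authhost", "LOCAL") != "LOCAL":
        added["Proxy-To-Realm"] = found           # non-local realms get proxied
    return added
```

With no realm configured the function returns None, which is exactly the "No such realm example.com ... returns noop" in the debug output, so a later %{Realm} expands to nothing.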


Re: choosing userprofile by NAS

2005-09-22 Thread N White

Jonathan De Graeve wrote:


I'm looking for the same thing but then with an SQL backend instead of
LDAP

J.

 

Search for my previous post listed by the subject 
"Authenticate/Attributes based on NAS-IP-Address". I did this same thing; 
it requires modifying the SQL SELECT statements in sql.conf, and in my 
case, adding several columns to the radgroupcheck, radreply, and 
radgroupreply tables (one for each NAS/Client). Let me know if you need 
further help.


--
---
| Nick White  |
| Network Administrator   |
| Tele-NET Internet   |
| http://www.tele-net.net |
| [EMAIL PROTECTED] |
---



Re: howto reset rlm_sqlcounter

2005-09-22 Thread N White

Bart van Daal wrote:


Hi All,

I'm authenticating users who can buy a specified amount of time to 
go online. I'm using the rlm_sqlcounter module with a reset=never

option because there is no specified amount of time in which users
have to use their  minutes.
A user can also buy additional minutes or when his minutes are depleted,
a new subscription.

two possible options I think of to reset the counter are:
1. write a program to manipulate the gdbm file. Where is this file stored?
2. keep adding the minutes to the already existing value for the
session-time.


I was wondering if there was an 'easy' way to reset the counter for a user.

thanks,
kind regards,
Bart van Daal



Bart van Daal
Network Operations

Van Landeghemstraat 20
9100 SINT-NIKLAAS
[EMAIL PROTECTED]
www.edpnet.be
T +32 (0)3 265 67 00
F +32 (0)3 265 67 01






 

I use this for hotspot customers - whenever their time runs out they 
purchase more time via a webpage, and the page updates their 
Max-All-Session in the SQL database (adds time).


--
---
| Nick White  |
| Network Administrator   |
| Tele-NET Internet   |
| http://www.tele-net.net |
| [EMAIL PROTECTED] |
---



No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-22 Thread Linus van Geuns
Hi!

I've tried to establish a TLS-secured connection between
freeradius-1.0.1-3 (Red Hat Enterprise Linux 4) and an openldap server. I
tried every combination of tls_mode, start_tls and tls_require_cert, but
I never got more than this error:

(/etc/raddb/radiusd.conf)
---8<---
ldap {
server = MYLDAPSERVER.ira.uka.de
port = 389
identity = uid=MYUSERNAME, ou=MYUNIT, dc=ira, dc=uka, dc=de
password = MYPASSWORD
basedn = ou=MYUNIT,dc=ira,dc=uka,dc=de
filter = (uid=MYPREFIX-%u)
start_tls = yes
tls_mode = no
tls_cacertdir = /etc/raddb/cacerts/
tls_require_cert = demand
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
# No useful error msg w/o 0x
ldap_debug = 0x
}
---8<---


(/var/log/radius/radius.log)
---8<---
Error: rlm_ldap: could not start TLS Connect error
Error: rlm_ldap: (re)connection attempt failed
---8<---

The problem was:
(/usr/sbin/radiusd -X)
---8<---
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject:
/C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS, Fakultaet
fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED],
issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS,
Fakultaet fuer Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS certificate verification: depth: 0, err: 0, subject:
/C=DE/ST=Germany/L=Karlsruhe/O=Universitaet
Karlsruhe/OU=ATIS/CN=MYLDAPSERVER.ira.uni-karlsruhe.de/[EMAIL PROTECTED],
issuer: /C=DE/ST=Baden/L=Karlsruhe/O=Universitaet Karlsruhe/OU=ATIS,
Fakultaet fuer
Informatik/CN=MYCACERTIFICATE/[EMAIL PROTECTED]
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in
certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).
rlm_ldap: ldap_start_tls_s()
ldap_err2string
rlm_ldap: could not start TLS Connect error
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
TLS trace: SSL3 alert write:warning:close notify
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
---8<---


The important one is:
TLS: hostname (MYLDAPSERVER.ira.uka.de) does not match common name in
certificate (MYLDAPSERVER.ira.uni-karlsruhe.de).

MYLDAPSERVER.ira.uka.de is an alias for
MYLDAPSERVER.ira.uni-karlsruhe.de (hostname used in the certificate).
After I set
server = MYLDAPSERVER.ira.uni-karlsruhe.de
in my radiusd.conf the TLS connection worked without any problem.

Maybe this mail will save someone the amount of time I had to waste,
figuring it out.. :-/

_And_ maybe this mail inspires some of the developers to report the
appropriate error message instead of rlm_ldap:  could not start TLS
Connect error.

Linus van Geuns.

PS:
Every certificate of a certificate authority in tls_cacertdir needs
to be accessible by its openssl hash as filename. This can be achieved
as follows:
In tls_cacertdir run: CERT=CACERTFILENAME; ln -s ${CERT} `openssl x509
-noout -hash -in ${CERT}`.0



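The check that failed in the trace above, as an added example (not OpenLDAP or FreeRADIUS code): the configured server name must match a name the certificate actually carries, with a wildcard honoured only as a whole leftmost label. The hostnames and SAN lists below are constructed; an alias such as the one Linus used only verifies if it is present as a dNSName SAN.

```python
def _label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard is honoured; partial patterns like "my*server" never match
    return pattern == "*" or pattern == label


def name_matches(hostname: str, name: str) -> bool:
    """True if the certificate name covers hostname (case-insensitive, RFC 6125 rules)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    name_labels = name.lower().rstrip(".").split(".")
    if len(host_labels) != len(name_labels):
        return False                      # a wildcard never spans more than one label
    if "*" in name_labels[1:]:
        return False                      # wildcard only allowed in the leftmost label
    if name_labels[0] == "*" and len(name_labels) < 3:
        return False                      # refuse "*.tld" style wildcards
    return all(_label_matches(p, l) for p, l in zip(name_labels, host_labels))


def certificate_covers(hostname: str, cn: str, sans=()):
    """Return the certificate name that matched hostname, or None if verification fails.

    When the certificate carries dNSName SANs only those are consulted (RFC 6125);
    the Subject CN is used only for SAN-less certificates like the one in the trace.
    """
    candidates = list(sans) if sans else [cn]
    for name in candidates:
        if name_matches(hostname, name):
            return name
    return None
```

certificate_covers("MYLDAPSERVER.ira.uka.de", "MYLDAPSERVER.ira.uni-karlsruhe.de") returns None, which is the mismatch rlm_ldap hid behind "could not start TLS Connect error"; the fix is to configure the name on the certificate, as Linus did, or reissue the certificate with the alias as a SAN, never to set tls_require_cert to something weaker.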

Re: is this possible ?

2005-09-22 Thread Alan DeKok
Tim Winders [EMAIL PROTECTED] wrote:
 OK!  I've looked through the docs and don't see how to do this.  I can
 really use this capability.  Very cool!
 
 Can you point me to a /doc or URL where this is explained?

  rlm_exec, and scripts/exec-program-wait

  Alan DeKok.
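An rlm_exec / Exec-Program-Wait script of the kind Alan is pointing to, written here as an added example for Daniel's least-cost-routing questions earlier in the digest (it is not code from the thread or from the FreeRADIUS scripts directory). It assumes the documented exec conventions: request attributes arrive as environment variables (Called-Station-Id becomes CALLED_STATION_ID), "Attribute = value" lines on stdout are added to the reply when output_pairs = reply, and exit code 0 means Access-Accept, 1 Access-Reject. The tariff table is constructed, and X-LCR-Gateway is a placeholder attribute name that would have to exist in the server dictionary.

```python
#!/usr/bin/env python3
import os
import sys

# Constructed tariff table standing in for the back-end database:
# dialled-number prefix -> list of (gateway address, cost per minute)
TARIFFS = {
    "1":    [("10.10.20.9", 0.10)],
    "555":  [("10.10.20.1", 0.05), ("10.10.20.2", 0.04)],
    "5551": [("10.10.20.3", 0.02)],
}

# Placeholder name (not from the original thread): the real attribute must exist in the
# server dictionary, for example a vendor-specific attribute the B2BUA is modified to read
GATEWAY_ATTR = "X-LCR-Gateway"


def cheapest_route(called: str):
    """Longest matching prefix on Called-Station-Id, then lowest cost inside that prefix."""
    digits = "".join(ch for ch in called if ch.isdigit())
    for n in range(len(digits), 0, -1):
        routes = TARIFFS.get(digits[:n])
        if routes:
            return min(routes, key=lambda route: route[1])
    return None


def decide(attrs: dict):
    """Return (exit code, reply lines): 0 accepts the call, 1 rejects it."""
    called = attrs.get("Called-Station-Id", "")
    route = cheapest_route(called)
    if route is None:
        return 1, [f'Reply-Message = "no route for {called}"']
    gateway, cost = route
    return 0, [f'{GATEWAY_ATTR} = "{gateway}"',
               f'Reply-Message = "rate {cost:.2f} per minute"']


def attrs_from_environ(env) -> dict:
    """Map the variables rlm_exec exports back to attribute names."""
    wanted = ("User-Name", "Called-Station-Id", "Calling-Station-Id", "NAS-IP-Address")
    found = {}
    for name in wanted:
        key = name.upper().replace("-", "_")
        if key in env:
            found[name] = env[key]
    return found


def main():
    code, lines = decide(attrs_from_environ(os.environ))
    print("\n".join(lines))      # stdout becomes reply attributes; nothing else may be printed
    sys.exit(code)


if __name__ == "__main__":
    main()
```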


Re: No appropriate error message (rlm_ldap: could not start TLS Connect error)

2005-09-22 Thread Alan DeKok
Linus van Geuns [EMAIL PROTECTED] wrote:
 _And_ maybe this mail inspires some of the developers to report the
 appropriate error message instead of rlm_ldap:  could not start TLS
 Connect error.

  You just volunteered to write the patch.

  Please mail it to the list when it's ready.

  Alan DeKok.