Re: 802.1x

2005-11-02 Thread Oliver Graf
On Tue, Nov 01, 2005 at 09:27:57PM -0500, Alex M wrote:
> What is the difference between plain Radius identification compared to
> 802.1x?

Basically 802.1x is between client and NAS, and radius is between NAS
and AAA server. So how would you compare them?

Oliver.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP MS_CHAP V2: problem with tunnel attributes on enterasys V2 switch

2005-11-02 Thread slapeyre
Yes, I know that the V2 switches (and all Enterasys switches) support EAP-MD5,
but I want to implement EAP-PEAP with MS-CHAPv2 and VLAN assignment.

It wasn't a problem to configure EAP-PEAP with the FreeRADIUS server (running on
SUSE) and Enterasys switches.
I want to implement VLAN assignment on an
Enterasys switch.

Any tips?
Is it necessary to activate or configure something on FreeRADIUS to use tunnel
parameters?
Thank you in advance.

Best regards

Stephane



Quoting Zoltan Ori [EMAIL PROTECTED]:

> On Friday 28 October 2005 10:40, [EMAIL PROTECTED] wrote:
>
> > I am new to this list and would like to know if someone out there
> > has been successful in implementing EAP-PEAP user authentication
> > and VLAN assignment with freeradius and Enterasys V2 switches?
>
> The V2 switches (and all Enterasys switches) support EAP-MD5.
>
> Zoltan Ori



using ldap, sql and pam for user authentification

2005-11-02 Thread Markus Krause
hi all!

i want to configure the freeradius server (1.0.5) to use ldap, sql and pam as
source for user authentication. i only get the first two to work at the same
time (ldap and sql) but not together with pam.

if i use this in /etc/raddb/users:
# users
wlan       Auth-Type = EAP
testuser   Auth-Type := Local, User-Password == secret
--

all users in ldap and sql (and of course the testusers in the users file) can
be authorized, but users in pam can not; radiusd says:
# radiusd debug output
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
-

with the following in /etc/raddb/users:
# users
DEFAULT    Auth-Type = Pam
           Fall-Through = Yes
wlan       Auth-Type = EAP
testuser   Auth-Type := Local, User-Password == secret
-
users in pam get an access-accept message, but not those in ldap and sql (nor
the testuser in users).

the debug output for a user in sql says:
# radiusd debug output (only important parts as i assume)
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module files returns ok for request 6
rlm_ldap: - authorize
rlm_ldap: performing user authorization for nig49594
radius_xlat:  '(uid=nig49594)'
radius_xlat:  'dc=mogli,dc=de'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=mogli,dc=de, with filter (uid=nig49594)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns notfound for request 6
radius_xlat:  'nig49594'
rlm_sql (sql): sql_set_user escaped user -- 'nig49594'
[snipp sql queries]
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns ok for request 6
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: (Check item - counter) is greater than zero
rlm_sqlcounter: Authorized user nig49594, check_item=1, counter=0
rlm_sqlcounter: Sent Reply-Item for user nig49594, Type=Session-Timeout, value=1
  modcall[authorize]: module onedayaccounts returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for nig49594. Reason: User not
known to the underlying authentication module
  modcall[authenticate]: module pam returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
-

same for an ldap user:
# radiusd debug output (snipped again)
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat:  '(uid=ldapuser)'
radius_xlat:  'dc=mogli,dc=de'
[snipp]
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
radius_xlat:  'ldapuser'
rlm_sql (sql): sql_set_user escaped user -- 'ldapuser'
[snipp]
rlm_sql (sql): User ldapuser not found in radcheck
rlm_sql (sql): User ldapuser not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns notfound for request 0
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module onedayaccounts returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Pam
auth: type PAM
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string radiusd for pam.conf lookup
pam_pass: function pam_authenticate FAILED for ldapuser. Reason: User not
known to the underlying authentication module
  modcall[authenticate]: module pam returns reject for request 0
modcall: group authenticate returns reject for request 0
auth: Failed to validate the user.
Login incorrect: [ldapuser] (from client wlan port 0)
-

it seems that pam returns reject if a user is not found by pam; sql and
ldap return notfound.

how can i set up the pam part to return notfound and not overwrite the ok
request by the other modules?

thanx in advance for your help!
 regards
   markus


--
Markus Krause                   email: [EMAIL PROTECTED]
Computing Center                Tel.: 089 - 89 40 85 99
Group Lottspeich / Proteomics   Fax.: 089 - 89 40 85 98

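
A per-request reading of the debug output in the post above, as an added example (not from the poster or the FreeRADIUS project): it records which users-file entry matched, which Auth-Type was picked and which module rejected. The log lines are excerpted from the post; the function names are hypothetical, and lines without a request number are assumed to belong to the request seen last, as in sequential debug output.

```python
import re

# Excerpt of the radiusd debug output quoted in the post above (request 6, an SQL user).
DEBUG_LOG = """\
modcall: entering group authorize for request 6
  modcall[authorize]: module preprocess returns ok for request 6
users: Matched entry DEFAULT at line 1
  modcall[authorize]: module files returns ok for request 6
  modcall[authorize]: module ldap returns notfound for request 6
  modcall[authorize]: module sql returns ok for request 6
  modcall[authorize]: module onedayaccounts returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type Pam
modcall: entering group authenticate for request 6
  modcall[authenticate]: module pam returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
"""

ENTER = re.compile(r"modcall: entering group (\w+) for request (\d+)")
MODULE = re.compile(r"modcall\[(\w+)\]: module (\S+) returns (\w+) for request (\d+)")
MATCHED = re.compile(r"users: Matched entry (\S+) at line (\d+)")
AUTH_TYPE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")


def _new_request():
    return {"matched": [], "auth_type": None, "authorize": {}, "authenticate": {}}


def summarize(log_text):
    """Group debug lines by request number.

    'users: Matched entry' and 'Found Auth-Type' lines carry no request number,
    so they are attached to the request whose modcall lines were seen last.
    """
    requests, current = {}, None
    for line in log_text.splitlines():
        m = ENTER.search(line)
        if m:
            current = requests.setdefault(int(m.group(2)), _new_request())
            continue
        m = MODULE.search(line)
        if m:
            current = requests.setdefault(int(m.group(4)), _new_request())
            # section name -> {module name: return code}
            current.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        if current is None:
            continue
        m = MATCHED.search(line)
        if m:
            current["matched"].append((m.group(1), int(m.group(2))))
            continue
        m = AUTH_TYPE.search(line)
        if m:
            current["auth_type"] = m.group(1)
    return requests


def explain(req):
    """One-line account of how a request was routed and where it was rejected."""
    ok_from = [name for name, rc in req["authorize"].items() if rc == "ok"]
    rejected_by = [name for name, rc in req["authenticate"].items() if rc == "reject"]
    entries = ", ".join("%s (line %d)" % e for e in req["matched"]) or "none"
    return ("users entries matched: %s; authorize ok from: %s; "
            "Auth-Type: %s; rejected by: %s"
            % (entries, ", ".join(ok_from) or "none",
               req["auth_type"], ", ".join(rejected_by) or "none"))


if __name__ == "__main__":
    for number, req in sorted(summarize(DEBUG_LOG).items()):
        print("request %d: %s" % (number, explain(req)))
```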

Re: New to List - First Time Set-up

2005-11-02 Thread tech13

Hi,

Start with:

http://www.oreilly.de/catalog/radius/chapter/ch05.html

It was very helpful for me.

Pierre Forget

  -- Original Message  
 Date: Tue, 1 Nov 2005 15:12:19 -0800
 From: Mark Sarria [EMAIL PROTECTED]
 Subject: New to List - First Time Set-up
   -- 
 Hello List,
 
 I have been reading about freeradius and would like to set it up in my
 sandbox environment for testing. Can you point me to the right direction on
 how to go about setting this service up. Also can you give me a brief list
 down of the items I will need on my server.
 
 At the moment I have been working with Fedora Core 3 running as my
 Samba-LDAP server, on my sandbox environment.
 
 Thanks for your help
 
 --mark
 


RE: 802.1x

2005-11-02 Thread Alex M
Now I'm totally lost...
Can u give me an example what 802.1x does?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

Alex M [EMAIL PROTECTED] wrote:
> So then such features as bandwidth and port blocking could be controlled via
> 802.1x?

  No.

  Alan DeKok.


Re: freeradius with static IP

2005-11-02 Thread Dusty Doris

On Tue, 1 Nov 2005, Daniel Torres wrote:

> Hi,
>
> First of all excuse my English it is not very well, I wanted to know if
> somebody has been able to set a freeradius server to assign static IP or
> if it is possible to assign static IP with freeradius1.0.5.
>
> Thanks for the information.

Yes, I do it.  I return Framed-IP-Address and Framed-IP-Netmask back to
the NAS.





RE: 802.1x

2005-11-02 Thread Jeff Reilly
Alex,
Features such as "bandwidth and port blocking"
(if any) are allocated/configured on the _NAS_ (in this case a
NAS port) via AV pair/s provided by RADIUS... the "802.1x
Supplicant" (Client/Endpoint) in simple terms... provides a
secure/standard conduit which facilitates the communication of
credentials (from the Supplicant to the Authenticator). The
"802.1x Authenticator" (or NAS) _MAY_ provision/enforce
Authorization for the specific endpoint in the context of a user or
group...

The management granularity of this functionality varies greatly by
switch vendor... as a result providing this functionality across a
multi-vendor environment... in a large scale deployment... is often too
complex to seriously consider.

jmr
-------- Original Message --------
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Now I'm totally lost...
Can u give me an example what 802.1x does?


RE: 802.1x

2005-11-02 Thread Alex M

Ok I got it

By the way what is AV pair?

And how do you get NAS related attributes to
control bandwidth from vendors? Like if I'm using D-Link how could I get attributes
from them?

Thanks!

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,

Features such as "bandwidth and port blocking" (if any) are
allocated/configured on the _NAS_
(in this case a NAS port) via AV pair/s provided by RADIUS... the "802.1x
Supplicant" (Client/Endpoint) in simple terms... provides a
secure/standard conduit which facilitates the communication of credentials
(from the Supplicant to the Authenticator). The "802.1x
Authenticator" (or NAS) _MAY_ provision/enforce Authorization for the
specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly
by switch vendor as a result providing this functionality across a multi-vendor
environment... in a large scale deployment... is often too complex to seriously
consider.

jmr


Patches

2005-11-02 Thread kdr akm
Hi
I need to ask is there any patch for PPPD to send this MAC address to RADIUS?

And what about rp-pppoe is there any patch let pppoe server is probably rp-pppoe to send Mac address to pppd?

RE: 802.1x

2005-11-02 Thread Guy Davies

Which Vendor Specific Attributes are implemented by a
Vendor are, as the name suggests, specific to the vendor and totally up to them
to choose. I would not be surprised if DLink implement *NO* VSAs.
Given the market into which they're pitching their kit, I doubt very much that
their kit will do bandwidth control. Authenticating access to the port is
the basic function of 802.1x so if DLink claim 802.1x support, then you can
configure your NAS so that you don't get any access without authenticating
first.

Rgds,

Guy

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: 02 November 2005 17:04
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Ok I got it
By the way what is AV pair?
And how do you get NAS related attributes to control bandwidth from vendors?
Like if I'm using D-Link how could I get attributes from them?

Thanks!

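
The AV pairs discussed in this thread, shown as bytes on the wire: an added example (not from any poster or from FreeRADIUS) that encodes and strictly parses the reply attributes mentioned above, namely Framed-IP-Address and Framed-IP-Netmask, the tunnel attributes used for VLAN assignment, and a Vendor-Specific attribute. The address, VLAN 42, vendor number 32473 (IANA's documentation enterprise number) and the `rate=512k` payload are constructed sample values, and the helper names are hypothetical.

```python
import ipaddress
import struct

# Attribute numbers from RFC 2865 / RFC 2868; tunnel values as used in RFC 3580.
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, VENDOR_SPECIFIC = 8, 9, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

NAMES = {8: "Framed-IP-Address", 9: "Framed-IP-Netmask", 26: "Vendor-Specific",
         64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}


def avp(attr_type, value):
    """One AV pair: type (1 byte), length (1 byte, header included), value."""
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must fit in one byte")
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return bytes([attr_type, len(value) + 2]) + value


def ipv4(attr_type, address):
    return avp(attr_type, ipaddress.IPv4Address(address).packed)


def vlan_assignment(vlan_id, tag=1):
    """The three tunnel attributes a switch reads for VLAN assignment (RFC 3580)."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def vsa(vendor_id, vendor_type, data):
    """Vendor-Specific: 4-byte enterprise number, then the vendor's own
    type/length/data (the layout RFC 2865 recommends; vendors may differ)."""
    sub = bytes([vendor_type, len(data) + 2]) + data
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse(buf):
    """Split an attribute block into (type, value) pairs, refusing bad lengths."""
    pairs, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad length %d at offset %d" % (length, i))
        pairs.append((attr_type, buf[i + 2:i + length]))
        i += length
    return pairs


def decode(buf):
    """Readable (name, value) pairs for the attributes this example knows."""
    out = []
    for attr_type, value in parse(buf):
        name = NAMES.get(attr_type, "Attr-%d" % attr_type)
        if attr_type in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK) and len(value) == 4:
            out.append((name, str(ipaddress.IPv4Address(value))))
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            out.append(("%s:%d" % (name, value[0]), int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value and 1 <= value[0] <= 0x1F:
            out.append(("%s:%d" % (name, value[0]), value[1:].decode("ascii")))
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and 2 <= value[5] and 4 + value[5] <= len(value)):
            vendor = struct.unpack("!I", value[:4])[0]
            out.append(("%s[%d/%d]" % (name, vendor, value[4]), value[6:4 + value[5]]))
        else:
            out.append((name, value))  # unknown or oddly sized: keep raw bytes
    return out


def sample_reply_attributes():
    """Constructed reply: static IP, VLAN 42, one hypothetical vendor attribute."""
    return (ipv4(FRAMED_IP_ADDRESS, "192.0.2.10")
            + ipv4(FRAMED_IP_NETMASK, "255.255.255.255")
            + vlan_assignment(42)
            + vsa(32473, 1, b"rate=512k"))  # 32473: documentation enterprise number


if __name__ == "__main__":
    for name, value in decode(sample_reply_attributes()):
        print(name, "=", value)
```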

RE: 802.1x

2005-11-02 Thread Alex M

Ok, thanks

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Davies
Sent: Wednesday, November 02, 2005 12:38 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Which Vendor
Specific Attributes are implemented by a Vendor are, as the name suggests,
specific to the vendor and totally up to them to choose. I would not be
surprised if DLink implement *NO* VSAs. Given the market into which
they're pitching their kit, I doubt very much that their kit will do bandwidth
control. Authenticating access to the port is the basic function of
802.1x so if DLink claim 802.1x support, then you can configure your NAS
so that you don't get any access without authenticating first.

Rgds,

Guy


Re: SV: rlm_sql module won't compile under Solaris 10

2005-11-02 Thread M.McNeil

SUCCESS!! I already had /usr/ccs/bin in my path,
however, it was listed BEFORE /usr/sfw/bin, which apparently makes all
the difference in the world. Here are the PATH and LD_LIBRARY_PATH
environment variable settings I used, just in case someone else runs
into the same issue:

PATH=/bin:/usr/bin:/usr/ccs/bin:/usr/ucb:/usr/sbin:/usr/local/bin:/usr/sfw/bin

LD_LIBRARY_PATH=/usr/lib:/usr/include:/usr/ccs/lib:/usr/ccs/include:/usr/local/lib:/usr/local/include:/usr/sfw/lib:/usr/sfw/include

Thanks again for your assistance.

Best Regards,

Mike McNeil
Sr. Network Engineer
Communications  Network Services
University of California Berkeley

Leon Kyneur wrote:

also you will need the mysql client libraries, download the full source
and ./configure --without-server ; make && make install

On Mon, 31 Oct 2005, Torkel Mathisen wrote:

Hi

Add /usr/ccs/bin to your PATH.

Regards,

Torkel

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of M.McNeil
Sent: 28 October 2005 22:55
To: freeradius-users@lists.freeradius.org
Subject: rlm_sql module won't compile under Solaris 10
Importance: High

Hello,

I'm trying to get FreeRadius 1.0.5 to compile with MySQL / RLM_SQL,
under Solaris 10. Configure works just fine, however, after running
"make", I get the following:

gmake[7]: Entering directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql'
Making static in drivers...
gmake[8]: Entering directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers'
/usr/sfw/bin/gmake -w WHAT_TO_MAKE=static common
gmake[9]: Entering directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers'
Making static in rlm_sql_iodbc...
gmake[10]: Entering directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
gmake[10]: Nothing to be done for `static'.
gmake[10]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers/rlm_sql_iodbc'
Making static in rlm_sql_mysql...
gmake[10]: Entering directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual
-Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I../.. -I../../../../include -I/usr/local/mysql/include -xO3 -mt
-D_FORTEC_ -xarch=v8 -xc99=none -c sql_mysql.c -o sql_mysql.o
gcc: language c99=none not recognized
gcc: sql_mysql.c: linker input file unused because linking not done
/export/home/freeradius-1.0.5/libtool --mode=link ld -module -static
-g
-O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef
-I../.. -I../../../../include -I/usr/local/mysql/include -xO3 -mt
-D_FORTEC_ -xarch=v8 -xc99=none sql_mysql.o -o rlm_sql_mysql.a
mkdir .libs
(cd . && ln -s sql_mysql.lo sql_mysql.o)
ar cru rlm_sql_mysql.a sql_mysql.o
ar: cannot open sql_mysql.o
 No such file or directory
ar: sql_mysql.o not found
gmake[10]: *** [rlm_sql_mysql.a] Error 1
gmake[10]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers/rlm_sql_mysql'
gmake[9]: *** [common] Error 2
gmake[9]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers'
gmake[8]: *** [static] Error 2
gmake[8]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql/drivers'
gmake[7]: *** [common] Error 2
gmake[7]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory
`/export/home/freeradius-1.0.5/src/modules/rlm_sql'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/export/home/freeradius-1.0.5/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/export/home/freeradius-1.0.5/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/export/home/freeradius-1.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/export/home/freeradius-1.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/export/home/freeradius-1.0.5'
*** Error code 2
The following command caused the error:
/usr/sfw/bin/gmake WHAT_TO_MAKE=all common
make: Fatal error: Command failed for target `all'

I downloaded the binary MySQL package from mysql.com and added
/usr/local/mysql to my PATH 

RE: 802.1x

2005-11-02 Thread Alex M

Ok, will call Dlink to see if they have something
(the hotspot itself has that functionality internally though)

Also do you know if opensources such as
NoCAT and ChillBox support such features?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 1:08 PM
To: FreeRadius users mailing list
Subject: RE: 802.1x

AV = ATTRIBUTE VALUE

D-Link what? D-Link makes lots of stuff... generally great
price... but not the most feature rich products.

To get the features you desire you'll likely need a higher-end
box. I'm not a big proponent of pitching specific
products in this forum. Suffice it to say there are vendors that
will (or attempt) to provide CoS / filtering on Wireless...

jmr


RE: 802.1x

2005-11-02 Thread Jonathan De Graeve

Chillispot certainly does!

M0n0wall almost ;)

Don't know about nocat

J.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Wednesday, 2 November 2005 19:19
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Ok, will call Dlink to
see if they have something (the hotspot itself has that functionality
internally though)

Also do you know if
opensources such as NoCAT and ChillBox support such features?


RE: 802.1x

2005-11-02 Thread Jeff Reilly
I have no experience with the opensource efforts you mention
below...

-------- Original Message --------
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 11:19 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Ok, will call
Dlink to see if they have something (the hotspot itself has that
functionality internally though)
Also do you
know if opensources such as NoCAT and ChillBox support such
features?

From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff
ReillySent:
Wednesday, November 02, 2005 1:08 PMTo: FreeRadius users mailing listSubject: RE:
802.1x


AV = ATTRIBUTE VALUE

D-Link what? D-Link makes lots of stuff... generally great price... but not
the most feature rich products.

To get the features you desire you'll likely need a higher-end box. I'm not a
big proponent of "pitching" specific products in this forum. Suffice it to say
there are vendors that will (or attempt) to provide CoS / filtering on
Wireless...

jmr

 Original Message 
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 10:04 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Ok I got it
By the way what is AV pair?
And how do you get NAS related attributes to control bandwidth from vendors?
Like if im using D-Link how could I get attributes from them?

Thanks!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Reilly
Sent: Wednesday, November 02, 2005 11:53 AM
To: FreeRadius users mailing list
Subject: RE: 802.1x

Alex,
Features such as "bandwidth and port blocking" (if any) are
allocated/configured on the _NAS_ (in this case a NAS port) via AV pair/s
provided by RADIUS... the "802.1x Supplicant" (Client/Endpoint) in simple
terms... provides a secure/standard conduit which facilitates the
communication of credentials (from the Supplicant to the Authenticator). The
"802.1x Authenticator" (or NAS) _MAY_ provision/enforce Authorization for the
specific endpoint in the context of a user or group...

The management granularity of this functionality varies greatly by switch
vendor as a result providing this functionality across a multi-vendor
environment... in a large scale deployment... is often too complex to
seriously consider.

jmr

 Original Message 
Subject: RE: 802.1x
From: "Alex M" [EMAIL PROTECTED]
Date: Wed, November 02, 2005 9:10 am
To: "'FreeRadius users mailing list'" freeradius-users@lists.freeradius.org

Now im totally lost...
Can u give me an example what 802.1x does?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, November 02, 2005 11:04 AM
To: FreeRadius users mailing list
Subject: Re: 802.1x

"Alex M" [EMAIL PROTECTED] wrote:
 So then such features as bandwidth and port blocking could be controlled via
 802.1x?

No.

Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
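
The "AV pairs provided by RADIUS" mentioned in the message above, shown on the wire as an added example (not code from the thread or from FreeRADIUS): it encodes and parses the attribute section of an Access-Accept in the RFC 2865 layout. The filter name, the vendor attribute and its value are constructed; 32473 is the IANA enterprise number reserved for documentation.

```python
import struct

# Attribute numbers from RFC 2865 (only the ones this sample uses).
NAMES = {11: "Filter-Id", 18: "Reply-Message", 26: "Vendor-Specific", 27: "Session-Timeout"}

def avp(attr_type, value):
    """One AV pair on the wire: Type (1 octet), Length (1 octet, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, data):
    """Vendor-Specific (26): 4-octet vendor id, then the vendor's own type/length/data."""
    return avp(26, struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data)

def access_accept(identifier, avps):
    """Code 2 = Access-Accept. Authenticator is zeroed: constructed sample, not a signed reply."""
    body = b"".join(avps)
    return struct.pack("!BBH16s", 2, identifier, 20 + len(body), bytes(16)) + body

def parse_avps(packet):
    """Return [(name, value)] for each AV pair; raise ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    pairs, pos = [], 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 3 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
        if attr_type == 27 and len(value) == 4:      # integer attribute
            value = struct.unpack("!I", value)[0]
        elif attr_type == 26 and len(value) >= 6:    # unwrap the vendor's sub-attribute
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor_id, vtype, value[6:4 + vlen])
        elif attr_type in (11, 18):                  # text attributes
            value = value.decode("utf-8", "replace")
        pairs.append((NAMES.get(attr_type, attr_type), value))
    return pairs

# Constructed sample of what a NAS might receive for one user.
SAMPLE = access_accept(7, [
    avp(18, b"Welcome"), avp(27, struct.pack("!I", 3600)),
    avp(11, b"block-port-88"),   # names a filter that must already exist on the NAS
    vsa(32473, 1, b"max-rate=512k"),
])
```

The RADIUS server only names the policy; whether a Filter-Id or vendor attribute is honoured, and what it does, is decided by the NAS.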

attributes handling

2005-11-02 Thread kevin

Hi Guys,

I want to get some idea about how to manipulate attributes before we 
respond to NAS.


For example, before I send Access-Accept packet to the NAS, I want to 
add two additional attributes (let's say S and T) to NAS-1 and add X, Y, 
and Z to NAS-2.  In short, I want to add some attributes differently 
based on the NAS IP or Client IP.  How can I do that?


Thanks,
Kevin

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: 802.1x

2005-11-02 Thread Alex M
Wikipedia well, can it show me how to block ports like port 88 on user side?
Yea I should learn how to use goggle he he

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Seferovic Edvin
Sent: Wednesday, November 02, 2005 4:42 PM
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Maybe you should learn how to do a research with google ;) or just use an
encyclopedia...

http://en.wikipedia.org/wiki/802.1x

have fun !

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Mittwoch, 02. November 2005 22:34
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

That's what I started with... but it returns me all very very expensive
enterprise equipment, and other junk... well maybe I'm using the wrong keyword
but Google doesn't give me anything I'm looking for

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver
Graf
Sent: Wednesday, November 02, 2005 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x

On Wed, Nov 02, 2005 at 11:10:20AM -0500, Alex M wrote:
 Now im totally lost...
 Can u give me an example what 802.1x does?

Can u use google?

Oliver.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: 802.1x

2005-11-02 Thread Seferovic Edvin
I hate quoting but

IEEE 802.1X is an IEEE standard for port-based network access control, part
of the IEEE 802 (802.1) group of protocols. It provides authentication to
devices attached to a LAN port, establishing a point-to-point connection or
preventing access from that port if authentication fails. It is used for
certain closed wireless access points, and is based on the EAP, Extensible
Authentication Protocol (RFC 2284). RFC 2284 has been obsoleted by RFC 3748

Says it is a standard for port-based network access control, and as far as I
know - it has nothing to do with PORTS on a user machine. By port-based it
is not meant the port on a user machine, but the ports on an access hardware
like a switch.

I hope I could help you out of dilemma !

Regards,

Edvin 

-Original Message-
From: Alex M [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 02. November 2005 23:07
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: RE: 802.1x

Wikipedia well, can it show me how to block ports like port 88 on user side?
Yea I should learn how to use goggle he he

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Seferovic Edvin
Sent: Wednesday, November 02, 2005 4:42 PM
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

Maybe you should learn how to do a research with google ;) or just use an
encyclopedia...

http://en.wikipedia.org/wiki/802.1x

have fun !

Regards,

Edvin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex M
Sent: Mittwoch, 02. November 2005 22:34
To: 'FreeRadius users mailing list'
Subject: RE: 802.1x

That's what I started with... but it returns me all very very expensive
enterprise equipment, and other junk... well maybe I'm using the wrong keyword
but Google doesn't give me anything I'm looking for

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver
Graf
Sent: Wednesday, November 02, 2005 4:14 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x

On Wed, Nov 02, 2005 at 11:10:20AM -0500, Alex M wrote:
 Now im totally lost...
 Can u give me an example what 802.1x does?

Can u use google?

Oliver.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: return ALL the AVPs for a username that belongs multiple groups

2005-11-02 Thread Lenir
Here's the rest of my config. Notice that username 3000 belongs to group
Dialin and Dialin2. The user can register fine, however in this case the
Access-Accept packet only returns the AVPs related to group Dialin (I'm
guessing it's because it's the first one that it matches).

mysql> select * from radcheck;
+----+----------+-----------+----+----------+
| id | UserName | Attribute | op | Value    |
+----+----------+-----------+----+----------+
|  1 | Jhassell | Password  | == | changeme |
|  2 | Rneis    | Password  | == | changeme |
|  3 | 1000     | Password  | == | 1000     |
|  4 | 2000     | Password  | == | 2000     |
|  5 | 3000     | Password  | == | 3000     |
+----+----------+-----------+----+----------+
5 rows in set (0.00 sec)

mysql> select * from radreply;
Empty set (0.00 sec)

mysql> select * from usergroup;
+----+----------+------------+
| id | UserName | GroupName  |
+----+----------+------------+
|  1 | Jhassell | Dialin     |
|  2 | Rneis    | Staticdial |
|  3 | 1000     | Dialin     |
|  4 | 2000     | Dialin     |
|  5 | 3000     | Dialin     |
|  6 | 3000     | Dialin2    |
+----+----------+------------+
6 rows in set (0.00 sec)

mysql> select * from radgroupcheck;
Empty set (0.00 sec)

mysql> select * from radgroupreply;
+----+-----------+---------------+----+--------------------------------+------+
| id | GroupName | Attribute     | op | Value                          | prio |
+----+-----------+---------------+----+--------------------------------+------+
|  1 | Dialin    | Reply-Message | =  | Authenticated by group Dialin  |    0 |
|  2 | Dialin2   | SIP-AVP       | =  | Cust-AVP:feat_2                |    0 |
|  3 | Dialin    | SIP-AVP       | =  | Cust-AVP:feat_1                |    0 |
+----+-----------+---------------+----+--------------------------------+------+
3 rows in set (0.00 sec)

mysql> select * from radpostauth;
Empty set (0.00 sec)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, October 28, 2005 1:34 PM
To: FreeRadius users mailing list
Subject: Re: return ALL the AVPs for a username that belongs multiple groups

Lenir [EMAIL PROTECTED] wrote:
 Radius replies with the AVPs of the first group that it
 matches that the user belongs to. Instead of returning all the AVPs for all
 the groups that the user belongs to.

  The example you posted didn't include groups or reply AVP's.

 So I guess the question is, can a user belong to multiple groups? If so, how
 can radius reply with all the AVPs that correspond to ALL the groups that
 the user belongs to?

  Yes, and you configure the server to do that.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
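
The group tables from the post above, run through a small model as an added example (not FreeRADIUS code and not from the thread). It assumes the `op` column follows the reply-item operator meanings documented in the FreeRADIUS users(5) man page and that groups are walked in usergroup order; `build_reply`, `first_group_only` and `with_operator` are names made up for the model.

```python
# Rows for user 3000, copied from the usergroup and radgroupreply tables in the post.
USERGROUP = [("3000", "Dialin"), ("3000", "Dialin2")]
RADGROUPREPLY = [
    ("Dialin", "Reply-Message", "=", "Authenticated by group Dialin"),
    ("Dialin2", "SIP-AVP", "=", "Cust-AVP:feat_2"),
    ("Dialin", "SIP-AVP", "=", "Cust-AVP:feat_1"),
]

def apply_item(reply, attr, op, value):
    """Apply one reply item using the operator meanings from the users(5) man page."""
    if op == "=":        # add only if the reply has no item of this attribute yet
        if all(a != attr for a, _ in reply):
            reply.append((attr, value))
    elif op == ":=":     # replace any existing item of this attribute
        reply[:] = [(a, v) for a, v in reply if a != attr] + [(attr, value)]
    elif op == "+=":     # always append, so multi-valued attributes accumulate
        reply.append((attr, value))
    else:
        raise ValueError("operator not modelled: %r" % op)

def build_reply(user, rows, first_group_only=False):
    """Model only: walk the user's groups in usergroup order and merge their reply items."""
    reply = []
    for group in [g for u, g in USERGROUP if u == user]:
        for row_group, attr, op, value in rows:
            if row_group == group:
                apply_item(reply, attr, op, value)
        if first_group_only:
            break
    return reply

def with_operator(rows, attr, op):
    """Return a copy of rows with the operator changed for one attribute."""
    return [(g, a, op if a == attr else o, v) for g, a, o, v in rows]

if __name__ == "__main__":
    print(build_reply("3000", RADGROUPREPLY, first_group_only=True))
    print(build_reply("3000", RADGROUPREPLY))
    print(build_reply("3000", with_operator(RADGROUPREPLY, "SIP-AVP", "+=")))
```

In this model the first two calls give the same reply: with both SIP-AVP rows stored as `=`, the second group's value is skipped even when every group is processed, and only `+=` lets both values through.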


Problem with EAP/TLS and XP SP2

2005-11-02 Thread Hal Pomeranz
Radius Server: Freeradius 1.0.5 on Solaris 8 (Sparc)
Client:        Windows XP (SP2), Intel PRO/Wireless 2915 (a/b/g)
Access Point:  DLink DI-784

I'm having trouble getting my laptop (running Windows XP SP2) to
authenticate to my access point using EAP/TLS.  XP shows the wireless
interface hung forever in Attempting to authenticate state.  I've
been beating my head against this all day without success, although I
think I'm close and just missing something stupid and obvious.

In the debugging log from radiusd -X below, I can see my laptop
communicating with the radius server.  I'm definitely seeing the
correct username (HalPomeranz) from the certificate I installed
on the laptop.  The radius server is finding the username entry
in my users file.  The only thing that looks like an error is
the lines that read:

  rlm_eap_tls:  TLS 1.0 Handshake [length 005e], CertificateRequest
  TLS_accept: SSLv3 write certificate request A
  TLS_accept: SSLv3 flush data
  TLS_accept:error in SSLv3 read client certificate A

I Googled a bit for this error message and turned up some mailing list
traffic describing similar problems, but no solutions.  Perhaps this
is a red herring, however.

Note that I am successfully using this same radius server to
authenticate some older clients which use LEAP to connect via a
different access point, so I'm thinking my radius config is basically
sound.

Does anybody have any suggestions for how to resolve my problem?
Anybody seen anything like this before?  Thanks in advance...

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Hal Pomeranz, Founder/CEO  Deer Run Associates  [EMAIL PROTECTED]
Network Connectivity and Security, Systems Management, Training
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /var/freeradius/etc/raddb/proxy.conf
Config:   including file: /var/freeradius/etc/raddb/clients.conf
Config:   including file: /var/freeradius/etc/raddb/snmp.conf
Config:   including file: /var/freeradius/etc/raddb/eap.conf
Config:   including file: /var/freeradius/etc/raddb/sql.conf
 main: prefix = /var/freeradius
 main: localstatedir = /var/freeradius/var
 main: logdir = /var/freeradius/var/log/radius
 main: libdir = /var/freeradius/lib
 main: radacctdir = /var/freeradius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/freeradius/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/freeradius/var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /var/freeradius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /var/freeradius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/freeradius/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: