Re: Buy SSL Certificates for PEAP

2006-06-28 Thread VannMann32 .

Hi !

Are you sure your certificate isn't already in PEM format?


How can I verify which format the certificate is in ?


# openssl x509 -in somecertificate.cer  -text
Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number:
   69:4c:8a:74:b7:45:cd:7f:cd:47:71:b8:c0:f2:60:6a
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=ZA, ST=FOR TESTING PURPOSES ONLY, O=Thawte Certification, OU=TEST TEST TEST, CN=Thawte Test CA Root

   Validity
   Not Before: Jun 27 20:00:54 2006 GMT
   Not After : Jul 18 20:00:54 2006 GMT
   Subject: C=XX, ST=X, L=X, O=XX, OU=XX, CN=
   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (1024 bit)
   Modulus (1024 bit):
   00:ce:0c:00:a5:88:d5:f7:f2:b8:c5:7d:f3:9d:0a:
   0e:44:28:ee:fc:b0:78:c9:d0:1e:f2:cf:cf:2f:cc:
   6f:bc:87:06:f4:eb:aa:a3:3d:8d:d5:d8:60:54:8e:
   78:c3:2b:a5:fc:f5:fa:97:ea:d3:17:20:00:07:62:
   25:1a:8f:cf:41:9e:ba:59:a7:c3:75:a0:ae:4c:9c:
   69:4f:52:c3:7c:51:d7:2e:70:63:1e:d5:79:97:d7:
   b3:81:94:d8:4f:cf:f1:5c:9c:ab:c5:e2:f5:82:70:
   34:f0:8b:e8:70:a0:ce:27:b4:26:fc:16:b5:6c:64:
   fd:f5:99:94:f8:ad:63:a7:41
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Basic Constraints: critical
   CA:FALSE
   X509v3 Extended Key Usage:
   TLS Web Server Authentication, TLS Web Client Authentication
   X509v3 CRL Distribution Points:
   URI:http://crl.thawte.com/ThawtePremiumServerCA.crl

   Authority Information Access:
   OCSP - URI:http://ocsp.thawte.com


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


radwho doesn't work - complains about missing radutmp file

2006-06-28 Thread liran tal
This is the error I'm getting:

radwho: Error reading /var/log/freeradius/radutmp: No such file or directory

radutmp indeed doesn't exist in /var/log. Does anyone know why freeradius is not creating the radutmp file?
Thanks.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
Hello to everyone.

I have a question regarding a configuration I am trying to achieve. I
have users stored in an ldap database. An example user entry looks
like this:

dn: uid=kzorba,ou=people,dc=company,dc=gr
cn: ZORBADELOS KONSTANTINOS
uid: kzorba
clearTextPwd: mypassword
radiusProfile: PSTN_STATIC
radiusAccountStatus: activated
radiusMaxLogins: 1
radiusExpDate: 2030/12/31 00:00:00
Framed-IP-Address: 62.103.176.39
objectClass: account
objectClass: MyRadiusAccount
objectClass: top

The attribute radiusProfile groups the users. For each group we have a
corresponding profile

# PSTN_STATIC, radiusProfiles, company.gr
dn: cn=PSTN_STATIC,ou=radiusProfiles,dc=company,dc=gr
cn: PSTN_STATIC
objectClass: freeradiusProfile
objectClass: top
radiusNASPortType: Async
radiusFramedProtocol: PPP
radiusCisco-AVPair: lcp:interface-config#1=ip vrf forwarding STATIC_USER
radiusCisco-AVPair: lcp:interface-config#2=ip unnumbered Loopback1001
radiusServiceType: Framed

Now, I want to authorize the user according to this information. I
have read and tried the configuration described in ldap_howto.txt
shipped in the freeradius distribution. It uses the Ldap-Group
attribute and the users file. This configuration is sub-optimal
because it generates many ldap queries trying to figure out in which
group a user belongs. If we have many entries in the users file, one
for each group, each entry will generate a couple of queries until the
matching entry is found. So if we have, for example, a hundred groups
and the last one in the users file matches, we will have generated ~200
ldap queries, just to find the group the user belongs to.

I try the following alternative approach:

#ldap.attrmap
checkItem   Group   radiusProfile

#users file
...
DEFAULT Group == PSTN_STATIC, User-Profile := "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr"
        Fall-Through = no
DEFAULT Auth-Type := Reject
        Reply-Message = "Unauthorized access."


#radiusd.conf

authorize {
preprocess
chap
mschap
suffix
ldap
files
ldap
}


In the first pass through the ldap module I want to set the Group
attribute, then in users file set the User-Profile and I use one more
pass through the ldap module to get the profile attributes. However
this is what I get when testing with radclient:

rad_recv: Access-Request packet from host 127.0.0.1:41392, id=167, length=52
User-Name = kzorba
User-Password = XX
NAS-IP-Address = 62.103.0.99
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = kzorba, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = kzorba
rlm_realm: Proxying request from user kzorba to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  
'((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldapserver.company.gr:489, authentication 0
rlm_ldap: bind as cn=Directory Manager/XX to ldapserver.company.gr:489
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter 
((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
rlm_ldap: Added password XX in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC  op=21
^^
rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1  op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39  
op=11
rlm_ldap: user kzorba authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
users: Matched entry DEFAULT at line 82
^^^(?)
Here, the files module does not match the line with the Group == PSTN_STATIC 
condition, but the last DEFAULT line that rejects the user

  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for kzorba
radius_xlat:  
'((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
radius_xlat:  'ou=people,dc=company,dc=gr'
rlm_ldap: ldap_get_conn: Checking Id: 0

using radius with samba

2006-06-28 Thread Wutz, Josef
Hello,

I have freeradius version 1.1.2 and a samba installation with version
3.0.23. My Samba works as a Windows NT 4.0 PDC.

Now I want the radius to send authentication requests to the samba, so
that I can log on to the radius server with my samba domain login.

What parameter in radiusd.conf do I have to change so that this works?

Thank you very much for your help

Josef
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: mpd+freeradius+AD

2006-06-28 Thread Егоров Сергей
This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to assign an
IP to a user I should use the freeradius users file. But I couldn't configure it
correctly. Now I have only one line in this file

DEFAULT Auth-Type := MS-CHAP

I've added another entry (for user test), but it isn't correct

test   Auth-Type := MS-CHAP,
   Framed-IP-Address = 192.168.10.65,
   Fall-Through = Yes

What should I fix?


-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
 Thanks for reply.

 You can use one of the three firewalls available in the base system (ipfw,
  ipf and pf), however mpd comes with a small dictionary that uses
  ipfw(8) and you can easily define some filter bound to an interface
  (bound to a username) via a radius reply attribute, let filter be a
  pipe(for bandwidth control) or a packet filtering expression.

 That's fine for filtering vpn users' access to the local net. But how could I
 assign specific IP for specific user in AD?

  Your questions don't clearly tell where your problem is.
 Active Directory? mpd? or FreeRADIUS? You should define
 them better in order to get help from the list.

 My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
 2003 can do 1 and 2 in my questions, so I have to realize how to setup this
 in mpd + freeradius. I already authenticate users from AD group:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
   --username=%{Stripped-User-Name:-%{User-Name:-None}}
   --challenge=%{mschap:Challenge:-00}
   --nt-response=%{mschap:NT-Response:-00}
   --require-membership-of=EXAMPLE+VPN_Allowed.

 But I have several vpn groups and need to setup timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

 Also 
 I need to assign a specific IP for a specific user in AD.

This is Framed-IP-Address in radius dialect.

 Looks like 
 FreeRadius should respond for this.

Yes, you have to have basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active 
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
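A small model of how the users file is walked, added here as an illustration; it is not code from any of the posts or from FreeRADIUS itself. It is written in Python and reduces rlm_files to the points the LDAP post above and the mpd post above turn on: check items written with `==` or `!=` are compared against attributes of the Access-Request packet (an attribute that another module such as rlm_ldap placed only in the check-item list is not consulted), `:=` and `=` in the check part set config items rather than compare, entries are tried in file order, and the walk stops at the first matching entry unless its reply items say `Fall-Through = yes`. It does not model per-attribute comparison functions such as the ones FreeRADIUS registers for `Group` or `Ldap-Group`. The two users files are reconstructed from the posts (the DN in `User-Profile` is quoted so that the commas inside it are not read as item separators), and the request contents are constructed.

```python
import re
from dataclasses import dataclass, field

# Item syntax: "Attr op value". '==' and '!=' compare against the request;
# ':=' and '=' set (config items in the check part, attributes in the reply
# part). A quoted value may contain commas.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str                                   # user name, or DEFAULT
    check: list = field(default_factory=list)   # (attr, op, value) on the first line
    reply: list = field(default_factory=list)   # (attr, op, value) on indented lines


def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Unindented line = new entry ("name check-items"); indented lines = its reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError('reply items before any entry: %r' % line)
            entries[-1].reply.extend(parse_items(line))
        else:
            parts = re.split(r'\s+', line.strip(), maxsplit=1)
            items = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append(Entry(parts[0], items))
    return entries


def entry_matches(entry, request):
    """Compare '==' / '!=' check items against the Access-Request attributes only.
    Items another module put into the check-item (config) list are not seen here."""
    if entry.name != 'DEFAULT' and request.get('User-Name') != entry.name:
        return False
    for attr, op, value in entry.check:
        if op == '==' and request.get(attr) != value:
            return False
        if op == '!=' and request.get(attr) == value:
            return False
    return True


def authorize(entries, request):
    """Walk entries in file order; stop at the first match unless its reply items
    say Fall-Through = yes. Returns (matched entry indices, config items, reply items)."""
    matched, config, reply = [], {}, {}
    for i, entry in enumerate(entries):
        if not entry_matches(entry, request):
            continue
        matched.append(i)
        for attr, op, value in entry.check:
            if op == ':=' or (op == '=' and attr not in config):
                config[attr] = value
        fall_through = False
        for attr, op, value in entry.reply:
            if attr == 'Fall-Through':
                fall_through = value.lower() in ('yes', '1', 'true')
            else:
                reply[attr] = value
        if not fall_through:
            break
    return matched, config, reply


# Constructed from the LDAP post; the DN is quoted so its commas survive parsing.
LDAP_USERS = """\
DEFAULT Group == PSTN_STATIC, User-Profile := "cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr"
        Fall-Through = no
DEFAULT Auth-Type := Reject
        Reply-Message = "Unauthorized access."
"""

# Constructed from the mpd+freeradius post, in the order given there.
MPD_USERS = """\
DEFAULT Auth-Type := MS-CHAP
test    Auth-Type := MS-CHAP,
        Framed-IP-Address = 192.168.10.65,
        Fall-Through = Yes
"""


def ldap_scenario(group_in_request):
    """False: Group exists only in rlm_ldap's check-item list (not in the packet).
    True: Group is present as a request attribute, so 'Group ==' can see it."""
    request = {'User-Name': 'kzorba', 'NAS-IP-Address': '62.103.0.99'}   # constructed
    if group_in_request:
        request['Group'] = 'PSTN_STATIC'
    return authorize(parse_users(LDAP_USERS), request)


def mpd_scenario(test_entry_first):
    """False: DEFAULT is listed first and has no Fall-Through. True: 'test' moved ahead."""
    entries = parse_users(MPD_USERS)
    if test_entry_first:
        entries.reverse()
    return authorize(entries, {'User-Name': 'test'})


if __name__ == '__main__':
    for scenario in (ldap_scenario, mpd_scenario):
        for flag in (False, True):
            print(scenario.__name__, flag, scenario(flag))
```

In the first scenario the entry with `Group == PSTN_STATIC` is skipped and the rejecting DEFAULT matches, which is the "Matched entry DEFAULT at line 82" seen in the LDAP post's debug output; in the second, the `test` entry is never reached while the DEFAULT line precedes it, and yields its `Framed-IP-Address` once it is placed first.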


Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?



-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fixed IP

2006-06-28 Thread Mahesh S Kudva
Thanks for the guidance.

How can I use the post-auth section?

Regards & Thanks

Mahesh S Kudva


-Original Message-
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tue, 27 Jun 2006 10:30:37 +0100
Subject: Re: Fixed IP

 Mahesh S Kudva wrote:
  Hi
  
  I am running Freeradius on Mac OS X. How do I assign fixed IP addresses
  to my wireless clients who are authenticating under Apple Base stations?
 
 You can't with radius. 802.11 clients assign IP addresses by DHCP after
 the link, so you would need to configure the DHCP server appropriately.
 
 (In theory one could push an IP from FreeRadius into the DHCP server 
 e.g. in the post-auth section with an exec module, but that would be a 
 custom solution you'd have to make yourself)
 - 
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



---
Robosoft Technologies - Come home to Technology


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:


On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?


radiusSessionTimeout: += value





--
 Kostas Zorbadelos
 [EMAIL PROTECTED] contact: kzorba (at) otenet.gr

 Out there in the darkness, out there in the night
 out there in the starlight, one soul burns brighter
 than a thousand suns.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:


Hello to everyone.

I have a question regarding a configuration I am trying to achieve. I
have users stored in an ldap database. An example user entry looks
like this:

dn: uid=kzorba,ou=people,dc=company,dc=gr
cn: ZORBADELOS KONSTANTINOS
uid: kzorba
clearTextPwd: mypassword
radiusProfile: PSTN_STATIC
radiusAccountStatus: activated
radiusMaxLogins: 1
radiusExpDate: 2030/12/31 00:00:00
Framed-IP-Address: 62.103.176.39
objectClass: account
objectClass: MyRadiusAccount
objectClass: top

The attribute radiusProfile groups the users. For each group we have a
corresponding profile


Why not put the full profile DN in radiusProfile? Then you can use the 
profile_attribute mechanism


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Fixed IP

2006-06-28 Thread Guy Davies

Hi Mahesh,

This is *totally* independent of the authentication process.  You
don't need to do anything to the RADIUS server to do this.

You need a DHCP server.  When your client (the PC) is attached to a
particular subnet, it will request a DHCP address by sending a
broadcast to find a DHCP server.  The DHCP server will see the MAC
address from which the request was sent and, if a one-to-one mapping
between that MAC address and an IP address exists in the config files
for the DHCP server, it will return that IP address.

The RADIUS server's job is over well before that happens (except for
any accounting it may do).

Rgds,

Guy

On 28/06/06, Mahesh S Kudva [EMAIL PROTECTED] wrote:

Thanks for the guidance.

How can I use the post-auth section?

Regards & Thanks

Mahesh S Kudva


-Original Message-
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tue, 27 Jun 2006 10:30:37 +0100
Subject: Re: Fixed IP

 Mahesh S Kudva wrote:
  Hi
 
  I am running Freeradius on Mac OS X. How do I assign fixed IP addresses
  to my wireless clients who are authenticating under Apple Base stations?

 You can't with radius. 802.11 clients assign IP addresses by DHCP after
 the link, so you would need to configure the DHCP server appropriately.

 (In theory one could push an IP from FreeRadius into the DHCP server
 e.g. in the post-auth section with an exec module, but that would be a
 custom solution you'd have to make yourself)
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



---
Robosoft Technologies - Come home to Technology


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
 On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
 
 Hello to everyone.
 
 I have a question regarding a configuration I am trying to achieve. I
 have users stored in an ldap database. An example user entry looks
 like this:
 
 dn: uid=kzorba,ou=people,dc=company,dc=gr
 cn: ZORBADELOS KONSTANTINOS
 uid: kzorba
 clearTextPwd: mypassword
 radiusProfile: PSTN_STATIC
 radiusAccountStatus: activated
 radiusMaxLogins: 1
 radiusExpDate: 2030/12/31 00:00:00
 Framed-IP-Address: 62.103.176.39
 objectClass: account
 objectClass: MyRadiusAccount
 objectClass: top
 
 The attribute radiusProfile groups the users. For each group we have a
 corresponding profile
 
 Why not put the full profile DN in radiusProfile? Then you can use the 
 profile_attribute mechanism


That would be perfect, however we already have the users database and
we use a different Radius software. Our data are in the form I
described. Any modifications would require migration and this is what
I am trying to avoid. 


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Freeradius advocacy needed for convincing corporate management

2006-06-28 Thread Kostas Zorbadelos
My greetings to the list.
The company I work for is one of the largest ISPs in Greece. We are
evaluating the possibility to move away from our current radius
software (FUNK Radius now Juniper) in favour of freeradius.

We as technical people understand all the benefits of the move (and it
would also give us opportunity to contribute to the project). However
management would like to hear stuff like

- Any large installations that use freeradius effectively today
  (commercial environments preferred). This would give us arguments in
  favour of freeradius scalability and reliability
- Possibility to have commercial support 

Anyone who can contribute arguments or facts is more than welcome. 

Kostas

-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius advocacy needed for convincing corporate management

2006-06-28 Thread Stefan Winter
 - Any large installations that use freeradius effectively today
   (commercial environments preferred). This would give us arguments in
   favour of freeradius scalability and reliability

http://www.eduroam.org Non-commercial, sorry.

 - Possibility to have commercial support

http://www.freeradius.org/business/

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP related questions

2006-06-28 Thread Kostas Zorbadelos
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
 On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
 
 I have a few suspicions where the problem might be.
 Is there a way to define the operator in the radius check attributes
 of ldap (without using the generic radiusCheckItem attribute)?
 
 radiusSessionTimeout: += value


I meant in ldap.attrmap.
When I define for example 

checkItem   Group-Name  radiusProfile

what is the operator implied ( op=21 in the debugging output)?
Can this be changed?


-- 
  Kostas Zorbadelos
  [EMAIL PROTECTED] contact: kzorba (at) otenet.gr
  
  Out there in the darkness, out there in the night
  out there in the starlight, one soul burns brighter
  than a thousand suns.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP related questions

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:


On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:

On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:

I have a few suspicions where the problem might be.
Is there a way to define the operator in the radius check attributes
of ldap (without using the generic radiusCheckItem attribute)?


radiusSessionTimeout: += value



I meant in ldap.attrmap.
When I define for example

checkItem   Group-Name  radiusProfile

what is the operator implied ( op=21 in the debugging output)?
Can this be changed?


In the cvs version at least an extra field is supported in ldap.attrmap which 
sets the operator to be used. Don't know if it's supported in the stable 
versions.





--
 Kostas Zorbadelos
 [EMAIL PROTECTED] contact: kzorba (at) otenet.gr

 Out there in the darkness, out there in the night
 out there in the starlight, one soul burns brighter
 than a thousand suns.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius advocacy needed for convincing corporate management

2006-06-28 Thread Kostas Kalevras

On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:


My greetings to the list.
The company I work for is one of the largest ISPs in Greece. We are
evaluating the possibility to move away from our current radius
software (FUNK Radius now Juniper) in favour of freeradius.

We as technical people understand all the benefits of the move (and it
would also give us opportunity to contribute to the project). However
management would like to hear stuff like

- Any large installations that use freeradius effectively today
 (commercial environments preferred). This would give us arguments in
 favour of freeradius scalability and reliability


http://www.freeradius.org/testimonials.html


- Possibility to have commercial support

Anyone who can contribute arguments or facts is more than welcome.

Kostas

--
 Kostas Zorbadelos
 [EMAIL PROTECTED] contact: kzorba (at) otenet.gr

 Out there in the darkness, out there in the night
 out there in the starlight, one soul burns brighter
 than a thousand suns.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Mysql Tribox(Asterisk)

2006-06-28 Thread Wasif

Hello,

I have installed FreeRadius server on Trixbox Server. My problem is mysql is
not letting FreeRadius log in either locally or remotely. I also inserted
proper entries in the HOST and USERS tables. But it does not work; I always get
ERROR 1045 (28000): Access Denied for user 'root'@'localhost'

Thanks

Wazb

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Buy SSL Certificates for PEAP

2006-06-28 Thread Michael Griego
By default, OpenSSL uses PEM format, so if you didn't specify a
certificate format of DER, then it's a PEM encoded cert.  If you look
at the cert in a text viewer/editor, you'll see lines that have
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- if it's PEM encoded.


--Mike

On Jun 28, 2006, at 2:53 AM, VannMann32 . wrote:


Hi !

Are you sure your certificate isn't already in PEM format?


How can I verify which format the certificate is in ?


# openssl x509 -in somecertificate.cer  -text
Certificate:
   Data:
   Version: 3 (0x2)
   Serial Number:
   69:4c:8a:74:b7:45:cd:7f:cd:47:71:b8:c0:f2:60:6a
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=ZA, ST=FOR TESTING PURPOSES ONLY, O=Thawte  
Certification, OU=TEST TEST TEST, CN=Thawte Test CA Root

   Validity
   Not Before: Jun 27 20:00:54 2006 GMT
   Not After : Jul 18 20:00:54 2006 GMT
   Subject: C=XX, ST=X, L=X, O=XX, OU=XX,  
CN=

   Subject Public Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (1024 bit)
   Modulus (1024 bit):
   00:ce:0c:00:a5:88:d5:f7:f2:b8:c5:7d:f3:9d:0a:
   0e:44:28:ee:fc:b0:78:c9:d0:1e:f2:cf:cf:2f:cc:
   6f:bc:87:06:f4:eb:aa:a3:3d:8d:d5:d8:60:54:8e:
   78:c3:2b:a5:fc:f5:fa:97:ea:d3:17:20:00:07:62:
   25:1a:8f:cf:41:9e:ba:59:a7:c3:75:a0:ae:4c:9c:
   69:4f:52:c3:7c:51:d7:2e:70:63:1e:d5:79:97:d7:
   b3:81:94:d8:4f:cf:f1:5c:9c:ab:c5:e2:f5:82:70:
   34:f0:8b:e8:70:a0:ce:27:b4:26:fc:16:b5:6c:64:
   fd:f5:99:94:f8:ad:63:a7:41
   Exponent: 65537 (0x10001)
   X509v3 extensions:
   X509v3 Basic Constraints: critical
   CA:FALSE
   X509v3 Extended Key Usage:
   TLS Web Server Authentication, TLS Web Client  
Authentication

   X509v3 CRL Distribution Points:
   URI:http://crl.thawte.com/ThawtePremiumServerCA.crl

   Authority Information Access:
   OCSP - URI:http://ocsp.thawte.com


- List info/subscribe/unsubscribe? See http://www.freeradius.org/ 
list/users.html




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
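The same check done in code, added here as an example; it is not from the thread and not OpenSSL's own code. PEM is base64 text between `-----BEGIN ...-----` and `-----END ...-----` markers; DER is the raw ASN.1, and a DER certificate starts with a SEQUENCE tag (0x30) whose encoded length covers the whole file. The certificate bytes below are a constructed five-byte stand-in (a minimal SEQUENCE), not a real certificate, so that the example runs offline; the functions work the same on real PEM or DER input. At the command line the equivalent test is `openssl x509 -inform DER -in cert.cer -noout -subject`: if that fails while the default `-inform PEM` succeeds, as it did for the poster's `openssl x509 -in somecertificate.cer -text`, the file is already PEM, and `openssl x509 -inform DER -in cert.cer -out cert.pem` converts a DER file.

```python
import base64
import re

# Constructed stand-in for DER certificate bytes: a minimal DER SEQUENCE
# (tag 0x30, length 3, containing INTEGER 5). A real certificate is also an
# outer SEQUENCE, which is what the DER check below relies on.
FAKE_DER = bytes.fromhex("3003020105")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(data):
    """Total encoded length of the outer DER SEQUENCE, or None if the bytes
    do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data):
    """'PEM' if a BEGIN/END block is present, 'DER' if the bytes form exactly
    one complete SEQUENCE, else 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    if der_length(data) == len(data):
        return "DER"
    return "unknown"


def pem_to_der(data):
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def der_to_pem(der, label=b"CERTIFICATE"):
    body = base64.encodebytes(der).replace(b"\n", b"")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]   # 64-column body as OpenSSL writes it
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def normalize_to_pem(data):
    """Return PEM whatever the input encoding; refuse anything else."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("not a PEM or DER encoded certificate")


if __name__ == "__main__":
    pem = der_to_pem(FAKE_DER)
    print(detect_format(FAKE_DER), detect_format(pem), detect_format(b"garbage"))
    print(pem.decode())
```

Reading the file in binary and calling `normalize_to_pem` on it is the whole conversion; a trailing byte after the SEQUENCE, or a truncated file, is reported as unknown rather than silently accepted.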

Re: Mysql Tribox(Asterisk)

2006-06-28 Thread Dennis Skinner
Wasif wrote:
 I have installed FreeRadius server on Trixbox Server. My problem is
 mysql is not letting FreeRadius log in either locally or remotely. I
 also inserted proper entries in HOST and USERS tables. But it does not
 work I always get ERROR 1045 (28000): Access Denied for user
 'root'@'localhost'

1. Did you FLUSH PRIVILEGES in MySQL?

2. Don't use root.  Create a new user in MySQL that only has the
specific access to the db's, tables, and/or columns needed.  If you use
the GRANT command to create the user and privs you won't need to flush
the privs afterwards.  See the MySQL docs.  They are very good.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radwho doesn't work - complains about missing radutmp file

2006-06-28 Thread Alan DeKok
liran tal [EMAIL PROTECTED] wrote:
 Does anyone know why freeradius is not creating the radutmp file?

  The NAS isn't sending accounting packets.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius advocacy needed for convincing corporate management

2006-06-28 Thread Alan DeKok
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
 - Any large installations that use freeradius effectively today
   (commercial environments preferred). This would give us arguments in
   favour of freeradius scalability and reliability

  Most commercial installations won't publicly say they're using it.

  I know of multiple national ISP's with millions of users who've
replaced commercial servers with FreeRADIUS.  But they don't want me
to mention their names, sorry.

  An alternative is to see who's subscribed to this list.  Past posts
include people from DHL, among other large companies.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Please help !!!

2006-06-28 Thread Kartthik Raghunathan
Using the same FR, authenticating wireless clients against the Active Directory
using PEAP and TLS and now trying to authenticate the PPTP clients against the
Active Directory thru the Dlink FW. The first part works like a charm... and the
second one I have an issue with. Here is the MSCHAP configuration in
radiusd.conf:

mschap {
    authtype = MS-CHAP
    use_mppe = no
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}


Here is the log when pptp client dials into the pptp server (ie. Dlink FW, 
parameters are configured as MPPE 128 bit encryption and MSCHAPV2).

rad_recv: Access-Request packet from host 192.168.0.1:2838, id=68, length=151
User-Name = TEST\\kartthikr
MS-CHAP2-Response = 
0x200038088c81bfc0e2d29944dc15551174ab231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
MS-CHAP-Challenge = 0xfb3fee292c917043d609ddf16c97b78c
NAS-Identifier = Clavister
NAS-Port = 0
NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = MS-CHAP'
  modcall[authorize]: module mschap returns ok for request 0
rlm_realm: No '@' in User-Name = TEST\kartthikr, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for kartthikr with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: fb
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=kartthikr 
--domain=TEST --challenge=ee58ce24154980e8 
--nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=kartthikr 
--domain=TEST --challenge=ee58ce24154980e8 
--nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
Exec-Program output: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program-Wait: plaintext: NT_KEY: 67F102C088FF660F615D1F9236DF9797
Exec-Program: returned: 0
  modcall[authenticate]: module mschap returns ok for request 0
modcall: leaving group MS-CHAP (returns ok) for request 0
Sending Access-Accept of id 68 to 192.168.0.1 port 2838
MS-CHAP2-Success = 
0x20533d36333943444337363042443142463535393941334136453634453645364430343545333138363336
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 44a2cf37

Kartthik

 I have freeradius setup for wireless client access against the active
 directory and its working good. Now using the same FR trying to
 authenticate pptp clients against AD using Dlink firewall. While
 the pptp client connects to the dlink fw, getting this error message:
 "the remote server doesn't support the encryption
 type".

   So it's a DLINK problem.

 The dlink support guys told that the encryption on the freeradius
 server is not correct. Do you guys think this makes sense ?

   Since you didn't show any of the RADIUS logs, there's no way to tell.

 Note: In dlink fw, the mppe encryption has been enabled. Does
 freeradius support this encryption type too ?

   Yes.

   Alan DeKok.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
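What `%{mschap:Challenge}` expands to for MS-CHAPv2, shown as an added Python example (not FreeRADIUS or ntlm_auth code) on the attribute values from the debug log above. For MS-CHAPv2, rlm_mschap does not hand ntlm_auth the 16-byte MS-CHAP-Challenge; it passes the 8-byte ChallengeHash of RFC 2759, SHA1 over the peer challenge taken from MS-CHAP2-Response, the authenticator challenge, and the user name with the NT domain stripped (`with_ntdomain_hack = yes`), which is why the log's `--challenge=` is 8 bytes and differs from the MS-CHAP-Challenge. The MS-CHAP2-Response as printed in the log is 42 bytes rather than the 50 of RFC 2548 (the 8 reserved bytes are absent), so the parser here accepts both layouts; that tolerance is an assumption made for this example and is marked in the code.

```python
import hashlib

# Values copied from the posted debug log (hex as printed by radiusd -X).
MSCHAP_CHALLENGE = bytes.fromhex("fb3fee292c917043d609ddf16c97b78c")
MSCHAP2_RESPONSE = bytes.fromhex(
    "200038088c81bfc0e2d29944dc15551174ab"
    "231accd16d14cd2691a3d4ebc78d51577067db9138eaf627")
USER_NAME = "TEST\\kartthikr"


def strip_nt_domain(user_name):
    """with_ntdomain_hack: 'DOMAIN\\user' -> ('DOMAIN', 'user'); no backslash -> ('', user)."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else ("", user_name)


def parse_mschap2_response(vp):
    """MS-CHAP2-Response (RFC 2548 2.3.3): ident(1) flags(1) peer-challenge(16)
    reserved(8) nt-response(24) = 50 bytes. Assumption for this example: the
    42-byte form seen in the log (reserved bytes absent) is accepted too, and
    the NT-Response is always the last 24 bytes."""
    if len(vp) not in (42, 50):
        raise ValueError("unexpected MS-CHAP2-Response length %d" % len(vp))
    return {"ident": vp[0], "flags": vp[1],
            "peer_challenge": vp[2:18], "nt_response": vp[-24:]}


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge ||
    UserName), first 8 bytes. This is what rlm_mschap substitutes for
    %{mschap:Challenge} when the request carries MS-CHAP2-Response."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_args(user_name, mschap_challenge, mschap2_response):
    """The four values the ntlm_auth line in the posted mschap {} block expands to."""
    domain, user = strip_nt_domain(user_name)
    r = parse_mschap2_response(mschap2_response)
    chal = challenge_hash(r["peer_challenge"], mschap_challenge, user)
    return {"username": user, "domain": domain,
            "challenge": chal.hex(), "nt_response": r["nt_response"].hex()}


if __name__ == "__main__":
    for key, value in ntlm_auth_args(USER_NAME, MSCHAP_CHALLENGE, MSCHAP2_RESPONSE).items():
        print("--%s=%s" % (key.replace("_", "-"), value))
```

The `nt_response` it extracts is the 24 bytes the log shows after `--nt-response=`, and `challenge` is the same computation that produced the `--challenge=` argument in the log's Exec-Program line; the NT_KEY ntlm_auth returns from that exchange is what rlm_mschap turns into the MPPE keys, which `use_mppe = no` then withholds from the reply.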


Re: Please help !!!

2006-06-28 Thread Alan DeKok
Kartthik Raghunathan [EMAIL PROTECTED] wrote:
 Using the same FR, authenticating wireless clients against the Active 
 directory using PEAP and TLS and now trying to authenticate the PPTP clients 
 against the Active directory thru Dlink FW. The first part works like a
 charm... and the second one I have an issue with and here is the MSCHAP 
 configuration on radiusd.conf
 
 mschap {
 authtype = MS-CHAP
  
 use_mppe = no

  Why did you change that?  The default is to use MPPE, which you say
you need.

  Since you turned MPPE off, I don't understand why you're surprised
that MPPE doesn't work.

  Alan DeKok.

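The debug output earlier in this thread (the NT_KEY printed by ntlm_auth, the --challenge and --nt-response handed to it, and the MS-CHAP2-Success attribute in the Access-Accept) contains everything rlm_mschap needs to build the MS-CHAPv2 authenticator response and, when use_mppe is on, the MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes Alan refers to. The Python below is an added example written for this thread, not FreeRADIUS or Samba code; it recomputes both from the logged values. It assumes that the NT_KEY from "ntlm_auth --request-nt-key" is the 16-byte PasswordHashHash (MD4 of the NT hash), which is what rlm_mschap feeds into both computations, and that the --challenge value is the 8-byte ChallengeHash output (the peer challenge, authenticator challenge and user name are not in the log, and are not needed once that 8-byte value is known). The RFC 2759 section 9.2 test vector is included as a known-answer check.

```python
"""Recompute what rlm_mschap logged above from the values it printed.

Added example for this thread, not FreeRADIUS or Samba code.  Follows
RFC 2759 section 8.7 (GenerateAuthenticatorResponse, the 'S=' string in
MS-CHAP2-Success) and RFC 3079 section 3 (the MPPE send/receive keys that
rlm_mschap returns as MS-MPPE-Send-Key / MS-MPPE-Recv-Key when use_mppe = yes).
Assumption: NT_KEY from 'ntlm_auth --request-nt-key' is the 16-byte
PasswordHashHash (MD4 of the NT hash) and --challenge is the 8-byte
ChallengeHash output, which is how rlm_mschap uses them.
"""
import hashlib
from typing import Tuple

# Values copied from the debug output above.
LOG_CHALLENGE = bytes.fromhex("ee58ce24154980e8")
LOG_NT_RESPONSE = bytes.fromhex("231accd16d14cd2691a3d4ebc78d51577067db9138eaf627")
LOG_NT_KEY = bytes.fromhex("67F102C088FF660F615D1F9236DF9797")
LOG_SUCCESS_ATTR = bytes.fromhex(
    "20533d36333943444337363042443142463535393941334136453634453645364430343545333138363336")

# RFC 2759 section 8.7 constants.
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"
# RFC 3079 section 3 constants.
MPPE_MAGIC1 = b"This is the MPPE Master Key"
MPPE_MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MPPE_MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def decode_success_attr(attr: bytes) -> Tuple[int, str]:
    """MS-CHAP2-Success is one Ident byte followed by the ASCII 'S=<40 hex>' string."""
    ident, text = attr[0], attr[1:].decode("ascii")
    if not (text.startswith("S=") and len(text) == 42):
        raise ValueError("malformed MS-CHAP2-Success: %r" % text)
    return ident, text


def authenticator_response(pw_hash_hash: bytes, nt_response: bytes, challenge: bytes) -> str:
    """RFC 2759 GenerateAuthenticatorResponse, given the 8-byte ChallengeHash output."""
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def mppe_master_key(pw_hash_hash: bytes, nt_response: bytes) -> bytes:
    """RFC 3079 GetMasterKey for MS-CHAPv2: the first 16 bytes of the SHA-1."""
    return hashlib.sha1(pw_hash_hash + nt_response + MPPE_MAGIC1).digest()[:16]


def mppe_server_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """RFC 3079 GetAsymmetricStartKey, 128-bit, from the server's point of view:
    (send key, receive key) = (MS-MPPE-Send-Key, MS-MPPE-Recv-Key) before
    RADIUS encrypts them under the shared secret.  For the server, Magic3
    yields the send key and Magic2 the receive key."""
    def start_key(magic: bytes) -> bytes:
        return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:16]
    return start_key(MPPE_MAGIC3), start_key(MPPE_MAGIC2)


def reproduces_log() -> bool:
    """Whether the S= string in the logged MS-CHAP2-Success comes back out."""
    _, logged = decode_success_attr(LOG_SUCCESS_ATTR)
    return authenticator_response(LOG_NT_KEY, LOG_NT_RESPONSE, LOG_CHALLENGE) == logged


def rfc2759_known_answer() -> bool:
    """Known-answer check with the vector from RFC 2759 section 9.2."""
    got = authenticator_response(
        bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F"),
        bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF"),
        bytes.fromhex("D02E4386BCE91226"))
    return got == "S=407A5589115FD0D6209F510FE9C04566932CDA56"


if __name__ == "__main__":
    print("MS-CHAP2-Success ident/text:", decode_success_attr(LOG_SUCCESS_ATTR))
    print("recomputed from NT_KEY:     ",
          authenticator_response(LOG_NT_KEY, LOG_NT_RESPONSE, LOG_CHALLENGE))
    print("reproduces the log:", reproduces_log())
    send, recv = mppe_server_keys(mppe_master_key(LOG_NT_KEY, LOG_NT_RESPONSE))
    print("MS-MPPE-Send-Key:", send.hex(), " MS-MPPE-Recv-Key:", recv.hex())
```

Run it and compare the recomputed "S=" string with the one decoded from the log (reproduces_log() does that comparison). With use_mppe = no, as in the radiusd.conf quoted later in this thread, rlm_mschap does not add the MS-MPPE-*-Key attributes at all, so a PPTP NAS that requires MPPE has nothing to key the tunnel with; the keys above are what it would otherwise receive.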


Re: radwho doesnt work - complains about missing radutmp file

2006-06-28 Thread liran tal
I don't think it's because of that since I do have records on radacct table.

On 6/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
 liran tal [EMAIL PROTECTED] wrote:
  Does anyone know why is freeradius not creating the radutmp file?

 The NAS isn't sending accounting packets.

 Alan DeKok.

PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread fvt3
Hi,

I have a question on configuring freeradius to return
vlan attributes based on a user group membership or ou.
 I have a windows client xp sp2 using peap mschap2 to
authenticate off radius.  How do I set radius to
return a vlan id of 10 if the user belongs to the
student group, and if the user belongs to the teacher
group the user gets a vlan id of 20?  I have freeradius
authenticating off Active Directory but it's only
returning one vlan..

DEFAULT   NAS-Port-Type == Wireless-802.11
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 10,
  Tunnel-Type = VLAN

Do I have to add something else in the users file?




Installation on SuSE 10 x64

2006-06-28 Thread Roger Rhody
Hi,

I keep getting the following error when building freeRADIUS on SuSE 10 x64.

/usr/lib/libltdl.so: could not read symbols: File in wrong format

I have tried to configure with the flag --disable-ltdl-install and without
and get the same message each time.  Is there something else I need to do to
get this built on x64 Linux?  Trying to install freeradius-1.1.2.

Thank you,
Roger Rhody
Programmer / Analyst
burton + BURTON
[EMAIL PROTECTED]
(706) 548-1588





Re: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Phil Mayers

fvt3 wrote:

Hi,

I have a question on configuring freeradius to return
vlan attributes based on a user group membership or ou.
 I have a windows client xp sp2 using peap mschap2 to
authenticate off radius.  How do I set radius to
return a vlan id of 10 if the user belongs to the
student group, and if the user belongs to the teacher
group the user gets a vlan id of 20?  I have freeradius
authenticating off Active Directory but it's only
returning one vlan..

DEFAULT   NAS-Port-Type == Wireless-802.11
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 10,
  Tunnel-Type = VLAN

Do I have to add something else in the users file?


You will need to configure the LDAP module to fetch groups from AD's LDAP 
server. See copious documentation or posts to the list. Broadly, once 
the LDAP module is set up correctly:


DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10,
Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 20,
Tunnel-Type = VLAN

Alternatively if you fill AD in from some external system e.g. SQL 
database you can pull from there, or dump the groups to a file like so:


username:groupname

...and use the (poorly-named) passwd module to add the group.
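To see why the single DEFAULT entry in the question can only ever hand back VLAN 10, and how the two group-qualified entries above pick VLAN 10 or 20, here is an added example (not FreeRADIUS code) that evaluates users-file entries the way the files module does for this purpose: entries are tried in order, every "==" check item must match, and the first matching entry's reply items are returned unless it sets Fall-Through. The entry texts are constructed from this thread plus one catch-all. Ldap-Group is modelled as the set of groups the ldap module would have looked up for the user; in the server it is a virtual check item resolved by rlm_ldap in authorize, which is independent of mschap/ntlm_auth doing the actual authentication.

```python
"""Evaluate FreeRADIUS 'users' file entries against a request.

Added example, not FreeRADIUS code: it reimplements only what this thread
needs of the files module -- entries are tried in order, every '==' check
item must match, ':=' items on the check line are settings rather than
comparisons, and the first matching entry's reply items win unless it sets
Fall-Through = Yes.  'Ldap-Group' is modelled as the set of group names the
ldap module would have looked up for the user.  The entry texts are
constructed from the thread (plus one catch-all).
"""
import re
from typing import Dict, List, Set, Tuple

Item = Tuple[str, str, str]                    # (attribute, operator, value)
Entry = Tuple[str, List[Item], List[Item]]     # (name, check items, reply items)

ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(==|:=|!=|=)\s*("[^"]*"|[^,\s]+)')

# The single entry from the question: it matches every wireless user.
ORIGINAL_ENTRY = """
DEFAULT   NAS-Port-Type == Wireless-802.11
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 10,
\tTunnel-Type = VLAN
"""

# The two group-qualified entries plus a catch-all for users in neither group.
USERS_FILE = """
DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 10,
\tTunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 20,
\tTunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11
\tReply-Message = "no VLAN assigned for your groups"
"""


def parse_users(text: str) -> List[Entry]:
    """An unindented 'name check-items' line starts an entry; the indented
    lines that follow carry its reply items."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if not entries:
                raise ValueError("reply items before any entry: %r" % raw)
            entries[-1][2].extend(m.groups() for m in ITEM_RE.finditer(raw))
            continue
        name, _, checks = raw.partition(" ")
        entries.append((name, [m.groups() for m in ITEM_RE.finditer(checks)], []))
    return entries


def entry_matches(name: str, checks: List[Item], request: Dict[str, object]) -> bool:
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    for attr, op, value in checks:
        if op == ":=":                    # e.g. Auth-Type := MSCHAP: a setting, not a test
            continue
        value = value.strip('"')
        if attr == "Ldap-Group":
            present = value in request.get("Ldap-Group", set())
        else:
            present = request.get(attr) == value
        if (op == "==" and not present) or (op == "!=" and present):
            return False
    return True


def authorize(entries: List[Entry], request: Dict[str, object]) -> Dict[str, str]:
    """Reply items of the first matching entry; later entries are consulted
    only while a matched entry sets Fall-Through = Yes."""
    reply: Dict[str, str] = {}
    for name, checks, replies in entries:
        if not entry_matches(name, checks, request):
            continue
        fall_through = False
        for attr, _op, value in replies:
            value = value.strip('"')
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1", "on")
            else:
                reply[attr] = value
        if not fall_through:
            break
    return reply


def vlan_for(groups: Set[str], users_text: str = USERS_FILE,
             port_type: str = "Wireless-802.11") -> str:
    """Tunnel-Private-Group-Id the given entries hand to a user in these groups."""
    request = {"User-Name": "jdoe", "NAS-Port-Type": port_type, "Ldap-Group": groups}
    return authorize(parse_users(users_text), request).get("Tunnel-Private-Group-Id", "")


if __name__ == "__main__":
    for groups in ({"Students"}, {"Staff"}, {"Students", "Staff"}, set()):
        print(sorted(groups), "original entry ->", vlan_for(groups, ORIGINAL_ENTRY) or "-",
              " per-group entries ->", vlan_for(groups) or "-")
```

A user in both groups gets VLAN 10 because the Students entry is listed first; order the entries by the VLAN you want to win when memberships overlap, and keep a final unqualified entry (or none, to reject) so that users in neither group do not silently fall into the first VLAN.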


RE: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Chris Liles
I thought the ldap module wouldn't work with PEAP and AD unless you store the 
LM and NT password hashes for each user in AD?! Because you can't get the 
cleartext password back from AD...

I don't think that extending AD to store this info would be difficult, I just 
think having those hashes updated when a user changes his/her password would be 
a pain, but I don't know.



--
Chris Liles


 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Phil Mayers
 Sent: Wednesday, June 28, 2006 4:20 PM
 To: FreeRadius users mailing list
 Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
 
 fvt3 wrote:
  Hi,
 
  I have a question on configuring freeradius to return
  vlan attributes based on a user group membership or ou.
   I have a windows client xp sp2 using peap mschap2 to
  authenticate off radius.  How do I set radius to
  return a vlan id of 10 if the user belongs to the
  student group, and if the user belongs to the teacher
  group the user gets a vlan id of 20?  I have freeradius
  authenticating off Active Directory but it's only
  returning one vlan..
 
  DEFAULT   NAS-Port-Type == Wireless-802.11
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10,
Tunnel-Type = VLAN
 
  Do I have to add something else in the users file?
 
 You will need to configure the LDAP module to fetch groups from AD's LDAP
 server. See copious documentation or posts to the list. Broadly, once
 the LDAP module is set up correctly:
 
 DEFAULT   NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 10,
   Tunnel-Type = VLAN
 
 DEFAULT   NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 20,
   Tunnel-Type = VLAN
 
 Alternatively if you fill AD in from some external system e.g. SQL
 database you can pull from there, or dump the groups to a file like so:
 
 username:groupname
 
 ...and use the (poorly-named) passwd module to add the group.



Re: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Neal S. Garber
You will need to configure the LDAP module to fetch groups from AD's LDAP 
server. See copious documentation or posts to the list. Broadly, once the 
LDAP module is set up correctly:


DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10,
Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 20,
Tunnel-Type = VLAN


The doc. states that LDAP only supports PAP.  Is this a problem given he 
said he's using PEAP/MSCHAPv2?  How would LDAP do the authentication if it 
doesn't have a clear text password?  Or is the approach to use MSCHAPv2 for 
authentication and then LDAP for authorization??


Thanks for helping me better understand... 





RE: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Chris Liles
I never thought about splitting the authentication and authorization between 
ntlm and ldap. 

I don't see why that wouldn't work, but I really have no idea.

But that would be pretty slick, coupled with some hacked wrt54g's to support 
the vlans, a pretty cheap enterprise-level solution!

--
Chris Liles


 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Neal S. Garber
 Sent: Wednesday, June 28, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
 
  You will need to configure the LDAP module to fetch groups from AD's LDAP
  server. See copious documentation or posts to the list. Broadly, once the
  LDAP module is set up correctly:
 
  DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 10,
  Tunnel-Type = VLAN
 
  DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 20,
  Tunnel-Type = VLAN
 
 The doc. states that LDAP only supports PAP.  Is this a problem given he
 said he's using PEAP/MSCHAPv2?  How would LDAP do the authentication if it
 doesn't have a clear text password?  Or is the approach to use MSCHAPv2
 for
 authentication and then LDAP for authorization??
 
 Thanks for helping me better understand...
 
 



Re: Buy SSL Certificates for PEAP

2006-06-28 Thread VannMann32 .

Hello !

By default, OpenSSL uses PEM format, so if you didn't specify a 
certificate format of DER, then it's a PEM encoded cert.  If you look at 
the cert in a text viewer/editor, you'll see lines that have --- BEGIN 
CERTIFICATE--- and ---END CERTIFICATE--- if it's PEM encoded.


The certificate is in PEM format.


Isn't there anybody who can verify how the eap.conf file should be?

   tls {
   #  private_key_password = X
   #  private_key_file = 
${raddbdir}/certs/somecertificate.cer
   certificate_file = 
${raddbdir}/certs/somecertificate.cer

   CA_file = ${raddbdir}/certs/demoCA/cacert.pem
   dh_file = ${raddbdir}/certs/dh
   random_file = ${raddbdir}/certs/random
   #   fragment_size = 1024
   #   include_length = yes
   #   check_crl = yes
   #   check_cert_issuer = 
/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd

   #   check_cert_cn = %{User-Name}
   #   cipher_list = DEFAULT
   }


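On the format question: "openssl x509 -in somecertificate.cer -text" succeeding without "-inform DER" already means the file is PEM. The Python below is an added example (not FreeRADIUS or OpenSSL code; the sample inputs are constructed placeholders, not real certificates or keys) that makes the check explicit and adds the one rlm_eap_tls actually cares about for the tls {} block above: certificate_file must contain a CERTIFICATE block and private_key_file a private key block (the same file may serve both when it holds both, and an encrypted key needs private_key_password). A .cer handed back by a CA carries only the certificate; the private key stays in the file the CSR was generated from.

```python
"""Tell PEM from DER and list what a PEM file actually contains.

Added example, not FreeRADIUS or OpenSSL code.  PEM block labels follow the
RFC 7468 / OpenSSL conventions; a DER certificate or key always begins with
an ASN.1 SEQUENCE tag (0x30).  The sample inputs at the bottom are
constructed placeholders: the base64 bodies are not real keys or certificates.
"""
import re
from typing import List

PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def detect_format(data: bytes) -> str:
    """'PEM' if PEM armour is present, 'DER' if it starts with a SEQUENCE tag."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def pem_labels(data: bytes) -> List[str]:
    """Labels of all PEM blocks, in file order, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [m.group(1).decode("ascii") for m in PEM_BLOCK_RE.finditer(data)]


def eap_tls_files_ok(cert_file: bytes, key_file: bytes) -> List[str]:
    """Problems that would stop rlm_eap_tls loading these two files:
    certificate_file needs a CERTIFICATE block, private_key_file a private
    key block; an encrypted key additionally needs private_key_password."""
    problems = []
    if "CERTIFICATE" not in pem_labels(cert_file):
        problems.append("certificate_file has no CERTIFICATE block")
    key_labels = pem_labels(key_file)
    if not KEY_LABELS.intersection(key_labels):
        problems.append("private_key_file has no private key block")
    elif "ENCRYPTED PRIVATE KEY" in key_labels or b"Proc-Type: 4,ENCRYPTED" in key_file:
        problems.append("private key is encrypted: set private_key_password")
    return problems


# Constructed samples (placeholder base64, not real material).
CERT_ONLY = (b"-----BEGIN CERTIFICATE-----\nMIIBszCCARygAwIBAgIBAA==\n"
             b"-----END CERTIFICATE-----\n")
CERT_AND_KEY = CERT_ONLY + (b"-----BEGIN RSA PRIVATE KEY-----\n"
                            b"MIIEowIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n")
DER_BLOB = bytes.fromhex("308201a03082010a")   # constructed DER prefix only

if __name__ == "__main__":
    for name, blob in (("cert-only", CERT_ONLY), ("cert+key", CERT_AND_KEY), ("der", DER_BLOB)):
        print(name, detect_format(blob), pem_labels(blob))
    print("cert file used for both settings:", eap_tls_files_ok(CERT_ONLY, CERT_ONLY))
```

With somecertificate.cer as both certificate_file and private_key_file, the check reports the missing key block, which is the reason the tls {} block above cannot work as posted: point private_key_file at the file holding the server's key (or append the key to the certificate file and point both settings at it).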


Windows 2000 ignoring Access-Accept

2006-06-28 Thread Doug Wright
Hello All.

I'm having a rather odd problem and can no longer afford to bang my head on 
the desk.

I have Freeradius 1.1.1 working for winXP clients and Intermec CK30 bar code 
scanners using EAP-TLS authentication.  The issue I'm having is with win2k.  
According to my radius log an access-accept packet is being sent to the 
client, but the client seems to be ignoring it by continuing to send 
access-request packets.

Maybe a fresh pair of eyes looking over my log will catch something I'm missing.

Again, the client is win2k with SP4.  Authentication method is EAP-TLS.  The 
machine uses a Cisco Aironet 350 11b PCI card with the latest drivers.  
Freeradius is version 1.1.1.

I have 16 of these systems that I need to get working.

Any solution will get you a big hug ;o)

-Doug

Here's the output of Freeradius:

Ready to process requests.
rad_recv: Access-Request packet from host 172.18.138.20:1645, id=252, 
length=160
User-Name = OIT07.plydex.decoma.com
Framed-MTU = 1400
Called-Station-Id = 0016.4631.fdb0
Calling-Station-Id = 000b.5feb.e378
Service-Type = Login-User
Message-Authenticator = 0xfa2fc8d43ca72a7493037b4063809fdc
EAP-Message = 0x0202001c014f495430372e706c796465782e6465636f6d612e636f6d
NAS-Port-Type = Wireless-802.11
NAS-Port = 798
NAS-IP-Address = 172.18.138.20
NAS-Identifier = AP1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = OIT07.plydex.decoma.com, looking up 
realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 252 to 172.18.138.20:1645
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0x7d80c12e86b5280fc6bbb43135d7a0f6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.18.138.20:1645, id=253, 
length=262
User-Name = OIT07.plydex.decoma.com
Framed-MTU = 1400
Called-Station-Id = 0016.4631.fdb0
Calling-Station-Id = 000b.5feb.e378
Service-Type = Login-User
Message-Authenticator = 0x7b11ea00e1a1ef7ae92d8b85d32d1fad
EAP-Message = 0x020300700d8000661603010061015d0301449c3941ac4e798194917f3a2ece3387637476b85e300b991aba12ab10cb2133201031998c0256343a7436ce53f69c84559c2c72bd37d5b85b246e4887ebcbbcf7001600040005000a000900640062000300060013001200630100
NAS-Port-Type = Wireless-802.11
NAS-Port = 798
State = 0x7d80c12e86b5280fc6bbb43135d7a0f6
NAS-IP-Address = 172.18.138.20
NAS-Identifier = AP1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: No '@' in User-Name = OIT07.plydex.decoma.com, looking up 
realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept 
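The EAP-Message attributes in the log above are easier to follow once decoded. The following is an added example, not FreeRADIUS code: it parses the EAP header (Code, Identifier, Length, Type, RFC 3748 section 4) and the EAP-TLS flags plus optional 4-byte TLS length (RFC 5216 section 3.1), using the values from this log as input. The client's Identity response (id 2) and the server's EAP-TLS Start (id 3) decode cleanly; the client's first TLS fragment (also id 3) declares a Length of 0x70 = 112 bytes but fewer than that are present in the archived log, so the length check rejects it rather than misparsing it.

```python
"""Decode the EAP-Message attributes printed in the debug output above.

Added example, not FreeRADIUS code.  Header layout per RFC 3748 section 4
(Code, Identifier, Length, Type); EAP-TLS flags and the optional 4-byte TLS
message length per RFC 5216 section 3.1.  Inputs are the EAP-Message values
from the log: the client's Identity response (id 2), the server's EAP-TLS
Start (id 3), and the client's first TLS fragment (id 3), which is kept to
show the Length check rejecting a message with bytes missing.
"""
import struct
from typing import Dict, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start

# EAP-Message values copied from the log above.
LOG_IDENTITY = "0x0202001c014f495430372e706c796465782e6465636f6d612e636f6d"
LOG_TLS_START = "0x010300060d20"
LOG_TLS_FRAGMENT = (
    "0x020300700d8000661603010061015d0301449c3941ac4e798194917f3a2ece3387637476b85e300b991aba12ab10cb2133"
    "201031998c0256343a7436ce53f69c84559c2c72bd37d5b85b246e4887ebcbbcf7"
    "001600040005000a000900640062000300060013001200630100")


def _raw(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)


def declared_vs_present(hexstr: str) -> Tuple[int, int]:
    """(value of the EAP Length field, number of bytes actually present)."""
    raw = _raw(hexstr)
    return struct.unpack("!H", raw[2:4])[0], len(raw)


def decode_eap(hexstr: str) -> Dict[str, object]:
    """Parse one EAP packet as logged; raises ValueError on a malformed one."""
    raw = _raw(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP Length says %d bytes but %d are present" % (length, len(raw)))
    out: Dict[str, object] = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length < 5:            # Success/Failure carry no Type
        return out
    etype, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif etype == 13:
        if not body:
            raise ValueError("EAP-TLS packet without a flags byte")
        flags = body[0]
        out["flags"] = "".join(n for n, bit in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S))
                               if flags & bit)
        pos = 1
        if flags & FLAG_L:                       # L: 4-byte total TLS message length follows
            if len(body) < 5:
                raise ValueError("L flag set but no 4-byte TLS length")
            out["tls_length"] = struct.unpack("!I", body[1:5])[0]
            pos = 5
        out["tls_data"] = body[pos:]
    return out


def decodes_cleanly(hexstr: str) -> bool:
    try:
        decode_eap(hexstr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, msg in (("identity", LOG_IDENTITY), ("tls-start", LOG_TLS_START),
                      ("tls-fragment", LOG_TLS_FRAGMENT)):
        try:
            print(name, decode_eap(msg))
        except ValueError as exc:
            print(name, "rejected:", exc)
```

The EAP Identifier is what ties an Access-Challenge to the next Access-Request: the server's Start carries id 3 and the client answers with id 3, which is the first thing to compare when a client appears to ignore a packet.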

RE: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread fvt3
Are you suggesting that I do not use the MSCHAP module and
use the ldap module to do the group lookup?  If you're using the LDAP
module, that would mean stripping the user name
because the user name will be in this format:
domain\\username.  Then in the radius config file I
would have 
ldap student {
}

ldap staff {

}


user file
DEFAULT NAS-Port-Type ==
Wireless-802.11,Autz-type=LDAP1, Auth-Type := MSCHAP
 Ldap-Group == Students
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 10,
   Tunnel-Type = VLAN

DEFAULT NAS-Port-Type ==
Wireless-802.11,Autz-type=LDAP2, Auth-Type := MSCHAP
 Ldap-Group == Staff
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 20,
   Tunnel-Type = VLAN


Does this config sound right or am I off?  Thanks for
the suggestion..


--- Chris Liles [EMAIL PROTECTED] wrote:

 I never thought about splitting the authentication
 and authorization between ntlm and ldap. 
 
 I don't see why that wouldn't work, but I really
 have no idea.
 
 But that would be pretty slick, coupled with some
 hacked wrt54g's to support the vlans, a pretty
 cheap enterprise-level solution!
 
 --
 Chris Liles
 
 
  -Original Message-
  From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of
  Neal S. Garber
  Sent: Wednesday, June 28, 2006 4:44 PM
  To: FreeRadius users mailing list
  Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
  
   You will need to configure the LDAP module to fetch groups from A's LDAP
   server. See copious documentation or posts to the list. Broadly, once the
   LDAP module is set up correctly:
  
   DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 10,
   Tunnel-Type = VLAN
  
   DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 20,
   Tunnel-Type = VLAN
  
  The doc. states that LDAP only supports PAP.  Is this a problem given he
  said he's using PEAP/MSCHAPv2?  How would LDAP do the authentication if it
  doesn't have a clear text password?  Or is the approach to use MSCHAPv2 for
  authentication and then LDAP for authorization??
  
  Thanks for helping me better understand...
 

