Re: Windows Vista doing PEAP
Hi

On 10/10/06, King, Michael <[EMAIL PROTECTED]> wrote:
> I'm assuming it built it that way. Anyways, here's what I got following those directions (which is what leads me to think the symbols got stripped)

If you look at or around line 188, there should be dh_strip, which normally does live up to its name, i.e. stripping binaries of what it considers "unneeded symbols". For building a "debugging" package let DEB_BUILD_OPTIONS contain "nostrip".

Uh, on a side note, the ifeq/endif construct around it seems unneeded to me, as dh_strip should honor "nostrip" internally.

regards
K. Hoercher

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Accounting-Response Log ??
Hi,

I have two radius servers (FreeRADIUS and Juniper SBR). The FreeRADIUS server is a radius proxy that proxies all auth/acct requests to the Juniper SBR. I sometimes find that some Accounting-Stop requests don't arrive at the Juniper SBR. Because the FreeRADIUS server and the Juniper SBR are in different subnets and go through a firewall, I think this problem may be caused by the firewall.

In the radius accounting communication model there should be a request and a response. Does FreeRADIUS log the Accounting-Response result? How do I enable it? I want to use this log to identify the problem.

Thanks.
Rio Yang
Decisionmaking in FreeRADIUS & Check/Reply Items
Hello list,

I am trying to use the 'files' module of FreeRADIUS to do decision-making, based on information pulled in from the sql module and the sqlcounter thing. First off, is this the right way of doing this? I want to assign users a different Pool-Name for each assigned speed, and send Max-Download-Speed and Max-Upload-Speed vendor-specific variables to the client on each request.

My actual problem relates to the following errors, pulled from radiusd -X:

  Module: Loaded files
   files: usersfile = "/etc/raddb/users"
   files: acctusersfile = "/etc/raddb/acct_users"
   files: preproxy_usersfile = "/etc/raddb/preproxy_users"
   files: compat = "no"
  [/etc/raddb/users]:214 WARNING! Check item "Pool-Name"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:214 WARNING! Check item "Max-Download-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:214 WARNING! Check item "Max-Upload-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:220 WARNING! Check item "Pool-Name"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:220 WARNING! Check item "Max-Download-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:220 WARNING! Check item "Max-Upload-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:226 WARNING! Check item "Pool-Name"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:226 WARNING! Check item "Max-Download-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:226 WARNING! Check item "Max-Upload-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:232 WARNING! Check item "Pool-Name"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:232 WARNING! Check item "Max-Download-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  [/etc/raddb/users]:232 WARNING! Check item "Max-Upload-Rate"
          found in reply item list for user "DEFAULT".
          This attribute MUST go on the first line with the other check items
  Module: Instantiated files (files)
  radiusd.conf: "files" modules aren't allowed in 'post-auth' sections -- they have no such method.
  radiusd.conf[327] Failed to parse post-auth section.
  [EMAIL PROTECTED] [/etc/raddb]#

The offending rules are in users:

  # user gets high speed service if under 20gb
  DEFAULT User-Bytes-Used < 21474836480, Group == "512k"
          Pool-Name := "512k_high",
          Max-Download-Rate := 524288,
          Max-Upload-Rate := 262144

  # user gets low speed service if over 20gb
  DEFAULT User-Bytes-Used > 21474836480, Group == "512k"
          Pool-Name := "512k_low",
          Max-Download-Rate := 262144,
          Max-Upload-Rate := 131072

  # user gets high speed service if under 50gb
  DEFAULT User-Bytes-Used < 53687091200, Group == "10m"
          Pool-Name := "10m_high",
          Max-Download-Rate := 10485760,
          Max-Upload-Rate := 10485760

  # user gets low speed service if over 50gb
  DEFAULT User-Bytes-Used > 53687091200, Group == "10m"
          Pool-Name := "10m_low",
          Max-Download-Rate := 1048576,
          Max-Upload-Rate := 1048576

But... but... the bottom 3 attributes *aren't* check attributes! I want to *set* them! Or am I getting entirely the wrong end of the stick here? Can somebody point out how these rules are meant to be arranged, and perhaps how I could do this in sql? It's all quite confusing.

  # radiusd.conf - important bits
  ##
  sqlcounter monthlybytecounter {
          counter-name = User-Bytes-Used
          check-name = Max-User-Bytes
          sqlmod-inst = sql
          key = User-Name
          reset = monthly
          # this query is awesome in every way.
          # it selects the traffic used by the user since they last paid for their subscription
          # and adds up the input and output bytes together to get a composite usage figure.
          query = "SELECT SUM(AcctInputOcte..
  }

  instantiate {
          monthlybytecounter
  }

  authorize {
          preprocess
          sql
  }

  authenticate {
          pap
  }

  preacct {
          preprocess
          # acct_unique
  }

  accounting {
          #acct_unique
          #detail
mac auth help please
Hello guys,

I'm on FreeBSD 6.1-R, freeradius, mysql 4.1, and using chillispot to authenticate users. It's a wired network, not wireless.

The problem is that some users are using "phone adapters" such as Motorola or Cisco on my network, so instead of plugging the cat5 (ethernet) cable into their laptop they are plugging the cable into the phone adapter. The adapter is not working, of course, because it's expecting an internet connection, while chillispot expects the adapter to "authenticate", which the adapter will not do. So I have been advised to add the MAC address to some allow list.

Is there any way that I can make one MAC address only not authenticate, and keep the rest of the network authenticating using chillispot?

Thank you.
Marwan Sultan
Re: Adding proxying to our EAP setup
Dave Mussulman wrote:
> The catch I ran into involved the mschap section not authenticating off the User-Password in the users file if I had the ntlm_auth line configured. This is my test system, and I don't have samba/winbindd configured so those attempts always failed, but it never seemed to fall back to figuring it out itself. That made troubleshooting difficult when I couldn't get the simple users file entry to work. Commenting out the ntlm_auth line did the trick. I haven't changed anything on our production servers, but it must do things differently as we have ntlm_auth configured and authenticating from the AD or a sql database with local passwords. Maybe FreeRADIUS handles different ntlm_auth failures differently (cannot bind versus bad user password?)

You need something like this:

  alocaluser User-Password := "astring", MS-CHAP-Use-NTLM-Auth := 0

...which lets you use ntlm_auth for some users, but override it on a case-by-case basis.

> Until the upstream server gets the functionality I'm looking for, there were a few possible future issues I wanted to document before I lost them. If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address == 127.0.0.1 trick doesn't work. I was also concerned that proxying

Hmm. Yes, that would occur, and in many cases copy_request_to_tunnel is highly desirable. Not sure how to handle that.

> seems to keep the NAS-IP-Address set to 127.0.0.1, and I didn't know if the upstream provider would be concerned about that. I put a setting in the preproxy_users file to set that to an allowed NAS IP, but didn't get to fully test/confirm that worked.

Yes again. Hmm. Not really optimal - the ideal situation would be copy_request_to_tunnel to give the original NAS IPs/ports/etc. to the upstream server, but as you say that breaks the match for the inner eap. I guess inner/outer should really be a FreeRadius internal attribute.

From the look of the code however, fake requests will have Client-IP-Address set to 127.0.0.1 by the "preprocess" module, and that's a FreeRadius internal/not-on-the-wire attribute - you should be able to replace matching on NAS-IP-Address with Client-IP-Address and set copy_request_to_tunnel and all would be well.

> Thanks again for the help, and great product!
>
> Dave
RE: EAP-TLS Certificate problems.
Got it up and running. Partially your help, and partially me going and forcefully breaking something to see what errors cropped up. Renamed the original PEM directory in OpenSSL and all sorts of errors popped up that led me to the discovery it was still using the DemoCA's CA to make the client and server certs, and not the CA created by the script. I've since got that fixed and it all works perfectly now.

Best way to fix a non-critical is to break it and see what goes really wrong! ;)

Thanks,
Brian.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Jason Wittlin-Cohen
> Sent: Monday, October 09, 2006 1:45 PM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: EAP-TLS Certificate problems.
>
> > Date: Mon, 9 Oct 2006 11:26:51 -0400
> > From: "Brian vb" <[EMAIL PROTECTED]>
> > Subject: RE: EAP-TLS Certificate problems.
> > To: "'FreeRadius users mailing list'"
> > Message-ID: <[EMAIL PROTECTED]>
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Recreated certs, same issue came with the Issuer field. XPExtensions are used. Password is the same in this file and what FreeRADIUS has, just changed to protect it.
> >
> > Here is the batch file I'm using to create the certs. I don't see anything amiss between it and the page you sent.. any ideas?
> >
> > PATH=C:\openssl\bin;C:\ssl1;%path%
> > export LD_LIBRARY_PATH=C:\openssl\lib
> >
> > CD\SSL1
> >
> > REM CA Creation
> > C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newreq.pem -out root.p12 -cacerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in root.p12 -out root.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in root.pem -out root.der
>
> I'm not sure what you're doing here. First,
>
> > C:\openssl\bin\openssl req -new -x509 -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> You're outputting the private key and public key to the same file. I'm not sure if this will include both in the same file, or only create one. Regardless, it's not what you want to do. Give the files unique names. The clients and server need the public key and only the certificate signing machine needs the private key. You don't want to combine the keys.
>
> To create a CA:
>
> openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
>
> Also, why are you creating a p12 file for the CA? You certainly don't want to hand out the private key to clients, and for certificate signing, you only need the private key which can be stored in cakey.pem for example. Clients should be given cacert.pem or cacert.der depending on the format you use. The p12 format should only be used for client certs because those need to combine private key + certificate (at least for the MS supplicant).
>
> > REM Client cert Create
> > C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> Again, -keyout is used to create the private key, and -out to create the certificate signing request which is then passed on to the CA later. You're using the same filename, so I have no idea what's happening. Either you have a certificate signing request and no key, or a key without a signing request. Either way, it won't work.
>
> You need to do something like this:
>
> openssl req -new -keyout client_key.pem \
>     -out client_req.pem -days 730 -config ./openssl.cnf
>
> Notice that the key and the signing request are given different names.
>
> > C:\openssl\bin\openssl ca -policy policy_anything -out newcert.pem -passin pass:PassCodeRemoved -key PassCodeRemoved -extensions xpclient_ext -extfile xpexts -infiles newreq.pem
> >
> > C:\openssl\bin\openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-clt.p12 -clcerts -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
> >
> > C:\openssl\bin\openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der
>
> So, you convert from a PEM certificate and PEM key, to a P12 cert+key, to a PEM cert+key, to a DER cert+key. Why? The P12 cert+key will work fine.
>
> > REM Server Cert Create
> > C:\openssl\bin\openssl req -new -keyout newreq.pem -out newreq.pem -days 730 -passin pass:PassCodeRemoved -passout pass:PassCodeRemoved
>
> Again, the key and certificate signing request must be given different names or else your setup will fail.
>
> >
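As an added check related to the -keyout/-out mix-up discussed in the reply above (this is example code written for this page, not anything from the thread or from OpenSSL): a small scanner that lists the PEM blocks in a file, so you can confirm that what you hand to clients holds only certificates and that no private key was written into the same file. The PEM texts embedded below are constructed placeholders, not real keys or certificates.

```python
"""List the PEM blocks in a file before distributing it.

Added example, not code from the thread.  When `-keyout` and `-out` name
the same file, a private key and a certificate (or CSR) can end up
together in it.  This scanner reports the BEGIN/END labels found so you
can verify that the file given to clients contains certificates only,
and that the key file stays on the signing machine.
"""
import re
import sys
from collections import Counter

# A PEM block: "-----BEGIN label-----" ... "-----END label-----" with matching labels.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
}
REQUEST_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def pem_labels(text):
    """Ordered list of PEM block labels found in `text`."""
    return [m.group("label") for m in _PEM_BLOCK.finditer(text)]


def classify_pem(text):
    """Count certificates, signing requests and private keys in PEM text."""
    counts = Counter(pem_labels(text))
    return {
        "certificates": counts.get("CERTIFICATE", 0),
        "requests": sum(n for lbl, n in counts.items() if lbl in REQUEST_LABELS),
        "private_keys": sum(n for lbl, n in counts.items() if lbl in PRIVATE_KEY_LABELS),
    }


def safe_to_distribute(text):
    """True only if the file holds at least one certificate and no private key."""
    summary = classify_pem(text)
    return summary["private_keys"] == 0 and summary["certificates"] >= 1


# Constructed samples: the base64 bodies are placeholder text, not key material.
CA_CERT_ONLY = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""

KEY_AND_CERT_IN_ONE_FILE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""

CSR_ONLY = """-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgUkVRVUVTVA==
-----END CERTIFICATE REQUEST-----
"""

if __name__ == "__main__":
    # Usage: python pem_check.py cacert.pem
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        data = fh.read()
    print(classify_pem(data), "distributable" if safe_to_distribute(data) else "KEEP PRIVATE")
```

Run it against the file you intend to copy to clients; anything reported with a non-zero private-key count should never leave the signing machine, and a file with zero certificates is not a usable trust anchor.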
Re: Adding proxying to our EAP setup
Thanks for the help, Phil and Alan. This message is pretty much an FYI/wrap-up for the archives (and for me, since it might be a bit before I get back to it.)

The users I want to proxy have a fairly programmatic username pattern, so I think the best thing for me is to expression match in a users file (as opposed to hints or realms.) My setup looks like:

  authorize {
          preprocess
          eap
          files
          Autz-Type EAPINNER {
                  eapfiles
                  mschap
          }
  }

files has a DEFAULT line that catches the RADIUS server stripping through the tunnels, and applies it to the EAPINNER Autz-Type:

  DEFAULT NAS-IP-Address == "127.0.0.1", Autz-Type := EAPINNER

The eapfiles is a second instance of the users file with the line:

  DEFAULT User-Name =~ "^vpn[0123456789]+$", Proxy-to-Realm := "VPNaccts"

(I wonder if I couldn't combine the NAS-IP-Address, User-Name and Proxy-to-Realm in the first users file. Maybe I'll try that later. If I did it on the outer loop, it proxied the full EAP session, instead of just the inner authentication.)

In eap.conf, setting peap's proxy_tunneled_request_as_eap toggle let me control whether I sent on EAP messages or MSCHAP messages. (My copy of the config didn't have that option, but it worked when I added it from the 1.1.3 eap.conf.)

Unfortunately, my upstream RADIUS server doesn't yet support MSCHAP or EAP, so I'm waiting on that. But I'm pleased with what I've been able to do so far.

The catch I ran into involved the mschap section not authenticating off the User-Password in the users file if I had the ntlm_auth line configured. This is my test system, and I don't have samba/winbindd configured so those attempts always failed, but it never seemed to fall back to figuring it out itself. That made troubleshooting difficult when I couldn't get the simple users file entry to work. Commenting out the ntlm_auth line did the trick.

I haven't changed anything on our production servers, but it must do things differently as we have ntlm_auth configured and authenticating from the AD or a sql database with local passwords. Maybe FreeRADIUS handles different ntlm_auth failures differently (cannot bind versus bad user password?)

Until the upstream server gets the functionality I'm looking for, there were a few possible future issues I wanted to document before I lost them. If I set copy_request_to_tunnel in peap to yes, my NAS-IP-Address == 127.0.0.1 trick doesn't work. I was also concerned that proxying seems to keep the NAS-IP-Address set to 127.0.0.1, and I didn't know if the upstream provider would be concerned about that. I put a setting in the preproxy_users file to set that to an allowed NAS IP, but didn't get to fully test/confirm that worked.

Thanks again for the help, and great product!

Dave
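The users-file questions on this page (the check-item/reply-item warnings from the files module in the "Decisionmaking" thread, the `alocaluser` override with MS-CHAP-Use-NTLM-Auth := 0, and the DEFAULT entries that steer the EAP inner tunnel above) all come down to how one entry is matched. What follows is an added, simplified model of that matching, written for this page; it is not FreeRADIUS code. The entries and requests in it are constructed samples modelled on the posts, and it deliberately ignores two things the real module does: deciding check-vs-reply from the dictionary as well as from the position in the file, and Fall-Through.

```python
"""Simplified model of how a FreeRADIUS 'users' file entry is matched.

Added example; not FreeRADIUS code.  An entry is a name (a User-Name or
DEFAULT) followed by check items on the same line; indented lines after
it are reply items.  A check item with ==, <, > or =~ is tested against
the request; a check item with := is set on the request when the entry
matches (this is how Autz-Type, Proxy-to-Realm and MS-CHAP-Use-NTLM-Auth
steer later processing).  Reply items are returned only when every check
item passed.  Simplification: position alone decides check vs reply, and
processing stops at the first matching entry (no Fall-Through).
"""
import re

# attribute, operator, value  (value is either "quoted" or a bare token)
_ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=~|<|>)\s*("[^"]*"|\S+?)\s*(?:,|$)')


def _parse_value(raw):
    """Strip quotes, or turn bare numeric tokens into ints."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def _parse_items(text):
    """'A == "x", B := 5'  ->  [('A', '==', 'x'), ('B', ':=', 5)]"""
    return [(m.group(1), m.group(2), _parse_value(m.group(3)))
            for m in _ITEM.finditer(text)]


def parse_users(text):
    """Parse users-file text into a list of (name, check_items, reply_items)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t":                  # entry start: name + check items
            parts = line.split(None, 1)
            name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            entries.append((name, _parse_items(rest), []))
        else:                                     # continuation line: reply items
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1][2].extend(_parse_items(line))
    return entries


def _check(op, have, want):
    """Evaluate one comparison check item against a request value."""
    if have is None:
        return False
    if op == "==":
        return str(have) == str(want)
    if op == "=~":
        return re.search(str(want), str(have)) is not None
    if op == "<":
        return int(have) < int(want)
    if op == ">":
        return int(have) > int(want)
    raise ValueError("unsupported operator %r" % op)


def authorize(entries, request):
    """Return (entry_name, request_after_checks, reply) for the first matching entry.

    `request` maps attribute names to values; a copy is returned, extended by
    the := check items of the matching entry.  (None, request, {}) if no match.
    """
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        req = dict(request)
        matched = True
        for attr, op, value in checks:
            if op == ":=":
                req[attr] = value
            elif not _check(op, req.get(attr), value):
                matched = False
                break
        if matched:
            return name, req, {attr: value for attr, _, value in replies}
    return None, dict(request), {}


# Constructed sample entries modelled on the threads (not a real users file).
USERS = '''
alocaluser  User-Password := "astring", MS-CHAP-Use-NTLM-Auth := 0

DEFAULT  User-Name =~ "^vpn[0123456789]+$", Proxy-to-Realm := "VPNaccts"

# User-Bytes-Used is what a sqlcounter instance would add to the request.
DEFAULT  User-Bytes-Used < 21474836480, Group == "512k"
         Pool-Name := "512k_high",
         Max-Download-Rate := 524288,
         Max-Upload-Rate := 262144

DEFAULT  User-Bytes-Used > 21474836480, Group == "512k"
         Pool-Name := "512k_low",
         Max-Download-Rate := 262144,
         Max-Upload-Rate := 131072
'''

ENTRIES = parse_users(USERS)

if __name__ == "__main__":
    for req in ({"User-Name": "alocaluser"},
                {"User-Name": "vpn00042"},
                {"User-Name": "bob", "Group": "512k", "User-Bytes-Used": 5000000000},
                {"User-Name": "bob", "Group": "512k", "User-Bytes-Used": 30000000000}):
        print(authorize(ENTRIES, req))
```

The model makes the asymmetry visible: `Proxy-to-Realm := "VPNaccts"` and `Autz-Type := EAPINNER` belong on the first line because they are applied to the request as part of matching, while `Pool-Name`, `Max-Download-Rate` and `Max-Upload-Rate` on the continuation lines only reach the reply when the comparisons on the first line all hold. Whether a given attribute may sit in the reply list at all is something the real server takes from its dictionary, which is exactly what the warnings in the first thread report.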
Support for Sub-TLVs within VSA TLVs
Hi All,

I am trying to make a dictionary for WiMAX attributes (defined by the WiMAX Forum/NWG). A few of the attributes they defined have sub-attributes. The format for one such attribute is given below:

  RadiusType = 26
  Length
  Value
    -> WiMAX Type = 10
    -> Length
    -> Sub-type = 1 or 2 or 3
       --> Length
       --> Value

Does FreeRADIUS have support for Sub-TLVs inside VSA TLVs today? If yes, can someone please give me an example of one such entry in the dictionary. If FreeRADIUS does not currently support sub-attributes, is there a plan to support this in the future?

Thanks in advance
Santosh
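To make the nested layout in the question concrete, here is an added encoder/decoder for a Vendor-Specific attribute carrying sub-TLVs (example code written for this page, not FreeRADIUS or WiMAX Forum code). It assumes the RFC 2865 Vendor-Id field between the attribute length and the vendor TLV, which the sketch above leaves out, and it uses a placeholder Vendor-Id rather than a registered one. The constructed sample carries vendor type 10 with sub-types 1, 2 and 3, and the decoder rejects any length field that does not fit the bytes actually present, which is the check a server must make before trusting nested lengths from the wire.

```python
"""Encode and decode a RADIUS Vendor-Specific attribute (type 26) whose vendor
payload carries nested sub-TLVs, as in the WiMAX question above.

Added example, not FreeRADIUS code.  Assumed layout:

  Type=26 | Length | Vendor-Id (4 bytes) | VType | VLength | sub-TLVs...
  sub-TLV:  SubType | SubLength | Value

Every length byte counts itself and its type byte, as RADIUS does.  The
Vendor-Id below is a placeholder, not a registered value.
"""
import struct

VSA_TYPE = 26
VENDOR_ID_PLACEHOLDER = 0xDEADBEEF   # placeholder: not the WiMAX Forum's vendor id


def encode_sub_tlvs(subs):
    """subs: list of (sub_type, value_bytes)  ->  concatenated sub-TLV bytes."""
    out = bytearray()
    for sub_type, value in subs:
        if not 0 <= sub_type <= 255:
            raise ValueError("sub-type %r out of range" % sub_type)
        if len(value) + 2 > 255:
            raise ValueError("sub-TLV value too long")
        out += struct.pack("!BB", sub_type, len(value) + 2) + value
    return bytes(out)


def encode_vsa(vendor_id, vendor_type, subs):
    """Build one complete attribute 26 holding one vendor TLV with sub-TLVs."""
    payload = encode_sub_tlvs(subs)
    if len(payload) + 2 > 255:
        raise ValueError("vendor TLV too long")
    vendor_tlv = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    body = struct.pack("!I", vendor_id) + vendor_tlv
    if len(body) + 2 > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def _walk_tlvs(buf):
    """Yield (type, value) for back-to-back Type/Length/Value items, bounds-checked."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated TLV header at offset %d" % pos)
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, pos))
        yield t, bytes(buf[pos + 2:pos + length])
        pos += length


def decode_vsa(attr):
    """attr bytes -> (vendor_id, [(vendor_type, [(sub_type, value), ...]), ...])."""
    if len(attr) < 8 or attr[0] != VSA_TYPE:
        raise ValueError("not a well-formed VSA")
    if attr[1] != len(attr):
        raise ValueError("attribute length %d != %d bytes present" % (attr[1], len(attr)))
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_tlvs = []
    for vendor_type, vendor_value in _walk_tlvs(attr[6:]):
        vendor_tlvs.append((vendor_type, list(_walk_tlvs(vendor_value))))
    return vendor_id, vendor_tlvs


def decode_vsa_or_none(attr):
    """decode_vsa, but returns None for malformed input (what a server should drop)."""
    try:
        return decode_vsa(attr)
    except ValueError:
        return None


def example_round_trip():
    """Constructed sample: vendor type 10 with sub-types 1, 2 and 3, as in the question."""
    subs = [(1, b"\x00\x00\x00\x01"), (2, b"abc"), (3, b"\x10")]
    attr = encode_vsa(VENDOR_ID_PLACEHOLDER, 10, subs)
    return attr, decode_vsa(attr)


if __name__ == "__main__":
    raw, parsed = example_round_trip()
    print(raw.hex())
    print(parsed)
```

The two walks are the same routine applied at two depths, which is the whole point of the question: a sub-TLV is just a TLV whose container is the value of another TLV, so a dictionary only has to say which vendor types are containers and what sub-types live inside them.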
AD Group based ldap auth
I'm trying to get group based authentication working using LDAP against AD. Right now I'm getting a failure related to the group search filter. What filter should I be using?

  groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"

Looking at the howto here http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048536.html got me part of the way. Anyone out there doing group based auth against AD mind sharing their config?

Thanks,
Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035
RE: Windows Vista doing PEAP
Ok... It segfaulted again. I'm trying to follow the directions in the doc/bugs folder. It says to compile with --enable-developer. In the debian rules file, it has:

  stamp-build: stamp-patch
          dh_testdir
  #       dh_testroot
          ./configure \
                  $(confflags) \
                  --config-cache \
                  --prefix=/usr \
                  --exec-prefix=/usr \
                  --mandir=$(mandir) \
                  --sysconfdir=/etc \
                  --libdir=$(libdir) \
                  --datadir=/usr/share \
                  --localstatedir=/var \
                  --with-raddbdir=$(raddbdir) \
                  --with-logdir=/var/log/$(package) \
                  --with-system-libtool --disable-ltdl-install \
                  --with-large-files --with-udpfromto --with-edir \
                  --enable-strict-dependencies \
                  --enable-developer \
                  ${buildssl}

I'm assuming it built it that way. Anyways, here's what I got following those directions (which is what leads me to think the symbols got stripped):

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 1077729984 (LWP 14568)]
  0x4018675b in strlen () from /lib/tls/libc.so.6
  * 1 Thread 1077729984 (LWP 14568)  0x4018675b in strlen () from /lib/tls/libc.so.6

  Thread 1 (Thread 1077729984 (LWP 14568)):
  #0  0x4018675b in strlen () from /lib/tls/libc.so.6
  No symbol table info available.
  #1  0x4015a064 in vfprintf () from /lib/tls/libc.so.6
  No symbol table info available.
  #2  0x40178161 in vsnprintf () from /lib/tls/libc.so.6
  No symbol table info available.
  #3  0x08051805 in vradlog ()
  No symbol table info available.
  #4  0x08051a4f in log_debug ()
  No symbol table info available.
  #5  0x40403a08 in eap_compose () from /usr/lib/freeradius/rlm_eap-1.1.3.so
  No symbol table info available.
  #6  0x40402cbc in ?? () from /usr/lib/freeradius/rlm_eap-1.1.3.so
  No symbol table info available.
  #7  0x08165ec0 in ?? ()
  No symbol table info available.
  #8  0x404053b5 in ?? () from /usr/lib/freeradius/rlm_eap-1.1.3.so
  No symbol table info available.
  #9  0x0155 in ?? ()
  No symbol table info available.
  #10 0x40059714 in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
  No symbol table info available.
  #11 0x4005a424 in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
  No symbol table info available.
  #12 0x4005addc in ?? () from /usr/lib/freeradius/libradius-1.1.3.so
  No symbol table info available.
  #13 0x in ?? ()
  No symbol table info available.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Friday, October 06, 2006 4:37 PM
To: FreeRadius users mailing list
Subject: Re: Windows Vista doing PEAP

"King, Michael" <[EMAIL PROTECTED]> wrote:
> Not to be rude, have you had a chance to poke that Patch again?

Reload it from the same URL as last time. If it still crashes, see doc/bugs. I don't see how it can crash at all, so the crash looks like a symptom of another issue.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: RHEL4 and Oracle Instant Client
Hi,

You have to download it from Oracle and then set all the needed paths, like LD_LIBRARY_PATH and ORA_HOME, pointing to the place where you decompressed the Oracle client. After that you need to recompile the rlm_oracle module under freeradiusxxx/src/modules/.

Cheers

On 10/10/06, Dourty, Brian R. (IATS) <[EMAIL PROTECTED]> wrote:
> Has anyone gotten the source RPMs from RHEL4 to build with the oracle module using the Oracle instant client? It keeps giving me the following error no matter what I try:
>
>   checking for oci.h... yes
>   checking for oracle_init in -loracleclient... no
>   configure: warning: oracle libraries not found. Use --with-oracle-lib-dir=.
>   configure: warning: sql submodule 'oracle' disabled
>
> Thanks,
> Brian Dourty
> System Administrator - Team Lead
> IAT Services
> University of Missouri - Columbia
> 573-882-1035

--
Guilherme de Oliveira Franco
Damovo - Brasil
Re: disable FreeRadius checking of client certs
Thanks guys for your post.

First off, I have tried using the WinXP supplicant and I have no problems authenticating with the Linksys wifi cards. I just wish the Linksys utility was like Cisco's, where I can tell it to provide either/or username/cert. The Cisco cards have no problem with this, whereas using the Linksys with its utility does not provide me with what I want. No big deal. Using the Linksys client utility, a username, password, and certificate must be provided (the certificate is a combo box so I can't even leave it blank). I have always preferred to use the utility that came with wifi cards for configuration. They typically provide more information and are more user friendly than the Windows supplicant. This problem pertains to the Linksys software more than FreeRadius. I was just hoping there was a way in the FreeRadius config files to help solve the problem.

Travis

----- Original Message -----
From: "Artur Hecker" <[EMAIL PROTECTED]>
To: "devel" <[EMAIL PROTECTED]>; "FreeRadius users mailing list"
Sent: Tuesday, October 10, 2006 12:42 PM
Subject: Re: disable FreeRadius checking of client certs

Hi Travis

Excuse me for top-posting, but just like Alan I'm a bit surprised by your post. If your authentication system is based on certificates, you need certificates and you really should not say anything like "certificates bother me", since that is the only expression of your trust, so without that verification no authentication will ever be reasonable or complete. If it is not, you do not have certificates. Allowing both for the same client (same machine) is discouraged. Personally I am not familiar with a supplicant which tries one and then another for the same username. Thus, per user, if you are using EAP-PEAP-MSCHAPv2 (passwords), then you are not using EAP-TLS. And vice versa.

The good news is: the authentication method has strictly nothing to do with the WiFi card; it is completely virtualized, in software. EAP is only a transport protocol; it does not say how to authenticate, it only says how to transport data. Thus, if EAP is supported by the card, then *every* EAP method is supported. That's the magic of 802.1X and that's why it's supported in the operating system rather than by a network card. Now if you are saying that you use a special Linksys 802.1X client, then I would first suggest that you use the standard WinXP client. Sorry, but the Linksys client is fairly unknown.

Practically, it's difficult to guess from what you provided, but I think that you do use the WinXP supplicant (i.e. 802.1X client - I do not know of any Linksys supplicant) and that you probably want to use EAP-PEAP-MSCHAPv2. That involves one server certificate (obviously one common trust anchor - a self-signed CA certificate) and some usernames/passwords on clients. What probably happened is that in the two cases where the Linksys card is used, you did not correctly configure EAP-PEAP (called "Protected EAP" in WinXP or similar), but you let it be "Smartcard or Certificate". Thus, the card tries to do TLS with some available pub/priv key combination, but FreeRADIUS rejects it. Reconfigure the WinXP supplicant to do EAP-PEAP and it will ask you for passwords. Do not forget to deploy the server certificate on user machines...

> Well, I have not issued certs to clients. Some of my clients have the option to log in with a username "OR" a cert. However, there are a few random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) that I "MUST" provide a username and a cert.

Strictly speaking, every EAP session will take a Username and the AAA server will derive from it the authentication method to use. When used in EAP-TLS, Windows XP typically fills it out with the CN from the certificate (if available), but that is of course insufficient and it would be more correct to give an identifier and then to start a TLS authentication session for that id. (How exactly the username compares to the certified information is an open question, since the username can be altered by different means.)

> If there are no certs on the client machine, Linksys fills the cert in with "Trust Any", so I assume it may be attempting with a blank? cert or another cert on the machine, such as VeriSign or the like. So this client is attempting to authenticate, I believe, with other certs on its machine because the radius log looks like below:

Hmmm??? You can't just use any certificate for authentication. What you need is a pair: certificate/private key. Nobody except Verisign has their private key. The only option for your Linksys 802.1X client would be to spontaneously create a CA and to issue one user certificate for EAP authentication signed by the latter. That can be done by XP, but there is no interest in doing so. I would suggest you deploy passwords on these machines an
cisco-accounting do not work. what i miss?
Hello to all!

I have a problem with the accounting. I have FreeRADIUS Version 1.0.1. I think I have all I need to make the accounting work, but it does not. When I use the "Radius Test Client", all is OK: I can see the log in the mysql table (radacct) and in the detail log file, but from the NAS it doesn't work. Authentication and authorization work ok. The IP is assigned from the Radius. Also the "postauth logs" in mysql work ok.

- My cisco configuration:

  aaa group server radius pal
   server A.B.C.D auth-port 1645 acct-port 1646
  !
  aaa authentication ppp default group pal
  aaa authorization network default group pal
  aaa accounting delay-start
  aaa accounting update newinfo
  aaa accounting network default start-stop group pal

  interface Virtual-Template2
   ip unnumbered ATM2/0
   ppp authentication pap

  radius-server configure-nas
  radius-server host A.B.C.D auth-port 1645 acct-port 1646
  radius-server retransmit 2
  radius-server timeout 20
  radius-server key

- My RADIUS configuration, radiusd.conf:

  accounting {
          detail
          radutmp
          pool
          sql
  }

---

Any idea where the problem is? I do not know what is happening.

Thanks for all
Re: disable FreeRadius checking of client certs
"devel" <[EMAIL PROTECTED]> wrote:
> Well, I have not issued certs to clients. Some of my clients have the
> option to log in with a username "OR" a cert. However, there are a few
> random Linksys cards (I guess I should have mentioned this was for Wifi/WPA)
> that I "MUST" provide a username and a cert.

Ok...

> If there are no certs on the client machine, Linksys fills the cert in with
> "Trust Any", so I assume it may be attempting with a blank? cert or another
> cert on the machine, such as VeriSign or the like. So this client is
> attempting to authenticate, I believe, with other certs on its machine
> because the radius log looks like below:

Then your solution would be to actually install a client cert on those machines.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
SQL Accounting oddness
I've just set up a new freeradius server using the exact same config files from our other radius server. We are using a different MySQL database for the second freeradius server, so we have changed the database name in sql.conf to reflect this.

Authentication is working fine and it's authenticating from the database. However, accounting information is not being entered into the radacct table; it's currently empty but we are getting accounting packets back. I ran freeradius in debug mode and found the following sql accounting queries that don't look right:

  sql: accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"

  sql: accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"

Surely the values should be replaced by the actual information it should be entering into the table? If that's the case, that's why the radacct table is empty: MySQL won't insert the data showing there and must be erroring.

Anyone got any ideas?

Thanks
John
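The %{...} tokens in that debug output are the query templates as loaded from sql.conf; they are expanded per packet when the query is actually run, so seeing them unexpanded in the module dump is normal. The following added example (written for this page, not rlm_sql code) models that expansion for the forms visible above, %{Attr}, %{Attr:-default} and %S, on a shortened copy of accounting_start_query with a constructed Accounting-Start packet. The escaping of substituted values is this example's own rule, included because every substituted value originates from the NAS and lands inside a quoted SQL literal.

```python
"""Expand FreeRADIUS-style %{Attribute} placeholders in an SQL query template.

Added example, not rlm_sql code.  Supports the three forms in the quoted
queries: %{Attr}, %{Attr:-default} (used when the attribute is absent) and
%S (time as YYYY-MM-DD HH:MM:SS).  Every substituted value is escaped so a
NAS-supplied string such as User-Name or Calling-Station-Id cannot close
the quoted literal it is placed in.  The escaping rules are this
example's, not rlm_sql's.
"""
import re
from datetime import datetime

_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-([^}]*))?\}|%S")


def sql_escape(value):
    """Escape characters that are special inside a single-quoted MySQL literal."""
    return (str(value)
            .replace("\\", "\\\\")
            .replace("\x00", "\\0")
            .replace("'", "\\'")
            .replace('"', '\\"'))


def expand(template, packet, now):
    """Substitute %{Attr}, %{Attr:-default} and %S in `template` from `packet` (a dict)."""
    def repl(m):
        if m.group(0) == "%S":
            return now.strftime("%Y-%m-%d %H:%M:%S")
        attr, default = m.group(1), m.group(2)
        if attr in packet:
            return sql_escape(packet[attr])
        return sql_escape(default) if default is not None else ""
    return _XLAT.sub(repl, template)


# Constructed: a shortened form of the accounting_start_query quoted above.
START_TEMPLATE = (
    "INSERT into radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime, "
    "AcctSessionTime, CallingStationId, AcctStartDelay) values("
    "'%{Acct-Session-Id}', '%{SQL-User-Name}', '%{NAS-IP-Address}', '%S', "
    "'%{Acct-Session-Time:-0}', '%{Calling-Station-Id}', '%{Acct-Delay-Time}')"
)

# Constructed Accounting-Request (Start) contents.  Acct-Session-Time is absent
# on a Start, so the :-0 default is used; integer attributes arrive as ints, so
# the unquoted arithmetic in the real update query only ever receives digits.
SAMPLE_START = {
    "Acct-Session-Id": "0000A1B2",
    "SQL-User-Name": "bob",
    "NAS-IP-Address": "10.0.0.5",
    "Calling-Station-Id": "00-11-22-33-44-55",
    "Acct-Delay-Time": 0,
}
FIXED_NOW = datetime(2006, 10, 10, 11, 16, 16)   # fixed so the output is reproducible


def render_start(packet=SAMPLE_START, now=FIXED_NOW):
    """The Start query the template above produces for `packet`."""
    return expand(START_TEMPLATE, packet, now)


if __name__ == "__main__":
    print(render_start())
    # A username containing a quote stays inside its literal.
    print(render_start(dict(SAMPLE_START, **{"SQL-User-Name": "o'brien"})))
```

If the expanded statement printed for a real packet is itself well-formed, the empty table points elsewhere (a query that never runs because accounting never reaches the sql module, or an error returned by MySQL), which is what the server's debug output at the moment the packet arrives will show.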
Re: disable FreeRadius checking of client certs
Well, I have not issued certs to clients. Some of my clients have the option to log in with a username "OR" a cert. However, there are a few random Linksys cards (I guess I should have mentioned this was for Wifi/WPA) that I "MUST" provide a username and a cert. If there are no certs on the client machine, Linksys fills the cert in with "Trust Any", so I assume it may be attempting with a blank? cert or another cert on the machine, such as VeriSign or the like.

So this client is attempting to authenticate, I believe, with other certs on its machine because the radius log looks like below:

Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA
Tue Oct 10 11:16:16 2006 : Error: TLS_accept:failed in SSLv3 read client certificate A
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Oct 10 11:16:16 2006 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.

I am not a FreeRadius expert so I may be misinterpreting the logs. Thanks.

Travis

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "devel" <[EMAIL PROTECTED]>; "FreeRadius users mailing list"
Sent: Tuesday, October 10, 2006 10:27 AM
Subject: Re: disable FreeRadius checking of client certs

"devel" <[EMAIL PROTECTED]> wrote:
> Is it possible to disable FreeRadius's checking of client certificates
> using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance
> over-head. Thanks.

Huh? Client certs are used for PEAP only when you deploy client certs to the end-user machines. Once they're deployed, they should really be checked. Perhaps you can explain why you've deployed client certs, but now don't want to use them.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
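The direction of a "TLS Alert" line matters when reading logs like the ones above. rlm_eap_tls prints these from OpenSSL's info callback, where "read" means the alert was received from the peer and "write" means this side sent it. So "TLS Alert read:fatal:unknown CA" is the supplicant telling the server that it does not trust the CA behind the server certificate; the "SSLv3 read client certificate A" state only says the server was waiting for a client certificate when the alert arrived. The usual fix is to install the issuing CA on the client, not to loosen validation: a client that accepts any server certificate will also hand its credentials to a rogue access point. The following is an added example, not code from the thread or from FreeRADIUS, that classifies such lines; the log lines are copied from the post plus one constructed line for the opposite direction, and the hint table and function names are assumptions made for the example.

```python
# Added example, not code from the thread or from FreeRADIUS: a small
# classifier for the "TLS Alert <read|write>:<level>:<description>" lines
# that rlm_eap_tls writes. "read" = alert received from the supplicant,
# "write" = alert sent by the server. The hint table is an assumption made
# for this example; the directive names are those of the FreeRADIUS 1.x
# eap.conf tls section.
import re

ALERT = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+?)\s*$")

# Likely cause per (who sent the alert, alert description).
HINTS = {
    ("client", "unknown CA"): "supplicant does not trust the CA that issued the "
        "server certificate: install that CA on the client or fix the chain "
        "the server presents; do not disable server validation on the client",
    ("server", "unknown CA"): "server does not trust the CA that issued the "
        "client certificate: check CA_file / CA_path in eap.conf",
    ("client", "certificate expired"): "server certificate has expired as seen "
        "by the supplicant's clock",
    ("server", "certificate expired"): "client certificate has expired",
    ("client", "bad certificate"): "supplicant rejected the server certificate "
        "(name, key usage or chain problem)",
    ("server", "bad certificate"): "server rejected the client certificate",
}


def classify_alert(line: str):
    """Return a dict describing a TLS Alert log line, or None for other lines."""
    m = ALERT.search(line)
    if not m:
        return None
    direction, level, description = m.groups()
    # The server is the one logging, so an alert it "read" came from the client.
    sender = "client" if direction == "read" else "server"
    return {
        "direction": direction,
        "sender": sender,
        "level": level,
        "description": description,
        "hint": HINTS.get((sender, description), "see the OpenSSL alert description"),
    }


def triage(lines):
    """Classify every alert line in a log excerpt, keeping log order."""
    return [r for r in (classify_alert(l) for l in lines) if r is not None]


# Three lines copied from the post; the last line is constructed to show
# the opposite direction (the server rejecting a client certificate).
SAMPLE_LOG = [
    "Tue Oct 10 11:16:16 2006 : Error: TLS_accept:error in SSLv3 read client certificate A",
    "Tue Oct 10 11:16:16 2006 : Error: TLS Alert read:fatal:unknown CA",
    "Tue Oct 10 11:16:16 2006 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.",
    "Tue Oct 10 11:20:03 2006 : Error: TLS Alert write:fatal:unknown CA",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["sender"], "sent", finding["level"], finding["description"],
              "->", finding["hint"])
```

Feed it the radius.log excerpt and the first finding for the post's lines is "client sent fatal unknown CA", which points at the supplicant's trust store rather than at any client certificate check on the server.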
Re: disable FreeRadius checking of client certs
"devel" <[EMAIL PROTECTED]> wrote:
> Is it possible to disable FreeRadius's checking of client certificates
> using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance
> over-head. Thanks.

Huh? Client certs are used for PEAP only when you deploy client certs to the end-user machines. Once they're deployed, they should really be checked. Perhaps you can explain why you've deployed client certs, but now don't want to use them.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RHEL4 and Oracle Instant Client
Has anyone gotten the source RPMs from RHEL4 to build with the oracle module using the Oracle Instant Client? It keeps giving me the following error no matter what I try:

checking for oci.h... yes
checking for oracle_init in -loracleclient... no
configure: warning: oracle libraries not found. Use --with-oracle-lib-dir=.
configure: warning: sql submodule 'oracle' disabled

Thanks,
Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035
disable FreeRadius checking of client certs
Is it possible to disable FreeRadius's checking of client certificates using EAP-TLS-PEAP? Certs can be quite a bother and a huge maintenance over-head. Thanks.

FreeRadius 1.1.3

Travis J. Weaver
Software Engineer
Oberon, Inc.
1315 S. Allen St., Suite 405
State College, PA 16801
phone: (814)867-2312 ext. 210
fax: (814)867-2314
http://www.oberonwireless.com
[EMAIL PROTECTED]
Re: Dialupadmin Problems
All the detailed info about setting up dialup admin is found in the howto file; it even explains how to import the SQL files for your chosen database.

On 10/10/06, Andy Dixon <[EMAIL PROTECTED]> wrote:
> Hello,
> I am having problems getting dialupadmin to work on FreeBSD 6.1. If I go to any of the pages (eg add user) I just get a blank screen.
> Also, if anyone could point me in the direction of where I can find some information on what needs to go into the tables in a postgres database for RADIUS users, I would be grateful.
> Thanks

--
With Regards
Ali Jawad
Dialupadmin Problems
Hello,

I am having problems getting dialupadmin to work on FreeBSD 6.1. If I go to any of the pages (eg add user) I just get a blank screen.

Also, if anyone could point me in the direction of where I can find some information on what needs to go into the tables in a postgres database for RADIUS users, I would be grateful.

Thanks