Re: Quirky question about rewriting usernames

2007-07-19 Thread Pshem Kowalczyk
Hi

On 19/07/07, Cliff Cole [EMAIL PROTECTED] wrote:
 Hello all.

 Here is my issue.  This is very weird and would only affect one NAS.
 I'm not sure freeradius is capable of this.  I want a username that
 comes in to check for an @domainname.  If the domainname is there I
 want it to be stripped and added back later.  If the domainname is not
 there I'd like it to continue and have the domainname added later in
 the authentication process.  I hope this makes sense and any help is
 appreciated

What do you mean by 'later'? You can definitely check for the presence
of the domain, you can strip it and add it again. You just have to define
the flow. rlm_attr will be of help to you (for both stripping and
adding).

kind regards
Pshem
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Support for Cisco

2007-07-19 Thread ashish verma

Hi all,

I am trying to configure free radius for some Cisco devices.
Till now I am able to authenticate using the radius server and I am getting
into user level or privilege level depending on the attribute I am defining.
Now what I am looking for is authorization.
There is something called Cisco-AV priv attribute through which one can
define privilege level from 1 to 15. But I am not able to define it in
the users file.
Can anyone tell me how to define this or whether we can define this kind of
attribute in freeradius or not?

Thanks in advance,
Ashish

Re: Support for Cisco

2007-07-19 Thread Peter Nixon
On Thu 19 Jul 2007, ashish verma wrote:
 Hi all,

 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
 getting into user level or privilege level depending on the attribute I am
 defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 the users file.
 Can anyone tell me how to define this or whether we can define this kind
 of attribute in freeradius or not?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

-- 

Peter Nixon
http://peternixon.net/


Re: Support for Cisco

2007-07-19 Thread Peter Nixon
I thought it was:

 cisco-avpair = shell:priv-lvl=levelnumber

If not, we need to fix the wiki.

Cheers

Peter


On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
 Use proper format:

 Cisco-AVPair = priv-lvl=levelnumber

 Ivan Kalik
 Kalik Informatika ISP

 Dana 19/7/2007, ashish verma [EMAIL PROTECTED] piše:
 Hi all,
 
 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
 getting into user level or privilege level depending on the attribute I
 am defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 the users file.
 Can anyone tell me how to define this or whether we can define this kind
 of attribute in freeradius or not?
 
 Thanks in advance,
 Ashish




-- 

Peter Nixon
http://peternixon.net/



Re: Support for Cisco

2007-07-19 Thread tnt
Sorry, my mistake. It is shell:priv-lvl=levelnumber

Ivan Kalik
Kalik Informatika ISP


Dana 19/7/2007, Peter Nixon [EMAIL PROTECTED] piše:

I thought it was:

 cisco-avpair = shell:priv-lvl=levelnumber

If not, we need to fix the wiki.

Cheers

Peter


On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
 Use proper format:

 Cisco-AVPair = priv-lvl=levelnumber

 Ivan Kalik
 Kalik Informatika ISP

 Dana 19/7/2007, ashish verma [EMAIL PROTECTED] piše:
 Hi all,
 
 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
 getting into user level or privilege level depending on the attribute I
 am defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 the users file.
 Can anyone tell me how to define this or whether we can define this kind
 of attribute in freeradius or not?
 
 Thanks in advance,
 Ashish




-- 

Peter Nixon
http://peternixon.net/

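As an added example (not taken from the thread, the wiki or the FreeRADIUS distribution), here is a complete users-file entry that uses the attribute spelling the thread settles on. The account name and password are placeholders; the check item uses the Cleartext-Password name that later messages in this digest recommend for 1.1.6 and newer (older servers used User-Password == instead).

```text
# users file entry (added example; name and password are placeholders)
netadmin   Cleartext-Password := "REPLACE-ME"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"
```

Service-Type = NAS-Prompt-User asks for an exec shell rather than a framed session, and the VSA puts the user straight into privilege level 15. The attribute only has an effect if the IOS side actually performs exec authorization against RADIUS (aaa authorization exec ... group radius); without that, the user lands at level 1 and the priv-lvl pair is ignored, which is the behaviour to test for rather than assume.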


Re: Support for Cisco

2007-07-19 Thread tnt
Use proper format:

Cisco-AVPair = priv-lvl=levelnumber

Ivan Kalik
Kalik Informatika ISP


Dana 19/7/2007, ashish verma [EMAIL PROTECTED] piše:

Hi all,

I am trying to configure free radius for some Cisco devices.
Till now I am able to authenticate using the radius server and I am getting
into user level or privilege level depending on the attribute I am defining.
Now what I am looking for is authorization.
There is something called Cisco-AV priv attribute through which one can
define privilege level from 1 to 15. But I am not able to define it in
the users file.
Can anyone tell me how to define this or whether we can define this kind of
attribute in freeradius or not?

Thanks in advance,
Ashish





Re: Freeradius-Users Digest, Vol 27, Issue 116

2007-07-19 Thread ashish verma
: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password: 
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/freeradius/certs/dh
tls: random_file = /etc/freeradius/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = %{User-Name}
tls: cipher_list = DEFAULT
tls: check_cert_issuer = /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = md5
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/freeradius/users
files: acctusersfile = /etc/freeradius/acct_users
files: preproxy_usersfile = /etc/freeradius/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile =
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/freeradius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32823, id=217,
length=95
User-Name = jrc
NAS-Identifier = jrcnas
NAS-Port-Type = Ethernet
CUI = 0
Service-Type = Framed-User
Framed-MTU = 1400
Calling-Station-Id = 1:1:1:1:1:1
Message-Authenticator = 0x2568987af6f31763f9199f8067fafee1
EAP-Message = 0x02d20008016a7263
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault
cheux301:/etc/freeradius#




-


--
Thanks & Regards,
Govardhana K N

--

Message: 2
Date: Thu, 19 Jul 2007 17:59:54 +1200
From: Pshem Kowalczyk [EMAIL PROTECTED]
Subject: Re: Quirky question about rewriting usernames
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi

On 19/07/07, Cliff Cole [EMAIL PROTECTED] wrote:
 Hello all.

 Here is my issue.  This is very weird and would only affect one NAS.
 I'm not sure freeradius is capable of this.  I want a username that
 comes in to check for an @domainname.  If the domainname is there I
 want it to be stripped and added back later.  If the domainname is not
 there I'd like it to continue and have the domainname added later in
 the authentication process.  I hope this makes sense and any help is
 appreciated

What do you mean by 'later'? You can definitely check for the presence
of the domain, you can strip it and add it again. You just have to define
the flow. rlm_attr will be of help to you (for both stripping and
adding).

kind regards
Pshem


--

Message: 3
Date: Thu, 19 Jul 2007 14:33:13 +0530
From: ashish verma [EMAIL PROTECTED]
Subject: Support

Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response

2007-07-19 Thread Govardhana K N

Hi,

I am trying to send an Access-Request with an EAP-Identity response. The
request was successful and the server sent an Access-Challenge in response (MD5
challenge); the response to this challenge is failing (receiving
Access-Reject from the server), the error message was rlm_eap_md5:
User-Password is required for EAP-MD5 authentication. I have the
User-Password attribute in the Access-Request. Below are the Access-Request
packet attributes:


User-Name = jrc
User-Password = jrc
Nas-identifier = jrcnas
Nas-Ip-Address = 10.10.10.10
Nas-Port = 20
Nas-Port-Type = 15
CUI = 0
Service-Type = Framed-User
Framed-MTU = 1400
Calling-Station-Id = 1:1:1:1:1:1
NSP-Id = nap
BS-ID = TestBS
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = jrc
EAP-MD5-Password = jrc
Message-Authenticator = 0x00


Am I doing anything wrong here? Can anybody help me solve this problem?


---
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=177,
length=150
   User-Name = jrc
   User-Password = jrc
   NAS-Identifier = jrcnas
   NAS-IP-Address = 10.10.10.10
   NAS-Port = 20
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
   NSP-ID = nap
   BS-ID = TestBS
   Message-Authenticator = 0x4cc4b9e9f807f7648ddb267ec1365cc6
   EAP-Message = 0x02d20008016a7263
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module preprocess returns ok for request 0
 modcall[authorize]: module chap returns noop for request 0
 modcall[authorize]: module mschap returns noop for request 0
   rlm_realm: No '@' in User-Name = jrc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 0
 rlm_eap: EAP packet type response id 210 length 8
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 0
   users: Matched entry jrc at line 231
 modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
 rlm_eap: EAP Identity
 rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
 modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 177 to 127.0.0.1 port 32825
   CUI = TestCUI2
   Service-Type = Framed-User
   Framed-Protocol = PPP
   Framed-IP-Address = 172.31.128.112
   Framed-IP-Netmask = 255.255.255.0
   Framed-MTU = 1400
   AAA-Session-Id = MultiSessionId2
   MSK = TestMSK2
   HA-IP-MIP4 = 1.2.3.5
   DHCPv4-Server = 5.6.7.9
   MN-HA-MIP4-KEY = TestMIPKey2
   MN-HA-MIP4-SPI = TestMIPSPI2
   DHCP-RK = TestDHCPRK2
   DHCP-RK-KEY-ID = TestDHCPRKID2
   DHCP-RK_LIFETIME = 30
   EAP-Message = 0x01d300160410f492fb48923219d8c9760b271cf4e031
   Message-Authenticator = 0x
   State = 0x467be2cc5938e30e368d1633e8ebd4fd
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=178,
length=182
   User-Name = jrc
   User-Password = jrc
   NAS-Identifier = jrcnas
   NAS-IP-Address = 10.10.10.10
   NAS-Port = 20
   NAS-Port-Type = Ethernet
   CUI = 0
   Service-Type = Framed-User
   Framed-MTU = 1400
   Calling-Station-Id = 1:1:1:1:1:1
   NSP-ID = nap
   BS-ID = TestBS
   Message-Authenticator = 0x7c3e1b2a25d10ce176811099e6ea64a3
   State = 0x467be2cc5938e30e368d1633e8ebd4fd
   EAP-Message = 0x02d300160410d879a36a071bbf8da598184dbe22
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 modcall[authorize]: module preprocess returns ok for request 1
 modcall[authorize]: module chap returns noop for request 1
 modcall[authorize]: module mschap returns noop for request 1
   rlm_realm: No '@' in User-Name = jrc, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 1
 rlm_eap: EAP packet type response id 211 length 22
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 1
   users: Matched entry jrc at line 231
 

mod_auth_radius

2007-07-19 Thread Rascher, Markus
Hi All,
 
Is there a tutorial on how to install mod_auth_radius on an Apache 2.xx
server?
The howto on the freeradius webpage is a little bit deprecated, I guess.
I get an error when starting the Apache server after installing
mod_auth_radius:
 
# service httpd start
Starting httpd: httpd: Syntax error on line 205 of
/etc/httpd/conf/httpd.conf: Cannot load
/usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
/usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol:
ap_snprintf
[FAILED]
 
 
Thanks for your answers.
 
Markus 

Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response

2007-07-19 Thread Stefan Winter
 I am trying to send an Access-Request with an EAP-Identity response. The
 request was successful and the server sent an Access-Challenge in response (MD5
 challenge); the response to this challenge is failing (receiving
 Access-Reject from the server), the error message was rlm_eap_md5:
 User-Password is required for EAP-MD5 authentication. I have the
 User-Password attribute in the Access-Request. Below are the Access-Request
 packet attributes:

You don't quite understand how EAP-MD5 works. There is not supposed to be a 
User-Password in the request - instead, a response to the MD5-Challenge the 
server sent out earlier. The *server* needs to know the user's password to 
verify this response. So putting the attribute User-Password in the request 
won't gain you anything, other than violating RFCs. The server will not look 
there.
With EAP-MD5, the user's password is *never* on the wire.
You want to configure the user's password in the server, for example in the 
users file. In 1.16 and later, you will want to use the 
name Cleartext-Password instead of User-Password for that - it reduces 
confusion.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


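To make Stefan's point concrete, here is an added example (not from the thread and not FreeRADIUS code) of both sides of an EAP-MD5 exchange in Python. It reuses the MD5-Challenge EAP-Message from the debug output quoted earlier in this thread (identifier 0xd3, a 16-byte challenge) and a constructed stand-in for the users file that holds jrc's cleartext password; all function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed stand-in for the server's users file: the cleartext password the
# server needs in order to verify MD5 responses (the thread's user "jrc").
SERVER_PASSWORD_DB = {"jrc": b"jrc"}

# EAP-Message hex copied from the Access-Challenge in the thread's debug output.
LOGGED_CHALLENGE_PACKET = bytes.fromhex("01d300160410f492fb48923219d8c9760b271cf4e031")


def parse_eap_md5(packet: bytes) -> dict:
    """Split an EAP MD5-Challenge packet: Code | Id | Length(2) | Type | Value-Size | Value | Name."""
    if len(packet) < 6:
        raise ValueError("packet too short for an EAP MD5-Challenge")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP Length field disagrees with packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value field is truncated")
    return {"code": code, "id": identifier, "value": value, "name": packet[6 + value_size:]}


def build_eap_md5(code: int, identifier: int, value: bytes) -> bytes:
    """Encode an MD5-Challenge request (value = challenge) or response (value = hash)."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1, reused by EAP-MD5: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def client_answer_challenge(request: bytes, password: bytes) -> bytes:
    """Supplicant side: only the hash leaves the client; the password itself never does."""
    req = parse_eap_md5(request)
    if req["code"] != EAP_CODE_REQUEST:
        raise ValueError("expected an EAP-Request")
    value = md5_response_value(req["id"], password, req["value"])
    return build_eap_md5(EAP_CODE_RESPONSE, req["id"], value)


def server_verify(user_name: str, challenge_sent: bytes, response: bytes) -> bool:
    """Server side: recompute the expected value from the *stored* cleartext password."""
    stored = SERVER_PASSWORD_DB.get(user_name)
    if stored is None:
        return False
    sent = parse_eap_md5(challenge_sent)
    got = parse_eap_md5(response)
    if got["code"] != EAP_CODE_RESPONSE or got["id"] != sent["id"]:
        return False  # the response must answer *this* challenge, not an older one
    expected = md5_response_value(sent["id"], stored, sent["value"])
    return hmac.compare_digest(expected, got["value"])


def run_exchange(user_name: str, client_password: bytes, identifier: int = 0xD3,
                 challenge: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """Full round trip; returns (accepted, wire bytes of the client's response)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    request = build_eap_md5(EAP_CODE_REQUEST, identifier, challenge)
    response = client_answer_challenge(request, client_password)
    return server_verify(user_name, request, response), response


if __name__ == "__main__":
    accepted, resp = run_exchange("jrc", b"jrc")
    print("accepted:", accepted, "| password bytes on the wire:", b"jrc" in resp)
```

The supplicant answers with MD5(Identifier || password || challenge), so the password never crosses the wire, and the server can only check that answer if it holds the cleartext password itself; that is why the password belongs in the users file (Cleartext-Password) and a User-Password attribute in the Access-Request is not consulted. The flip side matters when choosing a method: anyone who records a challenge and its response can test password guesses offline, and EAP-MD5 derives no session keys, so it belongs inside a protected tunnel (such as TTLS, which the thread's server also loads) or on a trusted wire.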

Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response

2007-07-19 Thread Govardhana K N

Thanks for the help Stefan.

On 7/19/07, Stefan Winter [EMAIL PROTECTED] wrote:


 I am trying to send an Access-Request with an EAP-Identity response. The
 request was successful and the server sent an Access-Challenge in response
 (MD5 challenge); the response to this challenge is failing (receiving
 Access-Reject from the server), the error message was rlm_eap_md5:
 User-Password is required for EAP-MD5 authentication. I have the
 User-Password attribute in the Access-Request. Below are the Access-Request
 packet attributes:

You don't quite understand how EAP-MD5 works. There is not supposed to be a
User-Password in the request - instead, a response to the MD5-Challenge the
server sent out earlier. The *server* needs to know the user's password to
verify this response. So putting the attribute User-Password in the request
won't gain you anything, other than violating RFCs. The server will not look
there.
With EAP-MD5, the user's password is *never* on the wire.
You want to configure the user's password in the server, for example in the
users file. In 1.16 and later, you will want to use the
name Cleartext-Password instead of User-Password for that - it reduces
confusion.

Stefan

--
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.:   +352 424409-1
http://www.restena.lu   Fax: +352 422473






--
With Regards,
Govardhana K N

Re: Quirky question about rewriting usernames

2007-07-19 Thread Cliff Cole
Thanks for the reply.  I'm new to free radius and have been
overwhelmed with documentation the past few days.  Let me explain in
some logic and maybe I can make some sense as to what I'm trying to
do.

User authentication comes from NAS A

IF the username does not have @domain.com and NAS = NAS A
THEN append @domain.com

IF the username has @domain.com and NAS = NAS A
THEN continue with username as is.

Hope this helps to clear up what I'm trying to do.  I apologize for
not being very clear.

Thanks

Cliff



On 7/19/07, Pshem Kowalczyk [EMAIL PROTECTED] wrote:
 Hi

 On 19/07/07, Cliff Cole [EMAIL PROTECTED] wrote:
  Hello all.
 
  Here is my issue.  This is very weird and would only affect one NAS.
  I'm not sure freeradius is capable of this.  I want a username that
  comes in to check for an @domainname.  If the domainname is there I
  want it to be stripped and added back later.  If the domainname is not
  there I'd like it to continue and have the domainname added later in
  the authentication process.  I hope this makes sense and any help is
  appreciated

 What do you mean by 'later'? You can definitely check for the presence
 of the domain, you can strip it and add it again. You just have to define
 the flow. rlm_attr will be of help to you (for both stripping and
 adding).

 kind regards
 Pshem
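Cliff's two rules, written out as an added Python model; this is not from the thread and is not FreeRADIUS configuration. In the server itself the same flow is built from the realm module (format suffix, delimiter @, as in the debug output earlier in this digest) plus an attribute rewrite, as Pshem suggests. The address used for "NAS A" is a constructed placeholder, and the handling of foreign realms, case differences and malformed names goes beyond the two cases Cliff wrote down.

```python
import re
from typing import Optional, Tuple

DOMAIN = "domain.com"      # the realm Cliff wants appended (from the thread)
NAS_A = "192.0.2.10"       # constructed placeholder for "NAS A"

# One user part, one '@', one realm part, no whitespace: anything else is refused.
_REALM_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[^@\s]+)$")


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Strip a suffix realm the way rlm_realm (format=suffix, delimiter=@) would."""
    if "@" not in user_name:
        return user_name, None
    m = _REALM_RE.match(user_name)
    if m is None:
        # "a@b@c", "@domain", "user@": refuse rather than guess which part is the realm
        raise ValueError(f"malformed User-Name: {user_name!r}")
    return m.group("user"), m.group("realm")


def rewrite_user_name(user_name: str, nas_ip: str,
                      domain: str = DOMAIN, nas_a: str = NAS_A) -> str:
    """Apply Cliff's rules only to requests that arrive from NAS A."""
    if nas_ip != nas_a:
        return user_name                      # every other NAS: leave the name alone
    user, realm = split_realm(user_name)
    if realm is None:
        return f"{user}@{domain}"             # rule 1: bare name -> append the domain
    if realm.lower() == domain.lower():
        return f"{user}@{domain}"             # rule 2: already ours -> keep, case-normalised
    return user_name                          # foreign realm: untouched, for realm/proxy handling


def authorize(request: dict) -> dict:
    """Simulate the authorize step on a constructed request dict; returns updated attributes."""
    updated = dict(request)
    updated["User-Name"] = rewrite_user_name(request["User-Name"], request["NAS-IP-Address"])
    return updated


if __name__ == "__main__":
    for name in ("cliff", "cliff@domain.com", "cliff@DOMAIN.COM", "cliff@other.org"):
        print(f"{name:18} from NAS A -> {rewrite_user_name(name, NAS_A)}")
```

Two details matter in practice. Matching the realm case-insensitively stops "user@DOMAIN.COM" and "user@domain.com" from being treated as two different accounts, and refusing names with more than one '@' avoids silently appending a realm to something that was never a plain user name.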


Time-out Problem with Huntgroups in conjunction with MYSQL Backend

2007-07-19 Thread thomas
Hello FR users,

I am running FreeRadius 1.1.3 together with MySQL 5.0.27.
I use huntgroups to allow access to specific devices only to certain users
belonging to a certain group (I use huntgroups since I didn't find a way
to do it via MySQL).
I have the following issue:
When for a longer period (e.g. over night) no one logs into one of the
devices (so the radius server sits idle), it happens that the first time in
the morning someone tries to log in he fails because FR rejects the request
with "invalid user" - only after 3 or 4 tries is the login attempt
successful.
The reason seems to be that after such a long dormant period, when the
first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to
query the user's group membership.
Since this re-connect takes too long, the query returns "Not found" and
the user is rejected as unknown.

Here is what you see in the radius.log file:
Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #9
Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #8
Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #7
Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #6
Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201
port 2 cli 10.0.0.31)

Hope the logfile is sufficient, otherwise I would have to let FR run in
debug-mode over night

The funny thing is that this problem doesn't occur when all entries in
the huntgroups file are commented out.

So my question is, is there a config parameter to tell FR to wait a bit
longer in the preprocess module (I assume) for the MYSQL query to deliver
its answer?

thanks a lot
regards
thomas pudil





Level 2 authentication with RADIUS.

2007-07-19 Thread ashish verma

Hi all,
I am new to the list and to RADIUS too, so I might ask some repetitive
questions.

Here is my question:
Can we have level 2 (enable) authentication too with a Radius server as we
have for level 1 (user level)?

If yes, can someone provide me some documentation? I tried to search for it
but couldn't find any.

Thanks in advance,
Ashish

Re: Level 2 authentication with RADIUS.

2007-07-19 Thread Stefan Winter
  Can we have level 2 (enable) authentication too with Radius server as we
 have for level 1(user level)?

If you say enable I suspect you are talking about Cisco equipment? Then 
enable is really level 15. And the following link was posted just MINUTES ago 
on this list. Did you read the etiquette thing about read the mail archives 
before asking??

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: Level 2 authentication with RADIUS.

2007-07-19 Thread Stefan Winter
 enable is really level 15. And the following link was posted just MINUTES
 ago on this list. Did you read the etiquette thing about read the mail
 archives before asking??

Wait a minute. That link was sent in reply to YOUR question! Did you even read 
it?

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Reimer Karlsen-Masur, DFN-CERT
Hi.

Martin G wrote:
 Hello!
 
 I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
 tried my best to install a radius/ldap linux server to pass on
 radius-requests from an Aruba-controller to our novell-server.
 
 IPs:
 Novell 10.10.0.11
 Aruba 10.10.0.28
 Linux (freeradius+ldap) 10.10.0.132
 
 I've tried to change tls_mode, port and tls_start on and off a couple of times
 without any good result and when I use ldapsearch -vvv -h 10.10.0.11 -x
 -Z -b ou=adm,ou=malmo,o=wifi cn=lotta
 I receive TLS: hostname does not match CN in peer certificate.

At least this means that your ldap server understands STARTTLS on the
standard ldap port.

So in FreeRADIUS ldap config section you should *not* set port and tls_mode
options at all.

You should set start_tls=yes though.



As for the ldap server certificate name mismatch

 So I have some thoughts about the certificate, but I've exported the
 self-signed novell certificate from the novell server and verified it. But I'm
 not sure how to use a client certificate on the linux.
 
 When I use freeradius -XXX -A on the linux server and I try to do a
 radius-request, the aruba gets a timeout and the linux server tells me the
 following log:

Now for the certificates. Since your ldap server is using a server
certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client
authentication to authenticate the FreeRADIUS server (acting as ldap client)
at the ldap server.

Hence don't set tls_certfile and tls_keyfile options.

Either use the tls_cacertfile xor the tls_cacertdir option.

If using the former, put the whole CA certificate chain validating the ldap
server's certificate, in PEM format, into the file named by this option
(concatenate the CA certs into that file).

If using the latter, put all CA certs of the chain validating the ldap
server's certificate, in PEM format and with a .pem file extension, into that
directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital.
c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system, or the one
for the user running FreeRADIUS, is being used. That is ~/.ldap.conf or system
wide something like /etc/openldap/ldap.conf, or whatever fits your FS layout
and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set loglevel -1 in the ldap.conf
file. Debugging output is to be found in files configured by syslogd more
than likely in /var/log/messages or similar.

HTH & good luck

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



RE: 3COM sw4500 802.1x Problem

2007-07-19 Thread Aydın KOÇAK

Hello;
I could solve my problem by changing the Auth-Type attribute to EAP in LDAP and
everything is OK.
Thank you for your relation.

Best Regards,
Aydin Kocak.



Re: Time-out Problem with Huntgroups in conjunction with MYSQL Backend

2007-07-19 Thread tnt
Yes. MySQL has wait_timeout set to 8 hours. See last option:

http://dev.mysql.com/doc/refman/5.0/en/instance-manager-command-options.html

Ivan Kalik
Kalik Informatika ISP


Dana 19/7/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:

Hello FR users,

I am running FreeRadius 1.1.3 together with MySQL 5.0.27.
I use huntgroups to allow access to specific devices only to certain users
belonging to a certain group (I use huntgroups since I didn't find a way
to do it via MySQL).
I have the following issue:
When for a longer period (e.g. over night) no one logs into one of the
devices (so the radius server sits idle), it happens that the first time in
the morning someone tries to log in he fails because FR rejects the request
with "invalid user" - only after 3 or 4 tries is the login attempt
successful.
The reason seems to be that after such a long dormant period, when the
first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to
query the user's group membership.
Since this re-connect takes too long, the query returns "Not found" and
the user is rejected as unknown.

Here is what you see in the radius.log file:
Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #9
Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #8
Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #7
Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client
ATWRE22e7601 port 0)
Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL
server for #6
Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201
port 2 cli 10.0.0.31)

Hope the logfile is sufficient, otherwise I would have to let FR run in
debug-mode over night

The funny thing is that this problem doesn't occur when all entries in
the huntgroups file are commented out.

So my question is, is there a config parameter to tell FR to wait a bit
longer in the preprocess module (I assume) for the MYSQL query to deliver
its answer?

thanks a lot
regards
thomas pudil





Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Martin G
Thx for the reply!

I've tried removing port and tls_mode from my radius.conf and had
tls_start = yes set.

The tls_certfile and tls_keyfile are now commented out with #.

I set the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64

I'd tried to use c_rehash . in that directory, but the rehash doesn't find my
cert, only other certs in that path, which get turned into strange names.
Can I force it to pick my .b64 certificate, or can I convert it in any other
way? (After the certs are turned into funny names by c_rehash, is it just a
matter of renaming them, if it starts to work with the right certificate?)

The only output I now get from

ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi cn=lotta

is:

ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
ldap_result: Can't contact LDAP server (-1)

Did I miss anything, or is the only thing left now to get a .pem
certificate?

/Mr G

From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: TLS cant connect ldap+freeradius+novell
Date: Thu, 19 Jul 2007 16:06:46 +0200

Hi.

Martin G wrote:
  Hello!
 
  I'm new to both this mailing list and to novell/linux/ldap/freeradius, but I've
  tried my best to install a radius/ldap linux server to pass on
  radius requests from an Aruba controller to our novell server.
 
  IPs:
  Novell 10.10.0.11
  Aruba 10.10.0.28
  Linux (freeradius+ldap) 10.10.0.132
 
  I've tried to change tls_mode, port and tls_start on and off a couple of times
  without any good result, and when I use ldapsearch -vvv -h 10.10.0.11 -x
  -Z -b ou=adm,ou=malmo,o=wifi cn=lotta
  I receive TLS: hostname does not match CN in peer certificate.

At least this means that your ldap server understands STARTTLS on the
standard ldap port.

So in FreeRADIUS ldap config section you should *not* set port and tls_mode
options at all.

You should set start_tls=yes though.



As for the ldap server certificate name mismatch

  So I have some thoughts about the certificate, but I've exported the
  self-signed novell certificate from the novell server and verified it. But I'm
  not sure how to use a client certificate on the linux.
 
  When I use freeradius -XXX -A on the linux server and I try to do a
  radius request, the aruba gets a timeout and the linux server tells me the
  following log:

Now for the certificates. Since your ldap server is using a server
certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client
authentication to authenticate the FreeRADIUS server (acting as ldap 
client)
at the ldap server.

Hence don't set tls_certfile and tls_keyfile options.

Either use the tls_cacertfile xor the tls_cacertdir option.

If using the former, put all the CA certificates of the chain validating the ldap
server's certificate in PEM format. Concatenate the CA certs into the file
named by this option.

If using the latter, put all CA certs of the chain validating the ldap
server's certificate in PEM format with .pem file extension into that
directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital.
c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system or for
the user running FreeRADIUS is being used. That is ~/.ldap.conf or system
wide something like /etc/openldap/ldap.conf or whatever fits your FS layout
and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set loglevel -1 in the ldap.conf
file. Debugging output is to be found in files configured by syslogd, more
than likely in /var/log/messages or similar.

HTH & good luck

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Martin G
Sorry, when I tried to rehash my certificate, I'd changed its path, but now
it's back and I got a new output from my ldapsearch command:

ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi cn=lotta
ldap_initialize( ldap://10.10.0.11 )
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
filter: cn=lotta
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base ou=adm,ou=malmo,o=wifi with scope subtree
# filter: cn=lotta
# requesting: ALL
#

# lotta, ADM, MALMO, WIFI
dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
zenzfdVersion:: 
PD94bWwgdmVyc2lvbj0iMS4fSe34FNvZGluZz0iVVRGLTgiPz48QWdlbnREYX
RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaWwAffwawFWZXJXcml0ZVRpbWU+MTE0OTUwMTY4MjwvVmV
yV3JpdGVUaW1lPjwvQwfAwREYXRhPg==
zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage
sasDefaultLoginSequence: --No default--
uid: lotta
givenName: lotta
fullName: lotta whatever
Language: ENGLISH
sn: whatever
passwordUniqueRequired: FALSE
passwordRequired: TRUE
passwordMinimumLength: 5
passwordExpirationTime: 20070815131928Z
passwordExpirationInterval: 3456000
passwordAllowChange: TRUE
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: radiusprofile
loginTime: 20070719121749Z
loginGraceRemaining: 6
loginGraceLimit: 6
cn: lotta
ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights]
ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration
ACL: 2#entry#[Root]#networkAddress

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1


I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf,
which I had forgotten to do before.

Do I need to convert the certificate to .pem, and how, if c_rehash doesn't
work?


I paste the new output from the freeradius -XXX -A if it might help...

freeradius -XXX -A
Tue Jul 10 12:35:00 2007 : Info: Starting - reading configuration files ...
Tue Jul 10 12:35:00 2007 : Debug: reread_config:  reading radiusd.conf
Tue Jul 10 12:35:00 2007 : Debug: Config:   including file: /etc/freeradius/proxy.conf
Tue Jul 10 12:35:00 2007 : Debug: Config:   including file: /etc/freeradius/clients.conf
Tue Jul 10 12:35:00 2007 : Debug: Config:   including file: /etc/freeradius/snmp.conf
Tue Jul 10 12:35:00 2007 : Debug: Config:   including file: /etc/freeradius/eap.conf
Tue Jul 10 12:35:00 2007 : Debug: Config:   including file: /etc/freeradius/sql.conf
Tue Jul 10 12:35:00 2007 : Debug:  main: prefix = /usr
Tue Jul 10 12:35:00 2007 : Debug:  main: localstatedir = /var
Tue Jul 10 12:35:00 2007 : Debug:  main: logdir = /var/log/freeradius
Tue Jul 10 12:35:00 2007 : Debug:  main: libdir = /usr/lib/freeradius
Tue Jul 10 12:35:00 2007 : Debug:  main: radacctdir = /var/log/freeradius/radacct
Tue Jul 10 12:35:00 2007 : Debug:  main: hostname_lookups = no
Tue Jul 10 12:35:00 2007 : Debug:  main: max_request_time = 30
Tue Jul 10 12:35:00 2007 : Debug:  main: cleanup_delay = 5
Tue Jul 10 12:35:00 2007 : Debug:  main: max_requests = 1024
Tue Jul 10 12:35:00 2007 : Debug:  main: delete_blocked_requests = 0
Tue Jul 10 12:35:00 2007 : Debug:  main: port = 0
Tue Jul 10 12:35:00 2007 : Debug:  main: allow_core_dumps = no
Tue Jul 10 12:35:00 2007 : Debug:  main: log_stripped_names = yes
Tue Jul 10 12:35:00 2007 : Debug:  main: log_file = /var/log/freeradius/radius.log
Tue Jul 10 12:35:00 2007 : Debug:  main: log_auth = yes
Tue Jul 10 12:35:00 2007 : Debug:  main: log_auth_badpass = yes
Tue Jul 10 12:35:00 2007 : Debug:  main: log_auth_goodpass = yes
Tue Jul 10 12:35:00 2007 : Debug:  main: pidfile = /var/run/freeradius/freeradius.pid
Tue Jul 10 12:35:00 2007 : Debug:  main: user = freerad
Tue Jul 10 12:35:00 2007 : Debug:  main: group = freerad
Tue Jul 10 12:35:00 2007 : Debug:  main: usercollide = no
Tue Jul 10 12:35:00 2007 : Debug:  main: lower_user = no
Tue Jul 10 12:35:00 2007 : Debug:  main: lower_pass = no
Tue Jul 10 12:35:00 2007 : Debug:  main: nospace_user = no
Tue Jul 10 12:35:00 2007 : Debug:  main: nospace_pass = no
Tue Jul 10 12:35:00 2007 : Debug:  main: checkrad = /usr/sbin/checkrad
Tue Jul 10 12:35:00 2007 : Debug:  main: proxy_requests = yes
Tue Jul 10 12:35:00 2007 : Debug:  proxy: retry_delay = 5
Tue Jul 10 12:35:00 2007 : Debug:  proxy: retry_count = 3
Tue Jul 10 12:35:00 2007 : Debug:  proxy: synchronous = no
Tue Jul 10 12:35:00 2007 : Debug:  proxy: default_fallback = yes
Tue Jul 10 12:35:00 2007 : Debug:  proxy: dead_time = 120
Tue Jul 10 12:35:00 2007 : Debug:  proxy: post_proxy_authorize = no
Tue Jul 10 12:35:00 2007 : Debug:  proxy: wake_all_if_all_dead = no
Tue Jul 10 12:35:00 2007 : Debug:  security: max_attributes = 200
Tue Jul 10 12:35:00 2007 : Debug:  

Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Reimer Karlsen-Masur, DFN-CERT
Hm.

Martin G wrote:
 Sorry, when I tried to rehash my certificate, I'd changed its path, but now
 it's back and I got a new output from my ldapsearch command:
 
 ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi cn=lotta
 ldap_initialize( ldap://10.10.0.11 )
 ldap_start_tls: Connect error (-11)
 additional info: TLS: hostname does not match CN in peer certificate

What is the CN in the SubjectDN of the ldap server's certificate? Is it an FQDN?

If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.

Does the above warning go away?

 filter: cn=lotta
 requesting: All userApplication attributes
 # extended LDIF
 #
 # LDAPv3
 # base ou=adm,ou=malmo,o=wifi with scope subtree
 # filter: cn=lotta
 # requesting: ALL
 #
 
 # lotta, ADM, MALMO, WIFI
 dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
 zenzfdVersion:: 

Something is at least working. It's not SSL secured though.

...
 
 I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
 TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf,
 which I had forgotten to do before.

slapd.conf is the config file of the openldap *server*. Messing with this
file should not change anything. Or was that a typo?

 Do I need to convert the certificate to .pem, and how, if c_rehash doesn't
 work?

If tls_cacertdir is not set, then don't use c_rehash.

Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
certificates of the CA certificate chain that is needed to validate your
ldap server's certificate. Concatenate these PEM formatted CA certs into this
single ASCII file.

And I forgot, set ldap_debug to -1 in the radius config file.

Don't send your ldap servers password in log files ;-)

...
 Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = 10.10.0.11
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = cn=admin,o=wifi
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = /etc/freeradius/certs/WIFITREE_CA.b64
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = (null)
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = (null)
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = (null)
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = (null)
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = allow
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = novell
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = ou=adm,ou=malmo,o=wifi
...
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
 Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
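Reimer's advice above and in his earlier reply (one tls_cacertfile holding the whole CA chain in PEM; c_rehash only matters for tls_cacertdir), together with Martin's question of how to get from a .b64 export to .pem, is what the following added Python script does. It is not code from the thread, FreeRADIUS or OpenLDAP; it assumes a Novell .b64 export is bare base64 DER (PEM input is accepted too), and the certificates in it are constructed DER stubs, not real ones.

```python
"""Assemble the CA chain file that tls_cacertfile expects.

Added example, not code from the thread, FreeRADIUS or OpenLDAP. It assumes
that a Novell '.b64' export is base64 DER without PEM armour; input that
already carries BEGIN/END CERTIFICATE lines is accepted as well. The
'certificates' below are constructed DER SEQUENCEs standing in for real
ones, so that the script runs offline.
"""
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def check_der(der):
    """Reject data that is not one complete DER SEQUENCE (the outer shape of any X.509 cert)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER certificate: missing SEQUENCE tag 0x30")
    first = der[1]
    if first & 0x80:                       # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("not a DER certificate: malformed length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    else:                                  # short-form length (< 128 bytes)
        length, header = first, 2
    if header + length != len(der):
        raise ValueError("not a DER certificate: length does not match data size")


def armour(der):
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *body, PEM_END]) + "\n"


def to_pem(text):
    """Normalise one export (PEM or bare base64 DER) to canonical PEM."""
    blocks = PEM_BLOCK_RE.findall(text)
    if not blocks:
        blocks = ["".join(text.split())]   # bare base64, e.g. a .b64 export
    out = []
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not base64: {exc}") from None
        check_der(der)
        out.append(armour(der))
    return "".join(out)


def is_valid_export(text):
    """True when to_pem() accepts *text*; handy for pre-checking files before bundling."""
    try:
        to_pem(text)
    except ValueError:
        return False
    return True


def build_bundle(exports):
    """Concatenate every CA certificate of the chain into one PEM file body."""
    return "".join(to_pem(e) for e in exports)


# Constructed stand-ins (NOT real certificates): a short-form SEQUENCE and a
# long-form SEQUENCE holding an OCTET STRING, enough to exercise check_der().
FAKE_ROOT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
FAKE_INTERMEDIATE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + bytes(197)

# A .b64-style export: bare base64 at 64 columns, no armour.
SAMPLE_B64_EXPORT = "\n".join(
    re.findall(".{1,64}", base64.b64encode(FAKE_INTERMEDIATE_DER).decode("ascii"))
) + "\n"
# A PEM export, as OpenSSL would write it.
SAMPLE_PEM_EXPORT = armour(FAKE_ROOT_DER)


if __name__ == "__main__":
    bundle = build_bundle([SAMPLE_PEM_EXPORT, SAMPLE_B64_EXPORT])
    print(bundle, end="")
    print(f"# {bundle.count(PEM_BEGIN)} certificate(s) ready for tls_cacertfile")
```

Write the returned bundle to the path named by tls_cacertfile; a real chain would be the root plus any intermediates, each passed through to_pem() first.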

Adding a ldap.attrb Dialuppassword to radius-ldap.schema

2007-07-19 Thread Jóhann B. Guðmundsson
RHEL5/FreeRadius freeradius-1.1.3-1.2.el5/Fedora Directory server.

Scenario...

Currently trying to move all our dial-up user entries from the users file to
ldap (FDS), and I need to add an attribute in the radius ldap schema which would
contain the clear-text dial-in password for the dial-up users, and match the
dial-in password to that password instead of the user's login password.

What needs to be done to make this possible, if it is possible?

(Users are already authenticated through ldap, except for their adsl dial-in
passwords, which are in clear text. And even if the passwords weren't in clear
text and they could use their login password to log in, the users aren't smart
enough and/or are technologically challenged (or at least the majority of them)
to know that if they change their login password they need to change it in
the adsl router as well.)

Schema changes?
Dictionary changes?
ldap.attrmap changes?
ldap changes in radiusd.conf? (password_attribute is already mapped to
userPassword in the ldap section)

Best regards
Johann B.

-- 
Johann B. Gudmundsson. RHCE,CCSA
Unix System Engineer.
IT Management.
Reiknistofnun University of Iceland.
Taeknigardi, Dunhaga 5. Email:  [EMAIL PROTECTED]
IS-107 Reykjavik.   Phone:  +354-525-4267
Iceland.  Fax:  +354-552-8801 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Martin G
Subject of the novell server certificate is: O = WIFITREE
OU = Organizational CA
And that's no FQDN!?
(I exported it from the novell as a .der and extracted it to see the
subject, maybe the wrong way to do it? I haven't exported the private key with
either the .b64 or the .der, and that shouldn't matter?)

*output from novell*
Subject name: OU=Organizational CA.O=WIFITREE
Issuer name: OU=Organizational CA.O=WIFITREE
Effective date: den 22 oktober 2005 23:04:08
Expiration date:  den 22 oktober 2015 23:04:08
Certificate status: Valid

Any idea how to type the FQDN !? :(

(Thx for all the good answers this far!)

/Mr G


From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: TLS cant connect ldap+freeradius+novell
Date: Thu, 19 Jul 2007 17:51:24 +0200

Hm.

Martin G wrote:
  Sorry, when i tried to rehash my certificate, id changed its path, but 
now
  its back and i got a new output from my ldapsearch-command:
 
  ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou
  =adm,ou=malmo,o=wifi cn=lotta
  ldap_initialize( ldap://10.10.0.11 )
  ldap_start_tls: Connect error (-11)
  additional info: TLS: hostname does not match CN in peer 
certificate

What is the CN in the SubjectDN of the ldap servers certificate? Is it a 
FQDN?

If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
server can't find the FQDN. Try to call ldapsearch with -h FQDN option.

Is above warning going away?

  filter: cn=lotta
  requesting: All userApplication attributes
  # extended LDIF
  #
  # LDAPv3
  # base ou=adm,ou=malmo,o=wifi with scope subtree
  # filter: cn=lotta
  # requesting: ALL
  #
 
  # lotta, ADM, MALMO, WIFI
  dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
  zenzfdVersion::

Something is at least working. It's not SSL secured though.

...
 
  Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
  TLSCertificateFile and TLSCertificateKeyFile from the 
/etc/ldap/sldap.conf
  as i did forget before.

slapd.conf is the config file of the openldap *server*. Messing with this
file should not change anything. Or was that a typo?

  Do i need to convert the certificate to .pem and how if the c_rehash 
dont
  work?

If tls_cacertdir is not set, then don't use c_rehash.

Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
certificates of the CA certificate chain that is needed to validate your
ldap servers certificate. Concatenate these PEM formatted CA certs into 
this
single ASCII file.

And I forgot, set ldap_debug to -1 in the radius config file.

Don't send your ldap servers password in log files ;-)

...
  Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = 10.10.0.11
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = cn=admin,o=wifi
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile =
  /etc/freeradius/certs
  /WIFITREE_CA.b64
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = (null)
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = (null)
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = (null)
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = (null)
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_require_cert = allow
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: password = novell
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: basedn = 
ou=adm,ou=malmo,o=wifi
...
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_debug = 0
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: ldap_connections_number = 5
  Tue Jul 10 12:35:00 2007 : Debug:  ldap: compare_check_items = no

--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737


 smime.p7s 




-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

_
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RadiusClient

2007-07-19 Thread Sofia Silva
I'm trying to authenticate a linux client against a radius server. I've
implemented the radius server with freeradius and I've tested it with a
cisco client and it worked, but, unfortunately, I'm having serious problems
authenticating the linux client using RadiusClient.
I'm running the server in debug mode, and when I run radiusclient with
User-Name = testuser Password = testuser, the password the server shows
is not plain text, it's something like \211pe;\336. So I thought it could
be a problem with the secret word. However, I've checked it in the servers
file (at the client) and in the clients.conf file (at the server) and it's
the same.
Something I found is that I don't seem to have the file radius.seq in /var/run. I
would like to create it, but I don't know what the sequence number is and I
don't know what the format of the file should be.
I'd appreciate it a lot if somebody could help me.
Sofia


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: New freeradius installation

2007-07-19 Thread Hugh Messenger
Lisa Casey said:
 I correct the error in the users file and get no more complaints
 regarding
 radiusd.conf
 
 Why?

I've noticed this as well.  I've always assumed it's a knock-on effect from
the error in the users file.  Same way missing a quote or a semicolon in
something like perl can cause dozens of knock-on errors that go away when
you fix the actual problem.

The configuration parsing in freeradius is very complex, so it wouldn't be
surprising if a formatting error causes a 'cascade effect'.  Or it might be
because if the users file can't be read, then the 'files' module isn't
instantiated.

Bottom line, I wouldn't worry about it.  In fact, I don't worry about it.
Fix the users file, everything works.  :-)

 Lisa Casey

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Second level authentication.

2007-07-19 Thread ashish verma

Hi Stefan,

I read the document and thanks for giving the link, that was helpful.

Well, I think I put my question in a wrong way.
Let me put it in a different way.

I don't want the user to go directly into priv mode.
Through priv level = 15 we directly get into priv level, right?

What I am looking for is: first the user gets into user level, and then with
another password into level 2 (not with the enable password). It should be
through the RADIUS server.


Ashish
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Second level authentication.

2007-07-19 Thread tnt
You want a shell user to get to privilege mode without typing
enable and knowing the enable password? I am quite certain that Cisco
spent many years making sure that's impossible. If you find a way to do
that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread tnt
 Any idea how to type the FQDN !? :(

Well if this was your server:

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quirky question about rewriting usernames

2007-07-19 Thread Cliff Cole
Once again.  I am backwards on my wording, I am so sorry.  This should
be correct.

IF the username does have @domain.com and NAS = NAS A
THEN continue with username as is

IF the username does not have @domain.com and NAS = NAS A
THEN append the @domain.com

I have been trying the hints file.  I'm able to append @domain.com but
do not know how to check for @domain.com and continue if the
@domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == 255.255.255.255
User-Name := [EMAIL PROTECTED]

This part works great and hopefully I'm FINALLY clear on what I'm
trying to accomplish.

Cliff


On 7/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 How about the other way around:

 IF the username does not have @domain.com and NAS = NAS A
 THEN continue with username as is

 IF the username has @domain.com and NAS = NAS A
 THEN strip @domain.com

 That works by default. If you want to keep it the other way around have a
 look at the hints file.

 Ivan Kalik
 Kalik Informatika ISP



 On 19/7/2007, Cliff Cole [EMAIL PROTECTED] wrote:

 Thanks for the reply.  I'm new to free radius and have been
 overwhelmed with documentation the past few days.  Let me explain in
 some logic and maybe I can make some sense as to what I'm trying to
 do.
 
 User authentication comes from NAS A
 
 IF the username does not have @domain.com and NAS = NAS A
 THEN append @domain.com
 
 IF the username has @domain.com and NAS = NAS A
 THEN continue with username as is.
 
 Hope this helps to clear up what I'm trying to do.  I appologize for
 not being very clear.
 
 Thanks
 
 Cliff
 
 
 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Second level authentication.

2007-07-19 Thread Claudiu Filip




Hi ashish,


First of all, WHY would you need such a setup?

Afaik, cisco will send a request to radius for user '$enable15$' whenever someone tries to "enable".
Run freeradius in debug mode (radiusd -X) and then log in as one of your users. Type "enable" and the cisco will
send a request to the radiusd. From the debugging session, save that request.
Log out, log in on the cisco as another username. Type "enable" and the same password. From the debugging radius session,
save the new request.
If you see any relevant differences between the two requests, you may be able to make freeradius do what you want.
If the requests are the same, you realize there is no way to figure out the user behind each request.


Best regards,

Claudiu Filip
@:[EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: TLS cant connect ldap+freeradius+novell

2007-07-19 Thread Martin G
I've found the following on the novell server (CA service):
Distinguished name: WIFITREE CA.Security
Host server: NW1.SYSTEM.WIFI

NW1 would be the server name and NW1.SYSTEM.WIFI the FQDN?
I added the info in all sorts of ways in my hosts file for the novell IP on
the linux server, but still no progress :( Still:

ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi cn=lotta
ldap_initialize( ldap://wifi )
ldap_start_tls: Connect error (-11)
additional info: TLS: hostname does not match CN in peer certificate
filter: cn=lotta
requesting: All userApplication attributes

Any good idea!?
(I've added the novell server's dns-ip to the ifconfig-dns of the linux also,
but no help from that either.)

/Mr G

Any idea how to type the FQDN !? :(

Well if this was your server:

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html




From: Martin G [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: TLS cant connect ldap+freeradius+novell
Date: Thu, 19 Jul 2007 18:05:22 +0200

Subject of the novell-server-certificate is : O = WIFITREE
OU = Organizational CA
And thats no FQDN!?
(I exported it from the novell as an .der and extracted it to see the
subject, maby wrong way to do it? i havent exported the private key with
either the .b64 or the .der and that shouldnt matter ?)

*output from novell*
Subject name: OU=Organizational CA.O=WIFITREE
Issuer name: OU=Organizational CA.O=WIFITREE
Effective date: den 22 oktober 2005 23:04:08
Expiration date:  den 22 oktober 2015 23:04:08
Certificate status: Valid

Any idea how to type the FQDN !? :(

(Thx for all the good answers this far!)

/Mr G


 From: Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
 Reply-To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: TLS cant connect ldap+freeradius+novell
 Date: Thu, 19 Jul 2007 17:51:24 +0200
 
 Hm.
 
 Martin G wrote:
   Sorry, when i tried to rehash my certificate, id changed its path, but
 now
   its back and i got a new output from my ldapsearch-command:
  
   ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou
   =adm,ou=malmo,o=wifi cn=lotta
   ldap_initialize( ldap://10.10.0.11 )
   ldap_start_tls: Connect error (-11)
   additional info: TLS: hostname does not match CN in peer
 certificate
 
 What is the CN in the SubjectDN of the ldap servers certificate? Is it a
 FQDN?
 
 If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
 server can't find the FQDN. Try to call ldapsearch with -h FQDN option.
 
 Is above warning going away?
 
   filter: cn=lotta
   requesting: All userApplication attributes
   # extended LDIF
   #
   # LDAPv3
   # base ou=adm,ou=malmo,o=wifi with scope subtree
   # filter: cn=lotta
   # requesting: ALL
   #
  
   # lotta, ADM, MALMO, WIFI
   dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
   zenzfdVersion::
 
 Something is at least working. It's not SSL secured though.
 
 ...
  
   Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed 
the
   TLSCertificateFile and TLSCertificateKeyFile from the
 /etc/ldap/sldap.conf
   as i did forget before.
 
 slapd.conf is the config file of the openldap *server*. Messing with this
 file should not change anything. Or was that a typo?
 
   Do i need to convert the certificate to .pem and how if the c_rehash
 dont
   work?
 
 If tls_cacertdir is not set, then don't use c_rehash.
 
 Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
 certificates of the CA certificate chain that is needed to validate your
 ldap servers certificate. Concatenate these PEM formatted CA certs into
 this
 single ASCII file.
 
 And I forgot, set ldap_debug to -1 in the radius config file.
 
 Don't send your ldap servers password in log files ;-)
 
 ...
   Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: server = 10.10.0.11
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: port = 389
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: net_timeout = 1
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: timeout = 4
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: timelimit = 3
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: identity = cn=admin,o=wifi
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_mode = no
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: start_tls = yes
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertfile = /etc/freeradius/certs/WIFITREE_CA.b64
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_cacertdir = (null)
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_certfile = (null)
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_keyfile = (null)
   Tue Jul 10 12:35:00 2007 : Debug:  ldap: tls_randfile = (null)
   Tue 

Re: Second level authentication.

2007-07-19 Thread A . L . M . Buxey
Hi,
 You want a shell user to get to privilege mode without typing
 enable and knowing enable password? I am quite certain that Cisco
 spent many years making sure that's impossible. If you find a way to do
 that you can blackmail them for a hell of a lot of money.

err, TACACS+ with priv_lvl 15   - they helped write that protocol

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Quirky question about rewriting usernames

2007-07-19 Thread tnt
Use regular expressions:

http://wiki.freeradius.org/Operators

Check for @ or that it doesn't end with @domain.com or whatever you
fancy.

Ivan Kalik
Kalik Informatika ISP


Dana 19/7/2007, Cliff Cole [EMAIL PROTECTED] piše:

Once again.  I am backwards on my wording, I am so sorry.  This should
be correct.

IF the username does have @domain.com and NAS = NAS A
THEN continue with username as is

IF the username does not have @domain.com and NAS = NAS A
THEN append the @domain.com

I have been trying the hints file.  I'm able to append @domain.com but
do not know how to check for @domain.com and continue if the
@domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == 255.255.255.255
User-Name := [EMAIL PROTECTED]

This part works great and hopefully I'm FINALLY clear on what I'm
trying to accomplish.

Cliff


On 7/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 How about the other way around:

 IF the username does not have @domain.com and NAS = NAS A
 THEN continue with username as is

 IF the username has @domain.com and NAS = NAS A
 THEN strip @domain.com

 That works by default. If you want to keep it the other way around have a
 look at the hints file.

 Ivan Kalik
 Kalik Informatika ISP



 Dana 19/7/2007, Cliff Cole [EMAIL PROTECTED] piše:

 Thanks for the reply.  I'm new to free radius and have been
 overwhelmed with documentation the past few days.  Let me explain in
 some logic and maybe I can make some sense as to what I'm trying to
 do.
 
 User authentication comes from NAS A
 
 IF the username does not have @domain.com and NAS = NAS A
 THEN append @domain.com
 
 IF the username has @domain.com and NAS = NAS A
 THEN continue with username as is.
 
 Hope this helps to clear up what I'm trying to do.  I apologize for
 not being very clear.
 
 Thanks
 
 Cliff
 
 
 
 On 7/19/07, Pshem Kowalczyk [EMAIL PROTECTED] wrote:
  Hi
 
  On 19/07/07, Cliff Cole [EMAIL PROTECTED] wrote:
   Hello all.
  
   Here is my issue.  This is very weird and would only affect one NAS.
   I'm not sure freeradius is capable of this.  I want a username that
   comes in to check for an @domainname.  If the domainname is there I
   want it to be stripped and added back later.  If the domainname is not
   there I'd like it to continue and have to domainname added later in
   the authentication process.  I hope this makes sense and any help is
   appreciated
 
  What do you mean by 'later' you can definitely check for the presence
  of domain, you can strip  it and add it again. you just have to define
  the flow. rlm_attr will be of help to you (for both stripping and
  adding).
 
  kind regards
  Pshem
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
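As an added example (not from anyone in this thread), here is a hints entry that uses the regex operators tnt points to: it fires only for the one NAS and only when the name does not already end in @domain.com, so names that already carry the realm pass through unchanged. The NAS address 192.0.2.10 is a placeholder, and the ability to expand %{User-Name} in a hints reply item is assumed.

```text
#
# hints: append the realm for NAS A only when it is missing.
# Added example, not from the thread; 192.0.2.10 stands in for the
# real NAS address, and %{User-Name} expansion here is assumed.
#
# All check items on the first line must match; the reply item on the
# second line is then applied to the request.  "!~" is a negated regex
# match, and "[.]" matches a literal dot without backslash escaping.
#
# A name that already ends in "@domain.com" fails the "!~" check, so this
# entry is skipped and the User-Name continues exactly as it arrived.
#
DEFAULT NAS-IP-Address == 192.0.2.10, User-Name !~ "@domain[.]com$"
        User-Name := "%{User-Name}@domain.com"

#
# Looser variant, for comparison: checking for any "@" at all appends the
# realm only to bare names, so a user sent as "bob@other.example" is left
# alone instead of becoming "bob@other.example@domain.com".  Pick the
# check that matches what the NAS can actually send.
#
#DEFAULT NAS-IP-Address == 192.0.2.10, User-Name !~ "@"
#        User-Name := "%{User-Name}@domain.com"
```

Run radiusd -X and send a test request from the NAS address to confirm which entry matched; the debug output shows the rewritten User-Name before authorization runs.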


Re: 1.1.7 sqlippool %{SQL-User-Name}

2007-07-19 Thread Alan DeKok
Hugh Messenger wrote:
 It's been pretty darn stable for me in 1.1.6.  And now we've gotten the
 MySQL stuff whipped into shape and fixed a few other issues for 1.1.7, I'd
 say it's ready for Prime Time.
 
 Alan?

  I have that Internet thing working again, so yes.  Tomorrow looks good.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Support for WiMAX VSA

2007-07-19 Thread Alan DeKok
Nitin Naveen wrote:
 Hi I am Nitin Naveen working with HUGHES SYSTIQUE. We have been working to
 enhance freeradius to support WiMAX VSA (as per WiMAX NWG forum). WiMAX
 VSA are not the typical type-length-value rather they have
 type-length-controlinfo-value.

  Yes..

 We have enhanced the dictionary but we were not able to generate the attributes
 as per the WiMAX NWG format. For now we have developed our own rlm_hsc_wimax
 module.  We would like to contribute to freeradius so that the WiMAX VSA are
 supported as part of the standard distribution. To this end we can share our
 code. But before that we would like to follow the correct procedure for
 releasing the code.

  Submit a feature request on bugs.freeradius.org.  Add the patch as an
attachment.  Make sure that the code has the GPL license in it.  The
FreeRADIUS code currently does this.

  Copyright can remain with you.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Support for WiMAX VSA

2007-07-19 Thread Alan DeKok
Walter Goulet wrote:
 Question on your planned contribution to FreeRADIUS: Does your module
 support the key generation algorithms for the WiMAX mobility keys?
 Specifically, is your module able to correctly generate the
 MN-HA-MIP4-KEY and related key material from the EMSK derived as part
 of the EAP exchange?
 
 Personally this was seen as the biggest challenge towards building NWG
 compliance into FreeRADIUS as opposed to VSA format.

  If there is sufficient interest in getting the work done, there are
ways of getting the work done.

  My goal (if it wasn't obvious by now) is to make FreeRADIUS the
default WiMAX AAA server.  If we add MIP4 and MIP6 support, I won't
complain.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem in EAP-TLS Authentication

2007-07-19 Thread Alan DeKok
Govardhana K N wrote:
 I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in
 eap.conf, I tried sending a RADIUS Access-Request with an EAP-Identity
 response. The server is crashing because of a segmentation fault. The debug
 log from the server is given below.

  See doc/bugs

  The problem is most likely that the dynamic linker can't find the
libraries it needs.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: mod_auth_radius

2007-07-19 Thread Alan DeKok
Rascher, Markus wrote:
 # service httpd start
 Starting httpd: httpd: Syntax error on line 205 of
 /etc/httpd/conf/httpd.conf: Cannot load
 /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
 /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf

  There are patches to make the module build with newer versions of
Apache.  They should really be applied, but I've been busy with other
things.

  Once that's done, a new version of the module should be released.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 3COM sw4500 802.1x Problem

2007-07-19 Thread Alan DeKok
Aydın KOÇAK wrote:
 Hello;
 I could solve my problem by changing the Auth-Type attribute to EAP in LDAP and
 everything is OK.

  Don't do that.

  If anyone is reading the archive of this list, don't do that.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: New freeradius installation

2007-07-19 Thread Alan DeKok
Lisa Casey wrote:
 But if I make changes to my users file (and accidentally make a mistake), I 
 get errors regarding that of course when I restart radius, but I also get 
 errors regarding the radiusd.conf file.

  No, those errors are saying radiusd.conf says to load the files
module, which says to load the users file, but something went wrong.

 I correct the error in the users file and get no more complaints regarding
 radiusd.conf
 
 Why?

  If something goes wrong with your car, a little red light often shows
up on the dashboard.  But the light isn't the problem, it's just the
complaint about the problem.

  The same thing applies here.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


2.0 mysql.sql

2007-07-19 Thread Hugh Messenger
Peter - a couple of things about the MySQL stuff:

1) I just noticed that the ./docs/examples/mysql.sql schema in the 2.0 HEAD
doesn't look right:

#
# Table structure for table 'radippool'
#
CREATE TABLE radippool (
  id                int(11) unsigned NOT NULL auto_increment,
  pool_name         varchar(30) NOT NULL,
  FramedIPAddress   varchar(15) NOT NULL default '',
  NASIPAddress      varchar(15) NOT NULL default '',
  CalledStationId   VARCHAR(30) NOT NULL,
  CallingStationID  VARCHAR(30) NOT NULL,
  expiry_time       DATETIME NOT NULL default '0000-00-00 00:00:00',
  username          varchar(64) NOT NULL default '',
  pool_key          varchar(30) NOT NULL,
  PRIMARY KEY (id)
);

Note the missing default values.  The 1.1.7 branch has a more correct
looking version.

2) Also, I just noticed in the 2.0 mysql-ippool-dialup.conf, the
allocate-clear query has ...

allocate-clear = "UPDATE ${ippool_table} \
  SET NASIPAddress = '', pool_key = 0, \
  CallingStationID = '', username = '', \
  expiry_time = '0000-00-00 00:00:00' \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
  AND nasipaddress = '%{Nas-IP-Address}'"

Note the lower case 'nasipaddress'.  Pretty please for to remember that
MySQL on Windows is cASe SenSITiVe when it comes to column names.  Well, by
default.  Yes, one can make the names case insensitive, but that can cause
problems.

And yeah, there aren't many of us using MySQL on Windows behind FR, but I
happen to be one of them.  Don't ask.  :)

FYI, slippool.conf in 1.1.7 has the correct case-ification.

   -- hugh


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Segfault with -X and rlm_krb5 under Fedora 7 x86_64

2007-07-19 Thread Matt Garretson
This may be a Fedora/Kerberos issue rather than a Freeradius issue, but...

Has anyone experienced radiusd -X segfaulting when using rlm_krb5? 
This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1
built from source tarballs.  (I am trying to migrate to this environment 
from a working freeradius-1.1.0 / Fedora Core 2 / i686 installation.)

The segfault is actually occurring in the Kerberos libraries, which
means that Freeradius might not be the issue, however the segfault
occurs only when radiusd is given -X or -sfxx options.  I.e.
radiusd -sfx and radiusd work as expected, and do not segfault.
(One thing off the top of my head:  Does this point to something 
possibly happening when debug_flag is >= 2 ?)

The killer request: radtest testuser testpass localhost 1 testing123

Below are my users and radiusd.conf files.  Full gdb output from a
segfault case follows.

So, this isn't a bug report... I'm just hoping for tips on how to 
proceed... thanks in advance for any clues.

-Matt


### begin complete users file ###
DEFAULT Auth-Type := Kerberos
### end complete users file ###

### begin partial radiusd.conf ###
# stuff that was changed from the default 1.1.6 radiusd.conf :
prefix = /opt/radius
localstatedir = /var
user = radiusd
group = radiusd
log_auth = yes
proxy_requests = no
modules {
        krb5 {
                keytab = radius-krb5.keytab
                service_principal = radius
        }
}
authenticate {
        Auth-Type Kerberos {
                krb5
        }
}
### end partial radiusd.conf ###

### begin gdb output ###
[EMAIL PROTECTED] raddb]# gdb radiusd
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu...
Using host libthread_db library /lib64/libthread_db.so.1.
(gdb) run -X
Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912517212928 (LWP 25560)]
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/radius/etc/raddb/clients.conf
Config:   including file: /opt/radius/etc/raddb/snmp.conf
Config:   including file: /opt/radius/etc/raddb/eap.conf
Config:   including file: /opt/radius/etc/raddb/sql.conf
 main: prefix = /opt/radius
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /opt/radius/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/radius/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
 krb5: keytab = radius-krb5.keytab
 krb5: service_principal = radius
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = /opt/radius/etc/raddb/huntgroups
 preprocess: hints = /opt/radius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 

Second level authentication..

2007-07-19 Thread ashish verma

Hi Ivan,

What I meant is you type enable but the password you give should be
authenticated by RADIUS server not the enable password stored on the
device.
I am not sure whether it is possible or not. But just wanted to know from
the experts.

Thanks,
Ashish


On 7/19/07, [EMAIL PROTECTED] 
[EMAIL PROTECTED] wrote:



Today's Topics:

   1. Second level authentication. (ashish verma)
   2. Re: Second level authentication. ([EMAIL PROTECTED])
   3. Re: TLS cant connect ldap+freeradius+novell ([EMAIL PROTECTED])
   4. Re: Quirky question about rewriting usernames (Cliff Cole)
   5. Re: Second level authentication. (Claudiu Filip)
   6. Re: TLS cant connect ldap+freeradius+novell (Martin G)


--

Message: 1
Date: Thu, 19 Jul 2007 22:21:30 +0530
From: ashish verma [EMAIL PROTECTED]
Subject: Second level authentication.
To: freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hi Stefan,

I read the document and thanks for giving the link, that was helpful.

Well I think i put my question in a wrong way.
Let me put it in a different way.

I don't want the user to go directly in priv mode.
through priv level = 15 we directly get into priv level right.

what I am looking for is first the user gets into user level and then with another
password in level 2 (not with the enable password). It should be through the RADIUS
server.


Ashish

--

Message: 2
Date: Thu, 19 Jul 2007 18:13:00 +0100
From: [EMAIL PROTECTED]
Subject: Re: Second level authentication.
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

You want a shell user to get to privilege mode without typing
enable and knowing enable password? I am quite certain that Cisco
spent many years making sure that's impossible. If you find a way to do
that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP


Dana 19/7/2007, ashish verma [EMAIL PROTECTED] piše:

Hi Stefan,

I read the document and thanks for giving the link, that was helpful.

Well I think i put my question in a wrong way.
Let me put it in a different way.

I don't want the user to go directly in priv mode.
through priv level = 15 we directly get into priv level right.

what I am looking for is first the user gets into user level and then with another
password in level 2 (not with the enable password). It should be through the RADIUS
server.


Ashish





--

Message: 3
Date: Thu, 19 Jul 2007 18:19:59 +0100
From: [EMAIL PROTECTED]
Subject: Re: TLS cant connect ldap+freeradius+novell
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

Any idea how to type the FQDN !? :(

Well if this was your server:

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP



--

Message: 4
Date: Thu, 19 Jul 2007 13:30:23 -0400
From: Cliff Cole [EMAIL PROTECTED]
Subject: Re: Quirky question about rewriting usernames
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed

Once again.  I am backwards on my wording, I am so sorry.  This should
be correct.

IF the username does have @domain.com and NAS = NAS A
THEN continue with username as is

IF the username does not have @domain.com and NAS = NAS A
THEN append the @domain.com

I have been trying the hints file.  I'm able to append @domain.com but
do not know how to check for @domain.com and continue if the
@domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == 255.255.255.255
User-Name := [EMAIL PROTECTED]

This part works great and hopefully I'm FINALLY clear on what I'm
trying to accomplish.

Cliff


On 7/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 How about the other way around:

 IF the username does not have @domain.com and NAS = NAS A
 THEN continue with username as is

 IF the username has