Maintaining a (very) dynamic user list with freeradius

2007-11-02 Thread Jos Vos
Hi,

What is the best way to maintain a very dynamic user list for freeradius
(on a Linux platform)?

I'm talking about a setup where every few minutes (sometimes every minute)
a user has to be added and/or removed, with in total up to about 200 users
in the user base at the same moment.

Ideally, I'd like to just regenerate the users file with a script whenever
a change is needed and let radiusd reload it, but I saw in the docs that
reloading the config (and the users file) is expensive, so this will
probably not be very suitable for this situation.

If at all possible I'd like to minimize any extra overhead, and avoid
running PostgreSQL or MySQL servers, for example.  Maybe use DBM?

What is recommended for this purpose?
Thanks for all suggestions.

--
Jos Vos [EMAIL PROTECTED]
X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
Amsterdam, The Netherlands        |   Fax:   +31 20 6948204
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Maintaining a (very) dynamic user list with freeradius

2007-11-02 Thread Phil Mayers
On Fri, 2007-11-02 at 09:00 +0100, Jos Vos wrote:
 Hi,
 
 What is the best way to maintain a very dynamic user list for freeradius
 (on a Linux platform)?
 
 I'm talking about a setup where every few minutes (sometimes every minute)
 a user has to be added and/or removed, with in total up to about 200 users
 in the user base at the same moment.
 
 Ideally, I'd like to just regenerate the users file with a script whenever
 a change is needed and let radiusd reload it, but I saw in the docs that
 reloading the config (and the users file) is expensive, so this will
 probably not be very suitable for this situation.
 
 If at all possible I'd like to minimize any extra overhead, and avoid
 running PostgreSQL or MySQL servers, for example.  Maybe use DBM?

The DBMs cannot be concurrently updated.

Use SQL or LDAP. Running a postgresql server for ~200 row table is very
little effort.


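The SQL route recommended in the reply above, written out as an added example (it is not FreeRADIUS code and not part of the thread). The table uses the column layout of the standard FreeRADIUS `radcheck` table (username, attribute, op, value); SQLite is used only so the script runs offline, and the same statements can be pointed at the PostgreSQL or MySQL database that rlm_sql reads. The point it shows is the one the original poster worried about: a per-minute add/remove churn becomes a small transaction against the database, with no config reload, and the reconciliation in `sync_users` applies a whole new user set atomically so the server never reads a half-updated list. All usernames and passwords are constructed sample values.

```python
"""Maintain a small, frequently changing RADIUS user table in SQL.

Added example for the thread above; not FreeRADIUS code. SQLite stands in for
the SQL server so the script runs offline; the column layout is that of the
FreeRADIUS radcheck table. Every statement is parameterised, so a username
such as "bob' OR '1'='1" is stored literally instead of altering the query.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS radcheck_username ON radcheck(username);
"""

PASSWORD_ATTR = "Cleartext-Password"   # check-item name used by FreeRADIUS 2.x


def open_db(path=":memory:"):
    """Open the database and make sure the radcheck table exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, username, password, attr=PASSWORD_ATTR):
    """Insert or replace one user's check item in a single transaction."""
    with conn:  # commits on success, rolls back if anything raises
        conn.execute("DELETE FROM radcheck WHERE username = ? AND attribute = ?",
                     (username, attr))
        conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                     "VALUES (?, ?, ':=', ?)", (username, attr, password))


def remove_user(conn, username):
    """Delete every check item for a user; returns the number of rows removed."""
    with conn:
        cur = conn.execute("DELETE FROM radcheck WHERE username = ?", (username,))
    return cur.rowcount


def lookup(conn, username):
    """Return the (attribute, op, value) rows radiusd would see for a user."""
    return conn.execute("SELECT attribute, op, value FROM radcheck WHERE username = ?",
                        (username,)).fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(DISTINCT username) FROM radcheck").fetchone()[0]


def sync_users(conn, desired, attr=PASSWORD_ATTR):
    """Reconcile the table with a desired {username: password} mapping.

    This replaces the 'regenerate the users file and reload' idea from the
    question: the whole change set is applied in one transaction, so radiusd
    observes either the old list or the new one, never a mixture.
    Returns (added_or_changed, removed) as sorted username lists.
    """
    with conn:
        current = {u: v for u, v in conn.execute(
            "SELECT username, value FROM radcheck WHERE attribute = ?", (attr,))}
        to_remove = [u for u in current if u not in desired]
        to_add = {u: p for u, p in desired.items() if current.get(u) != p}
        for u in to_remove:
            conn.execute("DELETE FROM radcheck WHERE username = ?", (u,))
        for u, p in to_add.items():
            conn.execute("DELETE FROM radcheck WHERE username = ? AND attribute = ?",
                         (u, attr))
            conn.execute("INSERT INTO radcheck (username, attribute, op, value) "
                         "VALUES (?, ?, ':=', ?)", (u, attr, p))
    return sorted(to_add), sorted(to_remove)


if __name__ == "__main__":
    db = open_db()
    print(sync_users(db, {"alice": "s3cret", "bob": "pw2"}))   # constructed users
    print(sync_users(db, {"bob": "pw3"}))
    print(lookup(db, "bob"), user_count(db))
```

Run against a file path instead of `:memory:` to keep the table across invocations; with ~200 users the reconciliation is a handful of statements per change and needs no restart of radiusd.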


Re: SSL Certificate Problem...

2007-11-02 Thread tnt
http://lists.freeradius.org/pipermail/freeradius-users/2007-October/066981.html

Ivan Kalik
Kalik Informatika ISP


On 2/11/2007, Bernd [EMAIL PROTECTED] wrote:

So I did the changes you told me. I still cannot connect to my WLAN, but I
think that's because I have no certificates created or imported.

Debug Mode tells me this...

rad_recv: Accounting-Request packet from host 192.168.1.6:1028, id=16,
length=161
User-Name = bnickaes
NAS-Identifier = BBi5
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
Acct-Status-Type = Stop
Acct-Session-Id = 416
Acct-Input-Octets = 1508
Acct-Output-Octets = 0
Acct-Input-Packets = 6
Acct-Output-Packets = 0
Acct-Delay-Time = 0
Acct-Session-Time = 6
Acct-Terminate-Cause = NAS-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 32
  modcall[preacct]: module preprocess returns noop for request 32
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.1.6,NAS-IP-Address =
192.168.1.6,Acct-Session-Id = 416,User-Name = bnickaes'
rlm_acct_unique: Acct-Unique-Session-ID = c32063e973b8db95.
  modcall[preacct]: module acct_unique returns ok for request 32
rlm_realm: No '@' in User-Name = bnickaes, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 32
  modcall[preacct]: module files returns noop for request 32
modcall: leaving group preacct (returns ok) for request 32
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 32
radius_xlat:  '/var/log/radius/radacct/192.168.1.6/detail-20071102'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.6/detail-20071102
  modcall[accounting]: module detail returns ok for request 32
  modcall[accounting]: module unix returns noop for request 32
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'bnickaes'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 32
radius_xlat:  'bnickaes'
rlm_sql (sql): sql_set_user escaped user -- 'bnickaes'
radius_xlat:  'UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00' '
radius_xlat:  '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00'
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok for request 32
modcall: leaving group accounting (returns ok) for request 32
Sending Accounting-Response of id 16 to 192.168.1.6 port 1028
Finished request 32

and I think it's OK.

So I tried to create some certificates to get this finally done.

After I did what the tutorial for AD integration told me about creating self-
signed certificates, I ran CA.all. So I typed in all the information and see this:


+ openssl ca -policy policy_anything -out newcert.pem -passin
+ pass:whatever -key whatever -extensions xpserver_ext -extfile
+ xpextensions -infiles newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ../cakey.pem
5010:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('./cakey.pem','r')
5010:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out
+ cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
Error opening input file newcert.pem
newcert.pem: No such file or directory
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin
+ pass:whatever -passout pass:whatever
Error opening input file cert-srv.p12
cert-srv.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out
+ cert-srv.der
Error opening Certificate cert-srv.pem
5013:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('cert-srv.pem','r')
5013:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
+ echo -e '\n\t\t##\n'

##

Maybe my fault is trivial, but I'm

Re: How to proxy password from TTLS

2007-11-02 Thread Alan DeKok
Wolfgang Burger wrote:
 I'm trying to add support for EAP-TTLS and I want to proxy the username
 and password of the inner TTLS session to another Radius-Server.

  That should work.

 Client doing TTLS -- FreeRADIUS -- 3rd-Party Backend-Server with
 database of Users
 
 Forwarding of the packets is working.
 The Access-Request that FreeRADIUS sends to the backend-server uses the
 username entered at the client, but no password at all.
 If I add
 User-Password := validpassword
 to preproxy_users, where validpassword is the valid password for the
 given username on the Backend-Server, everything works.

  Does the tunnel contain a clear-text password?  Debug mode will show this.

 What do I have to change, to use the password transmitted in the
 TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do this?

  Run the server in debugging mode to see what it's doing, and post the
output here.

  Alan DeKok.


Security of sql md5 vs unix auth

2007-11-02 Thread Ben Wiechman
Background: we use freeradius to provide AAA for our wireless hotspots. We
would also like to use radius authentication for our layer 3 switches. This
brings up the question of security.

Which is going to be more secure, md5 hashed passwords in MySQL, or storing
the passwords for the switch accounts in the /etc/shadow file (I had to set
the file to world readable to allow the radiusd process to read the file)?
Or is there another, better alternative that I just don't know about?

Ben Wiechman
Wisper High Speed Internet
Office: 866.394.7737
Direct: 320.256.0184
Cell: 320.247.3224
[EMAIL PROTECTED]
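An added illustration of the property that separates the two storage options in the question above (this is editor-added code, not a reply from the list and not FreeRADIUS code). A MySQL `MD5()` column holds an unsalted digest, so every account that shares a password shares the stored value and one precomputed table covers all of them; the crypt(3)-style hashes in /etc/shadow carry a per-user salt (and, in the modern schemes, an iteration count). PBKDF2-HMAC-SHA256 from the Python standard library stands in here for the salted, iterated scheme; the iteration count and the passwords are constructed values for the example.

```python
"""Unsalted MD5 beside a salted, iterated password hash.

Added example; not FreeRADIUS code. md5_unsalted() is what a plain
MD5(password) column holds. salted_store()/salted_verify() use PBKDF2 as a
stand-in for a crypt(3)-style salted hash. ITERATIONS is a constructed value.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000


def md5_unsalted(password):
    """Digest with no salt: identical passwords give identical stored values."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_store(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt is drawn unless one is supplied (supplying one
    is only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def salted_verify(password, stored):
    """Recompute with the salt and iteration count kept in the stored string
    and compare in constant time; malformed strings simply fail to verify."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iters = int(iters)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_is_visible(password, hasher):
    """True when two accounts with the same password receive the same stored
    value, which is what lets one precomputed table hit all of them at once."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "winter2007"   # constructed sample password
    print("md5 reveals shared passwords:   ", shared_password_is_visible(pw, md5_unsalted))
    print("salted hash reveals them:       ", shared_password_is_visible(pw, salted_store))
    record = salted_store(pw)
    print(record)
    print("verify correct / wrong password:", salted_verify(pw, record),
          salted_verify("Winter2007", record))
```

Whichever store is chosen, the file or table holding the hashes still needs to be readable only by the account radiusd runs as; the world-readable /etc/shadow mentioned in the question gives up the protection that the salted hash format was providing.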

Re: How to proxy password from TTLS

2007-11-02 Thread tnt
Reject after first request means that remote server wasn't doing EAP.

Ivan Kalik
Kalik Informatika ISP


On 2/11/2007, Wolfgang Burger [EMAIL PROTECTED] wrote:


On 02.11.2007 at 14:58, Alan DeKok wrote:

   Does the tunnel contain a clear-text password?  Debug mode will show
 this.

 What do I have to change, to use the password transmitted in the
 TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do
 this?

   Run the server in debugging mode to see what it's doing, and post the
 output here.

The output:

mac339:~ system$ sudo radiusd -X
FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0,
built on Oct  5 2007 at 16:14:01
Copyright (C) 2000-2007 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Config:   including file: //etc/raddb/radiusd.conf
Config:   including file: //etc/raddb/proxy.conf
Config:   including file: //etc/raddb/clients.conf
Config:   including file: //etc/raddb/snmp.conf
Config:   including file: //etc/raddb/eap.conf
Config:   including file: //etc/raddb/sql.conf
Config:   including file: //etc/raddb/sql/mysql/dialup.conf
Config:   including file: //etc/raddb/sql/mysql/counter.conf
Config:   including files in directory: //etc/raddb/sites-enabled/
Config:   including file: //etc/raddb/sites-enabled/default
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
 prefix = /
 localstatedir = //var
 logdir = //var/log/radius
 libdir = //lib
 radacctdir = //var/log/radius/radacct
 hostname_lookups = no
 max_request_time = 30
 cleanup_delay = 5
 max_requests = 1024
 allow_core_dumps = no
 log_stripped_names = no
 log_file = //var/log/radius/radius.log
 log_auth = no
 log_auth_badpass = no
 log_auth_goodpass = no
 pidfile = //var/run/radiusd/radiusd.pid
 checkrad = //sbin/checkrad
 debug_level = 0
 proxy_requests = yes
  log {
 syslog_facility = daemon
  }
  proxy server {
 retry_delay = 5
 retry_count = 3
 default_fallback = no
 dead_time = 120
 wake_all_if_all_dead = no
  }
  security {
 max_attributes = 200
 reject_delay = 1
 status_server = yes
  }
}
  home_server dras_server {
 ipaddr = XXX.XXX.XXX.XXX IP address [XXX.XXX.XXX.XXX]
 port = 1645
 type = auth
 secret = XXX
 response_window = 20
 max_outstanding = 65536
 zombie_period = 40
 status_check = none
 ping_check = none
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
  }
  server_pool dras_pool {
 type = fail-over
 home_server = dras_server
  }
  realm dras {
 auth_pool = dras_pool
  }
  home_server localhost {
 ipaddr = 127.0.0.1 IP address [127.0.0.1]
 port = 1812
 type = auth
 secret = testing123
 response_window = 20
 max_outstanding = 65536
 zombie_period = 40
 status_check = status-server
 ping_check = none
 ping_interval = 30
 check_interval = 30
 num_answers_to_alive = 3
 num_pings_to_alive = 3
 revive_interval = 120
 status_check_timeout = 4
  }
  server_pool my_auth_failover {
 type = fail-over
 home_server = localhost
  }
  realm example.com {
 auth_pool = my_auth_failover
  }
  realm LOCAL {
  }
  listen {
 type = auth
 ipaddr = *
 port = 0
  client 192.168.1.24 {
 secret = XXX.XXX.XXX.XXX
 shortname = netgear1
  }
  client 192.168.1.132 {
 secret = XXX.XXX.XXX.XXX
 shortname = netgear2
  }
  client 192.168.1.133 {
 secret = XXX.XXX.XXX.XXX
 shortname = netgear3
  }
  }
  listen {
 type = acct
 ipaddr = *
 port = 0
  }
radiusd:  entering modules setup
radiusd: Library search path is /lib
  instantiate {
  Module: Linked to module rlm_exec
  Module: Instantiating exec
   exec {
 wait = yes
 input_pairs = request
 shell_escape = yes
   }
rlm_exec: wait=yes but no output defined. Did you mean output=none?
  Module: Linked to module rlm_expr
  Module: Instantiating expr
  Module: Linked to module rlm_expiration
  Module: Instantiating expiration
   expiration {
 reply-message = Password Has Expired  
   }
  Module: Linked to module rlm_logintime
  Module: Instantiating logintime
   logintime {
 reply-message = You are calling outside your allowed timespan

 minimum-timeout = 60
   }
  }
server {
  modules {
  Module: Checking authenticate {...} for more modules to 

Re: How to proxy password from TTLS

2007-11-02 Thread Wolfgang Burger


On 02.11.2007 at 14:58, Alan DeKok wrote:


  Does the tunnel contain a clear-text password?  Debug mode will show 
this.



What do I have to change, to use the password transmitted in the
TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do 
this?


  Run the server in debugging mode to see what it's doing, and post the
output here.


The output:

mac339:~ system$ sudo radiusd -X
FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0, 
built on Oct  5 2007 at 16:14:01

Copyright (C) 2000-2007 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Config:   including file: //etc/raddb/radiusd.conf
Config:   including file: //etc/raddb/proxy.conf
Config:   including file: //etc/raddb/clients.conf
Config:   including file: //etc/raddb/snmp.conf
Config:   including file: //etc/raddb/eap.conf
Config:   including file: //etc/raddb/sql.conf
Config:   including file: //etc/raddb/sql/mysql/dialup.conf
Config:   including file: //etc/raddb/sql/mysql/counter.conf
Config:   including files in directory: //etc/raddb/sites-enabled/
Config:   including file: //etc/raddb/sites-enabled/default
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = /
localstatedir = //var
logdir = //var/log/radius
libdir = //lib
radacctdir = //var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = //var/log/radius/radius.log
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = //var/run/radiusd/radiusd.pid
checkrad = //sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
syslog_facility = daemon
 }
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 home_server dras_server {
ipaddr = XXX.XXX.XXX.XXX IP address [XXX.XXX.XXX.XXX]
port = 1645
type = auth
secret = XXX
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = none
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 server_pool dras_pool {
type = fail-over
home_server = dras_server
 }
 realm dras {
auth_pool = dras_pool
 }
 home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = auth
secret = testing123
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = status-server
ping_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
 listen {
type = auth
ipaddr = *
port = 0
 client 192.168.1.24 {
secret = XXX.XXX.XXX.XXX
shortname = netgear1
 }
 client 192.168.1.132 {
secret = XXX.XXX.XXX.XXX
shortname = netgear2
 }
 client 192.168.1.133 {
secret = XXX.XXX.XXX.XXX
shortname = netgear3
 }
 }
 listen {
type = acct
ipaddr = *
port = 0
 }
radiusd:  entering modules setup
radiusd: Library search path is /lib
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
rlm_exec: wait=yes but no output defined. Did you mean output=none?
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  


minimum-timeout = 60
  }
 }
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {

Re: How to proxy password from TTLS

2007-11-02 Thread tnt
DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
other_server

Ivan Kalik
Kalik Informatika ISP


On 2/11/2007, Wolfgang Burger [EMAIL PROTECTED] wrote:

Hi,

I have a working configuration of FreeRADIUS configured for EAP-TLS.

I'm trying to add support for EAP-TTLS and I want to proxy the username 
and password of the inner TTLS session to another Radius-Server.

Client doing TTLS -- FreeRADIUS -- 3rd-Party Backend-Server with 
database of Users

Forwarding of the packets is working.
The Access-Request that FreeRADIUS sends to the backend-server uses the 
username entered at the client, but no password at all.
If I add
   User-Password := validpassword
to preproxy_users, where validpassword is the valid password for the 
given username on the Backend-Server, everything works.

What do I have to change, to use the password transmitted in the 
TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do 
this?

Any help is very welcome.

Greetings,

Wolfgang Burger [EMAIL PROTECTED]

Max-Planck-Institut fuer Immunbiologie
Scientific Data Processing Unit
(+00 49) 761 / 5108 461
Stuebeweg 51
D-79108 Freiburg
Germany





Re: Filtering out a attribute conditionally

2007-11-02 Thread Alan DeKok
Mike O'Connor wrote:
 I have a problem with my Cisco 7301's where I apply an address pool via a
 Cisco-AVPair (for each wholesale ISP customer) and the wholesale ISP
 supplies a Framed-IP-Address at the same time, the connection is kicked
 by the cisco.

  1.x should be able to filter out the Framed-IP-Address in the response
from a home server.

 Is there any way of adding or removing the ip_pool based on a rule?

  I don't know what you mean by that.

 Could Freeradius 2 do this ?

  It would likely be a lot easier.  Download 2.0, and read "man unlang".

  Alan DeKok.


Re: NAS-Group? - different replies to different NASes?

2007-11-02 Thread Alan DeKok
Adrian wrote:
 Since both requests are addressed to domain.com how can I selectively allow
 only certain responses to NAS A and others to NAS B? 

  Match on the Client-IP-Address, or on the NAS-IP-Address attribute.

  Alan DeKok.



Re: Need help

2007-11-02 Thread Alan DeKok
Frank Winkler wrote:
 On the old server, the users were authenticated by regular /etc/passwd
 means. I got this working on the new server. As there are some new features
 in the later versions, I'd prefer to move the RADIUS users to a separate
 smbpasswd-like file but I can't get the authentication to work.

  <sigh>  See the FAQ about "it doesn't work".

 Some questions:
 
 The old server querying itself for a /etc/passwd user:
 [EMAIL PROTECTED] # ./radtest frank XXX localhost 10 test123
 Sending Access-Request of id 161 to 127.0.0.1:1812
 User-Name = frank
 User-Password = D[\326\255h\016A\275\357%\367\027_y
 NAS-IP-Address = XXX
 NAS-Port-Id = 10
 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=161, length=20
 [EMAIL PROTECTED] #

  Why are you looking at the client side?  The README, INSTALL, FAQ, and
daily messages on this list say that you should run in debug mode.  What
do we have to add to the documentation to convince you that this is a
good idea?

 Why is the password displayed in plain text instead of hashed as on the old
 server?

  Because it helps with debugging.

 I'm pretty unsure about the authtype.

  Don't set it.

 I can post debug output of radiusd
 but it looks like it finds the user in the file but cannot authenticate the
 password.

  So... the passwords don't match?

  If you're unsure as to how the server works, it would be reasonable to
assume that you don't know enough to correctly interpret the debug output.

  Post it here.

  Alan DeKok.


Re: problem with proxying

2007-11-02 Thread Alan DeKok
hacklberry wrote:
 Here is what I'm trying to do:
 
 use my module rlm_xxx to authenticate user bob
- if success, I don't need anything else
 
- if failure, I want to proxy the authentication
  request to a 3rd party RADIUS server

  This is difficult to do, because proxying *is* a kind of
authentication.  The server is designed to authenticate the user once.
What you want is "try this, if that doesn't work, try that".

  The way that people generally solve these problems is to separate
authentication and authorization.  They first see if the user is known.
 If so, authenticate locally.  If not, proxy.

  Alan DeKok.


Re: radiusd deadlock on recvfrom on port 1814

2007-11-02 Thread Alan DeKok
Ryan Melendez wrote:
 I'm not positive that select is lying about data being available. It
 could be that there is data when select is called, but _something_ out
 of line grabs it before recvfrom() can get to it.

  Like what?  There is nothing else listening on that IP address/port.
The socket API makes sure of that.

  The only time I've
 run into this in the past (not freeradius) is when some flavor of read is
 called on the socket outside the select loop (bad programming).  I can't
 see anywhere this is happening in freeradius.

  There is only one place in the server where sockets are read: the main
read loop.

 Again, this only started happening when I began running two radiusd
 processes on different interfaces on a multihomed system.  I also have
 radrelay binding to one interface and replicating acct packets to the
 other process.

  Hmm... even 1.1.x can have one process listen on multiple interfaces.
 Why not try that?

  But 2.0 will make this much easier, as you can have different virtual
servers (and thus completely different policies) for each socket.  This
is hard in 1.x.

 I suspect you are correct that some race condition in the kernel
 possibly regarding pthread.  I'm going to continue investigating, I'll
 make the socket non-blocking as a last resort.
 
 If anyone has experienced this problem before, or has any suggestions
 please let me know.

  I've never seen it.

  Alan DeKok.
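The "make the socket non-blocking" fallback that Ryan mentions, written out as an added example (Python rather than the server's C, and not FreeRADIUS code). select() still waits for readability, but because the socket is non-blocking a readiness indication that turns out to be empty costs one BlockingIOError instead of a thread stuck in recvfrom(). The Linux select(2) manual page documents one way this can happen: a datagram arrives and is reported readable, then fails checksum verification and is discarded before the read is issued. The payload and the loopback port are constructed for the self-test.

```python
"""Non-blocking UDP receive guarded by select().

Added example; not FreeRADIUS code. Demonstrates the defence against the
"select reports readable, recvfrom blocks forever" failure discussed above.
Binding to port 0 asks the kernel for any free port.
"""
import select
import socket


def open_udp(host="127.0.0.1", port=0):
    """Bind a UDP socket and make it non-blocking, so a recvfrom() issued on a
    false readiness indication raises BlockingIOError instead of hanging."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.setblocking(False)
    return sock


def recv_with_timeout(sock, timeout, bufsize=4096):
    """Return (payload, sender) or None if nothing arrives within `timeout`
    seconds. A readiness indication with no datagram behind it is reported
    exactly like a timeout, so the caller's loop always regains control."""
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return None
    try:
        return sock.recvfrom(bufsize)
    except BlockingIOError:
        return None


def roundtrip(payload, timeout=2.0):
    """Constructed loopback self-test: observe the empty queue, deliver one
    datagram, receive it, then observe the drained queue again.
    Returns (before, received_payload, after)."""
    server = open_udp()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        before = recv_with_timeout(server, 0.05)
        client.sendto(payload, server.getsockname())
        got = recv_with_timeout(server, timeout)
        after = recv_with_timeout(server, 0.05)
    finally:
        client.close()
        server.close()
    return before, (got[0] if got else None), after


if __name__ == "__main__":
    print(roundtrip(b"constructed RADIUS-shaped payload"))
```

In a real receive loop the None result from a spurious wakeup is simply ignored and the loop goes back to select(); the thread never leaves the loop, which is what makes the failure mode in the thread impossible even if the kernel does report readiness prematurely.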


Re: Startup problem with ldap

2007-11-02 Thread Alan DeKok
Massimo Meregalli wrote:
 If the server is started with radiusd -X or radiusd -s
 all is fine and
 the requests get answered correctly.

  Because it doesn't change uid's.

 If the server is started with radiusd -y it doesn't
 startup correctly.

  You have likely edited the user= and/or group= lines in
radiusd.conf to set it to run as a non-root user.  You have then made
the configuration files so that the non-root user doesn't have
permission to read them.

  As root, do "su user", to the user you have configured.  Then run
radiusd -X, and you will likely see more output as to what's going wrong.

  Alan DeKok.


Radiusd -X start vs Radiusd start

2007-11-02 Thread J-P Raymond

Hi everyone,

I'm currently experimenting with freeradius 1.1.6 (on rhl3); my setup seems to be
working fine except for a little bug!

I'm using a piece of software to monitor freeradius from the outside; this software is
called Whistle Blower (running on a mac).

This software attempts to validate a user called Whistle Blower, and freeradius must
send a deny packet!

When I run "radiusd -X start", the process works fine.

When I run "radiusd start", the process times out ???

Any suggestions?
Thanks

Re: radius server and MAC authentication for wireless

2007-11-02 Thread Alan DeKok
Shawn Adams wrote:
 I've noted that some wireless APs using MAC/MAC authentication send the
 MAC in the form:
...
 The last seems most prevalent.

  For your systems.  Others vary.

  The RFCs suggest one format, but who follows standards?

 Is there a method to configure $RADIUS/user.conf or $RADIUS/radiusd.conf
 (or other file) to allow the radius to authenticate *both* with one user
 entry ?

  There is no user.conf file.  This is about computers: precision helps.

 I guess I'm thinking about a user.conf entry which allows PC_X to attach
 to Access_point_A and authenticate when the userid/password is sent
 112233445566  *and* allow the same PC, when roaming to Access_point_B to
 authenticate with 11-22-33-44-55-66 using only one users.conf entry.

  You can use regular expressions in the hints file to re-write the
MAC address into some kind of normal format.

DEFAULT	Attribute-With-Mac =~ "([0-9a-fA-F]{2}):([0-9a-fA-F]{2}):([0-9a-fA-F]{2}):([0-9a-fA-F]{2}):([0-9a-fA-F]{2}):([0-9a-fA-F]{2})"
	Attribute-With-Mac = "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"

  etc.

  Alan DeKok.
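The rewrite Alan sketches above, generalised to the MAC spellings different access points send, as an added example (this is editor-added Python, not FreeRADIUS code and not the hints-file syntax itself). It normalises colon-, hyphen-, dot- and separator-less forms to one canonical spelling so that a single device entry matches wherever the PC roams, and it mimics the hints-file step on a request represented as a dict. One detail worth carrying back to the real configuration: the patterns here are anchored with `^` and `$`, because an unanchored six-octet pattern also fires on any longer username that happens to contain twelve hex digits. The sample addresses are the one from the accounting trace earlier on this page plus constructed values.

```python
"""Canonicalise MAC addresses that arrive in vendor-specific spellings.

Added example; not FreeRADIUS code. MAC_FORMS lists the spellings accepted;
normalize_mac() returns one canonical form so a single users entry (or SQL
row) per device matches whichever AP sent the request.
"""
import re

_OCTET = r"([0-9a-fA-F]{2})"
MAC_FORMS = (
    re.compile(rf"^{_OCTET}:{_OCTET}:{_OCTET}:{_OCTET}:{_OCTET}:{_OCTET}$"),   # 00:14:a5:3e:a8:ba
    re.compile(rf"^{_OCTET}-{_OCTET}-{_OCTET}-{_OCTET}-{_OCTET}-{_OCTET}$"),   # 00-14-a5-3e-a8-ba
    re.compile(rf"^{_OCTET}{_OCTET}{_OCTET}{_OCTET}{_OCTET}{_OCTET}$"),        # 0014a53ea8ba
    re.compile(rf"^{_OCTET}{_OCTET}\.{_OCTET}{_OCTET}\.{_OCTET}{_OCTET}$"),    # 0014.a53e.a8ba
)


def normalize_mac(value, sep="-"):
    """Return the address as six lower-case octets joined by `sep`, or None
    when the string is not a MAC in any accepted spelling. The anchors in
    MAC_FORMS keep a longer hex-looking username from being mistaken for one."""
    value = value.strip()
    for pattern in MAC_FORMS:
        m = pattern.match(value)
        if m:
            return sep.join(octet.lower() for octet in m.groups())
    return None


def rewrite_request(request, attr):
    """Mimic the hints-file rewrite on a request held as a dict: replace
    request[attr] with its canonical form when it parses as a MAC, leave
    everything else untouched, and report whether a rewrite happened.
    The input dict is not modified."""
    original = request.get(attr)
    canonical = normalize_mac(original) if original is not None else None
    if canonical is None:
        return request, False
    rewritten = dict(request)
    rewritten[attr] = canonical
    return rewritten, True


def is_known_device(request, attr, known_macs):
    """Authorization check against a set of canonical MACs, one per device."""
    rewritten, ok = rewrite_request(request, attr)
    return ok and rewritten[attr] in known_macs


if __name__ == "__main__":
    known = {"00-14-a5-3e-a8-ba"}                          # device from the trace above
    for seen in ("00:14:A5:3E:A8:BA", "0014a53ea8ba", "0014.a53e.a8ba", "alice"):
        req = {"User-Name": seen}
        print(seen, "->", rewrite_request(req, "User-Name")[0]["User-Name"],
              "known" if is_known_device(req, "User-Name", known) else "unknown")
```

Store the canonical form in the users file or database and run the rewrite on `User-Name` (and, if the NAS sends it, `Calling-Station-Id`) before the lookup; the rewrite is idempotent, so a request that already arrives in canonical form passes through unchanged.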


How to proxy password from TTLS

2007-11-02 Thread Wolfgang Burger

Hi,

I have a working configuration of FreeRADIUS configured for EAP-TLS.

I'm trying to add support for EAP-TTLS and I want to proxy the username 
and password of the inner TTLS session to another Radius-Server.


Client doing TTLS -- FreeRADIUS -- 3rd-Party Backend-Server with 
database of Users


Forwarding of the packets is working.
The Access-Request that FreeRADIUS sends to the backend-server uses the 
username entered at the client, but no password at all.

If I add
User-Password := validpassword
to preproxy_users, where validpassword is the valid password for the 
given username on the Backend-Server, everything works.


What do I have to change, to use the password transmitted in the 
TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do 
this?


Any help is very welcome.

Greetings,

Wolfgang Burger [EMAIL PROTECTED]

Max-Planck-Institut fuer Immunbiologie
Scientific Data Processing Unit
(+00 49) 761 / 5108 461
Stuebeweg 51
D-79108 Freiburg
Germany


Re: Cert Problem with EAP-TTSL, SecureW2 (1.0.5--1.1.7)

2007-11-02 Thread Alan DeKok
Martin Pauly wrote:
 On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
  So... did you run the command to set the DH parameters?
 yeah, stupid me: I had looked for it in my own eap.conf, 
 not in the one provided with the 1.1.5 package.
 No DH gets initialized, but the cert problem remains.
 Here's the debug output again (startup + 1 connection trial):
...
 Sending Access-Challenge of id 104 to 192.168.75.247 port 1645
 EAP-Message = 
 0x0104032b158007211f04818d30818a3043a041a03f863d687474703a2f2f772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416
 EAP-Message = 
 0x32687474703a2f2f772e7063612e64666e2e64652f64666e7063612f706f6c6963792f77706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f772e756e692d6d6172627572672e64652f6872
 EAP-Message = 
 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5
 EAP-Message = 
 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e00
 Message-Authenticator = 0x
 State = 0xa145d9de8019bae046f8849b2f1edf14
 Finished request 3
 Going to the next request
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 1 ID 102 with timestamp 4729bd9a

  See the logs on the client for why it has stopped talking to the server.

  Alan DeKok.


RE: PAM_RADIUS_AUTH

2007-11-02 Thread Sobanbabu Bakthavathsalu

Is this compatible with Solaris 10?

The first time I tried with the IP address only, and got the following error.
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)
It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to the name again. And I am getting the 
same error.

Regards
Soban


From: Sobanbabu Bakthavathsalu
Sent: 31 October 2007 10:46
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

Hi Alan,

The first time I tried with the IP address only, and got the following error.

Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to the name again. And I am getting the 
same error.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL 
PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

Sobanbabu Bakthavathsalu wrote:
 Thank you for the response. There is no firewall in between the RADIUS server
 and the Solaris server (RADIUS client), only a Cisco router with a standard ACL. I
 have verified the ACL match counters and found that the request from the
 client itself is not reaching the router.
 Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS
 server for RADIUS server name authentication to work with pam_radius_auth?

  No.  You *can* enter just an IP address...

  Alan DeKok.

 CAUTION - Disclaimer *
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely 
for the use of the addressee(s). If you are not the intended recipient, please 
notify the sender by e-mail and delete the original message. Further, you are 
not to copy, disclose, or distribute this e-mail or its contents to any other 
person and any such actions are unlawful. This e-mail may contain viruses. 
Infosys has taken every reasonable precaution to minimize this risk, but is not 
liable for any damage you may sustain as a result of any virus in this e-mail. 
You should carry out your own virus checks before opening the e-mail or 
attachment. Infosys reserves the right to monitor and review the content of all 
messages sent to or from this e-mail address. Messages sent to or from this 
e-mail address may be stored on the Infosys e-mail system.
***INFOSYS End of Disclaimer INFOSYS***



make freeradius-2.0 cvs Version

2007-11-02 Thread Hans-Peter Fuchs
Hello all,

I want to make freeradius-2-0-pre2 on a Redhat 3.2.3-47 with
openssl-0.9.7a-33.23.

make gives this error:

/service/freeradius-cvs/radiusd/libtool --mode=compile gcc -g -O2 -I/service/freeradius-cvs/radiusd/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.0.0-beta\" -DOPENSSL_NO_KRB5 -c threads.c
 gcc -g -O2 -I/service/freeradius-cvs/radiusd/src -DHOSTINFO=\"i686-pc-linux-gnu\" -DRADIUSD_VERSION=\"2.0.0-beta\" -DOPENSSL_NO_KRB5 -c threads.c -fPIC -DPIC -o .libs/threads.o
In file included from /usr/include/openssl/evp.h:81,
                 from threads.c:64:
/usr/include/openssl/md4.h:105: conflicting types for `librad_MD4_CTX'
/service/freeradius-cvs/radiusd/src/freeradius-devel/md4.h:75: previous declaration of `librad_MD4_CTX'
gmake[4]: *** [threads.lo] Error 1

On another system with fedora 4.1.1-30 and openssl-0.9.8b-8.3.fc6 the make runs fine without errors.


-- 
Regards

Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Room 20
Center for Applied Informatics - University-wide Service RRZK
Universität zu Köln - Tel: 0221-470-6972



Re: NAS-Group? - different replies to different NASes?

2007-11-02 Thread tnt
Multiple sql/ldap instances. Use one to authorize NAS A and another to
authorize NAS B.

Ivan Kalik
Kalik Informatika ISP


On 1/11/2007, Adrian [EMAIL PROTECTED] wrote:

Hello Everyone,

I need help setting up custom replies for each NAS in my organization.  I.E

I have NAS A and NAS B

When NAS A communicates with our Radius Server (Freeradius) I want to send
back Tunnel attributes on domain matching.  (i.e [EMAIL PROTECTED] - a set of
tunnel attributes Service-Type, Tunnel-Password, Tunnel-Type...etc - not
user specific).

When NAS B communicates with our Radius I want to send back specific
information about the user it's requesting (i.e [EMAIL PROTECTED] - Framed-IP,
Framed-Netmask...etc)

Since both requests are addressed to domain.com how can I selectively allow
only certain responses to NAS A and others to NAS B?

Thanks for the help
Adrian Boros






Startup problem with ldap

2007-11-02 Thread Massimo Meregalli
Hi,
I'm trying to run freeradius 1.1.7 with ldap as authorize and authenticate backend and I'm having trouble with freeradius startup.

If the server is started with radiusd -X or radiusd -s all is fine and the requests get answered correctly.

If the server is started with radiusd -y it doesn't start up correctly. From the radiusd.log file I notice that the line

Fri Nov  2 09:37:54 2007 : Info: Ready to process requests.

is missing. If I comment out the ldap section in authorize and authenticate, the server starts up correctly also with the -y startup flag.

I've tried some debugging and I found that the server forks correctly and the parent exits, but the child never comes alive, as the line "Here before setsid" doesn't appear in the logfile.

I've also tried to start gdb on the running process to see where the process is; the results are reported at the end of the message.

Here are the modified section of radiusd.c, the radiusd.log and the output of the gdb session.
 

radiusd.c:

.
        /*
         *  Disconnect from session
         */
        if (debug_flag == 0 && dont_fork == FALSE) {
                pid = fork();
                if (pid < 0) {
                        radlog(L_ERR|L_CONS, "Couldn't fork");
                        exit(1);
                }

                /*
                 *  The parent exits, so the child can run in the
                 *  background.
                 */
                if (pid > 0) {
                        radlog(L_ERR, "Parent Exit");
                        exit(0);
                }
                radlog(L_ERR, "Here before setsid");
#ifdef HAVE_SETSID
                setsid();
#endif
..
 

radiusd.log:

Fri Nov  2 09:56:33 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Fri Nov  2 09:56:33 2007 : Info: rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Fri Nov  2 09:56:33 2007 : Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
Fri Nov  2 09:56:33 2007 : Error: Parent Exit


gdb:

[EMAIL PROTECTED] main]# gdb .libs/radiusd 20867
GNU gdb Red Hat Linux (6.6-16.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
Using host libthread_db library "/lib/libthread_db.so.1".
Attaching to program: /usr/src/redhat/BUILD/freeradius-1.1.7/src/main/.libs/radiusd, process 20867
Loaded symbols for /usr/src/redhat/BUILD/freeradius-1.1.7/src/main/.libs/radiusd
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libpthread.so.0...done.
[Thread debugging using libthread_db enabled]
[New Thread -1209166144 (LWP 20867)]
Loaded symbols for /lib/libpthread.so.0
Reading symbols from /usr/lib/libradius-1.1.7.so...done.
Loaded symbols for /usr/lib/libradius-1.1.7.so
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libsnmp.so.15...done.
Loaded symbols for /usr/lib/libsnmp.so.15
Reading symbols from /usr/lib/libltdl.so.3...done.
Loaded symbols for /usr/lib/libltdl.so.3
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libssl.so.6...done.
Loaded symbols for /lib/libssl.so.6
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
   

Re: Cert Problem with EAP-TTLS, SecureW2 (1.0.5--1.1.7)

2007-11-02 Thread Martin Pauly
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
  So... did you run the command to set the DH parameters?
yeah, stupid me: I had looked for it in my own eap.conf, 
not in the one provided with the 1.1.5 package.
No DH gets initialized, but the cert problem remains.
Here's the debug output again (startup + 1 connection trial):

pcrz322:/etc/freeradius# freeradius -X | tee /tmp/freerad.debug.log
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = ttls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs/key-radius-staff.pem
 tls: certificate_file = /etc/freeradius/certs/cert-radius-staff.pem
 tls: CA_file = /etc/freeradius/certs/unimr-ssl-ca.pem
 tls: private_key_password = omihnl
 tls: dh_file = /etc/freeradius/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 

Re: Maintaining a (very) dynamic user list with freeradius

2007-11-02 Thread Peter Nixon
On Fri 02 Nov 2007, Jos Vos wrote:
 Hi,

 What is the best way to maintain a very dynamic user list for freeradius
 (on a Linux platform)?

 I'm talking about a setup where every few minutes (sometimes every minute)
 a user has to be added and/or removed, with in total up to about 200 users
 in the user base at the same moment.

 Ideally, I'd like to just regenerate the users file with a script whenever
 a change is needed and let radiusd reload it, but I saw in the docs that
 reloading the config (and the users file) is expensive, so this will
 probably not be very suitable for this situation.

 If anyhow possible I'd like to minimize any extra overhead, and avoid
 running PostgreSQL or MySQL servers, for example.  Maybe use DBM?

 What is recommended for this purpose?

Use either SQL or LDAP...


-- 

Peter Nixon
http://peternixon.net/


SSL Certificate Problem...

2007-11-02 Thread Bernd
So I did the changes you told me. I can still not connect to my WLAN, but I
think that's because I have no certificates created or imported.

Debug Mode tells me this...

rad_recv: Accounting-Request packet from host 192.168.1.6:1028, id=16,
length=161
User-Name = bnickaes
NAS-Identifier = BBi5
Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test
Calling-Station-Id = 00-14-a5-3e-a8-ba
Acct-Status-Type = Stop
Acct-Session-Id = 416
Acct-Input-Octets = 1508
Acct-Output-Octets = 0
Acct-Input-Packets = 6
Acct-Output-Packets = 0
Acct-Delay-Time = 0
Acct-Session-Time = 6
Acct-Terminate-Cause = NAS-Request
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 32
  modcall[preacct]: module preprocess returns noop for request 32
rlm_acct_unique: WARNING: Attribute NAS-Port was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',Client-IP-Address = 192.168.1.6,NAS-IP-Address =
192.168.1.6,Acct-Session-Id = 416,User-Name = bnickaes'
rlm_acct_unique: Acct-Unique-Session-ID = c32063e973b8db95.
  modcall[preacct]: module acct_unique returns ok for request 32
rlm_realm: No '@' in User-Name = bnickaes, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop for request 32
  modcall[preacct]: module files returns noop for request 32
modcall: leaving group preacct (returns ok) for request 32
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 32
radius_xlat:  '/var/log/radius/radacct/192.168.1.6/detail-20071102'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.6/detail-20071102
  modcall[accounting]: module detail returns ok for request 32
  modcall[accounting]: module unix returns noop for request 32
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'bnickaes'
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
  modcall[accounting]: module radutmp returns noop for request 32
radius_xlat:  'bnickaes'
rlm_sql (sql): sql_set_user escaped user -- 'bnickaes'
radius_xlat:  'UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00' '
radius_xlat:  '/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql_mysql: query:  UPDATE radacct   SET FramedIPAddress = '',
AcctSessionTime = '6',   AcctInputOctets = '1508',
AcctOutputOctets = '0', ?  AcctStopTime =
FROM_UNIXTIME(UNIX_TIMESTAMP(`AcctStartTime`) + `AcctSessionTime` )
WHERE UserName = 'bnickaes'   AND AcctStopTime= '-00-00
00:00:00'
rlm_sql (sql): Released sql socket id: 3
  modcall[accounting]: module sql returns ok for request 32
modcall: leaving group accounting (returns ok) for request 32 Sending
Accounting-Response of id 16 to 192.168.1.6 port 1028 Finished request 32

...and I think it's OK.

So I tried to create some certificates to get this finally done.

After I did what the tutorial for AD integration told me about creating self-signed
certificates, I ran CA.all. So I typed in all the information and saw this:


+ openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./cakey.pem
5010:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./cakey.pem','r')
5010:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
Error opening input file newcert.pem
newcert.pem: No such file or directory
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
Error opening input file cert-srv.p12
cert-srv.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
Error opening Certificate cert-srv.pem
5013:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('cert-srv.pem','r')
5013:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
+ echo -e '\n\t\t##\n'

##

Maybe my fault is trivial, but I'm really a little clobbered over the head
with all this at the moment and I just got one week to get it done.




Re: How to proxy password from TTLS

2007-11-02 Thread tnt
You wrote earlier:

 DEFAULT   FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
 other_server

Does that mean that FreeRADIUS receives the EAP-Request, takes the
inner TTLS payload and forwards it to itself (localhost) by default?
And I can just redirect it to other_server?

Thanks for your help

Regards,
Wolfgang Burger


Yes.

Ivan Kalik
Kalik Informatika ISP



Re: radiusd deadlock on recvfrom on port 1814

2007-11-02 Thread Ryan Melendez

On Fri, 2007-11-02 at 14:33 +0100, Alan DeKok wrote:
 Ryan Melendez wrote:
  I'm not positive that select is lying about data being available. It
  could be that there is data when select is called, but _something_ out
  of line grabs it before recvfrom() can get to it.
 
   Like what?  There is nothing else listening on that IP address/port.
 The socket API makes sure of that.

I wish I knew.  One thing I specifically mention is that the two radius
servers are bound to two different virtual interfaces with unique IPs.
So both servers are running on the same physical interface.  My only
guess at this point is that something is going on with how virtual
interfaces work under the hood.  So something lower than the socket
API...

So I'm now wondering if there is something fundamentally wrong with how
the kernel treats two udp sockets:

1)listening on the same port
2)bound to two different IPs, one of which is a VIF on the same physical
interface
3)in two entirely different processes 

I'm inclined to say hell no, but stranger things have happened.

  Again, this only started happening when I began running two radiusd
  processes on different interfaces on a multihomed system.  I also have
  radrelay binding to one interface and replicating acct packets to the
  other process.
 
   Hmm... even 1.1.x can have one process listen on multiple interfaces.
  Why not try that?
I need to replicate acct data. I have radrelay replicating the data from
the detail file of one server to the other server bound to a virtual
interface.  This is the only way I found I could replicate the data
while still getting the failover/unique proxy/timeout requirements.  The
second radius server only gets acct packets via radrelay originally sent
to the first radius server.


I haven't figured out what port 1814 is actually used for.  Is there
anything I could do to disable the proxy port on one or both of the
servers?  What would I lose?


Thanks,
Ryan


Re: Radiusd -X start vs Radiusd start

2007-11-02 Thread A . L . M . Buxey
Hi,
 
 Hi evr,
  
 I'm currently experimenting on freeradius 1.1.6 (on rhl3)  my setup seems to 
 be working fine except a little bug ! 
  
 I'm using a software to monitor freeradius from the outside this soft is 
 called (Whistle Blower running on a mac)
  
 This soft attempt to validate a user called Whistle Blower and freeradius 
 must send a deny packet ! 
  
 When I : radiusd -X start the process work fine 
  
 When I : radiusd start the process times out ??? 

Permissions. When run with '-X' the server runs with high privileges. When run without
-X, then the server runs as whoever you configured in radiusd.conf (usually 'radiusd'),
thus it may not be able to write to log files or read config files etc. Check the
permissions and ownership of e.g. log files, config files and the process PID file.

radiusd -x

(small x) will run in small debug mode and can highlight this issue.
alan
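Added example (editor's code, not part of FreeRADIUS or of this thread) for the diagnosis above: the permission problem is easiest to catch before the daemon is started, by evaluating the mode bits of every file radiusd touches the way the kernel evaluates them for a non-root account (owner triplet, else group triplet, else other). Root's DAC override is deliberately not modelled, because the question is what the `user`/`group` account from radiusd.conf can do once -X is dropped. The sample files live in a temp directory so the block runs on its own; in practice you feed `audit()` the real radiusd.conf, log, radacct and PID file paths and the uid/gids of that account (from pwd/grp).

```python
"""Check that the files radiusd needs are usable by its configured user (editor's example)."""
import os
import shutil
import tempfile


def allowed(st, uid, gids, want):
    """want is 'r', 'w' or 'x'; st is an os.stat_result.

    Mirrors the classic Unix DAC decision for a non-root process: exactly one
    of the three permission triplets applies, chosen by ownership."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if st.st_uid == uid:
        cls = (st.st_mode >> 6) & 7      # owner triplet
    elif st.st_gid in gids:
        cls = (st.st_mode >> 3) & 7      # group triplet
    else:
        cls = st.st_mode & 7             # other triplet
    return bool(cls & bit)


def audit(paths, uid, gids):
    """paths: {path: 'r' | 'w' | 'rw'}; returns [(path, missing access), ...].

    An empty list means the unprivileged account can open everything it needs;
    anything else is what 'radiusd start' would trip over while '-X' sails through."""
    problems = []
    for path, wants in paths.items():
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append((path, "missing"))
            continue
        for w in wants:
            if not allowed(st, uid, gids, w):
                problems.append((path, w))
    return problems


def demo():
    """Constructed layout: a world-readable config (fine) and a 0600 log file
    owned by the current user, which a different uid can neither read nor write."""
    d = tempfile.mkdtemp()
    cfg = os.path.join(d, "radiusd.conf")
    log = os.path.join(d, "radius.log")
    for p, mode in ((cfg, 0o644), (log, 0o600)):
        with open(p, "w") as f:
            f.write("")
        os.chmod(p, mode)
    other_uid = os.getuid() + 1          # stands in for the 'radiusd' account
    result = audit({cfg: "r", log: "rw"}, other_uid, set())
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    for path, what in demo():
        print(f"{path}: '{what}' access missing for the radiusd user")
```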


Re: Maintaining a (very) dynamic user list with freeradius

2007-11-02 Thread Jos Vos
On Fri, Nov 02, 2007 at 11:11:17AM +, Phil Mayers wrote:

 Use SQL or LDAP. Running a postgresql server for ~200 row table is very
 little effort.

Is http://wiki.freeradius.org/SQL_HOWTO the best documentation on how
to populate / change the DB?  Does this also apply to freeradius 1.0.1?

As the systems I'll be using for freeradius are currently running RHEL4,
I'm more or less forced to using freeradius 1.0.1 for now.  If there are
any caveats, please let me know.

-- 
--Jos Vos [EMAIL PROTECTED]
--X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--Amsterdam, The Netherlands| Fax: +31 20 6948204
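Added example (editor's code, not the wiki's or the project's) of what "populate / change the DB" looks like for the use case in the first post. rlm_sql reads check items from the `radcheck` table (columns id, username, attribute, op, value in the stock schema) on every Access-Request, so rows can come and go every minute with no reload of radiusd at all. sqlite3 from the Python standard library stands in for the PostgreSQL server the thread recommends; apart from the placeholder style (`?` here, `%s` with psycopg2) the statements are the same. `Cleartext-Password` is the check attribute used by 1.1.x and later, one more reason to take the 1.1.7 upgrade Alan mentions. The parameterised queries are the security point: the username arrives from outside, and a script that builds the INSERT by string concatenation would let a crafted name add an `Auth-Type := Accept` row.

```python
"""Maintain FreeRADIUS users in the rlm_sql radcheck table (editor's example)."""
import sqlite3

# Stock FreeRADIUS radcheck layout; sqlite3 stands in for PostgreSQL/MySQL here.
RADCHECK_DDL = """
CREATE TABLE IF NOT EXISTS radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  VARCHAR(64)  NOT NULL,
    attribute VARCHAR(64)  NOT NULL,
    op        CHAR(2)      NOT NULL DEFAULT '==',
    value     VARCHAR(253) NOT NULL
)
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(RADCHECK_DDL)
    conn.commit()
    return conn


def add_user(conn, username, password):
    """One Cleartext-Password check item.  The placeholders keep a username such
    as "x', 'Auth-Type', ':=', 'Accept')--" from ever being parsed as SQL."""
    with conn:  # transaction: the row appears all at once or not at all
        conn.execute(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, 'Cleartext-Password', ':=', ?)",
            (username, password),
        )


def remove_user(conn, username):
    """Delete every check item for the user; returns the number of rows removed."""
    with conn:
        cur = conn.execute("DELETE FROM radcheck WHERE username = ?", (username,))
    return cur.rowcount


def check_items(conn, username):
    """(attribute, op, value) rows for one user, as rlm_sql would read them."""
    rows = conn.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id",
        (username,),
    )
    return [tuple(r) for r in rows]


def list_users(conn):
    return sorted(r[0] for r in conn.execute("SELECT DISTINCT username FROM radcheck"))


def sync_users(conn, desired):
    """Make radcheck match desired ({username: password}) in one transaction.

    This is the 'regenerate the whole list' workflow from the thread, done as a
    diff against the table instead of a config reload.  With a transactional
    backend a request arriving mid-sync sees the old set or the new set, never a
    half-written one.  Returns (added, changed, removed) counts."""
    current = dict(conn.execute(
        "SELECT username, value FROM radcheck WHERE attribute = 'Cleartext-Password'"))
    added = sorted(set(desired) - set(current))
    removed = sorted(set(current) - set(desired))
    changed = sorted(u for u in set(desired) & set(current) if desired[u] != current[u])
    with conn:
        for u in removed:
            conn.execute("DELETE FROM radcheck WHERE username = ?", (u,))
        for u in changed:
            conn.execute(
                "UPDATE radcheck SET value = ? "
                "WHERE username = ? AND attribute = 'Cleartext-Password'",
                (desired[u], u),
            )
        for u in added:
            conn.execute(
                "INSERT INTO radcheck (username, attribute, op, value) "
                "VALUES (?, 'Cleartext-Password', ':=', ?)",
                (u, desired[u]),
            )
    return len(added), len(changed), len(removed)


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "s3cret")
    print(sync_users(db, {"alice": "s3cret", "bob": "hunter2"}), list_users(db))
```

With a real server, `open_db()` is replaced by the psycopg2/MySQLdb connection and the same functions run from whatever produces the user list today; rlm_sql picks the change up on the next request.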


Re: Radiusd -X start vs Radiusd start

2007-11-02 Thread Alan DeKok
J-P Raymond wrote:
 This soft attempt to validate a user called Whistle Blower and
 freeradius must send a deny packet !
  
 When I : radiusd -X start the process work fine
  
 When I : radiusd start the process times out ???

  Set reject_delay = 0.

  It's fixed in 2.0-pre, but it should also be fixed in 1.x.

  Alan DeKok.


Re: Maintaining a (very) dynamic user list with freeradius

2007-11-02 Thread Alan DeKok
Jos Vos wrote:
 As the systems I'll be using for freeradius are currently running RHEL4,
 I'm more or less forced to using freeradius 1.0.1 for now.  If there are
 any caveats, please let me know.

  http://freeradius.org/security.html

  You *can* manually upgrade to 1.1.7.  It's not hard.

  Alan DeKok.


Re: radiusd deadlock on recvfrom on port 1814

2007-11-02 Thread Alan DeKok
Ryan Melendez wrote:
 I wish I knew.  One thing I specifically mention is that the two radius
 servers are bound to two different virtual interfaces with unique IPs.

  That shouldn't matter...

 So I'm now wondering if there is something fundamentally wrong with how
 the kernel treats two udp sockets:
 
 1)listening on the same port
 2)bound to two different IPs, one of which is a VIF on the same physical
 interface
 3)in two entirely different processes 
 
 I'm inclined to say hell no, but stranger things have happened.

  It's certainly possible that it's not a well tested portion of the kernel.

  In any case, set O_NONBLOCK on the sockets, and the problem should be
fixed.

   Hmm... even 1.1.x can have one process listen on multiple interfaces.
  Why not try that?
 I need to replicate acct data. I have radrelay replicating the data from
 the detail file of one server to the other server bound to a virtual
 interface.  This is the only way I found I could replicate the data
 while still getting the failover/unique proxy/timeout requirements.  The
 second radius server only gets acct packets via radrelay originally sent
 to the first radius server.

  Hmm 2.0 may handle that a lot better.

 I haven't figured out what port 1814 is actually used for.  Is there
 anything I could do to disable the proxy port on one or both of the
 servers?  What would I loose?

  The ability to send packets to other servers.  1814 is used when
FreeRADIUS is acting as a RADIUS client (i.e. proxy).

  Alan DeKok.
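Added example (editor's code, not FreeRADIUS's) of the O_NONBLOCK fix in the reply above. The failure mode is that select() reports a socket readable, the datagram is gone by the time recvfrom() runs, and a blocking recvfrom() then parks the whole server; beyond the deadlock, that is a cheap denial of service if anything can race the listener for its packets. With O_NONBLOCK the call returns EAGAIN instead and the loop simply goes back to select(). Only loopback sockets on kernel-chosen ports are used so it runs offline; the two listeners stand in for the two radiusd processes, and `drain_nonblocking()` shows the EAGAIN path directly.

```python
"""select() plus non-blocking recvfrom() for a RADIUS-style UDP listener (editor's example)."""
import select
import socket


def make_listener(host="127.0.0.1", port=0):
    """UDP socket bound to host:port and switched to non-blocking mode,
    which on POSIX is fcntl(fd, F_SETFL, O_NONBLOCK)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.setblocking(False)
    return sock


def recv_ready(sock, timeout=0.0):
    """Wait up to timeout seconds for a datagram; returns (data, addr) or None.

    None covers both 'select() timed out' and 'select() said readable but the
    datagram was gone when recvfrom() ran'.  The second case is exactly where a
    blocking socket would hang the event loop; here it is just another pass."""
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return None
    try:
        return sock.recvfrom(4096)
    except BlockingIOError:      # EAGAIN / EWOULDBLOCK: nothing to read after all
        return None


def drain_nonblocking(sock):
    """recvfrom() on an empty non-blocking socket returns at once with EAGAIN."""
    try:
        return sock.recvfrom(4096)[0]
    except BlockingIOError:
        return None


def demo():
    """Two listeners on distinct loopback ports, one constructed datagram each,
    then a read on an empty socket that must return immediately."""
    a, b = make_listener(), make_listener()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(b"acct-to-a", a.getsockname())
        client.sendto(b"acct-to-b", b.getsockname())
        got_a = recv_ready(a, timeout=2.0)
        got_b = recv_ready(b, timeout=2.0)
        empty = recv_ready(a, timeout=0.0)   # queue is empty: no hang, None
    finally:
        for s in (a, b, client):
            s.close()
    return got_a[0], got_b[0], empty


if __name__ == "__main__":
    print(demo())
```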


Re: Security of sql md5 vs unix auth

2007-11-02 Thread Alan DeKok
Ben Wiechman wrote:
 Background: we use freeradius to provide AAA for our wireless hotspots.
 We would also like to use radius authentication for our layer 3
 switches. This brings up the question of security.

  It brings up a question of limited choices.

 Which is going to be more secure, md5 hashed passwords in MySQL, or
 storing the passwords for the switch accounts in the /etc/shadow file

  It's effectively the same from a security point of view.

 (I
 had to set the file to world readable to allow the radiusd process to
 read the file…).

   PLEASE don't do that!  The comments in radiusd.conf describe how to
*properly* let the server read /etc/shadow.

 Or is there another, better alternative that I just
 don’t know about?

  If you're doing PEAP for WiFi, you *can't* use MD5 or /etc/shadow
passwords.

  Alan DeKok.

Re: How to proxy password from TTLS

2007-11-02 Thread Alan DeKok
Wolfgang Burger wrote:
 The output:
 
 mac339:~ system$ sudo radiusd -X
 FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0,

  Hmm... grab the latest CVS version.  It's now called 2.0.0-beta, and
it much better than -pre2.  See raddb/sites-available/, and eap.conf for
samples of virtual servers.  You can control the inner-tunnel
authentication COMPLETELY separately from everything else.
...
 Sending Access-Request of id 196 to XXX.XXX.XXX.XXX port 1645
...
 EAP-Message = 0x020c0162757267657277

  You've configured it to proxy the OUTER session, not the inner one.

$ cd raddb/sites-enabled
$ ln -s ../sites-available/inner-tunnel
$ cd ../..
$ vi eap.conf
  (un-comment "virtual_server = inner-tunnel")
$ vi sites-available/inner-tunnel

  In the authorize section, add:

	update control {
		Proxy-To-Realm := "realm..."
	}

  And probably delete everything else from the authorize section.
This will tell the server to proxy the inner tunnel section to somewhere
else...

 Thank you for your help Alan.
 I wish any commercial product would have a support as good as yours.

  <g>  Some may argue.  But they're WRONG!

  Alan DeKok.


Re: Filtering out a attribute conditionally

2007-11-02 Thread Mike O'Connor
Hi Alan
 Is there any way of adding or removing the ip_pool based on a rule?
 

   I don't know what you mean by that.

   
I still want the customer ISP to be able to set a static IP address, but
I have to remove the cisco-avpair when these come through, or I want
to add the cisco-avpair when there is no static IP address.
 Could Freeradius 2 do this ?
 

   It would likely be a lot easier.  Download 2.0, and read man unlang.
   

I suspected that v2 would handle this better. I had read the unlang man
page. Still trying to get a handle on it.

Mike