EAP-TLS does not send an access OK.
Hello,

I work on a WiFi authentication project, dealing with EAP/TLS on FreeRADIUS. I already read a lot of docs on the net. The certificates are created with xpextensions and installed. I use FreeRADIUS. My config files are attached. Client: Windows XP Pro SP2.

Here is the FreeRADIUS log when I try to connect:

rad_recv: Access-Request packet from host 172.17.5.100:32778, id=168, length=150
        User-Name = mobile
        NAS-IP-Address = 172.17.5.100
        NAS-Identifier = 172.17.5.100
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 000F20957BB7
        Called-Station-Id = 000B8641C660
        Framed-MTU = 1100
        EAP-Message = 0x0201000b016d6f62696c65
        Aruba-Essid-Name = eole
        Aruba-Location-Id = 2.1.1
        Message-Authenticator = 0x4b5ee61553ec73cc454c403ec873ad24
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
Sending Access-Challenge of id 168 to 172.17.5.100 port 32778
        Aruba-User-Vlan = 200
        Aruba-User-Role = eole
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x
        State = 0xf1d8d2c72aac139bb25089361b94918e
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=169, length=269
        User-Name = mobile
        NAS-IP-Address = 172.17.5.100
        NAS-Identifier = 172.17.5.100
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = 000F20957BB7
        Called-Station-Id = 000B8641C660
        Framed-MTU = 1100
        EAP-Message = 0x020200700d8000661603010061015d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff2f66001600040005000a000900640062000300060013001200630100
        State = 0xf1d8d2c72aac139bb25089361b94918e
        Aruba-Essid-Name = eole
        Aruba-Location-Id = 2.1.1
        Message-Authenticator = 0xd4944b76a67263b3c6431530b33522d1
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
Sending Access-Challenge of id 169 to 172.17.5.100 port 32778
        Aruba-User-Vlan = 200
        Aruba-User-Role = eole
        EAP-Message = 0x864886f70d010901161961646d696e2e726573656175
        Message-Authenticator = 0x
        State = 0x3086036a150a272bec4609fc740fdb2d
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=170, length=163
        User-Name = mobile
        NAS-IP-Address = 172.17.5.100
        NAS-Identifier = 172.17.5.100
        NAS-Port = 1
        NAS-Port-Type = Wireless-802.11
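Decoding the EAP-Message values in the log above shows exactly how far the EAP-TLS conversation got: an Identity response, the server's EAP-TLS Start, and one ClientHello from the client, with no Certificate, CertificateVerify or Finished ever following. This is an added example, not code from the post or from FreeRADIUS; it parses the RFC 3748 EAP header, the RFC 5216 EAP-TLS flags and length, and the TLS record and ClientHello inside. The third hex value is decoded twice: as printed on the page, where the declared EAP length (112) does not match the 108 bytes present, and with two runs of zero bytes restored (the high bytes of the 4-byte EAP-TLS length and of the 3-byte handshake length), an assumption that makes every nested length agree.

```python
"""Added example: decode the EAP-Message attributes from the radiusd log."""
import struct

# Hex values copied from the log above (0x prefix dropped).
LOG_EAP_MESSAGES = [
    "0201000b016d6f62696c65",   # Access-Request id=168: EAP-Response/Identity
    "010200060d20",             # Access-Challenge id=168: EAP-Request/EAP-TLS Start
    # Access-Request id=169: EAP-Response/EAP-TLS, exactly as printed on the page
    "020200700d8000661603010061015d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7"
    "068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff"
    "2f66001600040005000a000900640062000300060013001200630100",
]
# Assumption: the page's copy of the third value lost two runs of zero bytes, the high
# bytes of the 4-byte EAP-TLS length (0d80 0066 -> 0d80 00000066) and of the 3-byte
# handshake length (01 5d -> 01 00005d). Restored, the lengths agree: EAP 112,
# TLS data 102, TLS record 97, ClientHello body 93.
CLIENT_HELLO_RESTORED = (LOG_EAP_MESSAGES[2]
                         .replace("0d800066", "0d8000000066", 1)
                         .replace("61015d03", "610100005d03", 1))

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                 15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def decode_eap(hexstr: str) -> dict:
    """Parse one EAP packet: RFC 3748 header, then an Identity or EAP-TLS payload."""
    raw = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "declared_length": length, "actual_length": len(raw),
           "length_ok": length == len(raw)}
    if code in (3, 4) or len(raw) < 5:      # Success/Failure carry no Type byte
        return out
    eap_type = raw[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if not out["length_ok"]:                # anything past the header is untrustworthy
        return out
    payload = raw[5:]
    if eap_type == 1:
        out["identity"] = payload.decode("ascii", errors="replace")
    elif eap_type == 13:
        out.update(decode_eap_tls(payload))
    return out


def decode_eap_tls(payload: bytes) -> dict:
    """RFC 5216 EAP-TLS data: Flags byte, optional 4-byte TLS Message Length, TLS records."""
    flags = payload[0]
    info = {"flags": {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}}
    pos = 1
    if flags & 0x80:
        info["tls_total_length"] = struct.unpack("!I", payload[1:5])[0]
        pos = 5
    data = payload[pos:]
    info["tls_bytes_in_fragment"] = len(data)     # 0 for the bare EAP-TLS Start
    if len(data) >= 6:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
        record = {"content_type": TLS_CONTENT.get(ctype, ctype),
                  "version": f"{major}.{minor}", "record_length": rec_len}
        if ctype == 22:
            hs_type = data[5]
            hs_len = int.from_bytes(data[6:9], "big")
            record["handshake"] = TLS_HANDSHAKE.get(hs_type, hs_type)
            if hs_type == 1 and len(data) >= 9 + hs_len:
                record["client_hello"] = decode_client_hello(data[9:9 + hs_len])
        info["tls_record"] = record
    return info


def decode_client_hello(body: bytes) -> dict:
    """ClientHello body: version(2) random(32) session_id(1+n) cipher_suites(2+m) ..."""
    sid_len = body[34]
    pos = 35 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"client_version": f"{body[0]}.{body[1]}", "session_id_len": sid_len,
            "cipher_suites": [f"0x{s:04x}" for s in suites]}


def handshake_messages_seen(hexstrs) -> list:
    """TLS handshake messages visible in the log; without a Finished there is no Access-Accept."""
    seen = []
    for h in hexstrs:
        hs = decode_eap(h).get("tls_record", {}).get("handshake")
        if hs:
            seen.append(hs)
    return seen


if __name__ == "__main__":
    for h in LOG_EAP_MESSAGES + [CLIENT_HELLO_RESTORED]:
        print(decode_eap(h))
    print("handshake messages seen:",
          handshake_messages_seen(LOG_EAP_MESSAGES[:2] + [CLIENT_HELLO_RESTORED]))
```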
Re: EAP-TLS does not send an access OK.
Patrice Oliver wrote:
> The certificates are created with xpextensions and installed. I use FreeRADIUS.

  Ok.  Did you install the CA (or root) cert on the Windows machine?

> I see no OK, and no 'not OK'. I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for more SSL data.' I don't understand why freeradius sends an access challenge instead of an access ok since the certificates are OK.

  Because the TLS method has not finished.  The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: [SPAM] Re: EAP-TLS does not send an access OK.
Alan DeKok wrote:
> Patrice Oliver wrote:
>> The certificates are created with xpextensions and installed. I use FreeRADIUS.
> Ok. Did you install the CA (or root) cert on the Windows machine?

Yes, and the client certificate too.

>> I see no OK, and no 'not OK'. I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for more SSL data.' I don't understand why freeradius sends an access challenge instead of an access ok since the certificates are OK.
> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.

How do I work around this?

> Alan DeKok.

Best regards.
-- 
Patrice OLIVER, Hospices Civils de Beaune
Problems With Radwho
Hi Guys/Gals

I have a problem where radwho only shows users logged in for two NASes. As well, only their accounting info goes into the radacct table. I can see the other users authenticating and I can log into them. So they must be dialing up. No idea why it's happening.

I'm using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06

Regards
Willem Gerber
-- 
The casing said 'Windows XP or better'... so I installed Linux -- Anonymous
Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Problem is not with the server but with Windows XP. Have you imported the correct certificate? Is it in the correct store? What's Windows XP complaining about in Event Viewer?

Ivan Kalik
Kalik Informatika ISP

On 16/11/2007, Patrice Oliver wrote:
> Alan DeKok wrote:
>> Patrice Oliver wrote:
>>>> Ok. Did you install the CA (or root) cert on the Windows machine?
>>> Yes, and the client certificate too.
>> Then there isn't much else that can go wrong.
>>>> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.
>>> How do I work around this?
>> Convince the Windows machine to accept the server certificate. eap.conf has pointers to Windows knowledge base articles. Maybe those will help.
>> Alan DeKok.
>
> If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file? Reading it should determine a mistake ...
>
> Patrice
Re: [SPAM] Re: EAP-TLS does not send an access OK.
Patrice Oliver wrote:
...
>> Ok. Did you install the CA (or root) cert on the Windows machine?
> Yes, and the client certificate too.

  Then there isn't much else that can go wrong.

>> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.
> How do I work around this?

  Convince the Windows machine to accept the server certificate.  eap.conf has pointers to Windows knowledge base articles.  Maybe those will help.

  Alan DeKok.
Re: Problems With Radwho
I'm seeing the authentication requests from the server and the reply packets. What would an accounting packet look like? Sorry for asking. The traffic looks right to me if I do radius -X

Regards
Willem Gerber

Ivan Kalik wrote:
> Are you getting accounting packets from those access servers? Or just authentication? If NAS is not sending ...
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Problems With Radwho
Are you getting accounting packets from those access servers? Or just authentication? If NAS is not sending ...

Ivan Kalik
Kalik Informatika ISP

On 16/11/2007, Willem Gerber wrote:
> Hi Guys/Gals
>
> I have a problem where radwho only shows users logged in for two NASes. As well, only their accounting info goes into the radacct table. I can see the other users authenticating and I can log into them. So they must be dialing up. No idea why it's happening.
>
> I'm using radiusd: FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu, built on Oct 10 2007 at 08:13:06
>
> Regards
> Willem Gerber
Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Alan DeKok wrote:
> Patrice Oliver wrote:
>>> Ok. Did you install the CA (or root) cert on the Windows machine?
>> Yes, and the client certificate too.
> Then there isn't much else that can go wrong.
>>> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.
>> How do I work around this?
> Convince the Windows machine to accept the server certificate. eap.conf has pointers to Windows knowledge base articles. Maybe those will help.
> Alan DeKok.

If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file? Reading it should determine a mistake ...

Patrice
-- 
Patrice OLIVER, Hospices Civils de Beaune
Re: Problems With Radwho
It's not Access-Request but Accounting-Request. If you don't see them after the Access-Accept then your NAS is not sending accounting data.

Ivan Kalik
Kalik Informatika ISP

On 16/11/2007, Willem Gerber wrote:
> I'm seeing the authentication requests from the server and the reply packets. What would an accounting packet look like? Sorry for asking. The traffic looks right to me if I do radius -X
>
> Regards
> Willem Gerber
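Ivan's point, as an added example that is not FreeRADIUS code (all sample values are constructed): an Accounting-Request is RADIUS code 4, it carries Acct-Status-Type and Acct-Session-Id rather than a password, and its Request Authenticator is an MD5 over the packet and the shared secret that the server recomputes before trusting the record. If the debug output never shows such a packet after the Access-Accept, the NAS is not sending accounting and radacct and radwho will never see the session.

```python
"""Added example: an Accounting-Request on the wire and the check applied to it (RFC 2866)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def avp(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value; Length covers the 2-byte header (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator; a mismatch means a wrong secret or a modified packet.

    Access-Requests carry a random authenticator instead, so this check applies to code 4 only.
    """
    if packet[0] != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_radius(packet: bytes) -> dict:
    """Decode the header and attributes roughly the way the server's debug output prints them."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == 4:
            decoded = ".".join(str(b) for b in value)
        elif attr_type in (40, 46):
            n = struct.unpack("!I", value)[0]
            decoded = ACCT_STATUS.get(n, n) if attr_type == 40 else n
        else:
            decoded = value.decode("utf-8", errors="replace")
        attrs[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = decoded
        pos += attr_len
    return {"code": CODE_NAMES.get(code, code), "id": ident, "attrs": attrs}


# Constructed sample: the Start record a dial-up NAS sends once the Access-Accept is in.
SECRET = b"testing123"
START_PACKET = build_accounting_request(
    SECRET, 7,
    avp(1, b"willem") + avp(4, bytes([192, 168, 1, 10]))
    + avp(40, struct.pack("!I", 1)) + avp(44, b"0001A2B3"))

if __name__ == "__main__":
    print(parse_radius(START_PACKET))
    print("authenticator ok:", accounting_authenticator_ok(START_PACKET, SECRET))
```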
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
I self-generated my certificates, and created my own CA, not dependent on an official CA. Do you think it can be the origin of my problem?

Best regards.

Ivan Kalik wrote:
> Problem is not with the server but with Windows XP. Have you imported the correct certificate? Is it in the correct store? What's Windows XP complaining about in Event Viewer?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius auto-vlan 3com switch 4500G
Hi Krzysztof,

Thanks for sharing your experience.

> Please add here:
>   vlan-assignment-mode string
>   accounting optional

A 3Com product engineer gave me the same instruction; unfortunately the 4500G does not support vlan-assignment-mode, and accounting does not take optional as an argument. Maybe it should. The 4500G is new, and like many new products it must go through a real-world user trial phase to uncover birth defects.

This said, 3Com is going to replace my 4500G with a 5500G at no cost. And this is a solution to my problem, which is not a FreeRADIUS one anymore.

Thanks again, enjoy the day,
Philippe.

- Original Message -
From: Krzysztof Olędzki
Cc: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: freeradius auto-vlan 3com switch 4500G
Date: Fri, 16 Nov 2007 00:10:23 +0100

On 2007-11-11 18:27, Philippe Breton wrote:
> On Sun, 2007-11-11 at 17:37 +0100, Krzysztof Olędzki wrote:
>> On 2007-11-10 17:30, Philippe Breton wrote:
>> Did you setup your switch properly:
>>   domain (...)
>>   vlan-assignment-mode string
> Hard to give a 100% answer on this question. I believe I did with the help of 3com support.
>> This is the most important part. Please make sure it is set up (display current-configuration).
> ...
> I agree with you. The 4500G is new to me. I believe I got it right. One important fact to keep in mind is the semantic is a little different between the 5500G and 4500G, i.e. what's in this doc does not apply in the 4500G: http://www.3com.hu/download/switch_radius_setup.doc/switch_radius_setup.doc
>
> This is my current config:
>
> Please excuse me for the long delay. A day should be longer than 24h. ;)
>
>  description VLAN181
> #
> radius scheme system
>  server-type extended
>  primary authentication 127.0.0.1 1645
>  primary accounting 127.0.0.1 1646
>  user-name-format without-domain
> radius scheme radius1
>  server-type standard
>  primary authentication 192.168.181.18
>  key authentication sdfsdfsfsf
>  user-name-format without-domain
> #
> domain system
>  access-limit disable
>  state active
>  idle-cut disable
>  self-service-url disable
> domain wustl.edu
>  authentication default radius-scheme radius1
>  access-limit disable
>  state active
>  idle-cut disable
>  self-service-url disable

Please add here:
  vlan-assignment-mode string
  accounting optional

It is required for 3c5500G, so it should also solve the problem on 3c4500G. If not, please enable radius/mac-authentication/port-security debugging on the switch.

Best regards,

Krzysztof Olędzki
Axel Springer Polska Sp. z o.o.
Re: please help not allow the many connections from single user
> how can we prevent it?

Restrict the user to a single session. Have a look at the (check) attribute Simultaneous-Use. If you are using sql accounting you will need to make slight adjustments to radiusd.conf and sql.conf. Read instructions in them.

Ivan Kalik
Kalik Informatika ISP
Re: Any ideas on this compile error ??
Maybe it would help to install libltdl3-dev or something like that?

Norbert Wegener

Willem Gerber wrote:
> Hey Guys
>
> I can't get radius to compile :/
>
> Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686 i686 i386 GNU/Linux
>
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory
> In file included from rlm_sqlippool.c:37:
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:16: error: expected specifier-qualifier-list before 'lt_dlhandle'
> [...]
> gmake[6]: *** [rlm_sqlippool.lo] Error 1
> [...]
> make: *** [all] Error 2
Any ideas on this compile error ??
Hey Guys

I can't get radius to compile :/

Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686 i686 i386 GNU/Linux

/home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:37:
/home/willem/freeradius-1.1.7/src/include/modpriv.h:16: error: expected specifier-qualifier-list before 'lt_dlhandle'
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18: error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:39:
/home/willem/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error: expected specifier-qualifier-list before 'lt_dlhandle'
rlm_sqlippool.c: In function 'sqlippool_command':
rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_query1':
rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_postauth':
rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of 'strNcpy' differ in signedness
rlm_sqlippool.c:526: warning: unused variable 'self'
gmake[6]: *** [rlm_sqlippool.lo] Error 1
gmake[6]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules/rlm_sqlippool'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/home/willem/freeradius-1.1.7/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/home/willem/freeradius-1.1.7/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/home/willem/freeradius-1.1.7'
make: *** [all] Error 2

Willem Gerber
DEFAULT entry in users file (1.0.5--1.1.7)
Hi everybody,

sorry to ask, but I don't get it. I'm still trying to upgrade from 1.0.5 to 1.1.7. Previously, my users file looked like this:

[some static entries for special users]
[some entries with Auth-Type=Reject for special conditions]

DEFAULT Auth-Type = LDAP, Called-Station-Id == our-dialup-number
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        [more reply-items for dialup users]

# All other requests: simply match against LDAP
# Replace 'outer' attribute User-Name with value from variable
# == This yields the true username from inside the tunnel in case of
#    anonymous outer identification with 802.1x
DEFAULT Auth-Type = LDAP
        User-Name = `%{User-Name}`,
        Reply-Message = Matched DEFAULT user entry in staff-RADIUS

So all my normal users' passwords are checked against LDAP, using LDAP bind-as-user. There's a properly configured LDAP section in radiusd.conf, of course.

With 1.1.7 (and perhaps with any version =1.1.4), Auth-Type = LDAP seems to be gone, but what on earth do I put there instead? The static entries (with Cleartext-Password for 1.1.7) work fine. With a users file like

DEFAULT User-Name = `%{User-Name}`

the server complains loudly about the missing Auth-Type when asking with radtest:

rad_recv: Access-Request packet from host 127.0.0.1:41995, id=59, length=58
        User-Name = martin
        User-Password = testpass
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = pauly0, looking up realm NULL
    rlm_realm: Found realm NULL
    rlm_realm: Adding Stripped-User-Name = pauly0
    rlm_realm: Proxying request from user pauly0 to realm NULL
    rlm_realm: Adding Realm = NULL
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched entry DEFAULT at line 69
radius_xlat: 'pauly0'
  modcall[authorize]: module files returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

So how do I direct the server to use LDAP without setting Auth-Type? Or is radtest somehow the wrong test tool in the new scenario??

Thanks,
Martin
-- 
Dr. Martin Pauly, HRZ Univ. Marburg
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Alan DeKok wrote:
> Patrice Oliver wrote:
>> If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file? Reading it should determine a mistake ...
> No. It is not a problem with configuring FreeRADIUS.
> And please fix your mailer so it doesn't add SPAM to every subject line.
> Alan DeKok.

Sorry for the SPAM tag. I did set up SpamAssassin to tag all mails which are not written in French. In my company, we receive essentially French mails. I just deactivated this setup. Hope this helps.

Best regards. :)
-- 
Patrice OLIVER, Hospices Civils de Beaune
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
And have a look at the Event Viewer. Is anything recorded when the conversation stops?

Ivan Kalik
Kalik Informatika ISP

On 16/11/2007, Patrice Oliver wrote:
> Ivan Kalik wrote:
>> Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal.
>
> Yes for trusted root CA store. I will try with .p12 file.
Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Patrice Oliver wrote:
> If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file? Reading it should determine a mistake ...

  No.  It is not a problem with configuring FreeRADIUS.

  And please fix your mailer so it doesn't add SPAM to every subject line.

  Alan DeKok.
Re: Freeradius doesn't work with ldap
Eduardo Lima wrote:
> So I'll have to unencrypt all the ldap passwords to use mschapv2???

  Yes.  See the web page for your options.

> What about the ldap database security??

  The LDAP database has to be kept secure.

  Please go read the web page again.  If you want to use MS-CHAP, your options are limited for how to store passwords.  If you don't like those options, then don't use MS-CHAP.

  If you want to store passwords via a different method than is permitted in the table, AND you want to use MS-CHAP, then you need to change your requirements to match reality.

  Alan DeKok.
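Why Alan's answer is "yes", as an added example (not FreeRADIUS code): rlm_mschap has to compute the MS-CHAPv2 NT-Response from the NT hash of the password, which is MD4 over the password's UTF-16LE encoding, and that hash is only obtainable from the cleartext (or from an NT-Password that was stored as such). A one-way LDAP digest like {SSHA} or {CRYPT} cannot be turned into it. The MD4 below is a pure-Python RFC 1320 implementation because hashlib's md4 is unavailable on many modern OpenSSL builds; the LDAP entries are constructed.

```python
"""Added example: what rlm_mschap needs from the password store, and why {SSHA} cannot supply it."""
import struct


def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib.new('md4') is missing on many OpenSSL 3 builds)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = [
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[k] + const, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(password: str) -> bytes:
    """NT-Password: MD4 over the UTF-16LE password; the value MS-CHAPv2 must start from."""
    return md4(password.encode("utf-16-le"))


def nt_hash_from_ldap(user_password: str):
    """Return the NT hash rlm_mschap could use for an LDAP userPassword value, or None.

    RFC 2307-style values carry a '{SCHEME}' prefix.  {SSHA}, {SHA}, {MD5}, {CRYPT} are
    one-way digests of the cleartext, so no NT hash can be derived from them; only a
    plain (cleartext) value lets the server compute it.
    """
    if user_password.startswith("{"):
        return None
    return nt_password(user_password)


# Constructed sample entries (not real accounts): only the first works with MS-CHAPv2.
SAMPLE_LDAP_PASSWORDS = {
    "alice": "password",
    "bob": "{SSHA}constructedBase64ValueNotARealDigest=",
    "carol": "{CRYPT}$1$constructed$notarealhash",
}


def mschap_capable_users(entries: dict) -> list:
    """Users whose stored value lets rlm_mschap compute an NT-Response."""
    return sorted(u for u, v in entries.items() if nt_hash_from_ldap(v) is not None)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_password("password").hex())
    print("MS-CHAP capable:", mschap_capable_users(SAMPLE_LDAP_PASSWORDS))
```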
Re: variables in 1.1.7
Norbert Wegener wrote:
...
> rlm_ldap: Adding mobile as Huntgroup-Name == VL-SBS-AD02-0001

  You can't add the Huntgroup-Name attribute.  It's like Group, which means Unix group, and do lookups in a unix group.  Huntgroup-Name means do lookups in a huntgroup.

  Create and use another attribute for this.

> sql.conf:
> authorize_check_query = call firstif ('0','%{SQL-User-Name}','%{Huntgroup-Name}', '%{NAS-IP-Address}','=','2')
>
> I would have expected the %{Huntgroup-Name} to be VL-SBS-AD02-0001, but this is not true. Is the desired assignment possible at all in 1.1.7 ?

  Yes.  sql.conf becomes:

  ... %{My-Other-Attribute:-%{Huntgroup-Name}}

  Alan DeKok.
Re: Any ideas on this compile error ??
Willem Gerber wrote:
> I can't get radius to compile :/
...
> /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory

  That file is included with FreeRADIUS.  The build works if you use the recommended method of:

$ ./configure
$ make
$ make install

  If you're using another method, perhaps it would have been good to say so.  Any other method you're using is platform-specific, and thus has little to do with FreeRADIUS.

  Alan DeKok.
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal.

Ivan Kalik
Kalik Informatika ISP

On 16/11/2007, Patrice Oliver [EMAIL PROTECTED] wrote:
> I self-generated my certificates, and created my own CA, not dependent on an official CA. Do you think it can be the origin of my problem ?
>
> Best regards.
>
> [EMAIL PROTECTED] wrote:
>> Problem is not with the server but with Windows XP. Have you imported the correct certificate? Is it in the correct store? What's Windows XP complaining about in Event Viewer?
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 16/11/2007, Patrice Oliver [EMAIL PROTECTED] wrote:
>>> Alan DeKok wrote:
>>>> Patrice Oliver wrote:
>>>>> Ok. Did you install the CA (or root) cert on the Windows machine?
>>>>> Yes, and the client certificate too.
>>>> Then there isn't much else that can go wrong.
>>>>> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.
>>>>> How do I work around this ?
>>>> Convince the Windows machine to accept the server certificate. eap.conf has pointers to Windows knowledge base articles. Maybe those will help.
>>>>
>>>> Alan DeKok.
>>>
>>> If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file ? Reading it should determine a mistake ..
>>>
>>> Patrice
>>>
>>> --
>>> Hospices Civils de Beaune
>>> Patrice OLIVER
>>> Town-Hospital Project Manager
>>> Network and Security Manager
>>> BP 104 21203 BEAUNE Cedex
>>> Tel. 03 80 24 44 09
>>> Fax. 03 80 24 45 90
>>>
>>> This message, including any attachments, is intended solely for its addressee(s) and is confidential. Any use not in keeping with its purpose, and any distribution or publication, in whole or in part, is prohibited without the express permission of the sender. If you are not the intended recipient of this message, please notify the sender of the delivery error and then destroy it. Any electronic message is liable to alteration and its integrity cannot be guaranteed. The sender declines all responsibility should it have been modified or falsified.
Re: [SPAM] Re: EAP-TLS does not send an access OK.
Alan DeKok wrote:
> Patrice Oliver wrote:
>> The certificates are created with xpextensions and installed. I use freeradius.
> Ok. Did you install the CA (or root) cert on the Windows machine?
>> I see no OK, and no 'not OK'. I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for more SSL data.' I don't understand why freeradius sends an access challenge instead of an access ok since the certificates are OK.
> Because the TLS method has not finished. The Windows machine received the server certificate, and decided it did not want to continue EAP-TLS.
>
> Alan DeKok.

Do I need to send you my configuration ? Maybe you will see something wrong.

Best regards,
Patrice.
variables in 1.1.7
With version 1.1.7 I want to achieve the following, which is probably easy in 2.0:

In the authorize section I have an ldap module and an sql module sp1.

group {
  ldap1
  sp1
}

I want to get an attribute from AD and use the value of that attribute in a later call to a database.

radiusd -AX shows:

rlm_ldap: looking for check items in directory...
rlm_ldap: Adding mobile as Huntgroup-Name == VL-SBS-AD02-0001
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/28tef003.ww006.company.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap1 returns ok for request 1
radius_xlat: 'host/28tef003.ww006.company.net'
rlm_sql (sp1): sql_set_user escaped user -- 'host/28tef003.ww006.company.net'
radius_xlat: 'call firstif ('0','host/28tef003.ww006.company.net','', '1.2.3.4','=','2')'

Retrieving an attribute from AD obviously works. In sql.conf I have changed authorize_check_query to use a stored procedure:

sql.conf:
authorize_check_query = call firstif ('0','%{SQL-User-Name}','%{Huntgroup-Name}', '%{NAS-IP-Address}','=','2')

I would have expected the %{Huntgroup-Name} to be VL-SBS-AD02-0001, but this is not true. Is the desired assignment possible at all in 1.1.7 ?

Norbert Wegener
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
[EMAIL PROTECTED] wrote:
> Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal.

Yes for trusted root ca store. I will try with .p12 file.

> Ivan Kalik
> Kalik Informatika ISP
Re: DEFAULT entry in users file (1.0.5--1.1.7)
> So how do I direct the server to use LDAP without setting Auth-Type? Or is radtest somehow the wrong test tool in the new scenario??

Uncomment ldap in authorize and authenticate sections of radiusd.conf.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius doesn't work with ldap
> Ldap authentication works with radping (wired connection) but on the wireless, it keeps failing. I don't understand this:
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for ducavalcanti with NT-Password
> rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>
> MS-CHAPv2 doesn't work with openLDAP???

It does. But it doesn't work with encrypted passwords. Ntradping sends a pap request and that protocol can use encrypted passwords.

http://deployingradius.com/documents/protocols/compatibility.html

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius doesn't work with ldap
So I'll have to unencrypt all the ldap passwords to use mschapv2??? What about the ldap database security??

[EMAIL PROTECTED] wrote:
> It does. But it doesn't work with encrypted passwords. Ntradping sends a pap request and that protocol can use encrypted passwords.
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Ivan Kalik
> Kalik Informatika ISP
please help not allow the many connections from single user
Hi,

We have a big problem with many connections from a single user among DSL clients. A single user can authenticate on different LNS servers to use the internet connection. How can we prevent it?

As our users are using dynamic IPs, the IP address is assigned by the LNS, not the radius. In this case, the IP pool can't be defined in the radius setting. Right?

Can you help to give us detailed info?

Thank you so much
Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.
Hello,

I did inspect the event viewer log -- nothing bad for me. About the root certificate, I used the .der file. Is there a problem with .der files ?

Regards,

Patrice OLIVER
Town-Hospital Project Manager
Network and Security Manager
HOSPICES CIVILS DE BEAUNE
IT Department
BP 104 21203 BEAUNE CEDEX
Tel. 33 3 80 24 44 09
Fax 33 3 80 24 45 90

-----Original Message-----
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 16 Nov 2007 13:31:42 +0100
Subject: Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal.

Ivan Kalik
Kalik Informatika ISP
DH and random
Hi. When I've configured my freeradius I've seen 2 methods to create the files DH and random:

first:
DH:
openssl dhparam -check -text -5 512 -out dh
Random:
dd if=/dev/urandom of=random count=2

second:
DH:
date > /etc/1x/DH
Random:
date > /etc/1x/random

And I'm wondering what is different in theory and practice? My freeradius is running, but I wanna understand what I need these two files for and whether it matters if I use the second method instead of the first.

THX for answers
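To see what the two recipes actually produce, here is an added example (my code, not from the list or from FreeRADIUS) that parses the PEM "DH PARAMETERS" structure openssl dhparam writes, reports the prime size, and rejects a file that only contains date output; the 512-bit sample value and the 2048-bit minimum are constructed assumptions for the demo, not a real safe prime or a FreeRADIUS setting.

```python
"""Added example: inspect what the two "dh" recipes actually produce.

openssl dhparam writes PEM "DH PARAMETERS": a DER SEQUENCE of two INTEGERs,
the prime p and the generator g.  `date > DH` writes a timestamp, which is not
DH parameters at all.  The parser below is a minimal DER reader for that one
structure; the sample parameters are constructed here, not a real safe prime.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def build_dh_pem(p: int, g: int) -> str:
    """Encode (p, g) the way openssl dhparam -out does (PKCS#3 DHParameter)."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one DER element."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_dh_file(text: str):
    """Classify file content: ('dh', prime_bits) or ('not-dh', 0)."""
    m = PEM_RE.search(text)
    if not m:
        return ("not-dh", 0)
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        tag, seq, _ = _read_tlv(der, 0)
        tag_p, p_bytes, pos = _read_tlv(seq, 0)
        tag_g, _g_bytes, _ = _read_tlv(seq, pos)
    except (ValueError, IndexError):
        return ("not-dh", 0)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        return ("not-dh", 0)
    return ("dh", int.from_bytes(p_bytes, "big").bit_length())


def dh_verdict(text: str, minimum_bits: int = 2048) -> str:
    """What a defender wants to know before pointing a dh file setting at this file."""
    kind, bits = inspect_dh_file(text)
    if kind != "dh":
        return "not DH parameters (OpenSSL cannot load this as a DH group)"
    if bits < minimum_bits:
        return f"{bits}-bit DH group, below the {minimum_bits}-bit minimum"
    return f"{bits}-bit DH group OK"


# Constructed inputs: a 512-bit odd number standing in for dhparam's -5 512 output
# (not a safe prime), and the kind of text that `date > DH` leaves behind.
SAMPLE_512 = build_dh_pem((1 << 511) | 0x9F0B3D, 5)
SAMPLE_DATE = "Fri Nov 16 17:12:31 CET 2007\n"

if __name__ == "__main__":
    print(dh_verdict(SAMPLE_512))           # 512-bit DH group, below the 2048-bit minimum
    print(dh_verdict(SAMPLE_DATE))          # not DH parameters (...)
```

The random file is a different matter: it only seeds OpenSSL's random number generator, so a few hundred bytes from /dev/urandom serve that purpose while a date string contributes almost nothing.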
Mikrotik and PPPoE queue priorities
Hello,

I use PPPoE connections through freeradius and mikrotik. What I would like to do is set up the customer's dynamic queue that is set up through the radgroupreply table so that when the customers log in I can also assign that queue a priority based upon the group the customer is put in. Is this possible and how?

Matt
Re: Mikrotik and PPPoE queue priorities
Assign that priority to a queue for [an IP address | a subnet]. Assign the user [that static IP address | to the pool with addresses from that subnet].

Ivan Kalik
Kalik Informatika ISP
RE: Mikrotik and PPPoE queue priorities
Ivan,

I wish that was an option, but the problem is all my customers already have IP addresses assigned to them. The IP addresses aren't done by the package they order; it was done based upon when they signed up. Is there a way to do a dynamic priority on a per-user basis? Like a group setting or address list group?

Thank You,
Matt
1.17 compilation errors
Hello.

When trying to compile freeradius under ubuntu 7.10, I get the following error:

gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/home/paulb/build/freeradius-1.1.7/src/include -I/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql -c rlm_sqlippool.c -fPIC -DPIC -o .libs/rlm_sqlippool.o
In file included from rlm_sqlippool.c:37:
/home/paulb/build/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:37:
/home/paulb/build/freeradius-1.1.7/src/include/modpriv.h:16: error: expected specifier-qualifier-list before 'lt_dlhandle'
In file included from rlm_sqlippool.c:39:
/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:15:18: error: ltdl.h: No such file or directory
In file included from rlm_sqlippool.c:39:
/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql/rlm_sql.h:68: error: expected specifier-qualifier-list before 'lt_dlhandle'
rlm_sqlippool.c: In function 'sqlippool_command':
rlm_sqlippool.c:311: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_query1':
rlm_sqlippool.c:358: error: 'SQL_INST' has no member named 'module'
rlm_sqlippool.c: In function 'sqlippool_postauth':
rlm_sqlippool.c:539: warning: pointer targets in passing argument 2 of 'strNcpy' differ in signedness
rlm_sqlippool.c:526: warning: unused variable 'self'
make[6]: *** [rlm_sqlippool.lo] Error 1
make[6]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sqlippool'
make[5]: *** [common] Error 2
make[5]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src/modules'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/paulb/build/freeradius-1.1.7/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/home/paulb/build/freeradius-1.1.7'
make: *** [all] Error 2

I simply have no idea what it is referring to, and what I can do to fix it. Sorry if it seems a bit noobtistic, I haven't ever compiled something this complex.

Thanks,
Paul

--
If you are savvy and smart about the choices you make in life, The sky is not the limit! Mark Shuttleworth

Random quote of the week/month/whenever I get to updating it: This is an incline plane. You roll stuff down it. Or is it one of those incline planes have been used throughout the millenia, from the Egyptian pyramids to this stupid science class videos? - Jasmine Lee
RE: Mikrotik and PPPoE queue priorities
That's not standard radius but VSA territory. You can dynamically assign filtering (firewall) type ACL on Mikrotik but not rate-limiting (shaping) ones. Queue definition will accept multiple source addresses (sort of an IP address list - it will take more than one, but how many ...).

Ivan Kalik
Kalik Informatika ISP
Re: 1.17 compilation errors
Ah thanks. Seems it hasn't been indexed by Google yet. Sorry for not searching the archives.
Re: 1.17 compilation errors
You had this answered yesterday:
http://www.nabble.com/Any-ideas-on-this-compile-errortf4821396.html

Ivan Kalik
Kalik Informatika ISP
Radrelay Locking Issues
Hello,

I'm using freeradius 1.1.7 on a RHEL4 (built by pkgsrc, though) amd64 box as a logger/relay for accounting packets. Unfortunately, it looks like it's not relaying all the accounting packets it receives, since lines such as these appear in its logs:

Fri Nov 16 17:12:31 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:44 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:47 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:12:56 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:01 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:27 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:13:45 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate2.log, giving up
Fri Nov 16 17:15:00 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate2.log, giving up
Fri Nov 16 17:15:00 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up
Fri Nov 16 17:15:03 2007 : Error: rlm_detail: Failed to aquire filelock for /var/log/radiusd/replicate1.log, giving up

Currently I'm trying to replicate the accounting logs to two separate servers using two separate files and two separate instances of radrelay, but as you can see, I appear to be losing some packets. While a majority of the accounting is passing, I'd much prefer all of it to pass. It's logged on the box, but other devices need to use the accounting packets as well.

Are there any obvious fixes to resolve the locking contention that appears between radrelay and rlm_detail that causes rlm_detail to give up on logging? I may have missed something, finding radrelay itself was a journey (it's not in the wiki or on the site anywhere and the source distribution's doc/radrelay is pretty old). /var on the box is an ext3 partition, if that makes any difference.

Thanks!
Brian De Wolf