Re: Configuring own VSA to FreeRADIUS server

2008-01-10 Thread Alan DeKok
Sourav Chakraborty wrote:
 Hi Everyone,
 
 We are trying to add our own VSA to the Access-Accept message sent out
 by the FreeRADIUS server. Can you please outline the steps as to how this
 can be done? We require this urgently.

  Create a dictionary.  Tell FreeRADIUS to use it.  Then, configure it
just like any other attribute.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
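The three steps Alan lists, written out as an added example (not from the thread): the vendor name, the vendor number and the attribute names are placeholders, a real deployment uses its own IANA-assigned Private Enterprise Number, and the ATTRIBUTE lines use the four-column form of the 1.1.x dictionaries.

```text
# Step 1: raddb/dictionary.example  (constructed example)
#
# VENDOR    <name>   <private-enterprise-number>
VENDOR      Example  99999

# ATTRIBUTE <name>        <vendor-attribute-number> <type>  <vendor>
ATTRIBUTE   Example-Role  1                         string  Example
ATTRIBUTE   Example-VLAN  2                         integer Example

# Optional symbolic values for the integer attribute
# VALUE     <attribute>   <value-name> <number>
VALUE       Example-VLAN  staff        10
VALUE       Example-VLAN  guest        20

# Step 2: raddb/dictionary  (the local dictionary that already includes the
# system-wide one; add the new file after that include)
$INCLUDE    dictionary.example

# Step 3: raddb/users  (configure it like any other reply attribute)
# A DEFAULT entry with no check items matches every request, so the VSAs go
# into every Access-Accept; Fall-Through lets later, more specific entries
# still be processed.
DEFAULT
        Example-Role = "staff",
        Example-VLAN = staff,
        Fall-Through = Yes
```

Start the server with radiusd -X: the new attribute names should appear by name in the Access-Accept debug output, and an "unknown attribute" error at startup means the $INCLUDE was not picked up.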


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT
This is definitely more elegant than my suggestion but I found that many
FreeRADIUS admins get confused by the

CA_file
CA_path

options. They think that they need to place the CA chain from *their
FreeRADIUS servers SSL certificate* in the file/directory specified in above
options. But by doing so they most likely implicitly trust these CAs for
client authentication via eap-tls, ie. they enabled EAP-TLS with some set of
trusted CAs that were never intended to authenticate client certs for their
organisation.

Whereas the CA chain of *their FreeRADIUS servers SSL certificate* should be
appended to the server certificate file specified with the

certificate_file

option.

So since specifying an empty CA_file does not work (FreeRADIUS does not
start) the only way for a really clean minimal config that is not allowing
EAP-TLS is to have an empty CA_path directory.

Defining the DEFAULT in the users file like below is a good additional step
to rule all other EAP-Types out.

my 2 cents

Alan DeKok wrote on 09.01.2008 10:55:
 nikitha george wrote:
 Hi,
 I want to enable only TTLS authentication and if the client is
 requesting any other types EAP-TLS or PEAP the authentication should be
 denied.
 I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
 server itself is not starting up.
 Please let me know if there are any ways to achieve this.
 
   Put this at the top of the users file:
 
 DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop on Security in Networked Systems
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski


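An added configuration sketch (not from the thread) of the tls section laid out the way Reimer describes: the server's own chain is appended to certificate_file, and the client-certificate trust store is either restricted to the organisational client CA or, for a TTLS-only server on 1.1.x, replaced by an empty CA_path directory. File paths and names are placeholders.

```text
# raddb/eap.conf  (constructed example; paths are placeholders)
eap {
    default_eap_type = ttls

    tls {
        private_key_file = /etc/raddb/certs/radius.example.org-key.pem

        # Server certificate FIRST, followed by the intermediate CA(s)
        # that chain it up to whatever the supplicants are told to trust.
        # This file identifies the server; it is not a trust store.
        certificate_file = /etc/raddb/certs/radius.example.org-chain.pem

        # Trust store for CLIENT certificates (EAP-TLS). Every CA placed
        # here is implicitly allowed to authenticate users, so it must
        # hold only the organisational CA that issues client certificates,
        # never the public chain of the server certificate above.
        #
        # Variant A, EAP-TLS wanted:
        #CA_file = /etc/raddb/certs/org-client-ca.pem
        #
        # Variant B, no client certificates at all (this thread): 1.1.x
        # refuses to start with an empty CA_file, so leave CA_file unset
        # and point CA_path at an empty directory. (2.0 was changed to
        # accept an empty CA_file.)
        CA_path = /etc/raddb/certs/empty-ca-dir/

        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }

    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
    }
}

# raddb/users, first entry: Alan's rule to refuse every EAP type except TTLS
DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject
```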

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote:
 This is definitely more elegant than my suggestion but I found that many
 FreeRADIUS admins get confused by the
 
 CA_file
 CA_path
 
 options. They think that they need to place the CA chain from *their
 FreeRADIUS servers SSL certificate* in the file/directory specified in above
 options.

  I've added some comments in eap.cnf & raddb/certs/README explaining
more about these issues.

 But by doing so they most likely implicitly trust these CAs for
 client authentication via eap-tls, ie. they enabled EAP-TLS with some set of
 trusted CAs that were never intended to authenticate client certs for their
 organisation.

  That's the whole purpose of CA_file, to be honest.

 Whereas the CA chain of *their FreeRADIUS servers SSL certificate* should be
 appended to the server certificate file specified with the
 
 certificate_file
 
 option.

  That is another way of doing it.

 So since specifying an empty CA_file does not work (FreeRADIUS does not
 start) the only way for a really clean minimal config that is not allowing
 EAP-TLS is to have an empty CA_path directory.

  That sounds reasonable.  I've updated the code to permit CA_file to be
empty, and added comments in eap.conf & raddb/certs/README about this.

  Alan DeKok.


Re: RPM install error.

2008-01-10 Thread Peter Nixon
On Thu 10 Jan 2008, mohsen rahmanian wrote:
   I installed freeradius-1.1.7-7.1.i386.rpm a few days ago. When I try to
   install, upgrade or remove freeradius-1.1.7-7.1.i386.rpm I get this
   error:
  
   /var/tmp/rpm-tmp.25681: line 1: fg: no job control
   error: %postun( freeradius-1.1.7-7.1.i386) scriptlet failed, exit
   status 1
  
   I use Fedora Core 6 on a Toshiba laptop.
  
   I tried it with apt-get, but got the same error.
   Can you tell me why?
  
  Which rpm are you using? Where did you download it from?

 Hello Peter,
 I'm using freeradius-1.1.7-7.1.i386.rpm. I downloaded it from
 http://ftp.twaren.net/Linux/OpenSuSE/repositories/network:/aaa/Fedora_Extras_6/i386/

Hello Mohsen

I maintain the network:aaa repository, but don't actually test the Fedora rpms 
myself. I believe I have fixed the problem you report (Fedora doesn't 
support the SUSE macros) but you will need to test.

Regards
-- 

Peter Nixon
http://peternixon.net/


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT

Alan DeKok wrote on 10.01.2008 11:26:
 Reimer Karlsen-Masur, DFN-CERT wrote:
 This is definitely more elegant than my suggestion but I found that many
 FreeRADIUS admins get confused by the

 CA_file
 CA_path

 options. They think that they need to place the CA chain from *their
 FreeRADIUS servers SSL certificate* in the file/directory specified in above
 options.
 
   I've added some comments in eap.cnf & raddb/certs/README explaining
 more about these issues.
 
 But by doing so they most likely implicitly trust these CAs for
 client authentication via eap-tls, ie. they enabled EAP-TLS with some set of
 trusted CAs that were never intended to authenticate client certs for their
 organisation.
 
   That's the whole purpose of CA_file, to be honest.

Agreed, but usually the CAs in the chain of the RADIUS server's SSL
certificate are *not* the CAs that one wants to trust for organisational
client authentication.

Certs for client authN are mainly issued by organisational CAs.

Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
has its root CA certificate preinstalled in the standard certificate stores...

Very good that you added some explanatory comments to these options.

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote:
 Whereas IMO the SSL cert of the RADIUS server should be issued by a CA which
 has its root CA certificate preinstalled in the standard certificate stores...

  No.  You are saying that the supplicant should trust those root CA's
for ALL authentication.

  i.e. you have a certificate for example.com, signed by Verisign.
The supplicant is configured to trust the verisign-signed certificates,
because that's what you have.

  Now *anyone* who is issued a certificate from verisign can
authenticate your users.  If your users are using EAP-TTLS with PAP
authentication, you've just convinced them to send their clear-text
password to some random person on the Internet.

  RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
means that no one else can successfully convince the users to send them
the passwords.

  Alan DeKok.


SNMP error

2008-01-10 Thread Amr el-Saeed

Dear All,

I have freeradius-1.1.7-1.
it was installed on RHEL 3
SNMP  net-snmp-5.0.9-2.30E.22

every thing was going OK

i just installed RHEL 5 64-bit
recompiled the freeradius on the new OS and reinstalled it
the radius is working Ok
i have SNMP version net-snmp-5.3.1-19.el5

but every time i want to snmpwalk from the radius i get this error:
RADIUS-AUTH-SERVER-MIB::radiusMIB = No Such Object available on this agent at this OID


the command i execute is: snmpwalk -v2c -c testsnmp -m /etc/raddb/RADIUS-AUTH-SERVER-MIB.txt localhost radius

same command is working fine on the old machine.

i searched  for that on google but found nothing .

any one can help ??

thanks
Amr


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi,

   RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
 means that no one else can successfully convince the users to send them
 the passwords.

seconded/thirded.  as UK eduroam support I agree that such a closed-loop
system provides a better protection.  though more config and deployment pains,
certainly ;-)

alan


Problem in Accounting

2008-01-10 Thread Jayaraman Balasubramanian
Hi

I have configured the Free Radius Server to work as proxy radius server with
the following in the proxy.conf

realm NULL {
   type  = radius
   authhost = 100.100.0.2:1812
   accthost = 100.100.0.2:1813
   secret  = testing123
}

All the other conf files are configured properly. Am getting the following
problem.

For authentication of user, the Access Request packet is transferred to the
ip address 100.100.0.2. But for Accounting Request the packet is transfered
locally

Am getting log as sending Accounting Request to 127.0.0.1:4445

What can be the solution ?



-- 
Regards
Balu

Version 2.0.0 has been released

2008-01-10 Thread Alan T DeKok
January 10, 2007 - Version 2.0.0 has been released.

We are pleased to announce that Version 2.0.0  has been released.
This version is a tremendous step forward in functionality for the server.

  See http://freeradius.org for more information, including downloads,
and major updates to the web site.


Feature Improvements

 * simple policy language (see man unlang)
 * virtual servers (raddb/sites-available/README)
 * IPv6 support
 * better proxy support (raddb/proxy.conf)
 * More EAP types
 * Debugging output should be *much* easier to understand
 * VMPS support
 * More modules have been moved to stable status (python, etc.)
 * SQL configuration has been cleaned up (see raddb/sql/*)
 * limited support for HUP.  (The configuration for some modules is
   re-loaded on HUP.  Nothing else is reloaded.)
 * check configuration and exit (radiusd -C)
 * Server core is now event based (simpler, more powerful)

Bug Fixes

 * The server re-design has resulted in simple fixes for many issues
   that were too difficult to correct in Version 1.1.x.

  Alan DeKok.



Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT

[EMAIL PROTECTED] wrote on 10.01.2008 14:53:
 Hi,
 
   RADIUS certificates for EAP should ALMOST ALWAYS be self-signed.  That
 means that no one else can successfully convince the users to send them
 the passwords.
 
 seconded/thirded.  as UK eduroam support I agree that such a closed-loop
 system provides a better protection.  though more config and deployment pains,
 certainly ;-)

Actually we were talking about server side config.

Looking at the supplicant, the user strongly should enter a fully qualified
name of the radius server he is expecting his authN is checked against and
he strongly should make sure that his supplicant is checking hard that this
FQDN matches the CN of the RADIUS server cert. Usually there is some
checkbox/option to enable that behavior.

If the supplicant is not configured that strictly, at the end of the day it
does not matter if you rolled your own self-signed RADIUS server cert or you
have a cert with its root CA pre-installed.

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Stefan Winter
Hi,

 If the supplicant is not configured that strictly, at the end of the day it
 does not matter if you rolled your own self-signed RADIUS server cert or
 you have a cert with its root CA pre-installed.

Actually, It's not quite the same: if the user at least managed to enable to 
CA checking, then

- for a commercial CA, thousands of untrusted hosts match his check
- for a self-signed CA, only one server matches
- for a dedicated RADIUS Auth CA, only servers within the administrative reach 
which are trusted to handle user authentications anyway match

This *is* a win in security vs. commercial CAs.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Reimer Karlsen-Masur, DFN-CERT wrote:
 Actually we were talking about server side config.

  Yes.  The server has been updated to simplify configurations without
EAP-TLS, and to document the issues involved in certificates.

 Looking at the supplicant, the user strongly should enter a fully qualified
 name of the radius server he is expecting his authN is checked against and
 he strongly should make sure that his supplicant is checking hard that this
 FQDN matches the CN of the RADIUS server cert. Usually there is some
 checkbox/option to enable that behavior.

  I don't recall seeing that, to be honest.  wpa_supplicant doesn't have
that, and Windows doesn't have it.  They both have a validate server
certificate checkbox, but that only checks the CA chain, NOT the CN.

  Alan DeKok.


Re: Problem in Accounting

2008-01-10 Thread tnt
You haven't posted the debug output. Post one that has both access and
accounting requests for the same user.

Ivan Kalik
Kalik Informatika ISP




Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Winter wrote on 10.01.2008 15:51:
 Hi,
 
 If the supplicant is not configured that strictly, at the end of the day it
 does not matter if you rolled your own self-signed RADIUS server cert or
 you have a cert with its root CA pre-installed.
 
 Actually, It's not quite the same: if the user at least managed to enable to 
 CA checking, then
 
 - for a commercial CA, thousands of untrusted hosts match his check
 - for a self-signed CA, only one server matches
 - for a dedicated RADIUS Auth CA, only servers within the administrative 
 reach 
 which are trusted to handle user authentications anyway match
 
 This *is* a win in security vs. commercial CAs.

agreed when you turn off 2/3 of the possible checks, but if he is as
inexperienced as many users are, it is easy to trick them into
installing/trusting a new rogue CA or self-signed rogue RADIUS server
certificate anyway. Don't forget: the user desperately wants his internet
connection.

-- 
Best regards / Kind Regards

Reimer Karlsen-Masur


Re: Version 2.0.0 has been released

2008-01-10 Thread Mother

Alan T DeKok wrote:

January 10, 2007 - Version 2.0.0 has been released.

We are pleased to announce that Version 2.0.0  has been released.
This version is a tremendous step forward in functionality for the server.


This is great news Alan! Any idea if a *BSD port is going to be released 
for it soon? I would love to see the Oracle module fixed so it can be 
selected/built from the configure menu (hint hint, eye twitch - David 
Wood).


Cheers,

Mike



Re: Version 2.0.0 has been released

2008-01-10 Thread Arran Cudbard-Bell

Alan T DeKok wrote:

January 10, 2007 - Version 2.0.0 has been released.

We are pleased to announce that Version 2.0.0  has been released.
This version is a tremendous step forward in functionality for the server.

  See http://freeradius.org for more information, including downloads,
and major updates to the web site.
  
Excellent ! Christ it's been a long time coming, but the improvements 
over 1.1.7 are incredible.


Step 1 in ushering in a new age of NAC :)

Congrats,
Arr

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Version 2 bzip file is gzip

2008-01-10 Thread John Horne
Hi,

It seems that the bzip2 file of the new version 2.0.0 is actually a gzip
file:

  freeradius-server-2.0.0.tar.bz2: gzip compressed data, from Unix, last
  modified: Thu Jan 10 13:33:14 2008


I downloaded this from the main FreeRADIUS web site. Just something to
be aware of :-)


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839


Re: Version 2.0.0 has been released

2008-01-10 Thread Matt Garretson
Alan T DeKok wrote:
 January 10, 2007 - Version 2.0.0 has been released.


Congratulations, and thanks for all your hard work on FreeRADIUS!



Re: Version 2.0.0 has been released

2008-01-10 Thread orion
congrats guys.

On 10/01/2008, Matt Garretson [EMAIL PROTECTED] wrote:

 Alan T DeKok wrote:
  January 10, 2007 - Version 2.0.0 has been released.


 Congratulations, and thanks for all your hard work on FreeRADIUS!


Re: Version 2 bzip file is gzip

2008-01-10 Thread Alan DeKok
John Horne wrote:
 It seems that the bzip2 file of the new version 2.0.0 is actually a gzip
 file:

  Fixed, thanks.

  Alan DeKok.


Re: Version 2.0.0 has been released

2008-01-10 Thread Alan DeKok
Mother wrote:
 This is great news Alan! Any idea if a *BSD port is going to be released
 for it soon? 

  The ports should be updated at some point...

  One goal of 2.0 was to be backwards compatible with 1.1.x as much as
possible.  So in *most* cases that I'm aware of, the old configuration
files should also work in 2.0.

  i.e. I don't recall any cases where they won't work.

  This makes port upgrades a lot easier.

  Alan DeKok.


FreeBSD port for 2.0.0 (was: Version 2.0.0 has been released)

2008-01-10 Thread David Wood

Hi all,

In message [EMAIL PROTECTED], Mother 
[EMAIL PROTECTED] writes

Alan T DeKok wrote:

January 10, 2007 - Version 2.0.0 has been released.

We are pleased to announce that Version 2.0.0 has been released.
This version is a tremendous step forward in functionality for the server.


This is great news Alan! Any idea if a *BSD port is going to be 
released for it soon? I would love to see the Oracle module fixed so it 
can be selected/built from the configure menu (hint hint, eye twitch - 
David Wood).


After a long delay (nearly two months), 2.0.0-pre2 got committed to the 
FreeBSD ports tree yesterday under my maintainership - it's the 
net/freeradius-devel port.


We needed to start somewhere with FreeRADIUS 2.x - and that was it. 
Actually, I was about to call off that commit waiting for 2.0.0 to 
release, especially as Alan DeKok had said that the 2.0.0-pre2 tarball 
would be withdrawn - but it's too late now.



I am about to start working on an update of that port to 2.0.0 - and it 
will likely be renamed net/freeradius2 at the same time, as it's no 
longer a development version. My part of this isn't likely to take too 
long (hopefully 12 hours to submit the FreeBSD PR barring unexpected 
problems as I start to work on it this evening), but getting it 
committed to the FreeBSD ports tree will take longer.



Oracle support won't be in the initial port; I want to update the port 
with its existing database support to 2.0.0 first so that we can 
encourage people to start migrating to 2.x.



I will try to look at Oracle later on - but any pointers you can give me 
would be welcome, as the bsd.database.mk setup doesn't support Oracle, 
so the overhead for supporting Oracle in a port is rather higher than 
for databases supported by bsd.database.mk (from memory, that's MySQL, 
PostgreSQL, SQLite, Firebird and Berkeley DB). I don't have an Oracle 
setup to test with here; my only SQL server runs MySQL, though I'm 
considering moving some databases to PostgreSQL.


You said that you'd hacked the net/freeradius port to build with Oracle 
support. If you can send me a diff of what you did, that would be 
helpful so that I can unpick your work and incorporate it into the port. 
If you can change the arguments to configure rather than hacking the 
configure script (or configure.in), even better!



As Alan DeKok has now fixed the problem with the bzip2 tarball for 
2.0.0, I'm just about to update my Subversion development repository 
with the committed version of net/freeradius-devel, then set about 
updating it for 2.0.0 release.



Best wishes,




David
--
David Wood
[EMAIL PROTECTED]


Re: Version 2.0.0 has been released

2008-01-10 Thread Pedro Figueiredo

hi,

congratulations, and thank you very much for all the work you put on  
freeradius.


cheers,

pedro
--
you don't code php. you merely edit it until it works. - merlyn




interfacing with ISC DHCP

2008-01-10 Thread bjlockie
Is it possible to authenticate with radius and the have ISC DHCP hand out
out an IP (etc)?




Re: SNMP error

2008-01-10 Thread Kevin Bonner
On Thursday 10 January 2008 08:41:30 Amr el-Saeed wrote:
 but every time i wanted to snmpwalk from the radius i got that error
 RADIUS-AUTH-SERVER-MIB::radiusMIB = No Such Object available on this
 agent at this OID

 the command i execute is  snmpwalk -v2c -c testsnmp -m
 /etc/raddb/RADIUS-AUTH-SERVER-MIB.txt  localhost radius
 same command is working fine on the old machine.

 i searched  for that on google but found nothing .

 any one can help ??

What does debug mode (-X) show?  Are there any errors in your snmpd log file?

Kevin Bonner



Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread A . L . M . Buxey
Hi,

 Oh, it exists. It's called subject_match within a network { } stanza of 
 wpa_supplicant, and all the Windows supplicants I've seen so far allow you 
 set your expectations on the server name. It's turned off by default though.

agreed. it is there.


however, this puts the security on the client end...and they'll still
get a connection with the proper server even if they've omitted
all the checks.  this is bad generally - you need to have a way
of the server checking that these client settings are enforced.
oh well.  I guess that's what locked-down desktops, corporate images,
GPO pushed settings etc are all for.  not handy for supporting
the average user.

alan
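The supplicant side of this thread as an added example (not from the list): a wpa_supplicant network stanza that enables both checks discussed above, the CA chain (ca_cert) and the server name (subject_match), for EAP-TTLS with PAP inside the tunnel. SSID, identities, file paths and the server name are placeholders.

```text
# /etc/wpa_supplicant.conf  (constructed example; names and paths are placeholders)
network={
    ssid="example-wlan"
    key_mgmt=WPA-EAP
    eap=TTLS
    # PAP inside the TLS tunnel: the password is cleartext to whoever
    # terminates the tunnel, so everything rests on the two checks below.
    phase2="auth=PAP"
    anonymous_identity="anonymous@example.org"
    identity="jsmith@example.org"
    password="<user password>"

    # Check 1, the chain. Point this at the one CA that may sign RADIUS
    # server certificates. With a self-signed or dedicated RADIUS CA this
    # file contains only that CA, so only the organisation's own servers
    # can pass; with a public CA, every certificate that CA ever issued
    # would pass this check.
    ca_cert="/etc/wpa_supplicant/radius-ca.pem"

    # Check 2, the name. Off by default. subject_match is a substring
    # match against the server certificate's subject DN, so it narrows
    # Check 1 rather than replacing it.
    subject_match="/CN=radius.example.org"
}
```

These are exactly the settings Alan Buxey notes the server cannot enforce: a supplicant with this stanza removed still authenticates against the genuine server, so on managed clients the stanza is best delivered by the same mechanism that delivers the CA file.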


Re: SNMP error

2008-01-10 Thread Amr el-Saeed

this is the log

[smux_accept] accepted fd 12 from 127.0.0.1:57180
Jan 10 20:38:26 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:26 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57181
Jan 10 20:38:26 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:26 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57182
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57183
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57184
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57185
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57186
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: [smux_accept] accepted fd 12 from 127.0.0.1:57187
Jan 10 20:38:27 RADIUS-1-A snmpd[32488]: refused smux peer: oid SNMPv2-SMI::enterprises.3317.1.3.1, descr radiusd



this is the debug mode

SMUX read start
SMUX connection closed: 66
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: yallasnmp
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Waking up in 14 seconds...
SMUX read start
SMUX read len: 3
SMUX message received type: 0 rest len: 1
Unknown type: 0
Waking up in 14 seconds...
SMUX read start
SMUX connection closed: 66
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: yallasnmp
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Waking up in 14 seconds...




I can't get 'access-accept' from Linux clients

2008-01-10 Thread Sergio Belkin
Hi,
I still can't figure out why I can't get access from Linux clients.
I use version 1.1.7 of freeradius. Linux client is a Fedora 8 system.

I use Freeradius+eap+ttls. Users accounts are stored in a LDAP server.

My eap.conf is:

eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }

    tls {
        certificate_file = /etc/pki/tls/certs/spectrum.xp-crt.pem
        private_key_file = /etc/pki/tls/certs/spectrum.xp-key.pem
        CA_file = /etc/pki/tls/certs/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }
}

These are debugging messages:
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=125
User-Name = jsmith
NAS-IP-Address = 10.30.1.151
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020b016d6261726265
Message-Authenticator = 0x05f08581315f74a9365956e711d1adec
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 78
  modcall[authorize]: module preprocess returns ok for request 78
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 78
  modcall[authorize]: module files returns notfound for request 78
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat:  '(uid=jsmith)'
radius_xlat:  'ou=people,dc=foofoo,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=foofoo,dc=edu, with filter
(uid=jsmith)
request done: ld 0x557c59c0 msgid 91
rlm_ldap: checking if remote access for jsmith is allowed by radiusAllowed
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsmith authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 78
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module pap returns noop for request 78
modcall: leaving group authorize (returns updated) for request 78
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 78
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 78
modcall: leaving group authenticate (returns handled) for request 78
Sending Access-Challenge of id 0 to 10.30.1.151 port 2048
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0xfc48a9d073781d46b58418c4b4cd9827
Finished request 78
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:2048, id=0, length=267
User-Name = jsmith
NAS-IP-Address = 10.30.1.151
Called-Station-Id = 000625f17036
Calling-Station-Id = 000e35bf5118
NAS-Identifier = 000625f17036
NAS-Port = 54
Framed-MTU = 1400
State = 0xfc48a9d073781d46b58418c4b4cd9827
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020100871500160301007c01780301478642113f068a6df0132c744c49958b45592615abb6622beddf19a8fa52510f20fd4cbc7f733120101175d6dd7f27f2585364c73af2b4d0f65332531e8c2d3c4b003000390038003500160013000a00330032002f006600050004006300620015001200090065006400140011000800060003020100
Message-Authenticator = 0xdfd8574e151c9d725b98e1d9f907aff5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 79
  modcall[authorize]: module preprocess returns ok for request 79
  rlm_eap: EAP packet type response id 1 length 135
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 79
  modcall[authorize]: module files returns notfound for request 79
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsmith
radius_xlat:  

Re: I can't get 'access-accept' from Linux clients

2008-01-10 Thread A . L . M . Buxey
Hi,
 Hi,
 I still can't figure out why I can't get access from Linux clients.
 I use version 1.1.7 of freeradius. The Linux client is a Fedora 8 system.

What is the Linux client config?

I see the following in your debug:

  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
 rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 84
modcall: leaving group authenticate (returns invalid) for request 84
auth: Failed to validate the user.


I would also advise that you upgrade to 2.0.0 - not only could this
issue be resolved anyway - it's a hell of a lot easier to debug - far
fewer EAP messages!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SNMP error

2008-01-10 Thread A . L . M . Buxey
hi,

Known SNMP issues with 64-bit and that version of SNMP.
You will need to follow the debug instructions to help debug.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: interfacing with ISC DHCP

2008-01-10 Thread tnt
Yes.

Ivan Kalik
Kalik Informatika ISP


On 10/1/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Is it possible to authenticate with radius and then have ISC DHCP hand
out an IP (etc)?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: I can't get 'access-accept' from Linux clients

2008-01-10 Thread Ivan Kalik
...
rlm_ldap: Added password {SSHA}F8XliBuxscoShNf0k7RxlC7niB7ISswp in check
items
...
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
...
 
You can't use encrypted passwords with EAP-MD5.
 
http://deployingradius.com/documents/protocols/compatibility.html
 
Ivan Kalik
Kalik Informatika ISP
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
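To make the failure concrete: an added example (not from the thread or from FreeRADIUS) showing why a {SSHA} hash from LDAP can be checked by a PAP-style method but never by EAP-MD5, whose response is MD5(id||password||challenge) and can only be verified by recomputing it from the cleartext password. The dict of check items, the user, salt, challenge and hash are all constructed here; only the error message mirrors the log line quoted above.

```python
import base64
import hashlib

# Every value in this file is constructed for the example; none is the hash,
# user or challenge from the thread.


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(SHA1(password||salt)||salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, candidate: bytes) -> bool:
    """PAP-style check, as inside a TTLS tunnel: the server holds the cleartext
    candidate, so it can re-hash with the stored salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate + salt).digest() == digest


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Peer side of EAP-MD5 (RFC 3748, CHAP construction): MD5(id||password||challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def check_eap_md5(check_items: dict, identifier: int, challenge: bytes,
                  response: bytes) -> str:
    """Server side of EAP-MD5. Verifying means recomputing the same MD5, which
    needs the cleartext password; a {SSHA} check item cannot be inverted, so
    the only honest answer is the rlm_eap_md5 message seen in the log."""
    password = check_items.get("User-Password")
    if password is None or password.startswith("{"):
        return "User-Password is required for EAP-MD5 authentication"
    if eap_md5_response(identifier, password.encode(), challenge) == response:
        return "ok"
    return "bad password"


if __name__ == "__main__":
    stored = make_ssha(b"correct horse", b"\x01\x02\x03\x04")   # what LDAP holds
    challenge = bytes(range(16))                                 # server's challenge
    response = eap_md5_response(1, b"correct horse", challenge)  # peer's answer
    print(verify_ssha(stored, b"correct horse"))                 # True: PAP in TTLS works
    print(check_eap_md5({"User-Password": stored}, 1, challenge, response))
    # -> User-Password is required for EAP-MD5 authentication
```

The fix the thread points at follows directly: either store cleartext (or NT hashes for MSCHAPv2) or use a tunnelled inner method such as PAP that hands the server the cleartext to hash.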

Re: FreeBSD port for 2.0.0

2008-01-10 Thread Alan DeKok
David Wood wrote:
 I am about to start working on an update of that port to 2.0.0 - and it
 will likely be renamed net/freeradius2 at the same time, as it's no
 longer a development version. My part of this isn't likely to take too
 long (hopefully 12 hours to submit the FreeBSD PR barring unexpected
 problems as I start to work on it this evening), but getting it
 committed to the FreeBSD ports tree will take longer.

  Sounds good to me.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Stefan Winter
 however, this puts the security on the client end...and they'll still
 get a connection with the proper server even if they've omitted
 all the checks.  this is bad generally - you need to have a way
 of the server checking that these client settings are enforced.
 oh well.  I guess that's what locked-down desktops, corporate images,
 GPO pushed settings etc are all for.  not handy for supporting
 the average user.

That road is painful. What we've come up with so far is supplying
pre-configured supplicants (SecureW2) that bring the proper CA certificate 
along and set the expected CN automatically. It can even be preconfigured to 
auto-discard any other certificates, which doesn't give the user any 
opportunity to mess around.
Of course, that is just pre-setting checkboxes in the supplicant. If a user 
*really* wants to sacrifice security for getting online cheap and easy on 
possible fraud networks, he can still toggle the settings manually later and 
shoot himself in the foot with it.

For the built-in supplicant in XP/Vista: it generally sucks. There is the 
new Wireless Native API that is supposed to allow scripted auto-setups of 
802.1X settings for an SSID, but we haven't tested if that's really 
practical. If you can find a student to code on that API, please go ahead :-)

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung  Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread nikitha george
Alan,
 I tried with the configuration you had given below, but it does not work
out. The RADIUS server is still accepting the TLS method.

Thanks,
Nikitha

On 1/9/08, Alan DeKok [EMAIL PROTECTED] wrote:

 nikitha george wrote:
  Hi,
  I want to enable only TTLS authentication and if the client is
  requesting any other types EAP-TLS or PEAP the authentication should be
  denied.
  I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
  server itself is not starting up.
  Please let me know if there are any ways to achieve this.

   Put this at the top of the users file:

 DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
nikitha george wrote:
 Alan,
  I tried with the configuration you had given below, but it does not
 work out. The RADIUS server is still accepting the TLS method.

  And debug mode says?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-10 Thread Alan DeKok
Stefan Winter wrote:
 For the built-in supplicant in XP/Vista: it generally sucks. There is the 
 new Wireless Native API that is supposed to allow scripted auto-setups of 
 802.1X settings for an SSID, but we haven't tested if that's really 
 practical. If you can find a student to code on that API, please go ahead :-)

  It's actually not that bad...

  The main difficulty is that Vista doesn't work like XP.  And if a
certain magic service isn't running, the API succeeds, but doesn't do
anything.  And if there's another connection manager running (e.g.
intel, dell, etc.), then the API succeeds, but doesn't do anything.

  Just normal practice for Windows.  But when the stars align, *wow*,
it's sometimes useful!

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html