RE: SNMP error

2008-02-05 Thread Edvin Seferovic
Hello,

I am also curious about the answer to this question! Are there any plans to
implement the AgentX protocol in the freeradius project?

Alan?

Kind regards,
E:S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amr el-Saeed
Sent: Tuesday, 05 February 2008 09:05
To: FreeRadius users mailing list
Subject: Re: SNMP error

Hi,

any suggestions about what to do to make snmp work on 64-bit??



Amr el-Saeed wrote:
 Dear Alan,

 I built from the source file that I downloaded from freeradius.org

 I suspected the 64-bit build.

 I made several trials, and here is the result:

 freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL3 , 32-bit working
 freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 32-bit working
 freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 64-bit NOT working
 freeradius-1.1.7 , snmp-5.3.1-19.el5 , RHEL5 , 32-bit NOT working
 freeradius-1.1.7 , snmp-5.3.1-19.el5 , RHEL5 , 64-bit NOT working


 Any comments?


 [EMAIL PROTECTED] wrote:
 Hi,
 i have OS RHEL5

 it looks like it didn't build with the required debug parts - once
 again, as you are using the SPEC for your distro they could have other
 things that mess it up - I can only help if you build
 from the source and leave package management stuff alone.

 alan
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html


Freeradius2 and proxing

2008-02-05 Thread Vincent Magnin

In freeradius 1, if I need to proxy requests whose realm are remote,
I put the following in proxy.conf:


realm DEFAULT {
type = radius
authhost = remote.server1.com:1812
accthost = remote.server1.com:1813
secret = 
ldflag = round_robin
nostrip
}

realm DEFAULT {
type = radius
authhost = remote.server2.com:1812
accthost = remote.server2.com:1813
secret = 
ldflag = round_robin
nostrip
}



I've tried to put the same lines in my freeradius2 config file and it
does not work as expected:

radius -X output:

rlm_realm: Looking up realm extern.realm.com for User-Name = [EMAIL PROTECTED]

rlm_realm: No such realm extern.realm.com

Then, the request is done locally.


If I put this domain explicitly in my proxy.conf file, it works fine:



realm extern.realm.com {
type = radius
authhost = remote.server2.com:1812
accthost = remote.server2.com:1813
secret = 
ldflag = round_robin
nostrip
}


radius -X output:

rlm_realm: Looking up realm extern.realm.com for User-Name = [EMAIL PROTECTED]

rlm_realm: Found realm extern.realm.com
rlm_realm: Proxying request from user anonymous to realm extern.realm.com
rlm_realm: Adding Realm = extern.realm.com
rlm_realm: Preparing to proxy accounting request to realm extern.realm.com



Regards,

Vincent Magnin



Re: SNMP error

2008-02-05 Thread Amr el-Saeed

Hi,

any suggestions about what to do to make snmp work on 64-bit??



Amr el-Saeed wrote:

Dear Alan,

I built from the source file that I downloaded from freeradius.org

I suspected the 64-bit build.

I made several trials, and here is the result:

freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL3 , 32-bit working
freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 32-bit working
freeradius-1.1.7 , snmp-5.0.9-2.30E.20 , RHEL5 , 64-bit NOT working
freeradius-1.1.7 , snmp-5.3.1-19.el5 , RHEL5 , 32-bit NOT working
freeradius-1.1.7 , snmp-5.3.1-19.el5 , RHEL5 , 64-bit NOT working


Any comments?


[EMAIL PROTECTED] wrote:

Hi,

i have OS RHEL5


it looks like it didn't build with the required debug parts - once
again, as you are using the SPEC for your distro they could have other
things that mess it up - I can only help if you build
from the source and leave package management stuff alone.

alan


Configuring radrelay using proxy.conf in v2.0.1

2008-02-05 Thread Ryan
Dear Everyone,

Need some advice/help on configuring proxy.conf to replicate the
radrelay function that was available in v1.1.3. However, I was not able
to find any information so far, as radrelay has been deprecated in
v2.0.1.

Previously I had used /usr/local/bin/radrelay -n name_of_radius_server
detail-combined -f to relay the details to another radius server. How
will the configuration be done in proxy.conf in v2.0.1?

Thanks/Regards,
Ryan


Re: SNMP error

2008-02-05 Thread Alan DeKok
Amr el-Saeed wrote:
 any suggestions about what to do to make snmp work on 64-bit??

  Debug it and submit a patch.

  Alan DeKok.


Re: SNMP error

2008-02-05 Thread Alan DeKok
Edvin Seferovic wrote:
 I am also curious about the answer on this question ! Are there any plans to
 implement AgentX protocol into freeradius project? 

  No plans.

  At this point, the only plans for 2.0 are minor feature improvements
and bug fixes.  I plan on spending time working on the book, unless
otherwise motivated.

  Alan DeKok.


Re: Configuring radrelay using proxy.conf in v2.0.1

2008-02-05 Thread Alan DeKok
Ryan wrote:
 Need some advise/help on configuring the proxy.conf to replicate the
 radrelay function that was available in v1.1.3. However was not able
 to find any information so far as the radrelay has been deprecated in
 v2.0.1.

  radrelay has been replaced by radiusd reading directly from the detail
file.  See raddb/sites-available/copy-acct-to-home-server

  You will likely need to grab CVS head, as I've just committed a patch
to fix some issues with reading the detail file.

  Alan DeKok.


Re: rlm_ldap.c

2008-02-05 Thread Alan DeKok
Kevin J wrote:
 In ldap.c:2660, there is a condition check to see if vals_idx is zero
 
 2660    if (!vals_idx){
 2661        pairdelete(pairs, newpair->attribute);
 2662    }
 2663    pairadd(pairlist, newpair);
 
 
 This code makes RADIUS not append any reply attribute if the
 number of attributes is greater than 1. Any thoughts on why we need this here?

  No... it deletes all existing attributes of that type the first time
through the loop.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-02-05 Thread Reimer Karlsen-Masur, DFN-CERT


Jeffrey Hutzelman wrote on 04.02.2008 00:43:
 --On Thursday, January 31, 2008 05:42:50 PM +0100 Reimer Karlsen-Masur,
 DFN-CERT [EMAIL PROTECTED] wrote:
 
 If the Microsoft Smartcard Logon extendedKeyUsage *is part* of your
 client certificates they might not work with the Windows built-in supplicant.
 
 This is not surprising, if that is the only EKU in the cert.  

I was talking about a set of EKUs like MS Smartcard Logon in combination
with clientAuth and e.g. e-mail protection, even if I did not state that
clearly enough.

Windows does not like to use EE certs containing the EKUs clientAuth and MS
Smartcard Logon for EAP-TLS with its built-in supplicant.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Security in Networked Systems"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

Hi,

Noticed with CVS head that all attributes (including internal ones)
appear to be getting proxied. Is this just a cosmetic thing?


Sending Access-Request of id 11 to 194.82.174.185 port 1812
   Framed-MTU = 1480
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Event-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 001438fb9400
   Calling-Station-Id = 001b63a3a8dd
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 700
   State = 0x06441900
   EAP-Message = 
0x0244002b19001703010020c006fdcd03d0e15b7001c3e94e1a45340325626fed36c7c97450769dc33c587f

   Message-Authenticator = 0x
   Proxy-State = 0x313035
Proxying request 60 to home server 194.82.174.185 port 1812
Sending Access-Request of id 11 to 194.82.174.185 port 1812
   Framed-MTU = 1480
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Event-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 001438fb9400
   Calling-Station-Id = 001b63a3a8dd
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 700
   State = 0x06441900
   EAP-Message = 
0x0244002b19001703010020c006fdcd03d0e15b7001c3e94e1a45340325626fed36c7c97450769dc33c587f

   Message-Authenticator = 0x
   Stripped-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   EAP-Type = PEAP
   Called-Station-SSID = 
   Packet-Src-Ip-Address-Oct1 = 139
   Packet-Src-Ip-Address-Oct2 = 184
   Packet-Src-Ip-Address-Oct3 = 8
   Packet-Src-Ip-Address-Oct4 = 16
   SS-Flags = 01
   NAS-Flags = 01001011000
   Supplicant-Flags = 000100
   SQL-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   Proxy-State = 0x313035
Going to the next request

Thanks
Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: Attributes sent to proxy servers ...

2008-02-05 Thread A . L . M . Buxey
hi,

you are still pre-proxy attr filtering? 

alan


FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Jakub Morávek
Hello,
   I do not have much experience with radius, so my question may be stupid.
Does anybody have experience with using freeradius (Version 1.1.3 in Debian Sarge)
as a proxy for the RSA RADIUS Server included in RSA Authentication Manager 6.1? I
need to solve the following problem with the Agent host, i.e. the host which sends
the authentication request to RSA Auth Manager.

When an authentication request goes through the freeradius proxy, RSA Manager
thinks that the Agent host is my freeradius proxy instead of the original host which
sent the authentication request. Below is pasted part of the pre-proxy detail log and
the debug log.

part of output from: freeradius -X:

Sending Access-Request of id 0 to 10.100.25.2 port 1812
User-Name = jakub
User-Password = 1234628665
NAS-IP-Address = 127.0.1.1
NAS-Identifier = ssh
NAS-Port = 21704
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.5.0.39
Proxy-State = 0x313039

output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:

Packet-Type = Access-Request
Mon Feb  4 23:55:50 2008
User-Name = jakub
User-Password = 1234628665
NAS-IP-Address = 127.0.1.1
NAS-Identifier = ssh
NAS-Port = 21704
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.5.0.39
Client-IP-Address = 10.5.0.31
Stripped-User-Name = jakub
Realm = NULL
Realm = NULL
Proxy-State = 0x313039

Does this mean that freeradius processes all attributes from the
pre-proxy-detail-20080204 log, but sends only the attributes which are shown in
extended debug mode? If so, can anybody give me any advice on how I can
configure freeradius to send more attributes?

   Jakub

FR2 - proxying inner tunnel

2008-02-05 Thread Dmitry Sergienko

Hi!

Does anyone here have working inner tunnel proxying with freeradius 2.0.x?

Still having trouble with EAP-PEAP-MSCHAPv2 authorization. Switched to
FreeRadius 2.0.1 from 1.1.7.
What I need: extract the MSCHAPv2 auth from PEAP and proxy it to an external server
which knows nothing about EAP.
All configs are almost default from the distribution. Key changes:

in eap.conf:
peap {
  default_eap_type = mschapv2
  copy_request_to_tunnel = yes
  use_tunneled_reply = yes
  proxy_tunneled_request_as_eap = no
  virtual_server = proxy-inner-tunnel
}

proxy-inner-tunnel is taken from examples with modified realm name:

server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := xxx
}
}
}

As a result, no proxying has been done by freeradius:

  PEAP: Sending tunneled request
EAP-Message = 0x0206000801616161
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = aaa
server proxy-inner-tunnel {
Tue Feb  5 14:56:01 2008 : Debug: +- entering group authorize
Tue Feb  5 14:56:01 2008 : Debug: ++[control] returns notfound
} # server proxy-inner-tunnel
  PEAP: Got tunneled reply RADIUS code 0
Tue Feb  5 14:56:01 2008 : Debug:   PEAP: Tunneled authentication will be 
proxied to xxx
Tue Feb  5 14:56:01 2008 : Debug:   Tunneled session will be proxied.  Not 
doing EAP.
Tue Feb  5 14:56:01 2008 : Debug:   modsingle[authenticate]: returned from eap 
(rlm_eap) for request 6
Tue Feb  5 14:56:01 2008 : Debug: ++[eap] returns handled
Tue Feb  5 14:56:01 2008 : Debug: There was no response configured: rejecting 
request 6
Tue Feb  5 14:56:01 2008 : Debug:   Found Post-Auth-Type Reject
Tue Feb  5 14:56:01 2008 : Debug: +- entering group REJECT


--
Best wishes,
Dmitry Sergienko (SDA104-RIPE)
Trifle Co., Ltd.



Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

[EMAIL PROTECTED] wrote:

hi,

you are still pre-proxy attr filtering? 


alan
  
No, didn't really see the point. Internal attributes aren't meant to be
proxied, and those are the only ones I really wanted filtering out.


Looks like something very strange is going on with proxying accounting 
packets as well.


rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, 
id=225, length=141

   Acct-Session-Id = 004E0019
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 15
   NAS-Port = 1
   Calling-Station-Id = 00-1B-63-A3-A8-DD
   Event-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
server default-outer {
+- entering group preacct
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
   expand: %{User-Name} - [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) 
- TRUE

++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - 
TRUE
++- entering if (%{User-Name} =~ /?([EMAIL 
PROTECTED])@?([-[:alnum:]._]*)?$/)
+++? if (!%{2}||(%{2} == 'sussex.ac.uk'))
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating loopback.sussex.ac.uk - FALSE
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating (%{2} == 'sussex.ac.uk') - FALSE
+++? if (!%{2}||(%{2} == 'sussex.ac.uk')) - FALSE
+++- entering else else
   expand: [EMAIL PROTECTED] - [EMAIL PROTECTED]
[request] returns noop
+++- else else returns noop
++- if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) 
returns noop

++ ... skipping else for request 20: Preceding if was taken
   expand: %{Realm} - %{2}
++- entering switch %{Realm}
+++- entering case
[control] returns noop
[request] returns noop
+++- case  returns noop
++- switch %{Realm} returns noop
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i)

   expand: %{Called-Station-Id} -
? Evaluating (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)

   expand: %{Calling-Station-Id} - 00-1B-63-A3-A8-DD
? Evaluating (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++- entering if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)

   expand: %{1}%{2}%{3}%{4}%{5}%{6} - 001B63A3A8DD
+++[request] returns noop
++- if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
returns noop

++? if (%{NAS-Port-Id} =~ /wl[0-9]*/)
   expand: %{NAS-Port-Id} -
? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet'))

   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Wireless-802.11') - FALSE
   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Ethernet') - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet')) - FALSE

++? if (%{NAS-IP-Address} == '127.0.0.1')
   expand: %{NAS-IP-Address} - 139.184.8.16
? Evaluating (%{NAS-IP-Address} == '127.0.0.1') - FALSE
++? if (%{NAS-IP-Address} == '127.0.0.1') - FALSE
   expand: %{Client-Shortname} - hp-e-its-dev8021x-sw1
++[request] returns noop
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address = 
139.184.8.16,Acct-Session-Id = 004E0019,User-Name = 
[EMAIL PROTECTED]'

rlm_acct_unique: Acct-Unique-Session-ID = 67d4bffd71faf76b.
++[acct_unique] returns ok
+- entering group accounting
   expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 - 
/var/log/radiusd/20080205/accounting-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to 
/var/log/radiusd/20080205/accounting-detail-12:00
   expand: %{Packet-Src-IP-Address} - %t - 139.184.8.16 - Tue Feb  5 
12:49:09 2008

++[accounting_log] returns ok
   expand: %{Stripped-User-Name} - [EMAIL PROTECTED]
   expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT

Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Noticed with CVS head that all attributes (including internal ones)
 appear to be getting proxied. Is this just a cosmetic thing ?

  It's just a cosmetic thing.  The internal attributes are being
printed, but not sent.

  I don't see why it's happening, though.  The code in src/lib/radius.c
doesn't print internal attributes in debugging mode...

  Does this happen in 2.0.1?

  Alan DeKok.


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

Arran Cudbard-Bell wrote:

[EMAIL PROTECTED] wrote:

hi,

you are still pre-proxy attr filtering?
alan
  
No, didn't really see the point. Internal attributes aren't meant to
be proxied, and those are the only ones I really wanted filtering out.


Looks like something very strange is going on with proxying accounting 
packets as well.


rad_recv: Accounting-Request packet from host 139.184.8.16 port 1026, 
id=225, length=141

   Acct-Session-Id = 004E0019
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 15
   NAS-Port = 1
   Calling-Station-Id = 00-1B-63-A3-A8-DD
   Event-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
server default-outer {
+- entering group preacct
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)
   expand: %{User-Name} - [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ 
/?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - TRUE
++? if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) - 
TRUE
++- entering if (%{User-Name} =~ 
/?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/)

+++? if (!%{2}||(%{2} == 'sussex.ac.uk'))
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating loopback.sussex.ac.uk - FALSE
   expand: %{2} - loopback.sussex.ac.uk
? Evaluating (%{2} == 'sussex.ac.uk') - FALSE
+++? if (!%{2}||(%{2} == 'sussex.ac.uk')) - FALSE
+++- entering else else
   expand: [EMAIL PROTECTED] - [EMAIL PROTECTED]
[request] returns noop
+++- else else returns noop
++- if (%{User-Name} =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) 
returns noop

++ ... skipping else for request 20: Preceding if was taken
   expand: %{Realm} - %{2}
++- entering switch %{Realm}
+++- entering case
[control] returns noop
[request] returns noop
+++- case  returns noop
++- switch %{Realm} returns noop
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 


   expand: %{Called-Station-Id} -
? Evaluating (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Called-Station-Id} =~ 
/^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_.]*)?/i) 
- FALSE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 


   expand: %{Calling-Station-Id} - 00-1B-63-A3-A8-DD
? Evaluating (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++? if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
- TRUE
++- entering if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 


   expand: %{1}%{2}%{3}%{4}%{5}%{6} - 001B63A3A8DD
+++[request] returns noop
++- if (%{Calling-Station-Id} =~ 
/([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) 
returns noop

++? if (%{NAS-Port-Id} =~ /wl[0-9]*/)
   expand: %{NAS-Port-Id} -
? Evaluating (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if (%{NAS-Port-Id} =~ /wl[0-9]*/) - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet'))

   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Wireless-802.11') - FALSE
   expand: %{NAS-Port-Type} -
?? Evaluating (%{NAS-Port-Type} == 'Ethernet') - FALSE
++? if ((%{NAS-Port-Type} == 'Wireless-802.11')||(%{NAS-Port-Type} 
== 'Ethernet')) - FALSE

++? if (%{NAS-IP-Address} == '127.0.0.1')
   expand: %{NAS-IP-Address} - 139.184.8.16
? Evaluating (%{NAS-IP-Address} == '127.0.0.1') - FALSE
++? if (%{NAS-IP-Address} == '127.0.0.1') - FALSE
   expand: %{Client-Shortname} - hp-e-its-dev8021x-sw1
++[request] returns noop
rlm_acct_unique: WARNING: Attribute Client-IP-Address was not found in 
request, unique ID MAY be inconsistent
rlm_acct_unique: Hashing ',NAS-Port = 1,NAS-IP-Address = 
139.184.8.16,Acct-Session-Id = 004E0019,User-Name = 
[EMAIL PROTECTED]'

rlm_acct_unique: Acct-Unique-Session-ID = 67d4bffd71faf76b.
++[acct_unique] returns ok
+- entering group accounting
   expand: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 - 
/var/log/radiusd/20080205/accounting-detail-12:00
rlm_detail: /var/log/radiusd/%Y%m%d/accounting-detail-%H:00 expands to 
/var/log/radiusd/20080205/accounting-detail-12:00
   expand: %{Packet-Src-IP-Address} - %t - 139.184.8.16 - Tue Feb  5 
12:49:09 2008

++[accounting_log] returns ok
   expand: %{Stripped-User-Name} - [EMAIL PROTECTED]
   expand: %{%{Stripped-User-Name

Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
...
 Looks like something very strange is going on with proxying accounting
 packets as well.
...
 Where have all the attributes gone ?!!?

  I think you did a cvs update without re-building everything.

  Alan DeKok.


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell



Never mind ...

++[sql] returns ok
  expand: %{User-Name} - [EMAIL PROTECTED]
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated

*sigh*


All works now.

Might be an idea to replace
accounting {
   ...
   #  Filter attributes from the accounting response.
   attr_filter.accounting_response
}

With
accounting {
   ...
   #  Filter attributes from the accounting response.
   if(!%{control:Proxy-To-Realm}){
   attr_filter.accounting_response
   }
}

in the default config, or create a Post-Acct section for the filter to
live in. Otherwise all proxied accounting requests will have their attributes
stripped out.


Still getting internal attributes displayed...

Sending Accounting-Request of id 206 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E001B
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Event-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Stripped-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   Acct-Unique-Session-Id = 98c00d277000c63a
   SQL-User-Name = [EMAIL PROTECTED]
   Realm = jrs
   Proxy-State = 0x323532



Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Alan DeKok
Jakub Morávek wrote:
 In RSA terminology Agent hosts is host which sends authetication request.
...
 In my case RSA rejects user1 access, because RSA thikns, that user1
 wants to log into freeradius and there is no freeradius Agent host
 defined in RSA database.

  So... you might need to define one.

 My idea is that freeradius does not send Client-IP-Address attribute and
 therefore RSA RADIUS determines that original host is freeradius proxy
 server.

  The Client-IP-Address attribute is not sent in a packet.  The RADIUS
protocol uses the originating IP address to determine the client.

  I would suggest reading the RSA documentation to see how to make it
think that FreeRADIUS is not the originating host.  If the documentation
does not define how to do that, it is likely impossible.

  Alan DeKok.
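The two protocol facts behind Alan's answer here, and behind the "internal attributes are printed but not sent" point in the "Attributes sent to proxy servers" thread, as an added example that is not part of the list discussion: a minimal Python RADIUS Accounting-Request encoder and home-server-side verifier. The internal attribute numbers and all sample values are assumed or constructed for illustration; only the RFC 2865/2866 attribute types and the RFC 2866 Request Authenticator rule are real.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code

# Standard attributes (RFC 2865 / RFC 2866): one-byte Type values.
WIRE_ATTRS = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Calling-Station-Id": 31,
    "NAS-Identifier": 32, "Proxy-State": 33, "Acct-Status-Type": 40,
    "Acct-Delay-Time": 41, "Acct-Session-Id": 44, "Acct-Authentic": 45,
}
INTEGER_ATTRS = {"NAS-Port", "Acct-Status-Type", "Acct-Delay-Time", "Acct-Authentic"}
ENUMS = {"Acct-Status-Type": {"Start": 1, "Stop": 2, "Interim-Update": 3},
         "Acct-Authentic": {"RADIUS": 1, "Local": 2, "Remote": 3}}

# FreeRADIUS-style server-side attributes. Numbers are ASSUMED for this example
# (real dictionary values differ); the point is that they exceed 255.
INTERNAL_ATTRS = {
    "Stripped-User-Name": 1078, "Realm": 1045, "SQL-User-Name": 1055,
    "Client-IP-Address": 1052, "Acct-Unique-Session-Id": 1051, "Event-Type": 3000,
}


def encode_attr(name, value):
    """Encode one attribute as Type|Length|Value; return None for internal ones."""
    if name in INTERNAL_ATTRS:
        return None  # no one-byte Type exists for it, so nothing goes on the wire
    if name in ENUMS:
        value = ENUMS[name][value]
    if name in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    elif name == "NAS-IP-Address":
        data = bytes(int(octet) for octet in value.split("."))
    else:
        data = value if isinstance(value, bytes) else value.encode()
    if not 1 <= len(data) <= 253:
        raise ValueError(f"{name}: value length {len(data)} not encodable")
    return struct.pack("!BB", WIRE_ATTRS[name], len(data) + 2) + data


def build_accounting_request(identifier, attrs, secret):
    """Return (packet, names_sent); attrs is a list of (name, value) pairs."""
    body, sent = b"", []
    for name, value in attrs:
        tlv = encode_attr(name, value)
        if tlv is not None:
            body += tlv
            sent.append(name)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body, sent


def verify_accounting_request(packet, secret):
    """Home-server check: recompute the authenticator with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def wire_attr_types(packet):
    """Walk the TLVs after the 20-byte header and return each attribute's Type."""
    types, pos = [], 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        types.append(packet[pos])
        pos += length
    return types


def client_for_packet(source_ip, clients):
    """The home server selects the client entry (and its secret) by source IP,
    which is why a proxied request is attributed to the FreeRADIUS proxy."""
    return clients.get(source_ip)


# Constructed sample modelled on the Accounting-Request quoted in the thread;
# the user name is a placeholder for the address redacted in the archive.
SAMPLE_ATTRS = [
    ("Acct-Session-Id", "004E001B"), ("Acct-Status-Type", "Start"),
    ("Acct-Authentic", "RADIUS"), ("Acct-Delay-Time", 0), ("NAS-Port", 1),
    ("Calling-Station-Id", "001B63A3A8DD"), ("Event-Type", "Framed-User"),
    ("NAS-IP-Address", "139.184.8.16"), ("NAS-Identifier", "hp-e-its-dev8021x-sw1"),
    ("User-Name", "someone@jrs"), ("Stripped-User-Name", "someone"), ("Realm", "jrs"),
    ("Acct-Unique-Session-Id", "98c00d277000c63a"), ("SQL-User-Name", "someone@jrs"),
    ("Proxy-State", b"252"),  # shown as 0x323532 in the debug output
]
```

Running build_accounting_request(206, SAMPLE_ATTRS, secret) shows that Realm, Stripped-User-Name, SQL-User-Name, Acct-Unique-Session-Id and Event-Type never reach the packet, and client_for_packet shows the only identity a home server has for the sender.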


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Might be any idea to replace
accounting {


...
  

   #  Filter attributes from the accounting response.
   if(!%{control:Proxy-To-Realm}){
   attr_filter.accounting_response



  I'll look into it...

  

Still getting internal attributes displayed...



  Fixed.

  

Yep confirmed.

Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E002C
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Service-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Proxy-State = 0x313931
Proxying request 9 to home server 194.82.174.185 port 1813
Sending Accounting-Request of id 108 to 194.82.174.185 port 1813
   Acct-Session-Id = 004E002C
   Acct-Status-Type = Start
   Acct-Authentic = RADIUS
   Acct-Delay-Time = 0
   NAS-Port = 1
   Calling-Station-Id = 001B63A3A8DD
   Service-Type = Framed-User
   NAS-IP-Address = 139.184.8.16
   NAS-Identifier = hp-e-its-dev8021x-sw1
   User-Name = [EMAIL PROTECTED]
   Proxy-State = 0x313931
Going to the next request

Thanks :)

Small cosmetic one

Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject {
   attrsfile = /etc/raddb/filters/attrs.access_reject
   key = %{User-Name}
 }
[/etc/raddb/filters/attrs.access_reject]:11 WARNING! Check item 
Event-Type found in filter list for realm DEFAULT.

}
}

That's not a 'Check-Item', that's a user-defined internal attribute.

  Alan DeKok.
  





Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Arran Cudbard-Bell

Ivan Kalik wrote:

My idea is that freeradius does not send Client-IP-Address attribute and
therefore RSA RADIUS determines that original host is freeradius proxy
server.




Ahem, your first post:

output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:

Packet-Type = Access-Request
Mon Feb  4 23:55:50 2008
User-Name = jakub
User-Password = 1234628665
NAS-IP-Address = 127.0.1.1
NAS-Identifier = ssh
NAS-Port = 21704
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.5.0.39
Client-IP-Address = 10.5.0.31   <===
Stripped-User-Name = jakub
Realm = NULL
Realm = NULL
Proxy-State = 0x313039
  
No. This was a bug, Alan just fixed it. It's cosmetic.
'Client-IP-Address' is never sent!

Ivan Kalik
Kalik Informatika ISP

  





Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Ivan Kalik

My idea is that freeradius does not send Client-IP-Address attribute and
therefore RSA RADIUS determines that original host is freeradius proxy
server.


Ahem, your first post:

output of /var/log/freeradius/radacct/10.5.0.31/pre-proxy-detail-20080204:

Packet-Type = Access-Request
Mon Feb  4 23:55:50 2008
User-Name = jakub
User-Password = 1234628665
NAS-IP-Address = 127.0.1.1
NAS-Identifier = ssh
NAS-Port = 21704
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.5.0.39
Client-IP-Address = 10.5.0.31   <===
Stripped-User-Name = jakub
Realm = NULL
Realm = NULL
Proxy-State = 0x313039

Ivan Kalik
Kalik Informatika ISP



Re: FR2 - proxying inner tunnel

2008-02-05 Thread Alan DeKok
Dmitry Sergienko wrote:
 Does anyone here have working inner tunnel proxying with freeradius 2.0.x?
 
 Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization.
 Switched to FreeRadius 2.0.1 from 1.1.7.

  I think the issue was introduced recently.  Try editing
src/main/event.c, function request_post_handler()

...
	if (request->root->proxy_requests &&
	    /* !request->proxy   */ // comment out this line
	    !request->in_proxy_hash && // add this line
	    (request->reply->code == 0) &&
	    (request->packet->dst_port != 0) &&
	    (request->packet->code != PW_STATUS_SERVER)) {
...

  Re-build & install.  See if that helps...

  Alan DeKok.


Re: Attributes sent to proxy servers ...

2008-02-05 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Might be any idea to replace
 accounting {
...
#  Filter attributes from the accounting response.
if(!%{control:Proxy-To-Realm}){
attr_filter.accounting_response

  I'll look into it...

 Still getting internal attributes displayed...

  Fixed.

  Alan DeKok.


Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Jakub Morávek
First of all thanks for your reply. I'll try to be more specific.

On Feb 5, 2008 2:58 PM, Alan DeKok [EMAIL PROTECTED] wrote:

 Jakub Morávek wrote:
 I have not many experiences with radius, so my question may be
  stupid. Has anybody experience with using freeradius (Version 1.1.3 in
  Debian Sarge) as proxy for RSA RADIUS Server included in RSA
  Authentication Manager 6.1?

  Many people have tried this.  It works.


I know, but I did not find anyone who discussed this problem.




  When authentication request goes through freeradius proxy, RSA Manager
  thinks that Agent host is my freeradius proxy instead of original host
  which sent authenticate request.

  I don't know what an Agent host is.  FreeRADIUS *is* a RADIUS client
  to the RSA manager.


In RSA terminology an Agent host is a host which sends an authentication request.

For example, if you want to set up an ssh-server to authenticate ssh logins
against RSA, you have to add the ssh-server (name and its IP address) into the
RSA database and set up the list of users which are allowed to log into the
ssh-server.
If user1 tries to access ssh-server, ssh-server sends authentication
request to RSA.
RSA looks into database if user1 is allowed to log into ssh-server host.

In my case RSA rejects user1 access, because RSA thinks that user1
wants to log into freeradius and there is no freeradius Agent host
defined in the RSA database.



  Does this mean, that freeradius process all attributes from
  pre-proxy-detail-20080204 log, but sends only attributes, which are
  shown in extended debug mode? If so, can anybody give me any advice how
  can I configure freeradius to send more attributes?

  To do... what?


My idea is that freeradius does not send Client-IP-Address attribute and
therefore RSA RADIUS determines that original host is freeradius proxy
server.



  Alan DeKok.


   Jakub

Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Arran Cudbard-Bell

Jakub Morávek wrote:

First of all thanks for your reply. I'll try to be more specific.

On Feb 5, 2008 2:58 PM, Alan DeKok [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Jakub Morávek wrote:
I have not many experiences with radius, so my question may be
 stupid. Has anybody experience with using freeradius (Version
1.1.3 in
 Debian Sarge) as proxy for RSA RADIUS Server included in RSA
 Authentication Manager 6.1?

 Many people have tried this.  It works.


I know, but I did not find anyone who discussed this problem.
 




 When authentication request goes through freeradius proxy, RSA
Manager
 thinks that Agent host is my freeradius proxy instead of
original host
 which sent authenticate request.

 I don't know what an Agent host is.  FreeRADIUS *is* a RADIUS
client
 to the RSA manager.


In RSA terminology an Agent host is a host which sends an authentication 
request.


For example, if you want to setup ssh-server to authenticate ssh 
login against RSA, you have to add ssh-server (name and it's ip 
address) into RSA  database and setup list of users, which are allowed 
to log into ssh-server.
If user1 tries to access ssh-server, ssh-server sends 
authentication request to RSA.
RSA looks into database if user1 is allowed to log into ssh-server 
host.


In my case RSA rejects user1 access, because RSA thinks that 
user1 wants to log into freeradius and there is no freeradius 
Agent host defined in the RSA database.
 



 Does this mean, that freeradius process all attributes from
 pre-proxy-detail-20080204 log, but sends only attributes, which are
 shown in extended debug mode? If so, can anybody give me any
advice how
 can I configure freeradius to send more attributes?

 To do... what?


My idea is that freeradius does not send Client-IP-Address attribute 
and therefore RSA RADIUS determines that original host is freeradius 
proxy server.


Erm no, you're wrong: 'Client-IP-Address' is an internal FreeRADIUS 
attribute. If it was sent the Funk RADIUS server wouldn't understand 
it... but it's not sent as all FR internal attributes are filtered out.


The RSA Funk Server determines Agent Host identity from the UDP Packet 
Header, not any of the attributes inside the RADIUS Packet. It could in 
theory use NAS-IP-Address as an identifier, but I doubt it does.




 Alan DeKok.



   Jakub





--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Cisco 1200 AP

2008-02-05 Thread John Melton
I have configured a Cisco 1200 AP for WPA2-PSK which is working with a 
wireless device able to connect OK.


I have tried to add MAC authentication using the FreeRadius server, but 
have not been able to get it working.  I can see from the FreeRadius log 
that the AP is sending the Access-Request packet and an Access-Accept 
response is being returned but the wireless device is unable to connect.


Has anyone setup this configuration and got it working?

Regards,

John


Re: Cisco 1200 AP

2008-02-05 Thread Julian Stöver

Hello,
which firmware version?

bye
julian


Am 05.02.2008 um 17:05 schrieb John Melton:

I have configured a Cisco 1200 AP for WPA2-PSK which is working with  
a wireless device able to connect OK.


I have tried to add MAC authentication using the FreeRadius server,  
but have not been able to get it working.  I can see from the  
FreeRadius log that the AP is sending the Access-Request packet and  
an Access-Accept response is being returned but the wireless device  
is unable to connect.


Has anyone setup this configuration and got it working?

Regards,

John


Re: Cisco 1200 AP

2008-02-05 Thread John Melton

Hi,

1200 AP is running c1200-k9w7-mx.123-8.JEB1


-- John



Julian Stöver wrote:

Hello,
which firmware version?

bye
julian


Am 05.02.2008 um 17:05 schrieb John Melton:

I have configured a Cisco 1200 AP for WPA2-PSK which is working with a 
wireless device able to connect OK.


I have tried to add MAC authentication using the FreeRadius server, 
but have not been able to get it working.  I can see from the 
FreeRadius log that the AP is sending the Access-Request packet and an 
Access-Accept response is being returned but the wireless device is 
unable to connect.


Has anyone setup this configuration and got it working?

Regards,

John


Re: Cisco 1200 AP

2008-02-05 Thread Ivan Kalik
but the wireless device is unable to connect.

Has anyone setup this configuration and got it working?


You did:
that the AP is sending the Access-Request packet and an Access-Accept
response is being returned 

Problems you are having are not with radius. How are you setting IP
address etc.?

Ivan Kalik
Kalik Informatika ISP



Re: Cisco 1200 AP

2008-02-05 Thread Julian Stöver
Is the wireless device sending its own MAC or the client's MAC address?  
There's sometimes a bug (CSCsj17603) with the firmware where the Cisco  
1200 AP sends its own MAC address; in this case you should update your  
firmware. For detailed information read the Cisco docs. If it's a  
freeradius bug you should post the debug log.


bye
julian


Am 05.02.2008 um 17:30 schrieb John Melton:


Hi,

1200 AP is running c1200-k9w7-mx.123-8.JEB1


-- John



Julian Stöver wrote:

Hello,
which firmware version?
bye
julian
Am 05.02.2008 um 17:05 schrieb John Melton:
I have configured a Cisco 1200 AP for WPA2-PSK which is working  
with a wireless device able to connect OK.


I have tried to add MAC authentication using the FreeRadius  
server, but have not been able to get it working.  I can see from  
the FreeRadius log that the AP is sending the Access-Request  
packet and an Access-Accept response is being returned but the  
wireless device is unable to connect.


Has anyone setup this configuration and got it working?

Regards,

John

Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread David Mitton


The RSA Authentication Server does not take requests from undefined agents. All Agent Hosts must be defined in the Server's Agent Host list. However, we are talking about RADIUS requests here; from the RSA Server's point of view, the RADIUS server is the agent host making the request to it via the RSA SecurID APIs. If you look at the RSA Server documentation you will find information on how to define Agent Hosts that happen to be RADIUS servers.

Furthermore, there is a feature in our system that will also extend such "protection" to the NASes that originated the RADIUS request. This is a defense in depth to prevent rogue access points and the like. If this feature is enabled, all NASes that generate RSA auth requests must also be defined as Agent Hosts in the RSA Server's db. The originating IP address of the RADIUS request is passed up to the RSA server and looked up.

You can turn that feature off at the Agent Host interface between RADIUS and SecurID:
- If using the Windows EAP plugins, it's in the RSA Security Center application, Remote EAP Configuration page, Authentication Settings dialog, "Enable RADIUS Client Check" check box.
- If using the RSA RADIUS server, open the securid.ini file and change the setting of CheckUserAllowedByClient=1 to =0 in the [Configuration] section and restart the server. This is documented in the manual.

Dave.

Feb 5, 2008 10:37:46 AM, freeradius-users@lists.freeradius.org wrote:

 Jakub Morávek wrote:
  In RSA terminology "Agent hosts" is a host which sends an authentication request.
  In my case RSA rejects "user1" access, because RSA thinks that "user1" wants to log into "freeradius" and there is no "freeradius" Agent host defined in RSA database.

 So... you might need to define one.

  My idea is that freeradius does not send Client-IP-Address attribute and therefore RSA RADIUS determines that original host is freeradius proxy server.

 The Client-IP-Address attribute is not sent in a packet. The RADIUS protocol uses the originating IP address to determine the client.

 I would suggest reading the RSA documentation to see how to make it think that FreeRADIUS is not the originating host. If the documentation does not define how to do that, it is likely impossible.

 Alan DeKok.
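To make the point of this thread concrete, here is an added example (not code from the list or from FreeRADIUS): a minimal RFC 2865 Access-Request encoder and decoder in Python. It shows that an attribute with no wire number, such as Client-IP-Address, is dropped before encoding, that the receiving server identifies the client purely by the datagram's source address and the shared secret configured for it (so a proxied request is attributed to the proxy, whatever NAS-IP-Address says), and, going a little beyond this thread, what happens when a packet arrives from an address not in clients.conf or with a mismatched shared secret. The secrets, the client table, the user entry and all function names are constructed stand-ins.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1

# Wire attribute numbers from RFC 2865.  FreeRADIUS "internal" attributes such as
# Client-IP-Address, Proxy-To-Realm or Stripped-User-Name have no entry here:
# they exist only inside the server and are dropped before a packet is encoded.
WIRE_ATTRS = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Identifier": 32}
ATTR_NAMES = {num: name for name, num in WIRE_ATTRS.items()}

# Constructed stand-ins for clients.conf (shared secret per client source IP) and for
# the users file; the addresses mirror the detail-file excerpt quoted in the thread.
CLIENTS = {"10.5.0.39": b"sshsecret", "10.5.0.31": b"proxysecret"}
USERS = {"jakub": b"1234628665"}


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage bytes, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_access_request(attrs, secret, ident=1, authenticator=None):
    """Build an Access-Request; returns (packet, names dropped because they are internal)."""
    authenticator = authenticator or os.urandom(16)
    body, dropped = b"", []
    for name, value in attrs.items():
        num = WIRE_ATTRS.get(name)
        if num is None:
            dropped.append(name)  # no wire number: never leaves the server
            continue
        if name == "User-Password":
            data = hide_password(value.encode(), secret, authenticator)
        elif name == "NAS-IP-Address":
            data = socket.inet_aton(value)
        else:
            data = value.encode()
        body += struct.pack("!BB", num, len(data) + 2) + data
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, dropped


def decode_packet(packet):
    """Split a RADIUS packet into (code, id, authenticator, {attribute name: raw value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        num, alen = packet[pos], packet[pos + 1]
        attrs[ATTR_NAMES.get(num, num)] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, authenticator, attrs


def handle_request(src_ip, packet):
    """Server side: the client is whoever sent the datagram, looked up by source IP alone."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        # FreeRADIUS silently ignores packets from hosts that are not in clients.conf
        return {"reply": None, "reason": f"unknown client {src_ip}"}
    _code, _ident, auth, attrs = decode_packet(packet)
    user = attrs["User-Name"].decode()
    password = unhide_password(attrs["User-Password"], secret, auth)
    return {
        "reply": "Access-Accept" if USERS.get(user) == password else "Access-Reject",
        "client": src_ip,  # what the server believes the NAS is
        "nas_ip": socket.inet_ntoa(attrs["NAS-IP-Address"]),  # what the NAS says about itself
        "user": user,
    }


def proxy_forward(packet, inbound_secret, outbound_secret):
    """What a proxy does: unhide with the NAS secret, re-hide with the home server's secret."""
    _code, ident, auth, attrs = decode_packet(packet)
    plain = {
        "User-Name": attrs["User-Name"].decode(),
        "User-Password": unhide_password(attrs["User-Password"], inbound_secret, auth).decode(),
        "NAS-IP-Address": socket.inet_ntoa(attrs["NAS-IP-Address"]),
    }
    return encode_access_request(plain, outbound_secret, ident)[0]
```

Feed a packet built with encode_access_request to handle_request from 10.5.0.39 for the direct case, and through proxy_forward and then from 10.5.0.31 for the proxied case: the reply is the same, but "client" changes to the proxy's address while "nas_ip" does not.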

freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread Dave Cummings

Greetings

I have been working with freeradius v.2.0.1 and a
Cisco 1200 Series Access Point (version 12.3 IOS) for many months now
with no success to getting this working.  I am doing research on
freeradius product for a university campus that I go to for
implementation in the near future.  I am out of ideas of how to
configure this correctly.  I still to this day do not have my Cisco
1200 AP authenticating with freeradius version 2.0.1.  Does anyone have
a configuration setup of this type of scheme or are willing to tell me
how to start from ground up to make this work.  My plan is simple at
this point.  I want to use freeradius, a Cisco 1200 Series Access
Point, and one windows xp pro client to connect to the AP and
authenticate against freeradius.  I appreciate any input on this
matter.  Thanks again open source community.

Dave








 


Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread Phil Mayers

Dave Cummings wrote:

Greetings

I have been working with freeradius v.2.0.1 and a Cisco 1200 Series 
Access Point (version 12.3 IOS) for many months now with no success to 


2.0.1 has not been out for many months

getting this working.  I am doing research on freeradius product for a 
university campus that I go to for implementation in the near future.  I 
am out of ideas of how to configure this correctly.  I still to this day 
do not have my Cisco 1200 AP authenticating with freeradius version 
2.0.1.  Does anyone have a configuration setup of this type of scheme or 
are willing to tell me how to start from ground up to make this work.  
My plan is simple at this point.  I want to use freeradius, a Cisco 1200 
Series Access Point, and one windows xp pro client to connect to the AP 
and authenticate against freeradius.  I appreciate any input on this 
matter.  Thanks again open source community.


Lots of people have done this. However, you haven't given enough info 
for us to help you. In fact, you've given *NO* info. See here:


http://linuxmafia.com/faq/Essays/smart-questions.html

Also, have you tried running the server in debug mode, as documented in 
the README? This will tell you what the server is doing when things 
aren't working.


When installing FreeRadius 2.0.1, the only thing you should need is to 
add this to /etc/raddb/users


username	Cleartext-Password := thepassword

...and it should work. If it doesn't, by far the most likely explanation 
is that you have the Cisco AP configured incorrectly; you will need to 
examine the Cisco documentation, this is not a Cisco support list.



wiki

2008-02-05 Thread Phil Mayers
I assume account creation is deliberately disabled on the wiki; could 
whoever runs/has access create me one?



Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread A . L . M . Buxey
Hi,

 When installing FreeRadius 2.0.1, the only thing you should need is to add 
 this to /etc/raddb/users

 username  Cleartext-Password := thepassword

..and the clients file (and maybe even the firewall on the server! ;-) )
so that the AP acting as a NAS can talk to FR :-)

 ...and it should work. If it doesn't, by far the most likely explanation is 
 that you have the Cisco AP configured incorrectly; you will need to examine 
 the Cisco documentation, this is not a Cisco support list.

agreed.

alan


Re: wiki

2008-02-05 Thread Ivan Kalik
Write to Peter Nixon with your desired logon details.

Ivan Kalik
Kalik Informatika ISP


Dana 5/2/2008, Phil Mayers [EMAIL PROTECTED] piše:

I assume account creation is deliberately disabled on the wiki; could
whoever runs/has access create me one?


Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread A . L . M . Buxey
Hi,

 I have been working with freeradius v.2.0.1 and a
 Cisco 1200 Series Access Point (version 12.3 IOS) for many months now
 with no success to getting this working.  I am doing research on
 freeradius product for a university campus that I go to for
 implementation in the near future.  I am out of ideas of how to
 configure this correctly.  I still to this day do not have my Cisco
 1200 AP authenticating with freeradius version 2.0.1.  Does anyone have
 a configuration setup of this type of scheme or are willing to tell me
 how to start from ground up to make this work.  My plan is simple at
 this point.  I want to use freeradius, a Cisco 1200 Series Access
 Point, and one windows xp pro client to connect to the AP and
 authenticate against freeradius.  I appreciate any input on this
 matter.  Thanks again open source community.

most of us would simply follow the FreeRADIUS EAP-TLS guide (which
covers PEAP etc too!) - which works 'out of the box' when you
do a make install and run it for the first time,

followed by following the cisco document on how to configure WPA
for the 1200 series AP. 

then, configure FreeRADIUS client.conf to allow the AP to talk to
the FR server

install the FR CA cert onto the Windows client. et voila. that's
most of the work done (or all of it if you use EAP-TLS)

so. what exactly is your problem?  

have you followed the cisco docs so that your AP is configured to
do WPA and has the RADIUS server configured?  what's the debug
output from your FR daemon?  

alan


New bee to FreeRadius; need help in configuration

2008-02-05 Thread Deepak Panigrahy

Hi,
I have successfully configured the Freeradius server.
The one thing that I noticed is: every time I modify the clients.conf 
file to include a client, I have to stop the server and then start it 
again so that the client is picked up.
I am wondering if there is any other way so that the server can refresh 
itself everytime I add a client, automatically.


Can anybody help me out?

Thanks,
Deepak


PEAP mschapv2 Proxy not working.

2008-02-05 Thread Andrew Olson

Hello,

I'm having trouble getting freeradius-1.1.7 to proxy PEAP-mschapv2 to 
another RADIUS server.  My other server doesn't do EAP, so I'm just sending 
mschapv2 achieved with proxy_tunneled_request_as_eap = no in eap.conf.


When I proxy to my other server, I get back an Access-Accept packet.  Then, 
freeradius sends an Access Challenge to the client, receives a response and 
then things appear to break.


I am able to successfully authenticate users with PEAP by defining them 
locally in the users file.  Additionally, I have gotten TTLS to work by 
proxying to another server, it's just PEAP that I'm having problems with.


The differing line in the debug seems to be:
proxied
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2

-vs-

non-proxied

  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.


I'm running a pretty standard config, I think.  I can send copies of it, if 
that would help.


Thanks,
Andrew Olson


The complete proxied debug starting with the Access-Request is as follows:

Sending Access-Request of id 0 to 198.82.247.36 port 1812
User-Name = anolson
NAS-IP-Address := 198.82.245.57
MS-CHAP-Challenge = 0x85feba9cbed9e9191bf72a29f0f82312
MS-CHAP2-Response = 0x0700b776d1433b4d6dab43d5bde9163e8b45ee7fcb070f3766e7e7b0f198b72754b44a9ef0255d712db1
Proxy-State = 0x3136
Service-Type := Framed-User
Waking up in 6 seconds...
rad_recv: Access-Accept packet from host 198.82.247.36:1812, id=0, length=189
Filter-Id = CNS_NET1
MS-CHAP2-Success = 0x07533d4343304142444332354233304645314131394238363737413941334136454631364134454634
MS-MPPE-Send-Key = 0x7b5fcacde0c3798261894df701a5cdd5
MS-MPPE-Recv-Key = 0x3900c03d5b5851da66e8fb27d90077f9
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x000e
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
  PEAP: Passing reply from proxy back into the tunnel.
  PEAP: Passing reply back for EAP-MS-CHAP-V2 0x8170500 2
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 6
  rlm_eap_mschapv2: Passing reply from proxy back into the tunnel 0x8170500 2.
  rlm_eap_mschapv2: Authentication succeeded.
MSCHAP Success
  modcall[post-proxy]: module eap returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
  POST-PROXY 2
  POST-AUTH 2
 PEAP: Got reply 11
  PEAP: Got tunneled Access-Challenge
  PEAP: Reply was handled
  modcall[post-proxy]: module eap returns ok for request 6
modcall: leaving group post-proxy (returns ok) for request 6
Sending Access-Challenge of id 16 to 128.173.10.131 port 56945
EAP-Message = 0x0107005b190017030100502c303c60e1337bcb4c17a281f71910d23777fd5f4a4d5aefab92a23ff28a993aa17ebc2d6bd7567b9386fec7c4e6f2f7ae4c4655a8492000e0e473fc7e8be63a1bf372449cba9f795dc6535b04648cdb
Message-Authenticator = 0x
State = 0x23a96486ec5dbd008e1eddcee31dfa93
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 128.173.10.131:56945, id=17, length=151
User-Name = anolson
State = 0x23a96486ec5dbd008e1eddcee31dfa93
EAP-Message = 0x020700541980004e170301002050f4490743b89308d9bb84f411a1629e7b6f06dd6c02c2525747560f657f63d117030100209d0c853d82e17d05938ab49201447c135a90d068d1641a23db5fc04cfcc0dd08
Message-Authenticator = 0x3c828120c544cde1b5d4366b7e735350
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module preprocess returns ok for request 7
  modcall[authorize]: module chap returns noop for request 7
  modcall[authorize]: module mschap returns noop for request 7
rlm_realm: No '@' in User-Name = anolson, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 7
  rlm_eap: EAP packet type response id 7 length 84
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 7
  modcall[authorize]: module files returns notfound for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: 

Re: New bee to FreeRadius; need help in configuration

2008-02-05 Thread Vijay Avarachen
Deepak,
  Have you considered using an ldap or sql backend instead of flat-file?

Vijay

On Feb 5, 2008 2:33 PM, Deepak Panigrahy [EMAIL PROTECTED]
wrote:

 Hi,
 I have successfully configured the Freeradius server.
 The one thing that I noticed is: every time I modify the clients.conf
 file to include a client, I have to stop the server and then start it
 again so that the client is picked up.
 I am wondering if there is any other way so that the server can refresh
 itself everytime I add a client, automatically.

 Can anybody help me out?

 Thanks,
 Deepak




-- 
Knowledge is the only wealth that grows as you spend it, and diminishes as
you save it.
-- ancient Sanskrit saying

Re: New bee to FreeRadius; need help in configuration

2008-02-05 Thread A . L . M . Buxey
Hi,
 Deepak,
   Have you considered using an ldap or sql backend instead of flat-file?

those, too, will need to be refreshed via a server restart - the SQL
clients are only read upon start.

alan


Re: New bee to FreeRadius; need help in configuration

2008-02-05 Thread Deepak Panigrahy




Hi,
I feel there should be some way so that the server can refresh itself
automatically with the clients without going down.

Thanks,
Deepak

[EMAIL PROTECTED] wrote:

  Hi,

 Deepak,
   Have you considered using an ldap or sql backend instead of flat-file?

 those, too, will need to be refreshed via a server restart - the SQL
 clients are only read upon start.

 alan





RE: Detail cisco logging

2008-02-05 Thread hamid benane
hello,
Thank you for the freeradius web page, I looked at it before asking this question.

Can anyone give me the right configuration of the Cisco 3560 switch to 
authenticate a Windows XP client on the LAN? I use TLS or PEAP.
 
thanks 
 
 

Re: New bee to FreeRadius; need help in configuration

2008-02-05 Thread Marinko Tarlac

Users Yes,
NAS No

Julian Stöver wrote:

Hi,
I think that's wrong. I can add SQL users without refreshing the 
server, and the debug mode also shows me how the database is 
requested for the user data on every request!


bye
julian

Am 05.02.2008 um 22:40 schrieb [EMAIL PROTECTED]:


Hi,

Deepak,
 Have you considered using an ldap or sql backend instead of 
flat-file?


those, too, will need to be refreshed via a server restart - the SQL
clients are only read upon start.

alan


Re: freeradius v.2.0.1 and Cisco 1200AP IOS V.12.3

2008-02-05 Thread John Melton
I have found a Cisco document (FAQ-Wireless-Security.pdf) with the  
following statement:


Q. Why does MAC authentication not work with Wi-Fi Protected Access
(WPA) in Cisco IOS Software Release 12.3(8)JA2?

A. The only level of security for MAC authentication is to check the
MAC address of the client against a list of permitted MAC addresses.
This is considered very weak. In earlier Cisco IOS Software releases,
you could configure MAC authentication and WPA to encrypt the
information. But because WPA itself has a MAC address that checks,
Cisco decided not to allow this type of configuration in later Cisco
IOS Software releases and decided only to improve security features.

Regards,

John

On 5 Feb 2008, at 20:04, [EMAIL PROTECTED] wrote:


Hi,

 When installing FreeRadius 2.0.1, the only thing you should need is to add
 this to /etc/raddb/users

 username	Cleartext-Password := thepassword

..and the clients file (and maybe even the firewall on the server! ;-) )
so that the AP acting as a NAS can talk to FR :-)

 ...and it should work. If it doesn't, by far the most likely explanation is
 that you have the Cisco AP configured incorrectly; you will need to examine
 the Cisco documentation, this is not a Cisco support list.

agreed.

alan



RE: Detail cisco logging

2008-02-05 Thread Ivan Kalik
Well, look again. Same question was asked and answered today. Different
Cisco device but that doesn't change a thing.

Ivan Kalik
Kalik Informatika ISP


Dana 5/2/2008, hamid benane [EMAIL PROTECTED] piše:

hello,
Thank you for the freeradius web page, I looked at it before asking this question.

Can anyone give me the right configuration of the Cisco 3560 switch to 
authenticate a Windows XP client on the LAN? I use TLS or PEAP.
 
thanks 
 
 


Re: FR2 - proxying inner tunnel

2008-02-05 Thread Dmitry Sergienko

Hi!

Alan DeKok wrote:

Dmitry Sergienko wrote:

Does anyone here have working inner tunnel proxying with freeradius 2.0.x?

Still having troubles with doing EAP-PEAP-MSCHAPv2 authorization.
Switched to FreeRadius 2.0.1 from 1.1.7.


  I think the issue was introduced recently.  Try editing
src/main/event.c, function request_post_handler()

...
	if (request->root->proxy_requests &&
	    /* !request->proxy   */ // comment out this line
	    !request->in_proxy_hash && // add this line
	    (request->reply->code == 0) &&
	    (request->packet->dst_port != 0) &&
	    (request->packet->code != PW_STATUS_SERVER)) {
...

  Re-build & install.  See if that helps...


Thanks for the tip.
successfully_proxied_request() also needs patching:

	/*
	 *	If it was already proxied, do nothing.
	 *
	 *	FIXME: This should really be a serious error.
	 */
	/* if (request->in_proxy_hash || request->proxy) { */
	if (request->in_proxy_hash) {
		return 0;
	}

AFAIU this function relies on an empty request->packet, but it is not empty because it has been 
filled in eappeap_process():

	/*
	 *	Seed the proxy packet with the
	 *	tunneled request.
	 */
	rad_assert(request->proxy == NULL);
	request->proxy = fake->packet;




The second oddity: when setting proxy_tunneled_request_as_eap = no, proxying is not 
working because no inner MSCHAPv2 request is extracted. Debug looks like this:


Wed Feb  6 00:33:09 2008 : Debug:   PEAP: Calling authenticate in order to initiate 
tunneled EAP session.
Wed Feb  6 00:33:09 2008 : Debug:   WARNING: Unknown value specified for Auth-Type. 
Cannot perform requested action.


Solution is quite simple: write down the following in the proxy-inner-tunnel file after 
the authorize {} section:

	authenticate {
		eap
	}




module_authenticate() is called in eappeap_process() to extract the MSCHAPv2 request, and 
when there is no authenticate section in the virtual server, proxying will fail. IMHO it would be useful 
to have these lines in the example proxy-inner-tunnel as a comment for 
proxy_tunneled_request_as_eap set to no. Maybe someone will run into the same issue 
and spend several hours or days figuring out how to fix this.




--
Best regards,
Dmitry Sergienko


password failover

2008-02-05 Thread jonr

Hello,

How do I set up a freeradius server so that if the password fails for  
the primary radius server it tries the secondary for the password. In  
my scenario, the primary is up and servicing requests, but the  
password for the device is incorrect. Now the device looks to the  
secondary to get authorized and the secondary holds the correct secret  
for the device.


I have looked at fail-over and load-balancing but am not sure if  
either of these are what I am looking for. Can someone tell me what I  
am looking for and I can do the rest.


Thanks for any help,

Jon




Re: FreeRADIUS and RSA RADIUS Server

2008-02-05 Thread Alan DeKok
Jakub Morávek wrote:
I have not many experiences with radius, so my question may be
 stupid. Has anybody experience with using freeradius (Version 1.1.3 in
 Debian Sarge) as proxy for RSA RADIUS Server included in RSA
 Authentication Manager 6.1?

  Many people have tried this.  It works.

 When authentication request goes through freeradius proxy, RSA Manager
 thinks that Agent host is my freeradius proxy instead of original host
 which sent authenticate request.

  I don't know what an Agent host is.  FreeRADIUS *is* a RADIUS client
 to the RSA manager.

 Does this mean, that freeradius process all attributes from
 pre-proxy-detail-20080204 log, but sends only attributes, which are
 shown in extended debug mode? If so, can anybody give me any advice how
 can I configure freeradius to send more attributes?

  To do... what?

  Alan DeKok.