/etc/samba/smbpasswd
Hi all, if I am using /etc/samba/smbpasswd, how can I specify the etc/smbpasswd over the network? Is it possible like this:

filename = 192.168.XX.XX:/etc/samba/smbpasswd

Regards,
VIJAY

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: inner/outer authentication problem in 2.0.2
Gopinath Reddy N wrote:
> But by way of hack if user knows some other valid user name in the
> system he can use that as outer identity and get the policy setting of
> that user. So to avoid that I am just thinking is there a way I can come
> out of this situation in freeradius

Yes. That's why the inner and outer sessions are in different virtual servers. Put the policy into the virtual server for the inner tunnel, and not for the outer session.

Alan DeKok.
Re: Simultaneous-Use and radwho
Tuc at T-B-O-H.NET wrote:
> I haven't been given authorization to do a radiusd -X yet,

Copy the configs to a test machine. Run "radsniff" on the production machine to grab packets. Play them back on the test machine. Run radiusd -X on the test machine.

> But it seems somehow they are able to "race" it :
>
> Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from
> client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
> Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from
> client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD

The NAS is delaying the accounting packets.

> Would switching to SQL be better? (Or is this something that MUST
> have a radiusd -X to resolve?)

No. The way to fix it is to fix the code so that the user is marked "conditionally logged in" for 10-20 seconds after the Access-Accept. If there's no Accounting start, that record is erased. Otherwise, the accounting start marks the user as "really logged in". That way, when the second login request comes, the server discovers that the first user is likely to be logged in, and rejects the second request.

Alan DeKok.
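The "conditionally logged in" record described in the reply above, as an added Python example that is not FreeRADIUS code and not from anyone in this thread. It models the state machine (an Access-Accept marks the user pending for a grace window, the NAS's Accounting-Start promotes the record to active, a Start that never arrives lets the record expire) and replays the race from the thread against it. It also includes a small detector over constructed radius.log lines, modelled on the ones Tuc posted, that flags two "Login OK" entries for one user from different ports inside the window. The 15-second grace value, the class and function names, and the sample log lines are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Assumption: grace window length. The reply suggests 10-20 seconds; 15 is used here.
GRACE_SECONDS = 15.0


@dataclass
class Session:
    state: str    # "pending": Access-Accept seen; "active": Accounting-Start seen
    port: int     # NAS-Port the session was accepted on
    since: float  # time (seconds) of the event that put the entry in this state


class SimultaneousUse:
    """One session per user (Simultaneous-Use = 1), with a provisional state
    between the Access-Accept and the NAS's Accounting-Start."""

    def __init__(self, grace: float = GRACE_SECONDS) -> None:
        self.grace = grace
        self.sessions: Dict[str, Session] = {}

    def _expire(self, user: str, now: float) -> None:
        s = self.sessions.get(user)
        if s is not None and s.state == "pending" and now - s.since > self.grace:
            # No Accounting-Start arrived within the window: erase the provisional record.
            del self.sessions[user]

    def access_request(self, user: str, port: int, now: float) -> Tuple[str, str]:
        """Return (reply code, reason) for an Access-Request from `user` on `port`."""
        self._expire(user, now)
        s = self.sessions.get(user)
        if s is not None:
            return "Access-Reject", f"Multiple logins (max 1): {s.state} session on port {s.port}"
        # Accept, and mark the user conditionally logged in until accounting confirms it.
        self.sessions[user] = Session("pending", port, now)
        return "Access-Accept", "conditionally logged in"

    def accounting_start(self, user: str, port: int, now: float) -> str:
        """Promote a pending session to active; create one if no Accept was seen."""
        self._expire(user, now)
        s = self.sessions.get(user)
        if s is None:
            # Start with no preceding Accept (e.g. server restarted): trust the NAS.
            self.sessions[user] = Session("active", port, now)
            return "created active"
        s.state, s.port, s.since = "active", port, now
        return "promoted to active"

    def accounting_stop(self, user: str) -> bool:
        """Accounting-Stop ends the session; True if one was recorded."""
        return self.sessions.pop(user, None) is not None


def replay_race(grace: float = GRACE_SECONDS) -> List[str]:
    """Replay the race from the thread: two Access-Requests for regtum14 within a
    second, with the NAS's Accounting-Start arriving only afterwards."""
    t = SimultaneousUse(grace)
    out = [t.access_request("regtum14", 4, 0.0)[0]]       # first login: accepted
    out.append(t.access_request("regtum14", 2, 0.3)[0])    # second: rejected by the pending record
    t.accounting_start("regtum14", 4, 3.0)                 # delayed Start confirms the first session
    out.append(t.access_request("regtum14", 2, 60.0)[0])   # still rejected: session is active
    t.accounting_stop("regtum14")
    out.append(t.access_request("regtum14", 2, 61.0)[0])   # accepted once the Stop has arrived
    return out


def replay_lost_start(grace: float = GRACE_SECONDS) -> List[str]:
    """An Accept whose Accounting-Start never arrives: the record expires after `grace`."""
    t = SimultaneousUse(grace)
    out = [t.access_request("alice", 1, 0.0)[0]]
    out.append(t.access_request("alice", 2, grace / 2)[0])    # inside the window: rejected
    out.append(t.access_request("alice", 2, grace + 1.0)[0])  # window passed: accepted again
    return out


# Detection side: radius.log "Login OK" lines. Constructed sample, modelled on the thread.
LOGIN_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login OK: "
    r"\[(?P<user>[^/\]]*)/[^\]]*\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)
SAMPLE_LOG = """\
Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD)
Wed Jun 11 18:20:10 2008 : Auth: Login OK: [otheruser/] (from client SBC-2393 port 7 cli 00-AA-BB-CC-DD-EE)
Wed Jun 11 18:25:00 2008 : Auth: Login OK: [otheruser/] (from client SBC-2393 port 9 cli 00-AA-BB-CC-DD-EE)
"""


def find_racing_logins(log: str, window: float = GRACE_SECONDS) -> List[Tuple[str, int, int]]:
    """Flag users granted a second Login OK from a different port within `window`
    seconds of the previous one: the signature of the race the tracker above closes."""
    last: Dict[str, Tuple[datetime, int]] = {}
    hits: List[Tuple[str, int, int]] = []
    for line in log.splitlines():
        m = LOGIN_OK.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        user, port = m["user"], int(m["port"])
        prev = last.get(user)
        if prev and prev[1] != port and (ts - prev[0]).total_seconds() <= window:
            hits.append((user, prev[1], port))
        last[user] = (ts, port)
    return hits
```

The tracker keys on the User-Name only, which is what Simultaneous-Use = 1 needs; the log check is the cheap way to confirm from an existing radius.log that a NAS is really delaying its Accounting-Start rather than the server ignoring the radutmp entry.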
Re: Freeradius Hardware requirements
nf-vale wrote:
> Please help me if you can. I need some data about Freeradius hardware
> "requirements".

Any commodity system will be fine.

> This is for a project I'm working on and I need to establish a minimum
> hardware requirements for a radius server (Freeradius 2.0.5) that will
> serve about 3000 users, and will be used as authentication and
> authorization server for some wireless AP's and 802.1x switches.

Any commodity system will be fine.

> It's expected that users will massively login (400 or more) at certain
> time and after that re-authentication will happen every 6 or 10 mn, for
> 802.1x clients.

"Massive login" at 400 users? There are ISP's with 10M users running FreeRADIUS. When a dial-up POP reboots, 30k users log in in 30s. FreeRADIUS handles this fine.

> Also I have some doubts about where to store user info, sql DB (postgres
> maybe) or LDAP. What would be the better solution, in terms of
> performance.

PostGreSQL would be my choice.

Alan DeKok.
Re: inner/outer authentication problem in 2.0.2
Hi,

I am planning to send some Vendor Specific attributes to the user based on inner authentication. But by way of hack, if a user knows some other valid user name in the system, he can use that as outer identity and get the policy setting of that user. So to avoid that I am just thinking: is there a way I can come out of this situation in freeradius?

Regards
gnreddy

2008/6/11 Ivan Kalik <[EMAIL PROTECTED]>:
> Why do you apply any policies to the outer identity?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 11/6/2008, "Gopinath Reddy N" <[EMAIL PROTECTED]> wrote:
>
> >Hello all,
> >
> >I am using freeradius 2.0.2 version with TTLS/MSCHAPv2
> >
> >I have two users in configuration
> >
> >tmpuser -> tmpgroup
> >emp1 -> employee
> >
> >
> >I am using "tmpuser" in outer authentication and "emp1" in inner
> >authentication. I have eap.conf file configured with
> >
> >ttls {
> >    copy_request_to_tunnel = yes
> >    use_tunneled_reply = yes
> >}
> >But when I login successfully freeradius is always applying policy from
> >"tmpgroup" which belongs to the user used in outer authentication. But it is
> >supposed to apply policy from employee group as I have used "employee" in
> >inner authentication.
> >
> >Could anybody let me know if this is a bug with freeradius or my
> >configuration is wrong.
> >
> >Thanks in advance
> >
> >Regards
> >gnreddy
Fwd: Help with Rewriting RAD_REQUEST in rlm_perl for proxy
Sorry, my bad, I upgraded to 2.0.5 and this all started to work fine :-)

-Ken

Begin forwarded message:

Greetings! I'm using freeradius installed from the freeradius.i386 1.1.3-1.2.el rpm on CentOS 5 (recompiled RedHat).
Help with Rewriting RAD_REQUEST in rlm_perl for proxy
king = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Module: Loaded perl
 perl: module = "/etc/raddb/modules/orange_filter.pl"
 perl: func_authorize = "authorize"
 perl: func_authenticate = "authenticate"
 perl: func_accounting = "accounting"
 perl: func_preacct = "preacct"
 perl: func_checksimul = "checksimul"
 perl: func_detach = "detach"
 perl: func_xlat = "xlat"
 perl: func_pre_proxy = "pre_proxy"
 perl: func_post_proxy = "post_proxy"
 perl: func_post_auth = "post_auth"
 perl: perl_flags = "(null)"
 perl: func_start_accounting = "(null)"
 perl: func_stop_accounting = "(null)"
 perl: max_clones = 32
 perl: start_clones = 5
 perl: min_spare_clones = 3
 perl: max_spare_clones = 3
 perl: cleanup_delay = 5
 perl: max_request_per_clone = 0
Module: Instantiated perl (perl)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.

rad_recv: Accounting-Request packet from host 165.217.8.24:32820, id=135, length=210
        NAS-IP-Address = 148.121.8.213
        Acct-Status-Type = Start
        User-Name = "[EMAIL PROTECTED]"
        NAS-Port = 4192
        NAS-Port-Type = Wireless-802.11
        Framed-IP-Address = 128.120.211.175
        Calling-Station-Id = "001CB3B8AC38"
        Called-Station-Id = "000B86425400"
        Acct-Session-Id = "kenlime001CB3B8AC38-B90"
        Acct-Authentic = RADIUS
        Acct-Delay-Time = 0
        Aruba-Essid-Name = "the-fake"
        Aruba-Location-Id = "SEG-FAKE-SOUTH"
        Aruba-User-Role = "wireless-stuff"
        Aruba-User-Vlan = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0
  modcall[preacct]: module "preprocess" returns noop for request 0
    rlm_realm: Looking up realm "somerealm.com" for User-Name = "[EMAIL PROTECTED] "
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Proxying request from user kenlime to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Preparing to proxy accounting request to realm "DEFAULT"
  modcall[preacct]: module "suffix" returns updated for request 0
  modcall[preacct]: module "files" returns noop for request 0
modcall: leaving group preacct (returns updated) for request 0
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 0
 radius_xlat:  '/var/log/radius/radacct/169.237.4.24/detail-20080611'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/169.237.4.24/detail-20080611
rlm_detail: Freeradius-Proxied-To set to 169.237.4.13
  modcall[accounting]: module "detail" returns ok for request 0
 radius_xlat:  '/var/log/radius/radutmp'
 radius_xlat:  '[EMAIL PROTECTED]'
  modcall[accounting]: module "radutmp" returns ok for request 0
modcall: leaving group accounting (returns ok) for request 0
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 0
perl_pool: item 0x9b3ae48 asigned new request.
Handled so far: 1 found interpetator at address 0x9b3ae48
start pre_proxy ***
rlm_perl: RAD_REQUEST: NAS-Port-Type = Wireless-802.11
rlm_perl: RAD_REQUEST: Acct-Session-Id = 12345678
rlm_perl: RAD_REQUEST: Called-Station-Id = 000B86425400
rlm_perl: RAD_REQUEST: Client-IP-Address = 165.217.8.24
rlm_perl: RAD_REQUEST: Aruba-User-Role = wireless-stuff
rlm_perl: RAD_REQUEST: Acct-Authentic = RADIUS
rlm_perl: RAD_REQUEST: Acct-Status-Type = Start
rlm_perl: RAD_REQUEST: Realm = ARRAY(0x9c4374c)
rlm_perl: RAD_REQUEST: NAS-IP-Address = 148.121.8.213
rlm_perl: RAD_REQUEST: Calling-Station-Id = 001CB3B8AC38
rlm_perl: RAD_REQUEST: Aruba-Essid-Name = the-fake
rlm_perl: RAD_REQUEST: User-Name = 12345678
rlm_perl: RAD_REQUEST: Aruba-Location-Id = SEG-FAKE-SOUTH
rlm_perl: RAD_REQUEST: Aruba-User-Vlan = 0
rlm_perl: RAD_REQUEST: Framed-IP-Address = 128.120.211.175
rlm_perl: RAD_REQUEST: NAS-Port = 4192
rlm_perl: RAD_REQUEST: Acct-Delay-Time = 0
returning from pre_proxy ***
rlm_perl: Added pair User-Name = 12345678
rlm_perl: Added pair Acct-Session-Id = 12345678
rlm_perl: Added pair Proxy-To-Realm = DEFAULT
perl_pool total/active/spare [5/0/5]
Unreserve perl at address 0x9b3ae48
  modcall[pre-proxy]: module "perl" returns updated for request 0
modcall: leaving group pre-proxy (returns updated) for request 0
Sending Accounting-Request of id 0 to 169.237.4.13 port 1813
        NAS-IP-Address =
Simultaneous-Use and radwho
Hi,

I haven't been given authorization to do a radiusd -X yet, but I'm seeing something in my logs that I don't get. A user is logging in multiple times, so I put on Simultaneous-Use and it goes against the radutmp. So I test it by hand and I get in radius.log:

Wed Jun 11 17:30:45 2008 : Auth: Multiple logins (max 1) : [regtum14/TESTING] (from client localhost port 1812)

Ok, good. So I reset the device and make sure it gets an:

Wed Jun 11 18:17:04 2008 : Info: rlm_radutmp: NAS 192.168.75.39 restarted (Accounting-On packet seen)
Wed Jun 11 18:17:04 2008 : Info: rlm_sql (sql): received Acct On/Off packet

But it seems somehow they are able to "race" it :

Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from client SBC-2393 port 4 cli 00-13-02-20-F9-DC)
Wed Jun 11 18:19:53 2008 : Auth: Login OK: [regtum14/] (from client SBC-2393 port 2 cli 00-1B-9E-C4-9E-CD

Would switching to SQL be better? (Or is this something that MUST have a radiusd -X to resolve?)

Thanks, Tuc
Re: Forcing lowercase User-Name with rlm_perl
Wow Chris, looks great and is very helpful! I will test it tomorrow and give short feedback on whether it works.

Thanks a lot,
oz

On Wed, 11 Jun 2008 14:28:13 -0700
Chris <[EMAIL PROTECTED]> wrote:

> I'm doing this:
>
> perl_tolower.pm:
> use strict;
> use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
> #
> # This is the remapping of return values
> #
> use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
> use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
> use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
> use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
> use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
> use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
> use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
> use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
> use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
> use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */
>
> sub authorize {
>     $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
>     return RLM_MODULE_OK;
> }
>
> sub preacct {
>     $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
>     return RLM_MODULE_OK;
> }
>
> radiusd.conf:
> modules {
>     ...
>     perl {
>         module = /usr/local/etc/perl_tolower.pm
>     }
>     ...
> }
>
> In sites-enabled/default:
>
> authorize {
>     preprocess
>     perl
>     ...
> }
>
> preacct {
>     preprocess
>     perl
>     ...
> }
>
> Works great as long as you don't have occasion for upper-case in User-Name.
>
> I am pretty sure when you define the module, you can have multiple
> instances. It might be better to name this module perl-lc-username
> and use perl-lc-username in the authorize{} and preacct{} sections of
> sites-enabled/default.
>
> Like this:
>
> radiusd.conf:
>
> modules {
>     ...
>     perl-lc-username {
>         module = /usr/local/etc/perl_tolower.pm
>     }
>     ...
> }
>
> In sites-enabled/default:
>
> authorize {
>     preprocess
>     perl-lc-username
>     ...
> }
>
> preacct {
>     preprocess
>     perl-lc-username
>     ...
> }
>
> That'd be a lot clearer when you're looking at it months or years
> later. I haven't tried this but it works with other modules.
>
> On Jun 11, 2008, at 1:04 PM, oz wrote:
>
> > On Sat, 17 May 2008 18:09:09 -0700
> > Chris <[EMAIL PROTECTED]> wrote:
> >
> >> Thanks. I'll look at lc.
> >> I was actually more concerned about the interfacing with
> >> freeradius than the perl itself.
> >
> > Hello, another user here, who needs "lower_user = before" to be able
> > to switch to freeradius-2.0.x. Our database is a historically grown
> > users-file.
> >
> > Were you or somebody else able to follow the advice of using
> > rlm_perl and lc()?
> >
> > I must admit, I'm not able to program freeradius-perl-plugins :-/, but
> > would test it if necessary. At the moment I don't even have the
> > rlm_perl in /usr/local/lib/, but that I could solve by myself I guess
> > (libperl-dev wasn't already installed during compile-time on my minimal
> > Debian/lenny etc.).
> >
> > I know, there is nothing like a wishlist, but the lowercase-feature is
> > essential if we want to use 2.x in the future.
> >
> > kind regards
Freeradius Hardware requirements
Hi all,

Please help me if you can. I need some data about Freeradius hardware "requirements".

This is for a project I'm working on and I need to establish minimum hardware requirements for a radius server (Freeradius 2.0.5) that will serve about 3000 users, and will be used as authentication and authorization server for some wireless AP's and 802.1x switches. It's expected that users will massively login (400 or more) at a certain time and after that re-authentication will happen every 6 or 10 mn, for 802.1x clients.

Also I have some doubts about where to store user info, SQL DB (postgres maybe) or LDAP. What would be the better solution, in terms of performance?

The OS is a Debian alike (2.6.19 kernel).

Can anybody provide me some info on this?

Thanks in advance
Nelson Vale
Re: Forcing lowercase User-Name with rlm_perl
I'm doing this:

perl_tolower.pm:

use strict;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
#
# This is the remapping of return values
#
use constant RLM_MODULE_REJECT   => 0; # /* immediately reject the request */
use constant RLM_MODULE_FAIL     => 1; # /* module failed, don't reply */
use constant RLM_MODULE_OK       => 2; # /* the module is OK, continue */
use constant RLM_MODULE_HANDLED  => 3; # /* the module handled the request, so stop. */
use constant RLM_MODULE_INVALID  => 4; # /* the module considers the request invalid. */
use constant RLM_MODULE_USERLOCK => 5; # /* reject the request (user is locked out) */
use constant RLM_MODULE_NOTFOUND => 6; # /* user not found */
use constant RLM_MODULE_NOOP     => 7; # /* module succeeded without doing anything */
use constant RLM_MODULE_UPDATED  => 8; # /* OK (pairs modified) */
use constant RLM_MODULE_NUMCODES => 9; # /* How many return codes there are */

sub authorize {
    $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_OK;
}

sub preacct {
    $RAD_REQUEST{'User-Name'} = lc($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_OK;
}

radiusd.conf:

modules {
    ...
    perl {
        module = /usr/local/etc/perl_tolower.pm
    }
    ...
}

In sites-enabled/default:

authorize {
    preprocess
    perl
    ...
}

preacct {
    preprocess
    perl
    ...
}

Works great as long as you don't have occasion for upper-case in User-Name.

I am pretty sure when you define the module, you can have multiple instances. It might be better to name this module perl-lc-username and use perl-lc-username in the authorize{} and preacct{} sections of sites-enabled/default.

Like this:

radiusd.conf:

modules {
    ...
    perl-lc-username {
        module = /usr/local/etc/perl_tolower.pm
    }
    ...
}

In sites-enabled/default:

authorize {
    preprocess
    perl-lc-username
    ...
}

preacct {
    preprocess
    perl-lc-username
    ...
}

That'd be a lot clearer when you're looking at it months or years later. I haven't tried this but it works with other modules.

On Jun 11, 2008, at 1:04 PM, oz wrote:

> On Sat, 17 May 2008 18:09:09 -0700
> Chris <[EMAIL PROTECTED]> wrote:
>
>> Thanks. I'll look at lc.
>> I was actually more concerned about the interfacing with freeradius than the
>> perl itself.
>
> Hello, another user here, who needs "lower_user = before" to be able to
> switch to freeradius-2.0.x. Our database is a historically grown users-file.
>
> Were you or somebody else able to follow the advice of using rlm_perl and lc()?
>
> I must admit, I'm not able to program freeradius-perl-plugins :-/, but
> would test it if necessary. At the moment I don't even have the rlm_perl
> in /usr/local/lib/, but that I could solve by myself I guess (libperl-dev
> wasn't already installed during compile-time on my minimal Debian/lenny etc.).
>
> I know, there is nothing like a wishlist, but the lowercase-feature is
> essential if we want to use 2.x in the future.
>
> kind regards
Memory Problem
I installed FreeRadius 2.0.3 just for accounting and I'm receiving 200/300 accts/s. I have a serious problem: the memory used by the radiusd process starts to increase and doesn't stop. I think that happens because FreeRadius uses the memory and keeps it forever. Can anyone help me?

Thanks,
Caio Oliveira
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> See why I say I don't know a whole lot about how all this works?? :) So
> it sounds like I don't even need LDAP, but it's helpful for at least
> testing the RADIUS configuration with a program like NTRadPing to make
> sure it's working correctly before jumping into the EAP-TLS setup.

Yes.

>> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any
> suggestions as to where to find some good HOWTO docs? I went through
> the FreeRADIUS Wiki, but it wasn't very complete.

The configuration files that the server comes with are pretty complete. To be honest, it's pretty much impossible to write any good HOWTO's for RADIUS. With tiny edits (as documented and explained in the configs), the default configuration works with PAP, CHAP, MS-CHAP, Digest, EAP-MD5, EAP-MSCHAPv2, PEAP, EAP-TTLS. Follow the explanations in the config files, and add support for LDAP, SQL, ... Any HOWTO will be not much more than "read the config files, and follow their instructions".

Alan DeKok.
Re: Forcing lowercase User-Name with rlm_perl
On Sat, 17 May 2008 18:09:09 -0700
Chris <[EMAIL PROTECTED]> wrote:

> Thanks. I'll look at lc.
> I was actually more concerned about the interfacing with freeradius than the
> perl itself.

Hello, another user here, who needs "lower_user = before" to be able to switch to freeradius-2.0.x. Our database is a historically grown users-file.

Were you or somebody else able to follow the advice of using rlm_perl and lc()?

I must admit, I'm not able to program freeradius-perl-plugins :-/, but would test it if necessary. At the moment I don't even have the rlm_perl in /usr/local/lib/, but that I could solve by myself I guess (libperl-dev wasn't already installed during compile-time on my minimal Debian/lenny etc.).

I know, there is nothing like a wishlist, but the lowercase-feature is essential if we want to use 2.x in the future.

kind regards
Re: 'Attribute "User-Password" is required for authentication.' (EAP/TTLS/RADIUS/PAM)
sth wrote:
> Hi folks,

Posting huge amounts of configuration files to the list isn't necessary.

> My NAS is talking to the FR instance (being run in "-X" debug mode, of
> course), but the NAS doesn't appear to be sending the "User-Password"
> attribute that FR is expecting.

No. It's sending EAP-Message. This is how RADIUS works.

> What I'm going for, here, is EAP/TTLS.
> I've synthesized a few HOWTOs* to arrive at my current configuration,
> which is attached in the form of my (sanitized) radiusd.conf,
> clients.conf, and eap.conf, as well as /etc/pam.d/radiusd.

Why? Which part of the documentation said this was a good idea?

> Also attached are a few sample conversations as seen from the
> perspective of FR using a user that's active in PAM
> (radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND
> one using an account that's local at FR, i.e., in the /etc/raddb/users
> file (radiusd-X_testuser_actual_eap_client.txt).

Ugh. More "I tried random things and I'm not sure what they did, or why they didn't work".

> My test case will eventually include Windows XP Pro, Vista Business, and
> Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it
> seems to have very flexible native support for mucking with 802.1x
> settings.

The version of FreeRADIUS you're running won't work with Vista. Upgrade to 2.0.5.

> I did see mention of a similar symptom in my searches, and a few
> (including this one[2]) suggested that a fix was forthcoming in 1.1.5.
> By way of attempting this, I tried rolling my own 2.0.5 instance of FR,
> but it had the same problem.

Similar symptom of... what? Are we supposed to read thousands of lines of debug output, from 6 different runs, and no explanation of what you're trying to do?

The method you're using to ask questions on the list explains why this is such a hard problem to solve. You're not starting off with the default configs. You're not following the examples. You're trying tons of different things at random to see if they work. And you expect someone here to work through it, figure out what you mean, and solve the problem.

Umm... no.

> In any case, this seems to be one of the more common errors for people
> attempting 802.1x auth via RADIUS, and since there are so many different
> scenarios cited by the posts I'm finding,

So you're reading random posts on the net, rather than the documentation that comes with the server. The documentation that comes with the server explains a lot. The Wiki has more documentation.

> I hoped that the knowledgeable
> ~ among you might analyze and comment on my configuration. I can provide
> further information and diagnostic output upon request.

No. Start off with 2.0.5. Read the FAQ. Add a known user, as given by the example in the FAQ. Un-check "validate server cert" on the Windows box. PEAP will work. It's that easy.

Oh, and PAM isn't a useful authentication method for wireless. See my web page: http://deployingradius.com/documents/protocols/oracles.html

Alan DeKok.
Re: 'Attribute "User-Password" is required for authentication.' (EAP/TTLS/RADIUS/PAM)
As far as I understand your config files, you want to use MD5. So the questions are:

- is the client really sending MD5 hashes (or is it sending NT hashes for example)
- can PAM handle it?
- has PAM access to the password in MD5 or in clear to be able to check against it?

I hope that my hints could bring you forward.

Have a nice day!

PS.: personally what I find curious is that there is no "ttls" in the log, except at initialization of radiusd.

On 11.06.2008 at 20:47, sth wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> [...]
>
> I did see mention of a similar symptom in my searches, and a few
> (including this one[2]) suggested that a fix was forthcoming in 1.1.5.
> By way of attempting this, I tried rolling my own 2.0.5 instance of FR,
> but it had the same problem.
>
> Alan's post here[3] indicates, "It needs a password." What I'm not clear
> on is _what_ needs a password: is the client not sending it, or does the
> FR server not have access to the backend against which it should be
> verifying the password incoming from the client? If the client is not
> sending it, how might I go about ascertaining why?
>
> In any case, this seems to be one of the more common errors for people
> attempting 802.1x auth via RADIUS, and since there are so many different
> scenarios cited by the posts I'm finding, I hoped that the knowledgeable
> ~ among you might analyze and comment on my configuration. I can provide
> further information and diagnostic output upon request.
>
> If at any point it's appropriate for someone to say, "You fool! You can't
> have WPA(2) Enterprise authentication for both Mac and Windows!" please,
> don't hesitate to do so. ;-)
>
> [...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
'Attribute "User-Password" is required for authentication.' (EAP/TTLS/RADIUS/PAM)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

I've been tasked with determining the feasibility of migrating a campus wireless deployment from "open wireless plus VPN" to WPA2 Enterprise. The existing VPN server authenticates against a RHEL4 FreeRADIUS server (1.0.1-3.RHEL4.5, the latest available distro-standard package), which itself primarily auths against PAM. (There are a few users defined in the RADIUS users file, but these are the exception rather than the rule.) This function is to be bolted onto an existing, production FreeRADIUS server, which is why I'm using such an old version of FR.

My NAS is talking to the FR instance (being run in "-X" debug mode, of course), but the NAS doesn't appear to be sending the "User-Password" attribute that FR is expecting.

What I'm going for, here, is EAP/TTLS. I've synthesized a few HOWTOs* to arrive at my current configuration, which is attached in the form of my (sanitized) radiusd.conf, clients.conf, and eap.conf, as well as /etc/pam.d/radiusd. FWIW, I'm getting good answers when running 'radtest' locally, so the FR-to-PAM linkage is working properly.

* Namely, Hack #44 from O'Reilly's "Wireless Hacks, 2nd Ed." and an article[1] from Free Software Magazine.

Also attached are a few sample conversations as seen from the perspective of FR using a user that's active in PAM (radiusd-X_actual_eap_client.txt and radiusd-X_radeapclient.txt), AND one using an account that's local at FR, i.e., in the /etc/raddb/users file (radiusd-X_testuser_actual_eap_client.txt).

My test case will eventually include Windows XP Pro, Vista Business, and Mac OS X 10.4 specimens, but for now I'm using only Mac OS X 10.5, as it seems to have very flexible native support for mucking with 802.1x settings.

I did see mention of a similar symptom in my searches, and a few (including this one[2]) suggested that a fix was forthcoming in 1.1.5. By way of attempting this, I tried rolling my own 2.0.5 instance of FR, but it had the same problem.

Alan's post here[3] indicates, "It needs a password." What I'm not clear on is _what_ needs a password: is the client not sending it, or does the FR server not have access to the backend against which it should be verifying the password incoming from the client? If the client is not sending it, how might I go about ascertaining why?

In any case, this seems to be one of the more common errors for people attempting 802.1x auth via RADIUS, and since there are so many different scenarios cited by the posts I'm finding, I hoped that the knowledgeable ~ among you might analyze and comment on my configuration. I can provide further information and diagnostic output upon request.

If at any point it's appropriate for someone to say, "You fool! You can't have WPA(2) Enterprise authentication for both Mac and Windows!" please, don't hesitate to do so. ;-)

Thanks in advance for your time.

Cheers,
- -sth

[1] http://www.freesoftwaremagazine.com/community_posts/howto_incremental_setup_freeradius_server_eap_authentications
[2] http://lists.cistron.nl/pipermail/freeradius-users/2007-February/060265.html
[3] http://www.mail-archive.com/[EMAIL PROTECTED]/msg22607.html

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com
Yes, my television runs Linux, too. Yes, really. http://mythtv.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkhQHdEACgkQX8KByLv3aQ2ZlwCdFRD/+GGPomxSZmdJq+fD3T24
8I4AoLkwSuUwdjcCrnu48HF7obHCX2qy
=yzeE
-----END PGP SIGNATURE-----

(attached clients.conf)

client 127.0.0.1 {
    secret = testing123
    shortname = localhost
    nastype = other # localhost isn't usually a NAS...
}
client w.x.y.z {
    secret = supersecret
    shortname = sth_wireless_test
}

(attached eap.conf)

eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        private_key_password = ultrasecret
        private_key_file = ${raddbdir}/certs/eap-test.pem
        certificate_file = ${raddbdir}/certs/eap-test.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
Re: freeradius 2.05 peap and ldap bind?
> We just installed freeradius 2.05 on a Centos 5 system. We got
> PEAP working rather quickly against our ldap server against LM/NT
> passwords. We would also like to allow clients using Securew2
> supplicants configured for TTLS -PAP connections against (crypt and
> SSHA) passwords stored in our ldap database.

You have done it. If PEAP works, so will EAP-TTLS/PAP.

Ivan Kalik
Kalik Informatika ISP
RE: FreeRadius/eDirectory/802.1X authentication issue
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, June 11, 2008 10:30 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
> > We need to have FreeRADIUS speak LDAP
> > with Novell eDirectory, and be able to authenticate wireless clients
> > using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
>
> Er... EAP-TLS means that it won't normally do user lookups in LDAP.

See why I say I don't know a whole lot about how all this works?? :) So it sounds like I don't even need LDAP, but it's helpful for at least testing the RADIUS configuration with a program like NTRadPing to make sure it's working correctly before jumping into the EAP-TLS setup.

> And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any suggestions as to where to find some good HOWTO docs? I went through the FreeRADIUS Wiki, but it wasn't very complete.

Thanks!

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
Re: Forwarding username and framed-ip-address to two destinations
issbruek wrote:
> we are using FreeRADIUS 1.1.7 and are looking for a solution to forward username and framed-ip-address to another additional IP-address.

Using... what protocol?

> Currently the radiusserver receives the accounting data and stores it into a sql-database. In the end we want freeradius to send the data towards the SQL-database AND the other IP address. How would a solution look like?

radrelay. Use 2.0.5. See raddb/sites-available/copy-acct-to-home-server.

Alan DeKok.
Re: freeradius 2.05 peap and ldap bind?
Tim Tyler wrote:
> Freeradius experts,
> We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database.

That shouldn't be hard.

> I presume we need to do an ldap bind?

I would suggest not. LDAP bind is a hack. LDAP is a *database*. Use it as a *database*.

> How do I configure TTLS-pap requests to do an ldap bind for authorization/authentication without breaking PEAP in 2.05? which 2.05 config file(s) will handle this directly?

Configure the LDAP module to pull the passwords from LDAP, and add them into the request. This is, in fact, in the default config.

> Note:
> In the old 1.x configs, I used to use the following authorize and authentication configs show below to allow secureW2 users configured with TTLS-pap to work:
...

In 2.0, the virtual servers make your life easier. A LOT easier. See raddb/inner-tunnel, and references to "inner-tunnel" in raddb/eap.conf. There's even a sample config for testing the inner tunnel portion without doing EAP...

Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work.

As would I.

This isn't a RADIUS thing. It's a Windows thing. FreeRADIUS is at the mercy of the Windows system, which is doing weird things. And that's not just me blaming everything on other people's software. There's really no other conclusion possible from your description.

> We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Er... EAP-TLS means that it won't normally do user lookups in LDAP.

And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.

Alan DeKok.
RE: FreeRadius/eDirectory/802.1X authentication issue
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Phil Mayers
> Sent: Wednesday, June 11, 2008 2:00 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
>
> On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
> >login credentials each time. The "Use Windows login credentials" (or whatever it's called; can't remember off the top of my head) option is checked. In fact, if I un-check it and have Windows prompt me for the credentials, then the authentication works properly! (With or without
>
> reset the users profile. we've had the same problem here and that fixed it.

Tried that first thing; no luck, unfortunately. And again, these were brand new laptops with brand new profiles, so that shouldn't have mattered, but I did it anyway just to be safe.

I am looking into setting up a test RADIUS server with FreeRADIUS 2.0.5, since the current server is running 1.1.0. As I mentioned before, though, I don't know a lot about RADIUS, and would love to find some HOW-TO's to help me make it work. We need to have FreeRADIUS speak LDAP with Novell eDirectory, and be able to authenticate wireless clients using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).

Bryce Newall
Systems Administrator
Poway Unified School District
(858) 679-2576
[EMAIL PROTECTED]
freeradius 2.05 peap and ldap bind?
Freeradius experts,

We just installed freeradius 2.05 on a Centos 5 system. We got PEAP working rather quickly against our ldap server against LM/NT passwords. We would also like to allow clients using Securew2 supplicants configured for TTLS -PAP connections against (crypt and SSHA) passwords stored in our ldap database. I presume we need to do an ldap bind? How do I configure TTLS-pap requests to do an ldap bind for authorization/authentication without breaking PEAP in 2.05? which 2.05 config file(s) will handle this directly?

Note:
In the old 1.x configs, I used to use the following authorize and authentication configs show below to allow secureW2 users configured with TTLS-pap to work:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    ldap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    unix
    Auth-Type LDAP {
        ldap
    }
    eap
}

Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]
Re: Check Items on launch
Hi,

What do you have in the users file, starting from line 28?

kind regards
Pshem

2008/6/12 Breuer Nicolas <[EMAIL PROTECTED]>:
> Just a question,
>
> Is it normal that warning on the launch of the radiusd
>
> [users]:28 WARNING! Check item "Pool-Suffix" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items
>
> This attribute is an internal reply attribute
>
> Added in local Dictionary...
> ATTRIBUTE Pool-Suffix 3000 string
>
> If it's only a warning OK but this is not a CHECK item but a REPLY item :)
>
> Thanks
Forwarding username and framed-ip-address
Hi,

we are using FreeRADIUS 1.1.7 and are looking for a solution to forward username and framed-ip-address to another additional IP-address. Currently the radiusserver receives the accounting data and stores it into a sql-database. In the end we want freeradius to send the data towards the SQL-database AND the other IP address. How would a solution look like?

regards,
issbruek
Re: Certificate Error!
Issuer: ..., MarNet
Subject: ..., MarsNet

Check certificate details. It seems that there are some typing errors there.

Ivan Kalik
Kalik Informatika ISP

On 11/6/2008, "Kwok Sianbin" <[EMAIL PROTECTED]> wrote:

>Hi Ivan,
>
>The date shows in Client Cert as word format and dates are correct.
>
>Here I attach Cert details tab.
>
>Root certificate is fine.. both client and root certificates were generated at the same time.
>
>Afterward I tried to connect but connection failed.
>
>--- On Tue, 6/10/08, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>From: Ivan Kalik <[EMAIL PROTECTED]>
>Subject: Re: Certificate Error!
>To: "FreeRadius users mailing list"
>Date: Tuesday, June 10, 2008, 4:59 PM
>
>What is the system date format on that XP: day/month/year or month/day/year? Click on the certificate details tab. Are dates printed as words or numbers?
>
>Ivan Kalik
>Kalik Informatika ISP
>
>On 10/6/2008, "Kwok Sianbin" <[EMAIL PROTECTED]> wrote:
>
>>Hi Ivan,
>>The dates are ok (up-to-date).
>>Here I attach the certificate
>>
>>- Original Message
>>From: Ivan Kalik <[EMAIL PROTECTED]>
>>To: freeradius-users@lists.freeradius.org
>>Sent: Tuesday, June 10, 2008 12:00:33 AM
>>Subject: Re: Certificate Error!
>>
>>>and then copy ca.der, client.p12 then I install the certificate into Windows XP.
>>>
>>>When click the client certificate and it shows
>>>
>>>"Windows doesn't have enough information to verify this certificate"
>>>
>>>Server cert in Trusted Root Cert
>>>
>>>"This certificate has expired or is not yet valid.
>>
>>And below there is a line Valid from ... to ... - what are the dates?
>>
>>Ivan Kalik
>>Kalik Informatika ISP
RE: FR and PEAP question
>In ldap.attrmap I have the line:
>checkItem NT-Password ntPassword
>
>in radiusd.conf in my ldap declaration, I have:
>password_attribute = ntPassword

And that would work if you were using pap module. But you are using mschap. That one looks for cleartext password first. If it doesn't find it tries nt stuff. And you have an encrypted User-Password here. Delete that ...

>Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password = ĂĽ,ÂŹgA??"J;???ÂŚĂm in check items

.. and server will use this one:

>Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in directory...
>Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d

And you won't see any of this:

>Wed Jun 11 09:42:02 2008 : Debug: !!!
>Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!!
>Wed Jun 11 09:42:02 2008 : Debug: !!!
>Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that the "known good" !!!
>Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>Wed Jun 11 09:42:02 2008 : Debug: !!!
>Wed Jun 11 09:42:02 2008 : Debug: auth: type Local

On top of that - what happened to the eap module? It should be called before files. You haven't commented that out by any chance?

Ivan Kalik
Kalik Informatika ISP
Re: MySQL connection over SSL possible?
Anders Holm wrote:
> Hitting "Reply All" in most MUAs would do this. The list should be smart enough to only forward on one copy per recipient ...

It's not. We get 2 copies of every mail you send to the list.

> ALL mails I receive for this list has the list in *both* TO and CC headers

Must be a local mailer thing. I see:

From: you
Sender: freeradius-users-bounces...
Reply-To: [EMAIL PROTECTED]
To: freeradius-users@

Alan DeKok.
Re: Redundant SQLIPPOOL > NOK
Breuer Nicolas wrote:
>>> LIVE SYSTEM = SQLIPPOOL
>
> When database was down it works but when radius received a 1017 error, it doesn't go to the second module.

Yes, this was discussed before. The code hasn't changed since last time, so the answer hasn't changed, either.

Alan DeKok.
Re: MySQL connection over SSL possible?
Hitting "Reply All" in most MUAs would do this. The list should be smart enough to only forward on one copy per recipient ...

ALL mails I receive for this list has the list in *both* TO and CC headers

//anders

- Original Message -
From: "Nicolas Goutte" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Wednesday, June 11, 2008 11:15:38 AM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Please try to avoid to send emails to the list as "TO" *and* as "CC". (I (and probably not only me) get your messages always twice.)

Have a nice day!

On 11.06.2008 at 11:31, Anders Holm wrote:
> "There are other options."
>
> Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..
>
> //anders
>
> - Original Message -
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" [EMAIL PROTECTED]>
> Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: MySQL connection over SSL possible?
>
> Anders Holm wrote:
>> So, that's a "yes" .. :)
>
> Yes.
>
>> rlm_sql_mysql is the driver, and I'd rather not have my own version running, but would love to see that rolled in, if possible. My only problem with creating a patch and send it in is more that I am not a coder really. I'd be more likely to create more problems then I'd solve .. ;)
>
> There are other options.
>
> Alan DeKok.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Redundant SQLIPPOOL > NOK
Dear,

Redundant config seems not working.

Conf :

LIVE-SYSTEM-01 {
    fail=1
}
if (!ok) {
    LIVE-SYSTEM-02
}

>> LIVE SYSTEM = SQLIPPOOL

When database was down it works but when radius received a 1017 error, it doesn't go to the second module. I checked the same thing with the accounting (sql module) > OK.

Receive an Alive packet so Start the SQLIPPOOL module (in our config - not very standart)

++? if (!ok)
? Evaluating !(ok) -> TRUE
++? if (!ok) -> FALSE
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 1
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-01): sql_set_user escaped user --> '[EMAIL PROTECTED]'
expand: BEGIN -> BEGIN
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-01): sql_set_user escaped user --> '[EMAIL PROTECTED]'
expand: UPDATE radippool SET nas_ip_address = '%{NAS-IP-Address}', rb_path='%{Calling-Station-Id}', calling_station_id = '%{User-Name}', expiry_time = DATE_ADD(NOW(), INTERVAL 86400 SECOND) WHERE ip_address = '%{Framed-IP-Address}' -> UPDATE radippool SET nas_ip_address = '217.112.179.1', rb_path='*xxx*14/1*35*272', calling_station_id = '[EMAIL PROTECTED]', expiry_time = DATE_ADD(NOW(), INTERVAL 86400 SECOND) WHERE ip_address = '217.112.179.x'

> ERROR RECEIVED

rlm_sql_mysql: MYSQL check_error: 1017 received
sqlippool_command: database query error in: 'UPDATE radippool SET nas_ip_address = '217.112.179.1', rb_path='*vxx4/1*35*272', calling_station_id = '[EMAIL PROTECTED]', expiry_time = DATE_ADD(NOW(), INTERVAL 86400 SECOND) WHERE ip_address = '217.112.179.5''
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-01): sql_set_user escaped user --> '[EMAIL PROTECTED]'
expand: COMMIT -> COMMIT
rlm_sql (ACCOUNTING-01): Released sql socket id: 1
++[LIVE-SYSTEM-01] returns ok

Returns OK but >> sqlippool_command: database query error in

For info : i paste the same scenario on the sql module (accounting) , who works :

+- entering group accounting
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-01): sql_set_user escaped user --> '[EMAIL PROTECTED]'
expand: INSERT into radacct
rlm_sql (ACCOUNTING-01): Reserving sql socket id: 0
rlm_sql_mysql: MYSQL check_error: 1017 received

> Alternate query:

expand: UPDATE radacct SET AcctStartTime .
rlm_sql_mysql: MYSQL check_error: 1017 received
rlm_sql_mysql: MYSQL check_error: 1017 received
rlm_sql_mysql: Cannot store result
++[ACCOUNTING-01] returns fail

OK!!! > Go to Second database..

++? if (!ok)
? Evaluating !(ok) -> FALSE
++? if (!ok) -> TRUE
++- entering if (!ok)
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-02):

But On the SQLIPPOOL on the post auth section it works (same table) ... Hum , Strange

rlm_sql_mysql: MYSQL check_error: 1017 received
sqlippool_query1: database query error
expand: %{User-Name} -> [EMAIL PROTECTED]
rlm_sql (ACCOUNTING-01): sql_set_user escaped user --> '[EMAIL PROTECTED]'
expand: COMMIT -> COMMIT
rlm_sql (ACCOUNTING-01): Released sql socket id: 2
rlm_sqlippool: IP address could not be allocated.
expand: IP Allocation FAILED from XXX
+++[LIVE-SYSTEM-01] returns noop

>>> NOop so NOT OK , > Go to the 2nd db :

+++? if (!ok)
? Evaluating !(ok) -> FALSE
+++? if (!ok) -> TRUE
+++- entering if (!ok)
rlm_sql (ACCOUNTING-02): Reserving sql socket id: 2
etc...
Allocated IP: 217.112.186.180 from ip_pooling (did cli port user [EMAIL PROTECTED])
[LIVE-SYSTEM-02] returns ok
Re: FR and PEAP question
On 11.06.2008 at 14:48, Matt Ashfield wrote:

> Hi
>
> I’m still trying to get this working. I’m using an XP machine plugged into an edge switch acting as a NAS. I’m using the PEAP/MSCHAP in XP to authenticate against an LDAP directory. In that directory, we have created an attribute called ntPassword which I have populated with the word ‘password’ (create, I know!). Below is what I get when I run in debug mode.

You have coded "Password" in UTF-16LE and applied the MD4 hash on it, before putting it in "ntPassword", haven't you?

Have a nice day!

> In ldap.attrmap I have the line:
> checkItem NT-Password ntPassword
>
> in radiusd.conf in my ldap declaration, I have:
> password_attribute = ntPassword
>
> I can’t quite figure out what’s going on below. Looks to me like the passwords are not matching. Any advice is appreciated.
>
> Thanks
>
> [...]
>
> Matt
> [EMAIL PROTECTED]
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
> Sent: Tuesday, June 10, 2008 11:21 AM
> To: freeradius-users@lists.freeradius.org
> Subject: RE: FR and PEAP question
>
> eapol_test from wpa_supplicant
> JRadius Simulator
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> wrote:
>
>>I'd like to test this with PEAP/MSCHAP requests if possible. Is there a howto? Clearly I'm down the wrong path here.
>>
>>Matt
>>[EMAIL PROTECTED]
>>
>>-Original Message-
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>>Sent: Tuesday, June 10, 2008 11:02 AM
>>To: freeradius-users@lists.freeradius.org
>>Subject: RE: FR and PEAP question
>>
>>FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You can't test for it with pap requests (radtest).
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>
>>On 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> wrote:
>>
>>>I thought it would get referenced because in my users file I have:
>>>
>>>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>>>        User-Name=`%{User-Name}`,
>>>        Tunnel-Private-Group-Id=staff,
>>>        Tunnel-Type=VLAN,
>>>        Fall-Through = no
>>>
>>>And in huntgroups I have this. Although I am unsure if this is correct.
>>>UNBFWSS NAS-IP-Address == 127.0.0.1
>>>
>>>Matt
>>>[EMAIL PROTECTED]
>>>
>>>-Original Message-
>>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>>>Sent: Tuesday, June 10, 2008 10:36 AM
>>>To: freeradius-users@lists.freeradius.org
>>>Subject: RE: FR and PEAP question
>>>
>>>>The password that is being supplied by radtest is in plain-text, should I be supplying it in ntPassword-encrypted format?
>>>
>>>No.
>>>
>>>>It looks to me like I have something wrong with my authenticate section.
>>>>
>>>>My authorize section looks like:
>>>>authorize {
>>>>    preprocess
>>>>    chap
>>>>    mschap
>>>>    suffix
>>>>    eap
>>>>    Autz-Type Ldap1 {
>>>>        redundant-load-balance {
>>>>            unbldap
>>>>            unbldap2
>>>>        }
>>>>        mschap
>>>>    }
>>>>}
>>>
>>>Not really. You just haven't called that Autz-Type anywhere.
>>>
>>>Ivan Kalik
>>>Kalik Informatika ISP

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing Directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Ivan Kalik wrote:
> Have the Tunnel attributes appeared now in the Access-Accept? If they have, that's all radius server can do. If the switch doesn't understand tunnel attributes ...

Yes. Now tunnel attributes began to be appeared. We with Victor shall lay out working configs and we shall close bugreport.

Thanks for the help.

Best regards
Gennadii Redko.

> Ivan Kalik
> Kalik Informatika ISP
>
> On 11/6/2008, "Gennadiy Redko" <[EMAIL PROTECTED]> wrote:
>
>> Ivan Kalik wrote:
>>> Did you put use-tunneled-reply=yes in peap config? I also can't see freeradius config files.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>
>> Hi, Ivan.
>> This option too has not helped.
>> Regards.
>> Gennadii.
Check Items on launch
Just a question,

Is it normal that warning on the launch of the radiusd

[users]:28 WARNING! Check item "Pool-Suffix" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items

This attribute is an internal reply attribute

Added in local Dictionary...
ATTRIBUTE Pool-Suffix 3000 string

If it's only a warning OK but this is not a CHECK item but a REPLY item :)

Thanks
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Sorry, my mistake. Missed the SHIFT while typing.

Ivan Kalik
Kalik Informatika ISP

On 11/6/2008, "Guk Viktor" <[EMAIL PROTECTED]> wrote:

>
>> Did you put use-tunneled-reply=yes in peap config? I also can't see freeradius config files.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 10/6/2008, "Krzysztof Olędzki" <[EMAIL PROTECTED]> wrote:
>
>Sorry!
>We changed "use_tunneled_reply = yes" in other file of config freeradius. After they found where necessarily correctly everything it earned (eap.conf).
>By all large thanks for help!!!
RE: FR and PEAP question
Hi

I’m still trying to get this working. I’m using an XP machine plugged into an edge switch acting as a NAS. I’m using the PEAP/MSCHAP in XP to authenticate against an LDAP directory. In that directory, we have created an attribute called ntPassword which I have populated with the word ‘password’ (create, I know!). Below is what I get when I run in debug mode.

In ldap.attrmap I have the line:
checkItem NT-Password ntPassword

in radiusd.conf in my ldap declaration, I have:
password_attribute = ntPassword

I can’t quite figure out what’s going on below. Looks to me like the passwords are not matching. Any advice is appreciated.

Thanks

rad_recv: Access-Request packet from host 11.2.19.3 port 2048, id=3, length=102
        NAS-IP-Address = 11.2.19.3
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Message-Authenticator = 0xfbe3f8eb4dd656189f641a6aef2a8e59
        NAS-Port = 2
        Framed-MTU = 1490
        User-Name = "mda"
        Calling-Station-Id = "00-11-25-81-1D-DA"
        EAP-Message = 0x02030008016d6461
Wed Jun 11 09:42:02 2008 : Debug: +- entering group authorize
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[preprocess] returns ok
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
Wed Jun 11 09:42:02 2008 : Debug: rlm_realm: No such realm "NULL"
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[suffix] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling unbldap (rlm_ldap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: - authorize
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing user authorization for mda
Wed Jun 11 09:42:02 2008 : Debug: WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Wed Jun 11 09:42:02 2008 : Debug: expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=mda)
Wed Jun 11 09:42:02 2008 : Debug: expand: ou=people,dc=unb,dc=ca -> ou=people,dc=unb,dc=ca
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: performing search in ou=people,dc=unb,dc=ca, with filter (uid=mda)
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: Added User-Password = å,¬gA??"J;???¦Ëm in check items
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for check items in directory...
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: LDAP attribute ntPassword as RADIUS attribute NT-Password == 0xe52cac67419a9a224a3b108f3fa6cb6d
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: looking for reply items in directory...
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: user mda authorized to use remote access
Wed Jun 11 09:42:02 2008 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from unbldap (rlm_ldap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[unbldap] returns ok
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[mschap] returns noop
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Wed Jun 11 09:42:02 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Wed Jun 11 09:42:02 2008 : Debug: ++[files] returns noop
Wed Jun 11 09:42:02 2008 : Debug: !!!
Wed Jun 11 09:42:02 2008 : Debug: !!! Replacing User-Password in config items with Cleartext-Password. !!!
Wed Jun 11 09:42:02 2008 : Debug: !!!
Wed Jun 11 09:42:02 2008 : Debug: !!! Please update your configuration so that the "known good" !!!
Wed Jun 11 09:42:02 2008 : Debug: !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Wed Jun 11 09:42:02 2008 : Debug: !!!
Wed Jun 11 09:42:02 2008 : Debug: auth: type Local
Wed Jun 11 09:42:02 2008 : Debug: auth: No User-Pa
Re: inner/outer authentication problem in 2.0.2
Why do you apply any policies to the outer identity?

Ivan Kalik
Kalik Informatika ISP

On 11/6/2008, "Gopinath Reddy N" <[EMAIL PROTECTED]> wrote:

>Hello all,
>
>I am using freeradius 2.0.2 version with TTLS/MSCHAPv2
>
>I have two users in configuration
>
>tmpuser -> tmpgroup
>emp1 -> employee
>
>I am using "tmpuser" in outer authentication and "emp1" in inner authentication. I have eap.conf file configured with
>
>ttls {
>    copy_request_to_tunnel = yes
>    use_tunneled_reply = yes
>}
>
>But when I login successfully freeradius is always applying policy from "tmpgroup" which belongs to the user used in outer authentication. But it is supposed to apply policy from employee group as I have used "employee" in inner authentication.
>
>Could anybody let me know if this is a bug with freeradius or my configuration is wrong.
>
>Thanks in advance
>
>Regards
>gnreddy
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Have the Tunnel attributes appeared now in the Access-Accept? If they have, that's all radius server can do. If the switch doesn't understand tunnel attributes ...

Ivan Kalik
Kalik Informatika ISP

On 11/6/2008, "Gennadiy Redko" <[EMAIL PROTECTED]> wrote:

>Ivan Kalik wrote:
>> Did you put use-tunneled-reply=yes in peap config? I also can't see freeradius config files.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>Hi, Ivan.
>This option too has not helped.
>Regards.
>Gennadii.
Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Did you put use-tunneled-reply=yes in peap config? I also can't see freeradius config files.

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, "Krzysztof Olędzki" <[EMAIL PROTECTED]> wrote:

> Sorry!
> We changed "use_tunneled_reply = yes" in other file of config freeradius. After they found where necessarily correctly everything it earned (eap.conf).
> By all large thanks for help!!!
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
On 2008-06-11 12:37, Gennadiy Redko wrote:
> [5500G-EI]display interface GigabitEthernet 7/0/40
> GigabitEthernet7/0/40 current state : DOWN

This port is down, there is no client connected nor authorized/authenticated.

> [5500G-EI]display port-security interface GigabitEthernet 7/0/40
> GigabitEthernet7/0/40 is link-down
> Port mode is noRestriction

noRestriction? "port-security port-mode userlogin-secure"?

Best regards,

Krzysztof Olędzki
Re: Problems compiling Freeradius 2.0.4 on Fedora 8 [Updated to 2.0.5]
Piero Giobbi wrote:
> Ups, sorry, here's with the line above:
...
> -lnsl -lresolv -lpthread -lssl -lcrypto -Wl,--rpath -Wl,/usr/local/lib/
> /libeap/.libs/libfreeradius-eap.so: undefined reference to `BIO_test_flags'/
> /libeap/.libs/libfreeradius-eap.so: undefined reference to `EVP_MD_size'/

The installed version of OpenSSL doesn't have the correct functions that FreeRADIUS needs. Try using a recent version of OpenSSL.

Alan DeKok.
inner/outer authentication problem in 2.0.2
Hello all,

I am using freeradius 2.0.2 version with TTLS/MSCHAPv2

I have two users in configuration

tmpuser -> tmpgroup
emp1 -> employee

I am using "tmpuser" in outer authentication and "emp1" in inner authentication. I have eap.conf file configured with

ttls {
    copy_request_to_tunnel = yes
    use_tunneled_reply = yes
}

But when I login successfully freeradius is always applying policy from "tmpgroup" which belongs to the user used in outer authentication. But it is supposed to apply policy from employee group as I have used "employee" in inner authentication.

Could anybody let me know if this is a bug with freeradius or my configuration is wrong.

Thanks in advance

Regards
gnreddy
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Ivan Kalik wrote:
> Did you put use-tunneled-reply=yes in peap config? I also can't see freeradius config files.
>
> Ivan Kalik
> Kalik Informatika ISP

Hi, Ivan.
This option too has not helped.
Regards.
Gennadii.
Re: Whether the FreeRADIUS supports switch 3Com 5500G-EI ?
Krzysztof Olędzki wrote:
> OK, we absolutely need some more info:
> - display vlan
> - display vlan ... (2?)
> - display interface ... (G7/0/40?)
> - display port-security interface ... (G7/0/40)

Hi, Krzysztof

Viktor Guk wrote:
> All the same, only with the letter "G".

[5500G-EI]disp vlan
 The following VLANs exist:
 1(default), 2
[5500G-EI]disp vlan 2
 VLAN ID: 2
 VLAN Type: static
 Route Interface: not configured
 Description: vlan2
 Name: vlan2
 Tagged Ports: none
 Untagged Ports:
 GigabitEthernet7/0/39  GigabitEthernet7/0/47
[5500G-EI]display interface GigabitEthernet 7/0/40
 GigabitEthernet7/0/40 current state : DOWN
 IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 001a-c147-8e68
 Media type is twisted pair, loopback not set
 Port hardware type is 1000_BASE_T
 Unknown-speed mode, unknown-duplex mode
 Link speed type is autonegotiation, link duplex type is autonegotiation
 Flow-control is not enabled
 The Maximum Frame Length is 1522
 Broadcast MAX-pps: 3000
 Unicast MAX-ratio: 100%
 Multicast MAX-ratio: 100%
 Forbid jumbo frame to pass
 PVID: 1
 Mdi type: auto
 Port link-type: access
  Tagged   VLAN ID : none
  Untagged VLAN ID : 1
 Last 300 seconds input:  0 packets/sec 7 bytes/sec
 Last 300 seconds output: 0 packets/sec 48 bytes/sec
 Input(total):  23 packets, 2240 bytes
         2 broadcasts, 12 multicasts, 0 pauses
 Input(normal): - packets, - bytes
         - broadcasts, - multicasts, - pauses
 Input:  0 input errors, 0 runts, 0 giants, - throttles, 0 CRC
         - frame, - overruns, 0 aborts, - ignored, - parity errors
 Output(total): 151 packets, 14501 bytes
         89 broadcasts, 50 multicasts, 0 pauses
 Output(normal): - packets, - bytes
         - broadcasts, - multicasts, - pauses
 Output: 0 output errors, - underruns, - buffer failures
         0 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, - no carrier
[5500G-EI]display port-security interface GigabitEthernet 7/0/40
 GigabitEthernet7/0/40 is link-down
 Port mode is noRestriction
 NeedtoKnow mode is disabled
 Intrusion mode is no action
 Max mac-address num is not configured
 Stored mac-address num is 0
 Authorization is permit

With the options offered by you, the test bench still has not started working.

> BTW: There is no need to add and use TMT802, freeradius already comes with
> all what you need here:
>
> Tunnel-Type = VLAN
> Tunnel-Medium-Type = IEEE-802
> Tunnel-Private-Group-ID = ...
>
> Best regards,
> Krzysztof Olędzki

Best regards.
Gennadii Redko
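To see what those three reply attributes look like on the wire, and why a switch only applies a VLAN when all three agree, here is an added Python example (not code from the thread or from FreeRADIUS) that encodes and decodes the RFC 2868 tagged attributes carrying an RFC 3580 VLAN assignment; attribute numbers and enum values are the standard ones, nothing else is assumed.

```python
# Added example: the RADIUS reply attributes used for dynamic VLAN assignment.
#   Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6),
#   Tunnel-Private-Group-ID (81) = the VLAN ID as a string.
# Each value starts with a Tag octet (0x00-0x1F). In Tunnel-Private-Group-ID a
# first byte above 0x1F is not a tag but the first byte of the string (RFC 2868).
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _tlv(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute layout: Type(1) Length(1, includes Type and Length) Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(tag: int, value: int) -> bytes:
    # Tagged integer: Tag(1) followed by a 3-byte big-endian integer
    return bytes([tag]) + value.to_bytes(3, "big")


def encode_vlan_reply(vlan_id: int, tag: int = 0) -> bytes:
    """Attribute bytes that tell an 802.1X switch to put the port in vlan_id."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0x00-0x1F")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("vlan_id must be 1..4094")
    return (_tlv(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _tlv(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def decode_vlan_reply(data: bytes) -> dict:
    """Return {tag: vlan_id} for every complete, consistent VLAN triple.

    A triple is honoured only if Tunnel-Type is VLAN, Tunnel-Medium-Type is
    IEEE-802 and the group ID is numeric; a lone Tunnel-Private-Group-ID or a
    mismatched tag yields nothing, which is what a conforming switch does.
    """
    seen = {}  # tag -> {"type": int, "medium": int, "group": str}
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            seen.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            seen.setdefault(tag, {})["group"] = text.decode(errors="replace")
    return {tag: int(e["group"]) for tag, e in seen.items()
            if e.get("type") == TUNNEL_TYPE_VLAN
            and e.get("medium") == TUNNEL_MEDIUM_IEEE_802
            and e.get("group", "").isdigit()}
```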
Re: Problems compiling Freeradius 2.0.4 on Fedora 8 [Updated to 2.0.5]
Ups, sorry, here's with the line above:

/usr/bin/gmake -w -C libeap
gmake[7]: Entering directory `/root/freeradius-server-2.0.5/src/modules/rlm_eap/libeap'
gmake[7]: Nothing to be done for `all'.
gmake[7]: Leaving directory `/root/freeradius-server-2.0.5/src/modules/rlm_eap/libeap'
/root/freeradius-server-2.0.5/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libfreeradius-eap.la -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypto
gcc -o .libs/radeapclient .libs/radeapclient.o libeap/.libs/libfreeradius-eap.so /root/freeradius-server-2.0.5/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lssl -lcrypto -Wl,--rpath -Wl,/usr/local/lib
libeap/.libs/libfreeradius-eap.so: undefined reference to `BIO_test_flags'
libeap/.libs/libfreeradius-eap.so: undefined reference to `EVP_MD_size'
collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory `/root/freeradius-server-2.0.5/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-server-2.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-server-2.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-server-2.0.5'
make: *** [all] Error 2

>> Sorry Alan, i forgot to include "the" problem when i try to build
>> freeradius 2.0.5 on Fedora 8. Below is from make:
>>
>> collect2: ld returned 1 exit status
>> gmake[6]: *** [radeapclient] Error 1
>
> And you've deleted the actual error message.
>
> Alan DeKok.
Re: MySQL connection over SSL possible?
Please try to avoid sending emails to the list as "TO" *and* as "CC". (I (and probably not only me) always get your messages twice.)

Have a nice day!

On 11.06.2008 at 11:31, Anders Holm wrote:
> "There are other options."
>
> Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..
>
> //anders
>
> ----- Original Message -----
> From: "Alan DeKok" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" <[EMAIL PROTECTED]>
> Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: MySQL connection over SSL possible?
>
> Anders Holm wrote:
>> So, that's a "yes" .. :)
>
> Yes.
>
>> rlm_sql_mysql is the driver, and I'd rather not have my own version running,
>> but would love to see that rolled in, if possible. My only problem with
>> creating a patch and sending it in is more that I am not a coder really. I'd be
>> more likely to create more problems than I'd solve .. ;)
>
> There are other options.
>
> Alan DeKok.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: MySQL connection over SSL possible?
"There are other options."

Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..

//anders

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Anders Holm wrote:
> So, that's a "yes" .. :)

Yes.

> rlm_sql_mysql is the driver, and I'd rather not have my own version running,
> but would love to see that rolled in, if possible. My only problem with
> creating a patch and sending it in is more that I am not a coder really. I'd be
> more likely to create more problems than I'd solve .. ;)

There are other options.

Alan DeKok.
Re: MySQL connection over SSL possible?
Indeed, stunnel is one way to go, another might be SSH tunnels, or as another poster mentioned IPSec tunnels. Yes, data integrity and security of the data is vital, along the whole path from backend storage to end device, so this is just one piece of that puzzle ...

What I'll do short term is to look at ways to create a secure tunnel, and if time permits see if I can manage to create a patch that someone who has better coding skills than me would then need to sanitize.. :)

I can see a few new options coming out from such a patch

 ssl = yes

I haven't checked, but from memory I'm not even sure it's possible to specify a port number for the database, need to check that too .. Questions, questions, and so little time .. :)

//anders

----- Original Message -----
From: "A L M Buxey" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Monday, June 9, 2008 6:19:30 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Hi,

> No. Driver is sql_mysql.c file in
> src/modules/rlm_sql/drivers/rlm_sql_mysql/ folder of your distribution.
> You will need to edit the source file and recompile to have freeradius
> mysql client ask for a SSL connection.

hmm, i could see a future with sql.conf containing

 ssl = yes

and each SQL driver, if supported, using SSL method to connect. would probably also need certs etc in the config for this to happen.

for another option, without editing code, use eg stunnel to connect to the remote SQL server and then tell FreeRADIUS to use the local end port of the stunnel session.

alan
Re: Setting Post-Proxy-Type ??
Alan DeKok wrote:
> Mustapha Bouikhif wrote:
>> I am having problems getting Post-Proxy-Type to work in FreeRadius (FR); I did tests with FR v2.0.3 and FR v2.0.5 after update without success;
>> Here is what i want to do: Use attr_rewrite to write some attributes (those for setting VLAN) in proxy replies received from the home server. So I had defined 3 sections for attr_rewrite in radiusd.conf:
>>
>> ...
>> post-proxy {
>> ...
>>   Post-Proxy-Type post.proxy.dr4 {
>
> Why are you using a Post-Proxy-Type here?
>
>> The users file looks like:
>>
>> DEFAULT Huntgroup-Name == "Nomade_Eduroam", Realm == "DEFAULT", Post-Proxy-Type := post.proxy.dr4
>
> I don't think setting the Post-Proxy-Type here works the way you want. You should probably just use virtual servers, instead. Set the virtual server for the realm. See "proxy.conf".
>
>> In proxy.conf file, I have set:
>>
>> post_proxy_authorize = yes
>
> Don't. It doesn't work.
>
>> When I started radiusd (in debug mode), it tells me :
>>
>> Parse error (check) for entry DEFAULT: Unknown value for post.proxy.dr4 for attribute Post-Proxy-Type
>>
>> I don't know what i am doing wrong ?
>
> Use virtual servers. They're a lot easier.
>
> Alan DeKok.

Thanks Alan, I have set a virtual server for the DEFAULT realm...

--
Mustapha BOUIKHIF
Service Systèmes d'Information
CNRS - DR4
tel: +33 1 69 82 33 97
fax: +33 1 69 82 33 39
Re: FreeRadius/eDirectory/802.1X authentication issue
On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
> login credentials each time. The "Use Windows login credentials" (or
> whatever it's called; can't remember off the top of my head) option is
> checked. In fact, if I un-check it and have Windows prompt me for the
> credentials, then the authentication works properly! (With or without

Reset the user's profile. We've had the same problem here and that fixed it.

> the domain name.) And it's the same username/password that I use to log
> on to the laptop. It's very strange that it works fine when I have
> Windows prompt for the credentials, but won't when I have it use the
> login credentials.
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]
Re: Problems compiling Freeradius 2.0.4 on Fedora 8 [Updated to 2.0.5]
On 11.06.2008 at 09:50, Piero Giobbi wrote:
> Hi again.
>
> Sorry Alan, i forgot to include "the" problem when i try to build
> freeradius 2.0.5 on Fedora 8. Below is from make:
>
> collect2: ld returned 1 exit status

Is it the only error line about the linking problem or are there relevant lines just in front of this line?

> gmake[6]: *** [radeapclient] Error 1
> gmake[6]: Leaving directory `/root/freeradius-server-2.0.5/src/modules/rlm_eap'
> gmake[5]: *** [common] Error 2
> gmake[5]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
> gmake[4]: *** [all] Error 2
> gmake[4]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
> gmake[3]: *** [common] Error 2
> gmake[3]: Leaving directory `/root/freeradius-server-2.0.5/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/root/freeradius-server-2.0.5/src'
> gmake[1]: *** [common] Error 2
> gmake[1]: Leaving directory `/root/freeradius-server-2.0.5'
> make: *** [all] Error 2
[...]

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: Problems compiling Freeradius 2.0.4 on Fedora 8 [Updated to 2.0.5]
Piero Giobbi wrote:
> Sorry Alan, i forgot to include "the" problem when i try to build
> freeradius 2.0.5 on Fedora 8. Below is from make:
>
> collect2: ld returned 1 exit status
> gmake[6]: *** [radeapclient] Error 1

And you've deleted the actual error message.

Alan DeKok.
Re: Problems compiling Freeradius 2.0.4 on Fedora 8 [Updated to 2.0.5]
Hi again.

Sorry Alan, i forgot to include "the" problem when i try to build freeradius 2.0.5 on Fedora 8. Below is from make:

collect2: ld returned 1 exit status
gmake[6]: *** [radeapclient] Error 1
gmake[6]: Leaving directory `/root/freeradius-server-2.0.5/src/modules/rlm_eap'
gmake[5]: *** [common] Error 2
gmake[5]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/root/freeradius-server-2.0.5/src/modules'
gmake[3]: *** [common] Error 2
gmake[3]: Leaving directory `/root/freeradius-server-2.0.5/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/root/freeradius-server-2.0.5/src'
gmake[1]: *** [common] Error 2
gmake[1]: Leaving directory `/root/freeradius-server-2.0.5'
make: *** [all] Error 2

OpenSSL> version
OpenSSL 0.9.8g 19 Oct 2007
OpenSSL>

Linux 2.6.25.4-10.fc8 #1 SMP Thu May 22 23:34:09 EDT 2008 i686 i686 i386 GNU/Linux

Below are the warnings from the configure.

thx.
p

On 10 Jun 2008 at 16:08, [EMAIL PROTECTED] wrote:
> Hi,
>
>> Update on FR 2.0.5 with Fedora 8 (from configure):
>>
>> [EMAIL PROTECTED] freeradius-server-2.0.5]# ./configure | grep -i warning
>> config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
>> config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
>> chmod: cannot access `check-radiusd-config': No such file or directory
>> configure: WARNING: silently not building rlm_eap_ikev2.
>> configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
>> configure: WARNING: the TNCS library isn't found!
>> configure: WARNING: silently not building rlm_eap_tnc.
>> configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
>> configure: WARNING: silently not building rlm_sql_iodbc.
>> configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
>> configure: WARNING: silently not building rlm_sql_postgresql.
>> configure: WARNING: FAILURE: rlm_sql_postgresql requires: libpq-fe.h libpq.
>> configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=.
>> configure: WARNING: silently not building rlm_sql_oracle.
>> configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
>> configure: WARNING: silently not building rlm_sql_unixodbc.
>> configure: WARNING: FAILURE: rlm_sql_unixodbc requires: sql.h.
>> ..
>>
>> If it makes more sense...
>
> so, you dont have the required includes etc for building IKEv2, TNC, IODBC, postgresql or Oracle support into the server. do you use any of these? if not, then whats the problem?
>
> alan
Re: FreeRadius/eDirectory/802.1X authentication issue
Newall, Bryce wrote:
> I'm convinced that it has SOMETHING to do with how Windows is passing
> the credentials through to FreeRadius, rather than a FreeRadius problem;
> I'm just not sure where to troubleshoot.

You'll know from reading this list where *my* biases are. For most problem interactions with external devices, it's usually the external devices that are buggy. For behavior that's internal to the server, it's often administrator misconfiguration. For some rare cases, it's a FreeRADIUS bug.

Alan DeKok.