POP3

2008-07-09 Thread Slava

Hi,

Could anyone tell me if there exists a solution to integrate FR with a 
POP3 server

in order to provide Radius controlled access to mailboxes via POP3?
I am currently using cucipop

Thank you

Slava Shkarupin
Kiev, UA 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxy-to-realm versus using a suffix

2008-07-09 Thread Alan DeKok
Chris Fruehwirth wrote:
 Below is the debug output from FreeRADIUS. The first attempt is using
 the suffix [EMAIL PROTECTED], which works. The second attempt is using the
 users file and no realm, which fails.
...
 ++[eap] returns updated
 ++[unix] returns notfound
   users: Matched entry DEFAULT at line 207
 ++[files] returns ok

  The files module is listed after the eap module.  So the server
will start EAP *before* you tell it to proxy the request.

  The solution is to mark the request as being proxied *before* the EAP
module runs.

  If you don't want to do EAP authentication locally, then just delete
the reference to the EAP module.

  Alan DeKok.


Re: about EAP using 1.1.7 and 2.0.3

2008-07-09 Thread Alan DeKok
Ryan Setiawan H wrote:
Thanks for the reply, I've Update to freeradius 2.0.5, but still
 didn't show result, the debug still the same,
 here are the debug :
 
...
 rad_recv: Access-Request packet from host 192.168.12.130 port 1024,
 id=27, length=213
 Sending duplicate reply to client local port 1024 - ID: 27
 Sending Access-Challenge of id 27 to 192.168.12.130 port 1024

  The client isn't receiving the response from the server.  Use tcpdump
or wireshark to debug your network.

 I'm using default configuration, just only change client.conf and users.
 there is clue, when I saw debug from 1.1.7 the second access request has
 different id
 but in this debug,  it had same id ( that's is 27 ) maybe because client
 didn't receive challenge, it tried to retransmit

  Yes.  The ID's are chosen by the client.  If it's re-using the same
ID, it's because it didn't receive the reply.

 I'm not expert at EAP but i think after challenge client should reply
 with different id... ( that is what I see at 1.1.7 )
 Is there any configuration to be added ?

  No.  Fix your network.

  Alan DeKok.


Re: POP3

2008-07-09 Thread Alan DeKok
Slava wrote:
 Could anyone tell me if there exists a solution to integrate FR with a
 POP3 server
 in order to provide Radius controlled access to mailboxes via POP3?
 I am currently using cucipop

  Look for patches to let cucipop do RADIUS authentication.  If there
are none, maybe cucipop does PAM authentication.  You could then use the
PAM RADIUS module.

  Alan DeKok.


EAP/TLS

2008-07-09 Thread Kwok Sianbin


Thanks for the tips. 

If the certificates are fine then 

the only problem here is the radius server.

XP can not authenticate the client  can't get connected.



here the output

Ready to process requests.
    User-Name = MarsNet_Client
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = 00:30:1a:29:03:66
    Calling-Station-Id = 00:1c:f0:10:56:b8
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = 127.0.0.1
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x02020013014d6172734e65745f436c69656e74
    Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = MarsNet_Client, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with timestamp +930
Ready to process requests.
    User-Name = MarsNet_Client
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = 00:30:1a:29:03:66
    Calling-Station-Id = 00:1c:f0:10:56:b8
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = 127.0.0.1
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
    Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = MarsNet_Client, looking up realm NULL
    rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
    EAP-Message = 0x010200060d20
    Message-Authenticator = 0x
    State = 0xae557800ae5775e5b09645c04263a306
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +950
Ready to process requests.



--- On Mon, 7/7/08, Ivan Kalik [EMAIL PROTECTED] wrote:
From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Private key
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Monday, July 7, 2008, 10:38 PM

Why do you care if Windows does not have enough information to verify
this certificate? Does radius server have any problems with it?

Ivan Kalik
Kalik Informatika ISP


sql_log inside virtual servers

2008-07-09 Thread Leon Kyneur
Hi All,

I'm trying to configure my virtual servers to have different sql_log
queries and having some difficulty specifying the queries within the
server { } block redefining sql_log { Start, Stop, Alive etc.. }
parameters within each virtual server instance.

Is this supported? Or can they only be set on a global basis?

Oh and  I'm using 2.0.5.

Thanks

Leon


Re: about EAP using 1.1.7 and 2.0.3

2008-07-09 Thread A . L . M . Buxey
hi,

as Alan stated - your NAS doesn't seem to be getting
the responses from your server.  some ACL or routing issue?
(stick a sniffer directly in front of the switch...if
you need to, you may need to have a 'port mirror' or somesuch
from the switch that feeds that switch if traffic is on a mgmt
VLAN and .1q trunking is involved etc.)

don't worry about the errors from the ./configure - unless
you are using any of those technologies (postgresql, oracle,
TNC or IKEv2) - your server is 'normal'

alan


Re: sql_log inside virtual servers

2008-07-09 Thread Alan DeKok
Leon Kyneur wrote:
 I'm trying to configure my virtual servers to have different sql_log
 queries and having some difficulty specifying the queries within the
 server { } block

  You don't.  The modules are defined in the modules section of the
configuration file  (raddb/modules)

 redefining sql_log { Start, Stop, Alive etc.. }
 parameters within each virtual server instance.
 
 Is this supported? Or can they only be set on a global basis?

  You can create multiple copies of the sql_log module, and use a named
copy in a virtual server.

sql_log foo {
    ... config ..
}
sql_log bar {
    ... config ...
}

server one {
    accounting {
        ...
        foo
        ...
    }
}

  i.e. give them unique names (sql_log foo), and then refer to them in
the virtual server as foo, and not sql_log.

  Alan DeKok.


Re: EAP/TLS

2008-07-09 Thread Sergio Yébenes Moreno

Kwok Sianbin wrote:


Thanks for the tips.
If the certificates are fine then
the only problem here is the radius server.
XP can not authenticate the client  can't get connected.

here the output
Ready to process requests.
User-Name = MarsNet_Client
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02020013014d6172734e65745f436c69656e74
Message-Authenticator = 0x00ebc8fcffd2c906e2d36ec4fff17d3a
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = MarsNet_Client, looking up 
realm NULL

rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with timestamp +930
Ready to process requests.
User-Name = MarsNet_Client
NAS-IP-Address = 0.0.0.0
Framed-MTU = 1488
Called-Station-Id = 00:30:1a:29:03:66
Calling-Station-Id = 00:1c:f0:10:56:b8
NAS-Port-Type = Wireless-802.11
NAS-Identifier = 127.0.0.1
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02010013014d6172734e65745f436c69656e74
Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = MarsNet_Client, looking up 
realm NULL

rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 19
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No known good password found for the user.  
Authentication may fail because of this.

++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0xae557800ae5775e5b09645c04263a306
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 5 ID 3 with timestamp +950
Ready to process requests.


--- On *Mon, 7/7/08, Ivan Kalik /[EMAIL PROTECTED]/* wrote:

From: Ivan Kalik [EMAIL PROTECTED]
Subject: Re: Private key
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Date: Monday, July 7, 2008, 10:38 PM

Why do you care if Windows does not have enough information to verify
this certificate? Does radius server have any problems with it?

Ivan Kalik
Kalik Informatika ISP

Have you read last lines of eap.conf?


Re: sql_log inside virtual servers

2008-07-09 Thread Leon Kyneur
On Wed, Jul 9, 2008 at 5:03 PM, Alan DeKok [EMAIL PROTECTED] wrote:
 Leon Kyneur wrote:
 I'm trying to configure my virtual servers to have different sql_log
 queries and having some difficulty specifying the queries within the
 server { } block

  You don't.  The modules are defined in the modules section of the
 configuration file  (raddb/modules)

 redefining sql_log { Start, Stop, Alive etc.. }
 parameters within each virtual server instance.

 Is this supported? Or can they only be set on a global basis?

  You can create multiple copies of the sql_log module, and use a named
 copy in a virtual server.

 sql_log foo {
... config ..
 }
 sql_log bar {
... config ...
 }

 server one {
 accounting {
...
foo
...
 }
 }

  i.e. give them unique names (sql_log foo), and then refer to them in
 the virtual server as foo, and not sql_log.

Ah! I knew it would be something so simple. Thanks Alan.


Re: EAP/TLS

2008-07-09 Thread Ivan Kalik
++[eap] returns handled
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with timestamp +930
Ready to process requests.
    User-Name = MarsNet_Client
    NAS-IP-Address = 0.0.0.0
    Framed-MTU = 1488
    Called-Station-Id = 00:30:1a:29:03:66
    Calling-Station-Id = 00:1c:f0:10:56:b8
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = 127.0.0.1
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
    Message-Authenticator = 0xd79261edb8c5b177b0b6334837684449
+- entering group authorize


Your client is broken. State attribute from the challenge must be
returned in the next request.

Ivan Kalik
Kalik Informatika ISP
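
The State check described above, together with the repeated-ID symptom from the "about EAP using 1.1.7 and 2.0.3" thread, as an added example (not code from the list or from FreeRADIUS). The log is a constructed sample in the `radiusd -X` format quoted in these threads; the function names and the choice to identify a client by host:port are assumptions of the example.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS"}
RECV = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+([\w-]+) = (\S+)")

# Constructed sample: addresses, ids and State values are made up.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32770, id=0, length=124
    EAP-Message = 0x0200000d017465737475736572
+- entering group authorize
Sending Access-Challenge of id 0 to 192.0.2.10 port 32770
    EAP-Message = 0x010100060d20
    State = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
rad_recv: Access-Request packet from host 192.0.2.10 port 32770, id=1, length=135
    EAP-Message = 0x020100060d00
    State = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
rad_recv: Access-Request packet from host 192.0.2.20 port 1024, id=1, length=150
    EAP-Message = 0x02010013014d6172734e65745f436c69656e74
Sending Access-Challenge of id 1 to 192.0.2.20 port 1024
    EAP-Message = 0x010200060d20
    State = 0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
rad_recv: Access-Request packet from host 192.0.2.20 port 1024, id=3, length=150
    EAP-Message = 0x02020013014d6172734e65745f436c69656e74
rad_recv: Access-Request packet from host 192.0.2.30 port 1024, id=27, length=213
    EAP-Message = 0x0200000a01616c696365
Sending Access-Challenge of id 27 to 192.0.2.30 port 1024
    EAP-Message = 0x010100060d20
    State = 0xcccccccccccccccccccccccccccccccc
rad_recv: Access-Request packet from host 192.0.2.30 port 1024, id=27, length=213
    EAP-Message = 0x0200000a01616c696365
"""


def decode_eap(hexval):
    """Decode the EAP header of an EAP-Message value: (code, id, length, type)."""
    raw = bytes.fromhex(hexval[2:])
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    # Only Request/Response packets carry a type byte after the 4-byte header.
    has_type = code in (1, 2) and len(raw) > 4
    eap_type = EAP_TYPES.get(raw[4], str(raw[4])) if has_type else None
    return EAP_CODES.get(code, str(code)), ident, length, eap_type


def parse_packets(text):
    """Collect each received/sent packet header with the attributes printed under it."""
    packets, current = [], None
    for line in text.splitlines():
        m_in, m_out = RECV.match(line), SEND.match(line)
        if m_in:
            code, host, port, pid = m_in.groups()
            current = {"dir": "in", "code": code, "client": f"{host}:{port}",
                       "id": int(pid), "attrs": {}}
            packets.append(current)
        elif m_out:
            code, pid, host, port = m_out.groups()
            current = {"dir": "out", "code": code, "client": f"{host}:{port}",
                       "id": int(pid), "attrs": {}}
            packets.append(current)
        elif current is not None:
            m = ATTR.match(line)
            if m:
                current["attrs"][m.group(1)] = m.group(2)
            else:
                current = None  # module output: the attribute list has ended
    return packets


def check_exchanges(packets):
    """Flag retransmitted requests and requests that drop the challenge's State."""
    findings, challenge, last_req = [], {}, {}
    for p in packets:
        client = p["client"]
        if p["dir"] == "out":
            # Only an outstanding Access-Challenge obliges the client to echo State.
            if p["code"] == "Access-Challenge":
                challenge[client] = p
            else:
                challenge.pop(client, None)
            continue
        if p["code"] != "Access-Request":
            continue
        prev = last_req.get(client)
        if prev and prev["id"] == p["id"] and prev["attrs"] == p["attrs"]:
            # Same ID, same content: the client most likely never saw the reply.
            findings.append(("retransmit", client, p["id"]))
        elif client in challenge:
            want = challenge[client]["attrs"].get("State")
            got = p["attrs"].get("State")
            if got is None:
                findings.append(("state-missing", client, p["id"]))
            elif got != want:
                findings.append(("state-mismatch", client, p["id"]))
        last_req[client] = p
    return findings


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_LOG)
    for p in pkts:
        print(p["dir"], p["client"], p["id"], decode_eap(p["attrs"]["EAP-Message"]))
    for finding in check_exchanges(pkts):
        print(finding)
```

A "retransmit" finding points at the network path between NAS and server; a "state-missing" finding points at the client or NAS restarting EAP instead of continuing the conversation.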



Re: POP3

2008-07-09 Thread Matt Garretson
Alan DeKok wrote:
 Slava wrote:
 Could anyone tell me if there exists a solution to integrate FR with a
 POP3 server
   Look for patches to let cucipop do RADIUS authentication.  If there
 are none, maybe cucipop does PAM authentication.  You could then use the
 PAM RADIUS module.


FWIW, Qpopper also can use PAM, although I haven't tried it myself:

 http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM




Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

2008-07-09 Thread Sergio Yébenes Moreno

Gaurav Kansal wrote:


Hi

 

I am trying to use EAP-TLS between wpa_supplicant and freeradius. I 
created the certificates (ca/server/client) as mentioned in 
freeradius-server-2.0.5/raddb/certs/README. In 
freeradius-server-2.0.5/raddb/users, following line is added at end: 
testuser Cleartext-Password := password


 

On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following 
contents:


network={
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="testuser"
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    client_cert="/usr/local/etc/raddb/certs/[EMAIL PROTECTED]"
    private_key="/usr/local/etc/raddb/certs/client.key"
    private_key_passwd="whatever"
}

Executed wpa_supplicant (eapol_test) with following command 
(wpa_supplicant side logs are after radius logs at end):


eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1

 

On executing /usr/local/sbin/radiusd -X, I get following log and error 
too:


rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
User-Name = testuser
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020d017465737475736572
Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
Message-Authenticator = 0x
State = 0x26767358261a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
User-Name = testuser
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x02010006030d
State = 0x26767358261a69809cb3876d58ea
Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
EAP-Message = 0x010200060d20
Message-Authenticator = 0x
State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
User-Name = testuser
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x0202006b0d001603010060015c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d3400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
State = 0x2676735827747e1a69809cb3876d58ea
Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL


Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

2008-07-09 Thread Alan DeKok
Sergio Yébenes Moreno wrote:
 I think that PKI that comes with freeradius by default are shit

  Feel free to submit fixes.

  Most people don't have problems with the defaults.  Perhaps because
they realize that the defaults are for testing, and not for production use.

 (./bootstrap). I had the same problem. If you see the certification
 route in firefox, for example, you will see that client certificate are
 signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

 Probably you
 put ca_cert=/usr/local/etc/raddb/certs/ca.pem at eap.conf

  There is no configuration entry called 'ca_cert'.

 rlm_eap_tls:  TLS 1.0 Handshake [length 0395], Certificate
 -- verify error:num=20:unable to get local issuer certificate
 
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca)
 
 , and should be server.pem, or make your own ca, that signs clients and
 servers certificates.

  The default configuration works.  Perhaps you could try explaining why
you think it doesn't, or why it's wrong.

  Alan DeKok.



Reply Attribute and Stripping a realm

2008-07-09 Thread Sandra H.
I have a couple questions.



I need to force a reply attribute for the slipstream service to all my
customers.
I'm using flatfile, just a basic setup. What would be the best way to do
this?


Also, How do I strip Realms? We get users coming to our RADIUS in this
format [EMAIL PROTECTED]
My flatfile only has username due to the backend system we use. I need to
strip the realm..

Thanks

Re: Reply Attribute and Stripping a realm

2008-07-09 Thread Ivan Kalik
I need to force a reply attribute for the slipstream service to all my
customers.
I'm using flatfile, just a basic setup. What would be the best way to do
this?

Create a DEFAULT entry in users file.

Also, How do I strip Realms? We get users coming to our RADIUS in this
format [EMAIL PROTECTED]
My flatfile only has username due to the backend system we use. I need to
strip the realm..

Create a local realm in proxy.conf.

Ivan Kalik
Kalik Informatika ISP



Re: POP3

2008-07-09 Thread Slava

Thanks much, will try the options you have pointed to

Slava Shkarupin
Kiev, UA

- Original Message - 
From: Matt Garretson [EMAIL PROTECTED]
To: FreeRadius users mailing list 
freeradius-users@lists.freeradius.org

Sent: Wednesday, July 09, 2008 17:16
Subject: Re: POP3



Alan DeKok wrote:

Slava wrote:
Could anyone tell me if there exists a solution to integrate FR with 
a

POP3 server

  Look for patches to let cucipop do RADIUS authentication.  If there
are none, maybe cucipop does PAM authentication.  You could then use 
the

PAM RADIUS module.



FWIW, Qpopper also can use PAM, although I haven't tried it myself:

http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM




detail records

2008-07-09 Thread Roy Kartadinata
Hello all,

 

We're using freeradius 2.0.5 in our test environment and noticed that
our detail record doesn't have Freeradius-Proxied-To information like
our current production radius which is still running an old version of
freeradius. We currently setup the accounting record to be proxied to a
remote radius server and running in debug mode showed that the
accounting record was being sent to remote server but nothing in detail
record. Is this something I have to specify on a config file?

 

 

Cheers,

 

Roy Kartadinata



 

 


Re: EAP-TTLS / LDAP

2008-07-09 Thread joris
Hey guys, sorry for the delay.

Yeah after reading your advices, I agree that I misread.
I will use EAP-TTLS with EAP method PAP encapsulated in it.

Thanks Sergio for the link for Windows users : in my case with an
intel wifi card, Intel was kind enough to provide the same kind of
utilities. But for the others unknown manufacturer, your tool is
really just *fine* :)

Thanks again,
Joris


2008/7/8 Ivan Kalik [EMAIL PROTECTED]:
 #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).

 That relates to ldap bind as user authentication, not using ldap to
 store user information.

 Ivan Kalik
 Kalik Informatika ISP


 On 8/7/2008, joris [EMAIL PROTECTED] wrote:

Hello,

After reading the configuration file radiusd.conf, it explicitly says
that one can't use LDAP as the authentication backend when you use EAP
(in my case, i'm interested in EAP-TTLS).

Nonetheless, I can read elsewhere on the web that some people seem to
use  both EAP and LDAP, so I wonder who is right ?

I would use LDAP for storing all my users/password and EAP to protect
my users credentials over insecure Wifi.

Any advices ?


Cheers,

Joris


Re: detail records

2008-07-09 Thread Pshem Kowalczyk
Hi

 We're using freeradius 2.0.5 in our test environment and noticed that our
 detail record doesn't have Freeradius-Proxied-To information like our
 current production radius which is still running an old version of
 freeradius. We currently setup the accounting record to be proxied to a
 remote radius server and running in debug mode showed that the accounting
 record was being sent to remote server but nothing in detail record. Is this
 something I have to specify on a config file?

You can easily add that functionality using unlang:

pre-proxy {
    update proxy-request {
        Freeradius-Proxied-To := "%{control:Proxy-To-Realm}"
    }

    detail_local
}

kind regards
Pshem


Re: about freeradius accepts anybody

2008-07-09 Thread Ivan Kalik
file autorizados contains this
 user1Cleartext-Password := 
Reply-Message = Autorizando.
Fall-Through = No

That's not going to work. You can't make EAP-TLS use passwords.

I had to make this because I'm not the signer of client certificates,
only for server.

What are people with certificates that you haven't issued doing on your
network? If you are accepting users from another organization, proxy
requests to their home server. But if you are to maintain control over
who gets access to your network you should tell people to use PEAP and
give them usernames/passwords that you will store in autorizados file.

Ivan Kalik
Kalik Informatika ISP



RE: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

2008-07-09 Thread Gaurav Kansal
Hi 

I made the following change and it worked for me.

In Makefile (/usr/local/etc/raddb/certs/), I passed the input files of that of
ca rather than server while creating the client certificate.

Regards,
Gaurav Kansal
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Wednesday, July 09, 2008 8:58 PM
To: FreeRadius users mailing list
Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno wrote:
 I think that PKI that comes with freeradius by default are shit

  Feel free to submit fixes.

  Most people don't have problems with the defaults.  Perhaps because
they realize that the defaults are for testing, and not for production use.

 (./bootstrap). I had the same problem. If you see the certification
 route in firefox, for example, you will see that client certificate are
 signed by SERVER CERTIFICATE and this by ca certificate.

  Which shouldn't be a problem.

 Probably you
 put ca_cert=/usr/local/etc/raddb/certs/ca.pem at eap.conf

  There is no configuration entry called 'ca_cert'.

 rlm_eap_tls:  TLS 1.0 Handshake [length 0395], Certificate
 -- verify error:num=20:unable to get local issuer certificate
 
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca)
 
 , and should be server.pem, or make your own ca, that signs clients and
 servers certificates.

  The default configuration works.  Perhaps you could try explaining why
you think it doesn't, or why it's wrong.

  Alan DeKok.
