reference client stanzas in unlang?
Hi,

is there a way to reference the name of the client stanza (or its shortname) in unlang? I.e. if there is

client foo {
    ipaddr = 1.2.3.4
    shortname = foostuff
}

Then there's a request coming in from this client. In the client processing, can there be something like

if ( -- something that reveals foo or foostuff -- ) {
    ...
}

? Using huntgroups and assigning Client-IP-Address into huntgroups is procedurally not an option.

Greetings,

Stefan Winter

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: reference client stanzas in unlang?
Stefan Winter wrote:
> Hi, is there a way to reference the name of the client stanza (or its shortname) in unlang? I.e. if there is
>
> client foo {
>     ipaddr = 1.2.3.4
>     shortname = foostuff
> }
>
> Then there's a request coming in from this client. In the client processing, can there be something like
>
> if ( -- something that reveals foo or foostuff -- ) {
>     ...
> }
>
> ?

if (%{client:shortname} == foostuff) {
    ...
}

Also:

%{home_server:foo}
%{home_server_pool:foo}
%{config:section.subsection.item}

gets you the value for that item.

Alan DeKok.
Re: reference client stanzas in unlang?
> is there a way to reference the name of the client stanza (or its shortname) in unlang? I.e. if there is
>
> client foo {
>     ipaddr = 1.2.3.4
>     shortname = foostuff
> }
>
> Then there's a request coming in from this client. In the client processing, can there be something like
>
> if ( -- something that reveals foo or foostuff -- ) {
> }

This was documented recently on the list:

http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg00076html

Ivan Kalik
Kalik Informatika ISP
RE: Using accounting data for quotas
Hello,

I've implemented this situation. Well, our solution was a bit more complex: we have peak and off peak times. For example weekends are off peak. Users have a limited traffic based on their group, say 25GB/month.

Here is pretty much what I have done (simplified!):

1. Add a traffic usage field in users table.
2. I have an hourlytraffic table, 1 row per online user/per hour.
3. I have a dailytraffic table, 1 row per online user/per day.
4. Instead of plain SQL in sql module, I pass all the data to stored procedures.
5. Whenever I get a new interim-update (every 5 minutes) I calculate the difference from sessions table. Now I know how much traffic the user used in the last interim. Based on the time I received the interim (off peak time or peak time) I know if I should add this traffic to usage of the user.
6. In the stored procedure, whenever a user has more usage than allowed by plan, I add a row to a disconnect_job table. Every few minutes I disconnect sessions with COA from nas.

The system is pretty flexible: different plans with different peak/off peak times, usage limits, etc. and it is very very stable! Just to let you know how this performs: I run national DSL subscribers on this (about 50,000 online sessions) from over 50 NASes all going through one freeradius/mysql box!

Few issues I ran into:

Problem 1: hourlytraffic table will get huge!!! With millions and millions of rows. You won't be able to delete any data from that table since "delete from hourlytraffic where ..." will lock the table for a while.

Solution 1: Use new mysql 5.1 partitioned tables. You can partition your hourly/sessionlogs/daily tables based on months/weeks or days ... and drop an old partition instead of deleting data.

Problem 2: sometimes (very very rare) I get packets in wrong order. For example I get packet with 2GB traffic and another one with 1.9GB. If you just subtract them in your stored procedure, you end up with a negative number or, if you are not using signed variables, you end up with a huge number. No idea why I get these packets from time to time.

Solution 2: always make sure the packet you receive is in the right order. If it is not, drop it!

I hope this helps

cheers,
parham

-Original Message-
From: freeradius-users-bounces+p_beheshti=rasana@lists.freeradius.org on behalf of ahmed adel
Sent: Sun 2/15/2009 12:43 PM
To: FreeRadius users mailing list
Subject: Re: Using accounting data for quotas

> I have implemented quota service based on Freeradius before, and I think that it is close to what you are looking for except that in my case there was a required action. Anyway it is normal that session remain open for long time so if using SQL you can have a trigger on the accounting table to update another table with a summary of the total bandwidth used for each user and this is available for MySQL and MSSQL. As for simultaneous you can disable that using simultaneous-use option. Also it is normal that the updates come in different times but the trigger on the database will solve this issue. For the traffic counters there are two approaches: one is that your network equipment supports sending what is called Giga-Word counter, which is a counter that tells you how many times the counter has rolled over; if not you will have to handle this in your SQL statement and this is by keeping the last update in a field in the database and on the new update compare the new update with the previous one and if the previous one is bigger just by simple math compensate for the difference. For the last point also the trigger on the database will solve it as you will have another table to hold the history in.
>
> Best Regards
> Ahmed Adel
>
> From: Jonathan Gazeley jonathan.gaze...@bristol.ac.uk
> To: freeradius-users@lists.freeradius.org
> Sent: Friday, February 13, 2009 12:56:14 PM
> Subject: Using accounting data for quotas
>
>> I'm trying to find a way to extract useful data from accounting logs to use towards a quota. I'm a bit stuck and I'm wondering if anyone has tried anything similar with success. Let me explain...
>>
>> My accounting logs are sent to SQL with the inner ID. Periodically, the NAS updates the accounting record with total of upload and download during that session. I've tweaked the FR queries so they also update a new field called 'lastupdatetime'.
>>
>> I want to write an hourly script that will tell me (eg in a CSV file) how much traffic has been done for each username (not necessarily each session) during the last hour. Clearly this will take some sort of hourly summary that can be compared each hour. But it is still not straightforward:
>>
>> - Some sessions remain open for weeks.
>> - Some users have multiple simultaneous or multiple sequential sessions.
>> - The updates come in at different times.
>> - The traffic counters will roll over from time to time.
>> - It's not possible to query hourly on how much traffic the user has used since forever, because records older
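The three accounting problems this thread circles around (32-bit octet counters that roll over, interim updates that arrive out of order, and several sessions per user that must be summed per user) can be shown in a few lines of Python. This is an added example, not code from the thread or from FreeRADIUS; parham's design uses MySQL stored procedures, and this block only models the per-update arithmetic those procedures would do. The `UsageTracker` class, the `run_sample` helper and the interim-update rows are all constructed for the demonstration; the rollover handling follows the Acct-Input-Gigawords / Acct-Output-Gigawords attributes of RFC 2869, where one gigaword is 2^32 octets.

```python
"""Per-user traffic accounting from RADIUS Interim-Update packets (added example)."""
from collections import defaultdict

GIGAWORD = 1 << 32  # Acct-*-Gigawords counts 2**32-octet wraps of the 32-bit counter


def total_octets(octets, gigawords):
    """Combine a 32-bit Acct-*-Octets value with its Acct-*-Gigawords high word."""
    return gigawords * GIGAWORD + octets


class UsageTracker:
    """Credits each interim update's delta to the user, dropping reordered packets."""

    def __init__(self):
        self.last = {}                 # Acct-Session-Id -> last 64-bit total seen
        self.usage = defaultdict(int)  # User-Name -> octets credited so far
        self.dropped = []              # session ids whose update went backwards

    def update(self, user, session_id, in_octets, in_gw, out_octets, out_gw):
        """Apply one Interim-Update; return the octets credited to the user."""
        now = total_octets(in_octets, in_gw) + total_octets(out_octets, out_gw)
        prev = self.last.get(session_id)
        if prev is None:
            delta = now            # first update: whole running total is new traffic
        elif now < prev:
            # Counter went backwards: a late or reordered packet. Drop it, as
            # the thread recommends, instead of producing a negative delta.
            self.dropped.append(session_id)
            return 0
        else:
            delta = now - prev
        self.last[session_id] = now
        self.usage[user] += delta
        return delta


def quota_exceeded(tracker, user, limit_octets):
    """True once the user's credited usage is over the plan limit."""
    return tracker.usage[user] > limit_octets


# Constructed sample: two sessions for "alice", one input-counter rollover into
# Gigawords, and one stale packet that arrives after a newer one.
SAMPLE_UPDATES = [
    # (User-Name, Acct-Session-Id, in_octets, in_gigawords, out_octets, out_gigawords)
    ("alice", "s1", 1_000_000, 0, 2_000_000, 0),
    ("alice", "s2", 500_000, 0, 500_000, 0),
    ("alice", "s1", 4_294_000_000, 0, 3_000_000, 0),
    ("alice", "s1", 1_000_000, 1, 3_500_000, 0),      # input counter wrapped, Gigawords=1
    ("alice", "s1", 4_294_500_000, 0, 3_400_000, 0),  # stale update delivered late
    ("alice", "s2", 600_000, 0, 700_000, 0),
]


def run_sample():
    """Feed the constructed updates through a tracker and return it."""
    tracker = UsageTracker()
    for row in SAMPLE_UPDATES:
        tracker.update(*row)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for name, octets in t.usage.items():
        print(f"{name}: {octets} octets; over 25 GB: {quota_exceeded(t, name, 25 * 10**9)}")
    print("dropped out-of-order updates:", t.dropped)
```

Because the tracker keys on Acct-Session-Id and sums into User-Name, long-lived sessions and multiple concurrent sessions both fall out naturally; an hourly job only needs to snapshot `usage` and diff it against the previous snapshot.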
RES: No authenticate method using Mysql
I have copied the file of the default virtual server to my virtual server file and edited it. Then I disabled the default Virtual server.

Pedro Mazzoni
Information Technology
intelitiva.com
+55 21 3553-1947 / +55 21 9354-2234
pedro.mazz...@intelitiva.com
Rua da Assembléia, 10 - Sl. 2213
Centro, Rio de Janeiro - CEP 20011-901

-Original Message-
From: freeradius-users-bounces+pedro.mazzoni=intelitiva@lists.freeradius.org [mailto:freeradius-users-bounces+pedro.mazzoni=intelitiva@lists.freeradius.org] On behalf of t...@kalik.net
Sent: Monday, 16 February 2009 19:24
To: FreeRadius users mailing list
Subject: Re: No authenticate method using Mysql

>> I am trying to use mysql and Freeradius for AAA. The communication between freeradius and mysql server seems OK, since Freeradius is getting the clients from radclients table. When I do a test from the command line:
>>
>> radtest user1 pass localhost 1812 shared
>>
>> I got the output:
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 56962, id=152, length=57
>>     User-Name = user1
>>     User-Password = pass
>>     NAS-IP-Address = 127.0.1.1
>>     NAS-Port = 1812
>> Mon Feb 16 17:22:09 2009 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>> Mon Feb 16 17:22:09 2009 : Info: Failed to authenticate the user.
>> Mon Feb 16 17:22:09 2009 : Info: Using Post-Auth-Type Reject
>> Mon Feb 16 17:22:09 2009 : Debug: WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
>> Mon Feb 16 17:22:09 2009 : Info: Delaying reject of request 1 for 1 seconds
>> Mon Feb 16 17:22:09 2009 : Debug: Going to the next request
>> Mon Feb 16 17:22:09 2009 : Debug: Waking up in 0.9 seconds.
>> Mon Feb 16 17:22:11 2009 : Info: Sending delayed reject for request 1
>> Sending Access-Reject of id 152 to 127.0.0.1 port 56962
>> Mon Feb 16 17:22:11 2009 : Debug: Waking up in 4.9 seconds.
>>
>> Following is my configuration file (please note that this is only the file in sites-available dir, not radiusd.conf):
>
> What happened to the default virtual server?
>
> Ivan Kalik
> Kalik Informatika ISP
Re: RES: No authenticate method using Mysql
> I have copied the file of the default virtual server to my virtual server file and edited it. Then I disabled the default Virtual server.

And did you enable the new one? Read the README file in raddb/sites-available in order to find out how to fix/add listen section in order to make this work.

Why did you disable default server? You have made the copy. So keep the copy and play with the one named default. If you mess up you can rename/copy the copy.

Ivan Kalik
Kalik Informatika ISP
Re: wimax.c
dave anderson wrote:
> Wimax.c needs a small fix in order to print the right debug message content.

Fixed, thanks.

Alan DeKok.
Freeradius with OpenLDAP and AD.
Hi,

I have several problems when I would like to link freeradius with AD using OpenLDAP. When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after). But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject.

Things I changed:

- modules/ldap:

ldap {
    server = test.fr
    identity = cn=bindradius,cn=Users,dc=test,dc=fr
    password = bindradius
    basedn = cn=Users,dc=test,dc=fr
    filter = (samaccountname=%{User-Name})
    ..
    password_attribute = userPassword
}

- sites-enabled/default, inner-tunnel:

authorize {
    ..
    # uncommented:
    ldap
    ..
}

authenticate {
    ..
    # uncommented:
    Auth-Type LDAP {
        ldap
    }
}

Thanks for your help

- Radtest: -

r...@freeradius:~# radtest philippe philippe localhost 0 testing123
Sending Access-Request of id 50 to 127.0.0.1 port 1812
    User-Name = philippe
    User-Password = philippe
    NAS-IP-Address = 192.168.1.3
    NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=50, length=20

- Freeradius log with radtest: -

rad_recv: Access-Request packet from host 127.0.0.1 port 47525, id=50, length=60
    User-Name = philippe
    User-Password = philippe
    NAS-IP-Address = 192.168.1.3
    NAS-Port = 0
[..]
Tue Feb 17 15:38:25 2009 : Info: [ldap] performing user authorization for philippe
Tue Feb 17 15:38:25 2009 : Info: [ldap] expand: (samaccountname=%{User-Name}) - (samaccountname=philippe)
Tue Feb 17 15:38:25 2009 : Info: [ldap] expand: cn=Users,dc=test,dc=fr - cn=Users,dc=test,dc=fr
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: attempting LDAP reconnection
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 0
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as cn=bindradius,cn=Users,dc=test,dc=fr/bindradius to test.fr:389
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: performing search in cn=Users,dc=test,dc=fr, with filter (samaccountname=philippe)
Tue Feb 17 15:38:25 2009 : Info: [ldap] looking for check items in directory...
Tue Feb 17 15:38:25 2009 : Info: [ldap] looking for reply items in directory...
Tue Feb 17 15:38:25 2009 : Debug: WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authorized to use remote access
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Tue Feb 17 15:38:25 2009 : Info: ++[ldap] returns ok
[..]
Tue Feb 17 15:38:25 2009 : Info: Found Auth-Type = LDAP
Tue Feb 17 15:38:25 2009 : Info: +- entering group LDAP {...}
Tue Feb 17 15:38:25 2009 : Info: [ldap] login attempt by philippe with password philippe
Tue Feb 17 15:38:25 2009 : Info: [ldap] user DN: CN=philippe,CN=Users,DC=test,DC=fr
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: (re)connect to test.fr:389, authentication 1
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully
[..]
Sending Access-Accept of id 50 to 127.0.0.1 port 47525

- With a real supplicant: -

Tue Feb 17 15:40:50 2009 : Debug: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1024, id=5, length=202
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.1.1
    NAS-Identifier = SWiTCH
    User-Name = philippe
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 21
    NAS-Port-Type = Ethernet
    NAS-Port-Id = 21
    Called-Station-Id = 00-13-21-a8-24-40
    Calling-Station-Id = 00-15-c5-06-84-d8
    Connect-Info = CONNECT Ethernet 100Mbps Full duplex
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 4
    EAP-Message =
Re: Freeradius with OpenLDAP and AD.
> Hi, I have several problems when I would like to link freeradius with AD using OpenLDAP.

Look up http://deployingradius.com/documents/configuration/active_directory.html to see how to integrate with AD for pap and mschap/PEAP.

> When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after).

Yes.

> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
> Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully

Ldap bind as user works for pap requests. And nothing else. This is documented in ldap module configuration file.

> But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject.

EAP-MD5 authentication requires clear text password:

http://deployingradius.com/documents/protocols/compatibility.html

AD is not going to provide it via ldap. You can't use AD to authenticate with EAP-MD5. Obtaining a reversibly encrypted password from AD is proprietary MS stuff. You need IAS for that plus to enable reversible passwords for your users in Remote Access Policy. If this wasn't enabled already, reversible passwords will be created next time user changes the password (i.e. all users will most likely need to enter new passwords).

Ivan Kalik
Kalik Informatika ISP
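Why an LDAP bind proves nothing for EAP-MD5 is easiest to see in the arithmetic. With PAP (or the bind-as-user test above) the password itself travels in the request, so the server can check it against any one-way hash it holds. With EAP-MD5 the peer sends only MD5(Identifier || password || Challenge), the CHAP computation of RFC 1994 that RFC 3748 reuses, and the only way to verify that is to recompute it from the clear-text password. The block below is an added example, not code from the thread or from FreeRADIUS: the `{SSHA}` helper, the identifier, the challenge bytes and the password are constructed for the demonstration, and `eap_md5_verify` stands in for what rlm_eap's MD5 handler must be able to do.

```python
"""PAP vs EAP-MD5: what the server must hold to verify each (added example)."""
import base64
import hashlib
import hmac


def eap_md5_response(identifier, password, challenge):
    """Value carried in EAP-Response/MD5-Challenge: MD5(Identifier | secret | Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def eap_md5_verify(identifier, cleartext_password, challenge, response):
    """Server side of EAP-MD5: recompute the digest, which needs the clear-text password."""
    expected = eap_md5_response(identifier, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def make_ssha(password, salt):
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw|salt) | salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def pap_verify(password_from_request, stored_ssha):
    """Server side of PAP: the request carries the password, so a one-way hash suffices."""
    raw = base64.b64decode(stored_ssha[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password_from_request + salt).digest(), digest)


# Constructed demonstration values (not real credentials)
PASSWORD = b"demo-password"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 5
STORED = make_ssha(PASSWORD, b"salt")   # what a directory like OpenLDAP would hold


def demo():
    """Run both verifications; the dict shows which inputs each one needs."""
    response = eap_md5_response(IDENT, PASSWORD, CHALLENGE)   # what the supplicant sends
    return {
        # PAP: the hash alone is enough on the server side.
        "pap_against_hash": pap_verify(PASSWORD, STORED),
        # EAP-MD5: works only with the clear-text password ...
        "eapmd5_with_cleartext": eap_md5_verify(IDENT, PASSWORD, CHALLENGE, response),
        # ... and fails with the wrong password ...
        "eapmd5_wrong_password": eap_md5_verify(IDENT, b"other", CHALLENGE, response),
        # ... or when all the server has is the stored hash, which is the AD-over-LDAP case.
        "eapmd5_hash_only": eap_md5_verify(IDENT, STORED.encode(), CHALLENGE, response),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accept' if ok else 'reject'}")
```

The last entry is the situation in this thread: a directory that will bind with the password but never returns it leaves the server with nothing it can feed into the MD5 computation, so EAP-MD5 (and, for the same reason, MS-CHAP, which needs the NT hash of the password) cannot be backed by an LDAP bind.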
Re: Freeradius with OpenLDAP and AD.
Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day?

On Tue, Feb 17, 2009 at 8:55 AM, t...@kalik.net wrote:
>> Hi, I have several problems when I would like to link freeradius with AD using OpenLDAP.
>
> Look up http://deployingradius.com/documents/configuration/active_directory.html to see how to integrate with AD for pap and mschap/PEAP.
>
>> When I tried to test the binding of OpenLDAP to the AD with radtest, it responds Access-Accept (as you can see in the log after).
>
> Yes.
>
>> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: bind as CN=philippe,CN=Users,DC=test,DC=fr/philippe to test.fr:389
>> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: waiting for bind result ...
>> Tue Feb 17 15:38:25 2009 : Debug: rlm_ldap: Bind was successful
>> Tue Feb 17 15:38:25 2009 : Info: [ldap] user philippe authenticated succesfully
>
> Ldap bind as user works for pap requests. And nothing else. This is documented in ldap module configuration file.
>
>> But when I wanted to check with a real supplicant (under WinXP with MD5-Challenge Auth) I got an access-reject.
>
> EAP-MD5 authentication requires clear text password:
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> AD is not going to provide it via ldap. You can't use AD to authenticate with EAP-MD5. Obtaining a reversibly encrypted password from AD is proprietary MS stuff. You need IAS for that plus to enable reversible passwords for your users in Remote Access Policy. If this wasn't enabled already, reversible passwords will be created next time user changes the password (i.e. all users will most likely need to enter new passwords).
>
> Ivan Kalik
> Kalik Informatika ISP
RE: wimax.c
I would like to write the Wimax Freeradius Wiki but need an account. Can you help me get a log in.

-Original Message-
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: February 17, 2009 6:15 AM
To: FreeRadius users mailing list
Subject: Re: wimax.c

> dave anderson wrote:
>> Wimax.c needs a small fix in order to print the right debug message content.
>
> Fixed, thanks.
>
> Alan DeKok.
Re: Freeradius with OpenLDAP and AD.
> Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day?

No. Kerberos requires clear text passwords in the request. EAP-MD5 doesn't provide them. EAP-TTLS PAP will work - but native XP supplicant doesn't support that. You can get SecureW2 to do it.

Ivan Kalik
Kalik Informatika ISP
RE: FreeRADIUS EAP-TLS and SSL certificate chains
>>> Remember when you put your Root CA file (and perhaps the CRL for that CA) into your certificate directory, and ran 'c_rehash cert directory'?
>>
>> If you mean when I installed ssl certs for Apache, I never did this. I simply put the server cert and the chain file on the server, then configured mod_ssl with 2 required parameters - CertificateFile and CertificateChainFile. No (re)hashing was required.
>
> Well - it's just like that. You might have had RootCA.pem with the Verisign CA certificate. Personally - I like to have a separate file for each intermediate CA certificate in the chain.

What I've got currently can be up to 3 files. Firstly, the server certificate itself, which has been signed by Verisign's Intermediate CA, then the cert for said Intermediate CA, and finally the root cert used to sign the Intermediate CA.

My current setup is with the server cert in a file on its own (jrs-radius02.pem is the cert, jrs-radius02.key is the keyfile), and the intermediate and root certs in the same file (verisign.pem; intermediate cert at the top, root cert at the bottom). I then have the following config lines in the tls section of eap.conf for FreeRADIUS to reference these files:

private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
CA_file = ${certdir}/jrs-radius02/verisign.pem

> When you think you are done - you can test the validity of your new certificate like this:
>
> openssl verify -crl_check -CApath certificate path /path/to/certificate-file/server.pem.cert

I've actually dropped the -crl_check from this test, as I'm not doing crl checking within FreeRADIUS until I've got it working without it. Also, this command didn't seem to work when my verisign.pem contained more than 1 cert, even after a c_rehash; it only worked if all the certs were in individual files:

jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem
jrs-radius02.pem: OK

As such, I also tried commenting out CA_file in eap.conf and instead having:

CA_path = ${certdir}/jrs-radius02/

With all my certs in individual files, but that gave the same behaviour, i.e. that on my client it shows me the certificate it got passed, for the jrs-radius02 server, but it doesn't have a certificate chain back to a known trusted root.

> Hope this helps. Give it a go and let us know if you have any problems.

This still appears to be failing to pass the certificate chain. The root cert *definitely* exists on my test client (I extracted it from there and diffed it with the one on the server). If I install the intermediate cert on the client, then everything works fine (but I don't want to have to try and get my users to understand the process of installing a cert before getting online). However when Windows XP prompts me to accept the certificate FreeRADIUS is handing out it doesn't have any chain listed at all, so I assume it is still not being handed that Intermediate cert.

Thanks very much for the help so far. Any more would be greatly appreciated. I can attach full config files if you think that would be helpful.

Dan

On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan d.mey...@lancaster.ac.uk wrote:
> I'm sure I must just be being thick with our FreeRADIUS config, but I've completely failed to find anything online or in the docs explaining *what* I'm doing wrong, so I'm posting here.
>
> We've had a FreeRADIUS server set up for some time now, with an SSL certificate directly signed by one of Verisign's root CAs, for the purposes of doing EAP-TLS domain auth. This worked fine on both FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a month, and it would appear no one issues root signed certs any more, they're all cert chains.
>
> Obviously with things like apache this is fine, as you install the chain bundle file at the same time as your actual cert, and the chain gets passed to the client, who follows it to a root CA they do already trust. I'm having trouble working out how to do this with FreeRADIUS however.
>
> All the info I can find suggests that if I edit my certificate file so that it contains multiple certs, from least trusted at the top (my server cert) down the chain and file to the one which has been signed by a root CA the user's machine will already trust, then machines will follow the chain as expected and accept the certificate. However if I do this, and have a chain file of the same format as I use successfully on the web server (i.e. multiple BEGIN and END blocks with a single cert between each pair), then my client machines still fail to pick up the chain, and thus can't validate the certificate.
>
> Am I missing something blindingly obvious with regards to how to do certificate chains in FreeRADIUS? If so, please tell me what.
>
> Thanks
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> What I've got currently can be up to 3 files. Firstly, the server certificate itself, which has been signed by Verisign's Intermediate CA, then the cert for said Intermediate CA, and finally the root cert used to sign the Intermediate CA.
>
> My current setup is with the server cert in a file on its own (jrs-radius02.pem is the cert, jrs-radius02.key is the keyfile), and the intermediate and root certs in the same file (verisign.pem; intermediate cert at the top, root cert at the bottom). I then have the following config lines in the tls section of eap.conf for FreeRADIUS to reference these files:
>
> private_key_file = ${certdir}/jrs-radius02/jrs-radius02.key
> certificate_file = ${certdir}/jrs-radius02/jrs-radius02.pem
> CA_file = ${certdir}/jrs-radius02/verisign.pem
>
>> When you think you are done - you can test the validity of your new certificate like this:
>>
>> openssl verify -crl_check -CApath certificate path /path/to/certificate-file/server.pem.cert
>
> I've actually dropped the -crl_check from this test, as I'm not doing crl checking within FreeRADIUS until I've got it working without it. Also, this command didn't seem to work when my verisign.pem contained more than 1 cert, even after a c_rehash; it only worked if all the certs were in individual files:
>
> jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem
> jrs-radius02.pem: OK

What? openssl verify -CAfile verisign.pem jrs-radius02.pem isn't working? Then something is wrong with your chain file. Check that you are using the correct root certificate and cat certificates again in a new bundle.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius with OpenLDAP and AD.
SDamron wrote:
> Would Kerberos authentication work with AD and EAP, or am I thinking too early in the day?

It won't work.

Alan DeKok.
Re: wimax.c
dave anderson wrote:
> I would like to write the Wimax Freeradius Wiki but need an account. Can you help me get a log in.

Account creation was disabled to prevent spammers. I've mailed you information privately.

Alan DeKok.
RE: FreeRADIUS EAP-TLS and SSL certificate chains
>> I've actually dropped the -crl_check from this test, as I'm not doing crl checking within FreeRADIUS until I've got it working without it. Also, this command didn't seem to work when my verisign.pem contained more than 1 cert, even after a c_rehash; it only worked if all the certs were in individual files:
>>
>> jrs-radius02:/etc/freeradius/certs/jrs_radius02# openssl verify -CApath . jrs-radius02.pem
>> jrs-radius02.pem: OK
>
> What? openssl verify -CAfile verisign.pem jrs-radius02.pem isn't working? Then something is wrong with your chain file. Check that you are using the correct root certificate and cat certificates again in a new bundle.

OK, got this bit sorted, which was me being a tool. I was using vim, and hadn't noticed one file was being opened in dos mode and the other in unix. As soon as I catted them together instead of copy-pasting between terminals I saw that the root block was ending lines with ^M. Converted that to unix format, re-catted the two into my ca pem file, and openssl is now happy with a file containing multiple certs and validates the chain.

My client is still giving the same behaviour of not getting the certificate chain, however. I did wonder if Windows was being daft, and resaved the ca file so all certs within it were in dos format instead of unix. After another rehash openssl still verified the chain fine, but my client is still not playing ball.

Dan
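The failure Dan tracked down here, a bundle whose blocks use different line endings after pasting between terminals, is cheap to catch before `openssl verify` ever runs. The block below is an added example, not code from the thread or from FreeRADIUS: it splits a concatenated PEM bundle into its certificate blocks, reports which blocks carry CRLF (the `^M` endings seen in vim's dos mode), rejects lines that are not base64 inside a block, and returns a normalised bundle with uniform LF endings. The bundle text is constructed, with placeholder bodies rather than real certificates, so the structural checks run offline; the cryptographic chain check (correct intermediate and root, as Ivan says) still belongs to `openssl verify -CAfile`.

```python
"""Structural checks on a concatenated PEM CA bundle (added example)."""
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BASE64_LINE = re.compile(r"[A-Za-z0-9+/=]+")


def split_pem_blocks(text):
    """Return [(body_lines, uses_crlf), ...] for each certificate block in the bundle.

    Raises ValueError on an unterminated block or on junk inside a block, the
    two things that make OpenSSL stop reading a bundle part-way through.
    """
    blocks, body, inside, crlf = [], [], False, False
    for raw in text.split("\n"):
        has_cr = raw.endswith("\r")
        line = raw.rstrip("\r")
        if line == BEGIN:
            inside, body, crlf = True, [], has_cr
        elif line == END:
            if not inside:
                raise ValueError("END CERTIFICATE without a matching BEGIN")
            blocks.append((body, crlf or has_cr))
            inside = False
        elif inside:
            crlf = crlf or has_cr
            if not BASE64_LINE.fullmatch(line):
                raise ValueError(f"non-base64 line inside certificate block: {line!r}")
            body.append(line)
    if inside:
        raise ValueError("BEGIN CERTIFICATE without a matching END")
    return blocks


def report(text):
    """Summarise a bundle: number of blocks and the indexes of any CRLF blocks."""
    blocks = split_pem_blocks(text)
    return {"blocks": len(blocks),
            "crlf_blocks": [i for i, (_, uses_crlf) in enumerate(blocks) if uses_crlf]}


def normalise_bundle(text):
    """Rewrite every block with LF endings and nothing between the blocks."""
    out = []
    for body, _ in split_pem_blocks(text):
        out.append(BEGIN)
        out.extend(body)
        out.append(END)
    return "\n".join(out) + "\n"


# Constructed sample: intermediate saved in unix format, root pasted in from a
# dos-mode editor. The base64 bodies are placeholders, not real certificates.
INTERMEDIATE_UNIX = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBintermediatePLACEHOLDER==\n"
    "-----END CERTIFICATE-----\n"
)
ROOT_DOS = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIBrootPLACEHOLDER==\r\n"
    "-----END CERTIFICATE-----\r\n"
)
MIXED_BUNDLE = INTERMEDIATE_UNIX + ROOT_DOS


if __name__ == "__main__":
    print("before:", report(MIXED_BUNDLE))
    fixed = normalise_bundle(MIXED_BUNDLE)
    print("after: ", report(fixed))
```

Run on a real `verisign.pem` the report tells you at once whether every block was written the same way; only after `crlf_blocks` is empty is `openssl verify -CAfile verisign.pem jrs-radius02.pem` a meaningful test of the chain itself.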
newbie question for freeradius
Hi all:

I would like to use unix file /etc/passwd to authenticate users on my routers and somehow it always fails:

rad_recv: Access-Request packet from host 192.168.10.101:61706, id=153, length=53
    User-Name = tester
    User-Password = test
    NAS-Identifier = lab_1
    NAS-IP-Address = 192.168.6.1
rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
rlm_unix: GID too long in line: # $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
rlm_unix: [test]: invalid password
rad_recv: Access-Request packet from host 192.168.10.101:61706, id=153, length=53
Sending Access-Reject of id 153 to 192.168.10.101 port 61706

Here is the config for users:

DEFAULT Auth-Type = System
    Fall-Through = 1

I have user tester in /etc/passwd with password test in the freebsd box.

Thanks in advance

--
View this message in context: http://www.nabble.com/newbie-question-for-freeradius-tp22063719p22063719.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: newbie question for freeradius
ipfreak wrote:
> i would like to use unix file /etc/passwd to authenticate users on my routers and somehow it always fails:

Because you broke the passwd file.

> rad_recv: Access-Request packet from host 192.168.10.101:61706, id=153, length=53
>     User-Name = tester
>     User-Password = test
>     NAS-Identifier = lab_1
>     NAS-IP-Address = 192.168.6.1
> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
> rlm_unix: GID too long in line: # $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $

Wow... the passwd file does *not* allow comments. Whatever prompted you to add them? And that message should be pretty clear to anyone prepared to read it.

Alan DeKok.
RE: FreeRADIUS EAP-TLS and SSL certificate chains
> My client is still giving the same behaviour of not getting the certificate chain, however.

OK. So which certificate signed the client certificate?

Ivan Kalik
Kalik Informatika ISP
Re: newbie question for freeradius
Hi Alan,

FreeBSD's /etc/master.passwd file always has a comment at the top starting with a # which means ignore the line.

Regards
--jm

On 17 Feb 2009, at 8:52 PM, Alan DeKok wrote:
> ipfreak wrote:
>> i would like to use unix file /etc/passwd to authenticate users on my routers and somehow it always fails:
>
> Because you broke the passwd file.
>
>> rad_recv: Access-Request packet from host 192.168.10.101:61706, id=153, length=53
>>     User-Name = tester
>>     User-Password = test
>>     NAS-Identifier = lab_1
>>     NAS-IP-Address = 192.168.6.1
>> rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.
>> rlm_unix: GID too long in line: # $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
>
> Wow... the passwd file does *not* allow comments. Whatever prompted you to add them? And that message should be pretty clear to anyone prepared to read it.
>
> Alan DeKok.
Re: newbie question for freeradius
Jacques Marneweck wrote:
> FreeBSD's /etc/master.passwd file always has a comment at the top starting with a # which means ignore the line.

That is non-standard... Anyways... if you're getting that message, it's because:

1) you're using a very old version of the server AND
   a) you edited the configuration files to enable the rlm_unix cache

OR

2) you're using 2.x, and the FreeBSD libc is refusing to parse that line of the passwd file, and is returning that message.

Alan DeKok.
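What a reader that does not know about comments makes of that FreeBSD header line is easy to reproduce. The block below is an added example, not code from the thread, from rlm_unix or from libc: `parse_passwd_line_strict` splits a seven-field /etc/passwd record on ':' and insists on numeric uid/gid, which is roughly the treatment Alan describes, and `parse_passwd` adds the comment skipping that FreeBSD's own tools apply. The sample file content is constructed, except for the `$FreeBSD$` header line, which is the one quoted in the log above; the password fields are placeholders. The exact wording of rlm_unix's "GID too long" message is not reproduced, only the fact that the strict reader rejects the line.

```python
"""Parsing /etc/passwd lines with and without comment handling (added example)."""
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


class PasswdError(ValueError):
    """Raised for a line that is not a valid seven-field passwd record."""


def parse_passwd_line_strict(line):
    """Split one record on ':' with no notion of comments, as a naive reader does."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise PasswdError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    if not uid.isdigit():
        raise PasswdError(f"UID not numeric in line: {line!r}")
    if not gid.isdigit():
        raise PasswdError(f"GID not numeric in line: {line!r}")
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text, skip_comments=True):
    """Parse a whole file; with skip_comments=False behaves like the strict reader."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if skip_comments and line.startswith("#"):
            continue  # FreeBSD's header line and any other comment
        entries.append(parse_passwd_line_strict(line))
    return entries


def lookup(entries, name):
    """Return the entry for a user name, or None when absent."""
    return next((e for e in entries if e.name == name), None)


def strict_reader_rejects(text):
    """True if a reader without comment handling fails on this file."""
    try:
        parse_passwd(text, skip_comments=False)
    except PasswdError:
        return True
    return False


# Constructed sample file; the first line is the header quoted in the thread.
# Password fields are placeholders, not real hashes.
SAMPLE_PASSWD = """# $FreeBSD: src/etc/master.passwd,v 1.40.18.1 2008/11/25 02:59:29 kensmith Exp $
root:*:0:0:Charlie &:/root:/bin/csh
tester:*:1001:1001:Test User:/home/tester:/bin/sh
"""


if __name__ == "__main__":
    print("strict reader rejects the file:", strict_reader_rejects(SAMPLE_PASSWD))
    print("with comment skipping:", [e.name for e in parse_passwd(SAMPLE_PASSWD)])
```

The point for the original poster is that the same file succeeds or fails depending only on whether the reader tolerates the comment line; a reader that does not will stop at the header before it ever reaches the `tester` record.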
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan DeKok wrote:
> Fabiano wrote:
>> Can you point me to a document or website where the following mechanism is described well? i.e.
>>
>> MSCHAPv2 Radius Client - Freeradius does the MSCHAPv2 challenge? - auth is delegated to external script receiving attributes like username and password in clear - external script gives the auth ok answer - Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
>
> MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.
>
>> Ok, thanks. The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script?
>
> No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.
>
>> Concerning the cleartext password; in your previous message, you say: get it from somewhere but I can't figure out how...
>
> A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.

You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db? Is this the only way?

Thanks again!

> Alan DeKok.
linking gdbm_compat in rlm_dbm
I've noticed that the check that the ./configure script does in order to find out if gdbm is used only tries to link with gdbm_compat. But the man page of gdbm says:

    If you wish to use the dbm or ndbm compatibility routines, you must link in the gdbm_compat library as well. For example:

        gcc -o prog proc.c -lgdbm -lgdbm_compat

and indeed on any vanilla system this is the case. Debian, OTOH, have patched their libgdbm_compat.

--
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Fabiano wrote:
> > A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.
>
> You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let FreeRADIUS check the db? Is this the only way?

It would help if you described what you are trying to do, and why.

Alan DeKok.
Re: Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan DeKok a écrit :
> Fabiano wrote:
> > > A database? You should know what the *correct* password is, otherwise you won't be able to authenticate the user.
> >
> > You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let FreeRADIUS check the db? Is this the only way?
>
> It would help if you described what you are trying to do, and why.

Alan,

I am using a firewall (m0n0.ch, based on FreeBSD) which has a PPTP server accepting only MSCHAPv2 auth. This PPTP server uses an internal database with flat files for authenticating VPN users but also offers auth through an external RADIUS server.

I thought that I could use the motp.sf.net project to make mobile clients (using cell phones and the J2ME applet) authenticate with this setup. The MOTP project offers a shell script named otverify.sh which expects some arguments to verify the client (Username, OTP, Init-Secret, PIN, Time Offset). Username and OTP are given by the VPN client; Init-Secret, PIN and Time Offset are specified in the RADIUS users file. Normally, this is done using xtradius, executing the script as an external application and giving the arguments to it. The script answers ACCEPT or FAIL for final auth. That's it.

I'm stuck here, having MSCHAPv2 clients and an auth script not usable with MSCHAPv2 auth. I have also tried this with the supplied PAM motp module, but as you said this is not possible. I had successful auths using radtest, but that's all... ;)

I think that what I will try is rewriting the script in Perl to generate the passwords every x seconds to a database and then make FreeRADIUS auth against the db entries. Do you think this is the best way?

Thanks again.

> Alan DeKok.
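The point Alan makes above (the server must know the correct password and does the MS-CHAP work itself) and the verifier Fabiano describes, shown together as an added example that is neither the motp.sf.net script nor FreeRADIUS code: the side holding Init-Secret, PIN and Time Offset derives the expected Mobile-OTP token for the current time step on its own, so nothing cleartext has to arrive from the client, and a replay check rejects a token that was already accepted. It assumes the Mobile-OTP construction MD5(str(epoch_seconds // 10) + init_secret + pin)[:6]; the window size and all sample values are constructed.

```python
import hashlib
import hmac

# Assumed Mobile-OTP construction (not taken from the thread or FreeRADIUS):
# token = first 6 hex characters of MD5(str(epoch_seconds // 10) + secret + pin).
# The 10-second step is the "every 10 seconds" mentioned in the thread.
STEP_SECONDS = 10
HEX_DIGITS = set("0123456789abcdef")


def motp_token(init_secret: str, pin: str, epoch_seconds: int) -> str:
    """Token for the 10-second step that contains epoch_seconds."""
    counter = epoch_seconds // STEP_SECONDS
    data = (str(counter) + init_secret + pin).encode("ascii")
    return hashlib.md5(data).hexdigest()[:6]


def verify_motp(init_secret: str, pin: str, submitted: str, now_epoch: int,
                time_offset: int = 0, window_steps: int = 18,
                last_counter: int = -1):
    """Check a submitted token against the steps around now_epoch + time_offset.

    time_offset is the per-user Time Offset from the users file.
    window_steps=18 means +/- 3 minutes (a constructed default, not a mOTP rule).
    last_counter is the step of the last token accepted for this user; a token
    from that step or earlier is refused so a captured token cannot be replayed
    inside the window. Returns (accepted, counter_to_remember).
    """
    submitted = submitted.strip().lower()
    if len(submitted) != 6 or not set(submitted) <= HEX_DIGITS:
        return False, last_counter          # malformed token, never a match
    base = (now_epoch + time_offset) // STEP_SECONDS
    for counter in range(base - window_steps, base + window_steps + 1):
        if counter <= last_counter:
            continue                        # already used or older than last use
        expected = motp_token(init_secret, pin, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Constructed sample values; T is a fixed epoch so the run is deterministic.
    SECRET, PIN, T = "3132333435363738", "1234", 1234972506
    tok = motp_token(SECRET, PIN, T)
    print(tok, verify_motp(SECRET, PIN, tok, T))
```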
RE: newbie question for freeradius
Thanks.

1) rlm unix cache is set to 0.
2) yes, I am using FreeBSD 7.1 and whatever version FreeBSD comes with.

What I really want to do is simple: just use the /etc/passwd file for authentication.

> Date: Tue, 17 Feb 2009 20:15:06 +0100
> From: al...@deployingradius.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: newbie question for freeradius
>
> Jacques Marneweck wrote:
> > FreeBSD's /etc/master.passwd file always has a comment at the top starting with a # which means ignore the line.
>
> That is non-standard... Anyways... if you're getting that message, it's because:
>
> 1) you're using a very old version of the server AND
>    a) you edited the configuration files to enable the rlm_unix cache
> OR
> 2) you're using 2.x, and the FreeBSD libc is refusing to parse that line of the passwd file, and is returning that message.
>
> Alan DeKok.
Re: newbie question for freeradius
ip freak wrote:
> Thanks.
> 1) rlm unix cache is set to 0.
> 2) yes, I am using FreeBSD 7.1 and whatever version FreeBSD comes with.
> What I really want to do is simple: just use the /etc/passwd file for authentication.

Then use the default configuration that comes with 1.1.X for the unix module. The ONLY way you get that error is if you edit the configuration files to do things that are NOT recommended.

In 1.1.7 (and many earlier versions) there are comments in radiusd.conf, in the configuration files, saying what NOT to do on FreeBSD. You seem to have done exactly what was NOT recommended. Why?

And why are you running 1.1.x? It is years out of date.

Alan DeKok.