Re: problem with eap-tls between FR and XP client

2009-05-07 Thread Alan DeKok
bLn wrote:
 I'm trying to connect a Windows XP client (also I'm trying with Vista)
 with freeradius with EAP-TLS. I made my set of certificates (from this
 site http://www.linuxjournal.com/node/8095/print)

  Why?  If you just start the server in debugging mode after you first
install it, it will create temporary certificates for you.  The
raddb/certs directory also has Makefiles and OpenSSL configuration files
that allow you to easily create certificates.

  Did you not see them when you edited the RADIUS configuration?

  Did you not see the *DOCUMENTATION* saying that this happened when you
edited the tls section of eap.conf ?

 When I try to connect with freeradius my log is this: (it's too long
 because I see the same request again and again)
 ...
 Sending Access-Challenge of id 171 to 10.0.0.1 port 3072
 EAP-Message = 0x0108000a0d80
 Message-Authenticator = 0x
 State = 0x2f6428b72c6c25c07b0fb3246e0f1a2d
 Finished request 12.
 Going to the next request
 Waking up in 0.8 seconds.
 Cleaning up request 0 ID 159 with timestamp +21

  Yes.  This is a common problem.  The discussion of the cause, and how
to fix it, is in the FAQ, and in the comments in eap.conf.

  Where should we put documentation so that you will READ it?
Apparently including it with the server doesn't help.


 I've tried with AP Mikrotiks too and I got the same error. I think
 freeradius is waiting for a response from the client and it never
 comes back, but I'm not sure.

  The reason is documented.  Lots.

  I've never been able to understand why people spend huge amounts of
time working with third-party web sites and guides that are YEARS out of
date, when they could just read the documentation included with the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Storing user MAC address after first auth

2009-05-07 Thread Tomas Mecir
Greetings !

I have the following situation here that I'd like to ask for some
assistance with, if possible:

My client has a RADIUS server installed (running freeRADIUS 2.0.5),
and routers working as hotspots that users can connect to. Users can
authorize against the RADIUS server using a name/password combination,
which is stored in a MySQL database (using the rlm_sql module and the
Cleartext-Password attribute in the radcheck table). This part works
correctly.

Now, my client wants an extra check to be added which would allow each
user to login only from a specific MAC address, which can be different
for each user, and which is obtained when the user logs in for the
first time. Checking the MAC address is easy, as the hotspot is
sending the MAC address in the Calling-Station-Id attribute that I
could easily store in the radcheck table as well - but the problem is
that this MAC address is not known when the name/password pair is
being added to the radcheck table, and I am to make it so that when
the user is successfully authorized for the first time, there is no
MAC check, but the user's current MAC address is remembered on the
server, and further logins are only permitted from that MAC address.

So, I am thinking that the best solution would be to have the RADIUS
server add a new (username), 'Calling-Station-Id', '=', (user's MAC)
entry to the radcheck table, right after a successful SQL auth step,
if such an entry isn't yet in the table.

And my question is - is there a way to accomplish this with existing
FreeRADIUS modules, or do I need to implement my own module to do this
?

Thank you !

/ Tomas


Re: Storing user MAC address after first auth

2009-05-07 Thread Arran Cudbard-Bell

On 7/5/09 10:18, Tomas Mecir wrote:

 [...]

 And my question is - is there a way to accomplish this with existing
 FreeRADIUS modules, or do I need to implement my own module to do this
 ?


You can do it with the policy language. But you'll need to upgrade to 
the latest version of the server.


I've attached an example (so my mail client doesn't wrap it). Make sure
you've defined always instances 'noop' and 'updated'.

Regards,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

Attachment:

    # Store the first Calling-Station-Id seen for a user as a radcheck
    # check item, so later logins are only accepted from that MAC.
    # Meant for post-auth, i.e. after authentication has succeeded.
    if ("%{sql:SELECT COUNT(*) FROM radcheck WHERE username = '%{SQL-User-Name}' AND attribute = 'Calling-Station-Id'}" == "0") {
        # No binding yet. In current releases the INSERT xlat expands to the
        # number of rows affected, so "1" means the row was written.
        if ("%{sql:INSERT INTO radcheck (username, attribute, op, value) VALUES ('%{SQL-User-Name}', 'Calling-Station-Id', '==', '%{Calling-Station-Id}')}" == "1") {
            updated
        }
        else {
            noop
        }
    }
    else {
        noop
    }
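The binding the policy above performs, as an added example that is not part of the thread and not FreeRADIUS code: a Python model over an in-memory SQLite copy of radcheck. It shows the first-login INSERT made atomic by a UNIQUE index (an assumption; the posted unlang does COUNT then INSERT, which two concurrent first logins can both pass), the exact-match check rlm_sql then enforces, and why Calling-Station-Id must be canonicalised before it is stored or compared, since different NAS vendors report 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 for the same card. Table layout, the sample user and the MAC values are constructed.

```python
"""Model of the first-login MAC binding from this thread.

Added example (not from the post, not FreeRADIUS code): an in-memory
SQLite copy of radcheck shows the atomic first-use INSERT, the check item
rlm_sql then enforces, and why Calling-Station-Id has to be canonicalised
before it is stored or compared.  Table layout, sample user and NAS
formats are constructed here.
"""
import re
import sqlite3

ATTR = "Calling-Station-Id"

# Six hex pairs with an optional '-', ':' or '.' between them, so
# 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and 001122334455
# all parse.  Anchored at the start and not followed by another hex digit:
# a ":SSID" suffix that some wireless NASes append is tolerated, a longer
# hex string is rejected.
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[-:.]?([0-9A-Fa-f]{2})[-:.]?([0-9A-Fa-f]{2})[-:.]?"
    r"([0-9A-Fa-f]{2})[-:.]?([0-9A-Fa-f]{2})[-:.]?([0-9A-Fa-f]{2})(?![0-9A-Fa-f])"
)


def normalize_mac(calling_station_id):
    """Canonical lower-case, colon-separated form, or None if not a MAC."""
    m = _MAC_RE.match(calling_station_id or "")
    return None if m is None else ":".join(g.lower() for g in m.groups())


def open_radcheck():
    """radcheck with the columns rlm_sql reads.  The UNIQUE index is an
    assumption: one check item per (user, attribute), which makes the
    first-use INSERT atomic and closes the COUNT-then-INSERT race."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radcheck (
            id        INTEGER PRIMARY KEY,
            username  TEXT NOT NULL,
            attribute TEXT NOT NULL,
            op        TEXT NOT NULL,
            value     TEXT NOT NULL
        );
        CREATE UNIQUE INDEX radcheck_user_attr ON radcheck (username, attribute);
    """)
    return db


def add_user(db, username, password):
    """Provisioning step from the post: name/password only, no MAC yet."""
    db.execute(
        "INSERT INTO radcheck (username, attribute, op, value) "
        "VALUES (?, 'Cleartext-Password', ':=', ?)", (username, password))
    db.commit()


def bind_first_mac(db, username, mac):
    """Post-auth step: 'updated' if the binding was created, 'noop' if one
    already existed (e.g. the second of two concurrent first logins)."""
    try:
        db.execute(
            "INSERT INTO radcheck (username, attribute, op, value) "
            "VALUES (?, ?, '==', ?)", (username, ATTR, mac))
        db.commit()
        return "updated"
    except sqlite3.IntegrityError:
        db.rollback()
        return "noop"


def login(db, username, password, calling_station_id):
    """One Access-Request.  Returns 'reject:<why>', 'accept:bound' (first
    login, binding created) or 'accept' (later login from the bound MAC)."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return "reject:no-mac"  # the policy cannot be enforced without one
    rows = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ?",
        (username,)).fetchall()
    checks = {attr: (op, value) for attr, op, value in rows}
    if checks.get("Cleartext-Password", (None, None))[1] != password:
        return "reject:bad-password"  # unknown user or wrong password
    op, bound = checks.get(ATTR, (None, None))
    if op == "==" and bound != mac:  # exact string compare, as rlm_sql does
        return "reject:mac-mismatch"
    return "accept:bound" if bind_first_mac(db, username, mac) == "updated" else "accept"


def demo():
    """Constructed run: one user seen from three NAS formats, one stranger."""
    db = open_radcheck()
    add_user(db, "tomas", "s3cret")
    return [
        login(db, "tomas", "s3cret", "00-11-22-33-44-55"),    # first login: binds
        login(db, "tomas", "s3cret", "00:11:22:33:44:55"),    # same MAC, other NAS format
        login(db, "tomas", "s3cret", "0011.2233.4466"),       # a different laptop
        login(db, "tomas", "wrong", "00-11-22-33-44-55"),     # binding is left untouched
        login(db, "mallory", "s3cret", "00-11-22-33-44-55"),  # unknown user
        login(db, "tomas", "s3cret", "not-a-mac"),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two things to carry over to a real deployment: normalise the attribute in both the storing and the checking path (later 2.x releases ship a rewrite_calling_station_id policy in policy.conf for this; check the one in your version), and remember that Calling-Station-Id is whatever the NAS reports and a client can set its own MAC, so this binds a MAC, not a machine. It raises the bar for credential sharing; it is not device authentication.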

Re: Storing user MAC address after first auth

2009-05-07 Thread Arran Cudbard-Bell

On 7/5/09 10:18, Tomas Mecir wrote:

 [...]

 And my question is - is there a way to accomplish this with existing
 FreeRADIUS modules, or do I need to implement my own module to do this
 ?


Nope, that's trivial, but you'll need to upgrade to the latest version of
FR. As you're using MySQL you can use a bit of MySQL specific syntax.










Re: Storing user MAC address after first auth

2009-05-07 Thread Arran Cudbard-Bell



 You can do it with the policy language. But you'll need to upgrade to
 the latest version of the server.

 I've attached an example (so my mail client doesn't wrap it). Make sure
 you've defined always instances 'noop' and 'updated'.

Sorry, take that first ! out, and ignore the duplicate reply. Low coffee day.




Re: Storing user MAC address after first auth

2009-05-07 Thread Tomas Mecir
2009/5/7 Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk:
 You can do it with the policy language. But you'll need to upgrade to the
 latest version of the server.

 I've attached an example (so my mail client doesn't wrap it). Make sure
 you've defined always instances 'noop' and 'updated'.

Excellent, thank you, works like a charm ! Didn't even have to upgrade
the radius server, it works on the existing 2.0.5 installation with no
problems.

Many thanks for your help !

/ Tomas


FreeRadius and logwatch

2009-05-07 Thread Matthieu Lazaro
Hello forum,

Just wondering if someone has found or written perl scripts for logwatch
so that we can send the logs all tidy?
Asking this in case I missed something or in case someone has this in
their drawer!
I'm going to post this to the logwatch mailing list as well.

Best regards,

Matt



Re: Storing user MAC address after first auth

2009-05-07 Thread Arran Cudbard-Bell

On 7/5/09 15:33, Tomas Mecir wrote:

 [...]

 Excellent, thank you, works like a charm ! Didn't even have to upgrade
 the radius server, it works on the existing 2.0.5 installation with no
 problems.


Yeah I had a feeling the INSERT statements would still work even though 
the server complained about them not being valid.


The return code for that section of unlang code won't be correct until 
you update the server, but if you don't care then that's fine :)


Glad it worked.

Regards,
Arran


freeradius - Openssl

2009-05-07 Thread new conf
Dear all;

I have to remove the link between freeradius and openssl, to do some
tests.
Can someone tell me which function I must comment out in
rlm_eap_tls.c to use the eap_tls module without openssl?

thank you so much for your help!

Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

2009-05-07 Thread john
Hello all,

I want to deny any untrusted computer access to our lan. Lately we've had a
lot of students and staff bring laptops into our school and plugging them in
to any convenient network port. I want only users with domain credentials
using trusted computers on the LAN.
My test setup looks like Active Directory <=> winbind <=> Freeradius <=>
NAS <=> Supplicant

I think that using  PEAP/EAP-MSCHAPv2 with client certs may be a reasonable
way to proceed but I would like to get a sanity check from folks.

1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?
2) Is there a better approach?
3) I am not clear on how to force checking of the client cert. I enabled
EAP-TLS-Require-Client-Cert = Yes under the PEAP section of the eap.conf
file but
 my WindowsXP client was still allowed to authenticate without specifying a
root CA. Am I missing the point, if so please guide me.
4) Eventually I'll want to extend this approach to wireless devices so that
trusted computers will get LAN services while untrusted computers with valid
user credentials will be handed off to a different VLAN.

Thanks for your help!

John

Re: Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

2009-05-07 Thread Ivan Kalik
 I want to deny any untrusted computer access to our lan. Lately we've had
 a lot of students and staff bring laptops into our school and plugging
 them in to any convenient network port. I want only users with domain
 credentials using trusted computers on the LAN.
 My test setup looks like Active Directory <=> winbind <=> Freeradius <=>
 NAS <=> Supplicant

 I think that using PEAP/EAP-MSCHAPv2 with client certs may be a
 reasonable way to proceed but I would like to get a sanity check from
 folks.

 1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?

No. Because your problem has nothing to do with authentication (methods).
Your problem is with authorization.

 2) Is there a better approach?

That depends on your hardware. If your switches support port based
authentication and dynamic VLAN assignment via radius you can make this
work.

 4) Eventually I'll want to extend this approach to wireless devices so
 that trusted computers will get LAN services while untrusted computers
 with valid user credentials will be handed off to a different VLAN.

Same principle applies. But authenticating devices is not very wise. It's
far better to authenticate users.

And it is far better to have equipment that places unauthenticated users
in a guest VLAN, than to break authentication and make radius accept users
that fail authentication.

Ivan Kalik
Kalik Informatika ISP



Re: Is PEAP/EAP-MSCHAPv2 with certs a reasonable way to keep untrusted computers off the lan?

2009-05-07 Thread john

 
  1) Would PEAP/EAP-MSCHAPv2 with client certs accomplish my goal?

 No. Because your problem has nothing to do with authentication (methods).
 Your problem is with authorization.

Thanks for your reply.

I am not sure I understand your distinction, sorry for my ignorance. I want
my users to have to supply both a valid domain user/password combo AND I
want their computers to prove that they are allowed on the lan. My
understanding of the PEAP/EAP-MSCHAPv2 + cert approach was that my users
(and their computers) would need both sorts of credentials in order to use
the lan.




  2) Is there a better approach?

 That depends on your hardware. If your switches support port based
 authentication and dynamic VLAN assignment via radius you can make this
 work.

The switches are configured to use dot1x. Is that what you mean? I am not
using dynamic vlans. My intention is that users who successfully authenticate
will be switched according to the vlan rules in place on the port on the
NAS.





  4) Eventually I'll want to extend this approach to wireless devices so
  that trusted computers will get LAN services while untrusted computers
  with valid user credentials will be handed off to a different VLAN.

 Same principle applies. But authenticating devices is not very wise. It's
 far better to authenticate users.

Does my explanation above make this moot?




 And it is far better to have equipment that places unauthenticated users
 in a guest VLAN, than to break authentication and make radius accept users
 that fail authentication.

Understood.


Thanks again. I'll be interested to read your reply.

John

Graphing - Online users

2009-05-07 Thread AHMED KHIDR
Dear All ,

I have a question:
is there any way to make a graph (like MRTG or Cacti) of the number of
online users?


Regards

Fair usage package implementation

2009-05-07 Thread Ming-Ching Tiew


I wonder how such a package can be implemented:


   1. Unlimited rate normally
   2. But when downloaded packets exceed a certain defined
  figure, the download rate is throttled.

Assumption
==
1. Assuming the radius client is sending accounting information
   to the server, and so the downloaded octets can be obtained
   from the database through some sql query.

2. Assuming the radius client has some radius attributes which
   can set the download rate, WISPr-Bandwidth-Max-Down for example.

One way I could think of is to run a batch job which works out
per-user octet usage and then sets the attribute WISPr-Bandwidth-Max-Down
accordingly. But this will have to be on a per-day basis, and it might be
too late (after the subscriber has already over-abused it).

Is there a way such a thing can be implemented inside radiusd so that
everything happens on the fly?

Regards.




  


Another package - set expiry at first use

2009-05-07 Thread Ming-Ching Tiew


I have another question about implementing another package :-

Upon successful authentication, check whether it is the first use. If yes,
set expiry to, say, 6 months from now.

Any advice on how to implement this at the radius server?

My first cut thinking will be to check 'radacct' for the existence of any
past usage records. If yes, set expiry 5 months from now. Does anyone
already have a mysql script written for this?

Regards


  
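Both package questions above (the usage-based throttle and the expiry set at first use), as one added example that is not part of either post and not FreeRADIUS code: a Python model over an in-memory SQLite copy of radacct of what a policy evaluated at authorize time could compute, so the throttle and the expiry are decided at the next Access-Request rather than by a nightly batch job. Column names follow the stock radacct schema; the monthly period, the cap, the throttled rate, the session rows and the user names are constructed, and WISPr-Bandwidth-Max-Down is assumed to be honoured by the NAS, as the first post already assumes.

```python
"""Usage-based throttling and expiry-at-first-use, decided at login time.

Added example for the two package questions above; not FreeRADIUS code.
It models, over an in-memory SQLite copy of radacct, what a policy run at
authorize time could compute, so the decision is taken at the next
Access-Request instead of by a nightly batch job.  Column names follow
the stock radacct schema; cap, rates and sessions are constructed.
"""
import calendar
import sqlite3
from datetime import datetime, timedelta

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
THREAD_DAY = datetime(2009, 5, 7, 12, 0, 0)  # constructed "now"


def open_radacct():
    """The radacct columns this example reads; times kept as ISO text."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE radacct (
            radacctid        INTEGER PRIMARY KEY,
            username         TEXT NOT NULL,
            acctstarttime    TEXT NOT NULL,
            acctstoptime     TEXT,
            acctinputoctets  INTEGER NOT NULL DEFAULT 0,
            acctoutputoctets INTEGER NOT NULL DEFAULT 0
        );
    """)
    return db


def add_session(db, username, start, octets_down, stopped=True):
    """Constructed accounting row.  An open session (no Acct-Stop yet) has
    acctstoptime NULL and carries the octets of its last interim update."""
    stop = (start + timedelta(hours=1)).isoformat(" ") if stopped else None
    db.execute(
        "INSERT INTO radacct (username, acctstarttime, acctstoptime, acctoutputoctets)"
        " VALUES (?, ?, ?, ?)", (username, start.isoformat(" "), stop, octets_down))
    db.commit()


def downloaded_octets(db, username, since):
    """Acct-Output-Octets is what the NAS sent *to* the user, i.e. the
    download direction.  Open sessions count too, so the total is only as
    fresh as the NAS's interim-update interval."""
    (total,) = db.execute(
        "SELECT COALESCE(SUM(acctoutputoctets), 0) FROM radacct"
        " WHERE username = ? AND acctstarttime >= ?",
        (username, since.isoformat(" "))).fetchone()
    return total


def fair_usage_reply(db, username, now, cap_octets, throttled_bps=512_000):
    """Reply items for the Access-Accept; the period is the calendar month
    of `now`.  Under the cap nothing is returned (unlimited); over it the
    NAS gets WISPr-Bandwidth-Max-Down in bit/s.  The rate binds only
    sessions started after this reply: one already running keeps its rate
    until it ends unless the NAS is told otherwise (CoA, not shown)."""
    period_start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    if downloaded_octets(db, username, period_start) > cap_octets:
        return {"WISPr-Bandwidth-Max-Down": throttled_bps}
    return {}


def add_months(d, months):
    """Calendar-month arithmetic that clamps the day (Aug 31 + 6 -> Feb 28)."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return d.replace(year=year, month=month,
                     day=min(d.day, calendar.monthrange(year, month)[1]))


def first_use_expiry(db, username, now, validity_months=6):
    """The poster's first cut: no radacct row for the user means first use,
    so return the Expiration value to store as a check item ('Mmm dd yyyy',
    a form FreeRADIUS parses), else None.  Caveat: radacct only fills once
    the NAS sends Accounting-Start, so with accounting off every login
    looks like the first; a deployment should also look for an existing
    Expiration check item before writing one."""
    (n,) = db.execute("SELECT COUNT(*) FROM radacct WHERE username = ?",
                      (username,)).fetchone()
    if n:
        return None
    e = add_months(now, validity_months)
    return f"{MONTHS[e.month - 1]} {e.day:02d} {e.year}"


def sample_db():
    """Constructed history: alice is heavy this month, bob is light,
    carol has never connected."""
    db = open_radacct()
    add_session(db, "alice", datetime(2009, 4, 20, 10), 3_000_000_000)  # last month
    add_session(db, "alice", datetime(2009, 5, 2, 9), 1_500_000_000)
    add_session(db, "alice", datetime(2009, 5, 7, 11), 800_000_000, stopped=False)
    add_session(db, "bob", datetime(2009, 5, 3, 9), 100_000_000)
    return db


def demo(cap_octets=2_000_000_000):
    """Per-user decisions on THREAD_DAY: (reply items, Expiration to set)."""
    db = sample_db()
    return {u: (fair_usage_reply(db, u, THREAD_DAY, cap_octets),
                first_use_expiry(db, u, THREAD_DAY))
            for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    for user, decision in demo().items():
        print(user, decision)
```

The limit of doing this at login, which the "on the fly" question is really about: a reply attribute only shapes sessions started after that Access-Accept, so a user who crosses the cap mid-session keeps full rate until the session ends, unless the NAS supports CoA or Disconnect (RFC 5176) or a Session-Timeout is returned to force a re-authentication. The expiry check has a caveat of the same shape, noted in the function comment: a user's first Access-Request arrives before any radacct row exists, so the write has to be made idempotent against the check items, not against accounting alone.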