Re: question about windows users
so..somewhere along the line you are playing with the User-Name attribute...something which you cannot do with EAP - if you take a standard 2.1.6 install and make the basic changes to your eap.conf and clients.conf it will work.

which Linux distribution should I use? So far I tried debian-etchnhalf, or CentOS, and in every How-to it's written that I have to compile it by myself. This how-to didn't work anyway... so I will try what you will suggest.
Bartosz.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Removing tunnel attributes only for specific NAS
Hey Ignacio, I am in need to get a Nomadix AG3100 gateway to do the same thing as you have done - get it to authenticate to FreeRADIUS and redirect to portal pages for a simple user/pass login. I've exchanged a bunch of emails with their support team (which is awful) and read their guides but it's terribly cumbersome and it seems that some kind of XML interface is required to be implemented. I was hoping to get some pointers from you on getting this working.
Thanks, Liran.

On Mon, Jul 24, 2006 at 12:14 PM, Ignacio Siles ignacio.si...@libera.net wrote:

Hello, I am trying to implement a Nomadix AG-5000 public NAS in a network with an existing FreeRADIUS server. The environment is as follows:
- The customer wants Nomadix to make public authentication (with captive portal and PAP) for guest users, and employees who can't use the protected wireless network working with WPA-Enterprise authentication.
- The employees' user names and passwords are stored in an LDAP structure.
- There is a freeRADIUS v 1.0.5 server which asks that LDAP structure for authentication.

So the Nomadix is configured as RADIUS client, connected to the FreeRADIUS server. I have tested the connection with test users stored in freeRADIUS' "users" file, and everything worked fine. The problem starts with the Access-Accept RADIUS message. This message includes some tunnel attributes stored in the LDAP, which are necessary for the other networks to work properly. But the Nomadix does not understand those attributes and drops the Access-Accept messages, resulting in a failed authentication. The solution I'm thinking about is to remove these tunnel attributes from the Access-Accept message should they be sent to the Nomadix. I've read about rlm_attr_filter, but I don't know how to configure it to remove tunnel attributes should the Nomadix be acting as the NAS.

File /etc/raddb/attrs:

DEFAULT
	Packet-type =* ANY,
	EAP-Message =* ANY,
	User-Name =* ANY,
	Message-Authenticator =* ANY,
	State =* ANY,
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id := "55"

Thank you in advance,
Re: freeradius mysql apache2 for Wi Fi hotspotsetup
Hey Jerome, I am in need to get a Nomadix AG3100 gateway to do the same thing as you have done - get it to authenticate to FreeRADIUS and redirect to portal pages for a simple user/pass login. I've exchanged a bunch of emails with their support team (which is awful) and read their guides but it's terribly cumbersome and it seems that some kind of XML interface is required to be implemented. I was hoping to get some pointers from you on getting this working.
Thanks, Liran.

On Thu, Mar 22, 2007 at 1:17 PM, Mini Jerome minijer...@gmail.com wrote:

Hi, I have installed free radius to work with mysql on Ubuntu 6.0.6 with radius client Nomadix AG 2000 and it works fine. At present on Nomadix, the internal web server is on and it gives the login and logout pages; whenever a mysql database username and password are submitted, the session starts on the radius server. I would like to make the login/logout pages from an external web server instead of the internal webserver of nomadix which is configured on Nomadix, and restrict users to go to the login page forcefully, whenever the wifi customer has been assigned a dynamic IP from Nomadix. Can any one help?
Mini Jerome
Re: RADIUS attributes: acctoutputoctects and acctinputoctect inmikrotik
Hey Santiago, I am in need to get a Nomadix AG3100 gateway to do the same thing as you have done - get it to authenticate to FreeRADIUS and redirect to portal pages for a simple user/pass login. I've exchanged a bunch of emails with their support team (which is awful) and read their guides but it's terribly cumbersome and it seems that some kind of XML interface is required to be implemented. I was hoping to get some pointers from you on getting this working.
Thanks, Liran.

On Wed, Jul 25, 2007 at 9:57 AM, Santiago Balaguer García santiago...@hotmail.com wrote:

However, I work with a Nomadix 2000 and Nomadix 2100, and I did the same 10 MB download. So I did a test downloading the last MT firmware version: 2.9.44 (10.4 MB):

Nomadix [Acct-Input-Octets]: 12533328
Nomadix [Acct-Output-Octets]: 271598
Mikrotik [Acct-Input-Octets]: 248630
Mikrotik [Acct-Output-Octets]: 11441495

Are you sure that it works fine?

--
From: t...@kalik.co.yu
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: RADIUS attributes: acctoutputoctects and acctinputoctect inmikrotik
Date: Tue, 24 Jul 2007 20:16:10 +0100

I have RouterOS v2.9 and input is input and output is output.

Ivan Kalik
Kalik Informatika ISP

On 24/7/2007, Santiago Balaguer García santiago...@hotmail.com wrote:

Hi, I have been working with freeradius and mikrotik routers for two years. However, I have never realized that the radius attributes acctoutputoctects and acctinputoctects are interchanged in mikrotik. Does anyone know this mikrotik bug?
Santiago
Long attribute name
I know it's almost trivial to go and alter the table column size, but for users' convenience, the sql attribute length should be increased. Currently the schema.sql which comes with the distribution is varchar(32). One of the motorola wimax attributes is 39 characters, Motorola-WiMAX-Maximum-Commit-Bandwidth. And I notice that MySQL silently truncates the inserted string.
Regards.
Re: question about windows users
Hi, which Linux distribution should I use? So far I tried debian-etchnhalf, or CentOS, and in every How-to it's written that I have to compile it by myself. This how-to didn't work anyway... so I will try what you will suggest.
Bartosz.

there's nothing wrong with compiling it yourself - so long as you have the right dev libraries installed so all the bits you want get compiled.. you can check what's not going to be built by parsing the configure output eg

./configure --with-options-you-want | grep WARNING

ignore the WARNING entries for things you care not about and fix the WARNING that you need (eap PEAP) by installing the needed libraries eg openssl-devel

some distros come with a more recent FreeRADIUS (or have RPM / PKG available for them - eg Fedora Core 11)

the default config from the source build is pretty much ready for anything you want after just editing a few lines in the config (so long as the supporting code - eg EAP ) has been compiled

alan
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
On Sun, May 17, 2009 at 11:33 PM, John Dennis jden...@redhat.com wrote:
We expect to provide an official update to RHEL with a 2.x version of FreeRADIUS in the next update cycle which would be RHEL 5.5,

So how do you plan to provide seamless upgrade for RHEL 5 users? Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a clean install?

--
Fajar
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Checkval with Calling-Station-Id works fine! And I want to check also the IP of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it came out like that in checkval when elsewhere in the debug it looks OK.

I try with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, length=80
	NAS-IP-Address = 192.168.0.50
	NAS-Port = 1
	NAS-Port-Type = Virtual
	User-Name = fmehault
	Calling-Station-Id = 192.168.0.80
	User-Password = toto
+- entering group authorize {...}
[...]
rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: Client-IP-Address = 192.168.0.50
radiusCallingStationId: 192.168.0.80

My checkval module:

checkval station-check {
	item-name = Calling-Station-Id
	check-name = Calling-Station-Id
	data-type = string
	notfound-reject = yes
}
checkval nas-check {
	item-name = Client-IP-Address
	check-name = Client-IP-Address
	data-type = ipaddr
	notfound-reject = yes
}

Thanks Ivan Kalik for your first response

Regards,
François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On behalf of Ivan Kalik
Sent: Monday 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress Calling-Station-ID with openldap

I want to use FreeRadius to administer network equipment. I use also OpenLDAP to stock information about users. FreeRADIUS and OpenLDAP are installed on the same server, FreeBSD 7.0. I contact a network equipment (like catalyst cisco 2950 v12.1) with putty (ssh/telnet). I have 2 questions:
- Why is my calling-station-id in the request an IP and not a MAC?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and wireless) request should have mac address in that field. Dial-up should have phone number.

- When I authenticate on the cisco 2950, I have in my log "rlm_checkval: Item Name: NAS-IP-Address, Value: À¨" instead of 192.168.0.50, what is the problem???

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it came out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP
R: R: Common error on sql_counter on Ver 2.1.5
PS. You have either disabled group checking or removed group membership query.
Ivan Kalik
Kalik Informatika ISP

None of them. Group checking is enabled (read_groups = yes) and the query (authorize_group_check_query = SELECT ... ) is defined in sql module. But simply the query isn't executed. Any Ideas?

Now the attribute is Cleartext-Password and the op is := in radcheck ... The output now is shorter (without any warnings) but still no counter. Here it is:

--
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.203 port 37145, id=67, length=76
	User-Name = mauro
	User-Password = flower
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1
	Called-Station-Id = 00-03-9D-4A-0A-0A
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[sql] expand: %{User-Name} -> mauro
[sql] sql_set_user escaped user --> 'mauro'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = '%{SQL-User-Name}' AND MACADDWAN = '%{Called-Station-Id}' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate() -> SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate()
query: SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate()
[sql] User found in radcheck table
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mauro' ORDER BY id
query: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mauro' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[sessioncounter] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 67 to 192.168.4.203 port 37145
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 67 with timestamp +134
Ready to process requests.
Complete Configuration of freeRadius
Dear all, I am a student, and I want to implement wireless LAN with MAC based authentication by using freeRadius. I installed freeRadius on Fedora Core 6. I need complete configuration of freeRadius. Thank you
Re: question about windows users
Ok, I downloaded 2.1.6

# unp freeradius-server-2.1.6.tar.gz
# cd /usr/src/freeradius-server-2.1.6
# dpkg-buildpackage -rfakeroot -uc -us
# dpkg -i freeradius_2.1.6-0_i386.deb

- the installer creates ca and server certs in /etc/freeradius/certs directory

# cd /etc/freeradius/certs
# make client

next I made a copy of ca.der and client.p12 to the xp directory, next I opened mmc and installed both of them to Trusted Root Certificate Authorities and to Personal

exclamation mark on client certificate: "windows does not have enough information to verify this certificate" / "you have private key that corresponds to this certificate"
http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu

changes in /etc/freeradius/eap.conf, only one line has been changed:
default_eap_type = peap

changes in /etc/freeradius/clients.conf:
client 192.168.5.0/24 {
	secret = password
	shortname = private-network-2
}

log:
# /etc/init.d/freeradius stop
# freeradius -X
FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on May 19 2009 at 09:45:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Complete Configuration of freeRadius
I am a student, and I want to implement wireless LAN with MAC based authentication by using freeRadius. I installed freeRadius on Fedora Core 6. I need complete configuration of freeRadius.

It's already configured. It will do that in default configuration.

Ivan Kalik
Kalik Informatika ISP
Re: R: R: Common error on sql_counter on Ver 2.1.5
PS. You have either disabled group checking or removed group membership query.
Ivan Kalik
Kalik Informatika ISP

None of them. Group checking is enabled (read_groups = yes) and the query (authorize_group_check_query = SELECT ... ) is defined in sql module. But simply the query isn't executed. Any Ideas?

No, group *membership* query (when I write membership, I do mean membership). Have you just copied queries from the old version without looking if anything has changed? If you are upgrading from an old version to a new one, which documentation should you follow - old or new? You opted for old, and are now wondering why things aren't working. It's no mystery to me. Use *new* documentation (user entries, sql queries, etc.). Configuration is largely compatible but things do change over the years.

Ivan Kalik
Kalik Informatika ISP
Freeradius 2.1.1 and SQLite database
Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as the backend db? Working on a single router solution with OpenWRT with FreeRadius running PEAP and EAP-TLS auth. Would love to have it working with sqlite as that is the smallest DB footprint of all the supported databases for Free Radius. Has anyone done work with the sqlite db who can give me some pointers on the database setup for sqlite? Looks like I need to create a file called sqlite_radius_client_database but not sure what the structure should be... And google isn't helping much either. Any assistance would be great.

Many thanks
Peter
Re: question about windows users
# make client
next I made a copy of ca.der and client.p12 to the xp directory, next I opened mmc and installed both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" / "you have private key that corresponds to this certificate"

This is explained in raddb/certs/README - Compatibility. You should try altering the make client command in the Makefile so that client certificates are signed by ca and not server certificate.

Ivan Kalik
Kalik Informatika ISP
Re: RADIUS attributes: acctoutputoctects and acctinputoctect inmikrotik
On Tue, May 19, 2009 at 9:10 AM, liran tal liransgar...@gmail.com wrote:

Hey Santiago, I am in need to get a Nomadix AG3100 gateway to do the same thing as you have done - get it to authenticate to FreeRADIUS and redirect to portal pages for a simple user/pass login. I've exchanged a bunch of emails with their support team (which is awful) and read their guides but it's terribly cumbersome and it seems that some kind of XML interface is required to be implemented. I was hoping to get some pointers from you on getting this working,

We have implemented a solution with the Nomadix access gateway, using an external web server and the XML Web Services interface. If you just need simple RADIUS login it is easiest to use the internal web server (IWS); this can be configured without using the XML web services. See the User Manual to understand how this works. We have had no problems with Nomadix interacting with FreeRADIUS and other RADIUS servers.

---
Best regards
Brage Rønning Tukkensæter
Trådløse Trondheim AS
Re: Freeradius 2.1.1 and SQLite database
Peter Lambrechtsen wrote:
Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as the backend db.

Nope.

Would love to have it working with sqlite as that is the smallest DB footprint of all the supported databases for Free Radius.

Write the code... submit it back.

Has anyone done work with the sqlite db and give me some pointers on the database setup for sqlite, looks like I need to create a file called sqlite_radius_client_database but not sure what the structure should be... And google isn't helping much either.

Apple uses it for their OS X Server system. The clients go into SQLite, so that their administration system doesn't have to deal with MySQL, PostgreSQL, or flat-text files. The schema is just the normal NAS schema, as with the other SQL drivers. To have it use the radcheck, radreply, etc. tables, you'll have to define the schemas, create the DB, and define the queries. It *should* work, so long as you use the hard-coded DB file name.

Alan DeKok.
Change of Authorization (RFC 3576 / 5176)
I have just committed *full* support for CoA to the stable and master branches on git.freeradius.org. I'd like to thank the sponsor of this work, who wishes to remain anonymous.

In 2.1.6, the server could *originate* CoA packets. e.g. If the user's bandwidth consumption is over a quota, send a packet to disconnect them.

In the current git code, it can now *receive* CoA packets. This also means full proxying of CoA packets. It is now possible to implement functionality such as:

	disconnect user bob

This can be done by sending a CoA packet to the server, with User-Name of bob. The policies on the server can then look up in the accounting database to see where that user has logged in, and fill in the rest of the CoA packet with NAS IP, port, etc. The resulting packet can then be sent to the NAS.

The only caveat is that none of these policies have been written. The functionality works, and has been tested with switches from at least one major networking vendor. We now need help to create the policies, schemas, etc. to implement the required functionality.

Alan DeKok.
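The "disconnect user bob" operation described above on the wire, as an added example that is not FreeRADIUS code: it builds the RFC 5176 Disconnect-Request a policy would send once accounting says where bob is, computes the Request Authenticator the receiving side must verify before acting, and checks the NAS's ACK/NAK authenticator before trusting the answer. The shared secret, NAS address, port and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example, not FreeRADIUS code: the "disconnect user bob" operation from the
# announcement as an RFC 5176 Disconnect-Request, with the authenticator checks
# both sides must make. Secret, NAS IP/port and session id are constructed.

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, ACCT_SESSION_ID = 1, 4, 5, 44
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 5176 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident: int, secret: bytes, username: str,
                             nas_ip: str, nas_port: int, session_id: str) -> bytes:
    """The packet the server's policy would send once accounting says where bob is."""
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attr(NAS_PORT, struct.pack("!I", nas_port))
             + encode_attr(ACCT_SESSION_ID, session_id.encode()))
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    return HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, id, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, ident, length = HEADER.unpack(pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, pkt[4:20], attrs


def request_is_authentic(pkt: bytes, secret: bytes) -> bool:
    """Receiver side: drop any CoA/Disconnect whose authenticator does not verify."""
    code, ident, auth, _ = parse_packet(pkt)
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = request_authenticator(code, ident, pkt[20:], secret)
    return hmac.compare_digest(auth, expected)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """NAS side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Sender side: accept ACK/NAK only if the id matches our request and the MAC verifies."""
    code, ident, auth, _ = parse_packet(response)
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(auth, expected)
```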
communication safe ssh - NAS - FreeRADIUS ?
Hi, I authenticate on cisco equipment via ssh/telnet. There is no supplicant, so I don't understand in my case and I would like to know if the communication between my cisco equipment and my FreeRadius is safe. I have a secret shared between both. I understand that the communication between freeradius and the radius client uses the Radius protocol. But in my case there is no PEAP, EAP/TLS ... Can someone please confirm to me if the communication is safe? Because I am afraid to see my password in clear-text in the users file. Is it possible to use md5, ssha ... and how?

Thanks, Regards,
François
Re: question about windows users
So in other words this script is for all clients except Microsoft-like?

You should try altering make client command in Makefile so that client certificates are signed by ca and not server certificate.

do you have such an altered makefile?

On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik t...@kalik.net wrote:

# make client
next I made a copy of ca.der and client.p12 to the xp directory, next I opened mmc and installed both of them to Trusted Root Certificate Authorities and to Personal
exclamation mark on client certificate: "windows does not have enough information to verify this certificate" / "you have private key that corresponds to this certificate"

This is explained in raddb/certs/README - Compatibility. You should try altering the make client command in the Makefile so that client certificates are signed by ca and not server certificate.

Ivan Kalik
Kalik Informatika ISP
Re: communication safe ssh - NAS - FreeRADIUS ?
On 19.05.2009 at 14:14, François Mehault wrote:

Hi, I authenticate on cisco equipment via ssh/telnet. There is no supplicant, so I don't understand in my case and I would like to know if the communication between my cisco equipment and my FreeRadius is safe. I have a secret shared between both. I understand that the communication between freeradius and the radius client uses the Radius protocol. But in my case there is no PEAP, EAP/TLS ... Can someone please confirm to me if the communication is safe? Because I am afraid to see my password in clear-text in the users file. Is it possible to use md5, ssha ... and how?

For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html

Thanks, Regards,
François

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Well, I am using checkval to check the attribute NAS-IP-Address; what I want: I have several users and several NAS, some users are allowed to authenticate on some NAS, and others not. I use an openldap database. Each user has an attribute radiusCheckItem. I don't know if I am right, if it's the good way to do what I need, but I am a novice with freeRadius and OpenLDAP.

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

[...]
rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you remind me: why are you using checkval? Multiple values for NAS IP? Your user entry has only one.

Ivan Kalik
Kalik Informatika ISP
RE: communication safe ssh - NAS - FreeRADIUS ?
Oki, thanks. In fact, I want my radius client to encrypt my passwd in md5 for example, and freeradius checks the MD5 hash. So I understand I have to use PAP? In my ldap module I think I have to put "password_attribute = userPassword". But if I do, I have to put my password in clear in my ldap, otherwise it doesn't work. Also, I can comment the "password_attribute = userPassword" in my ldap module and put my password in md5/ssha etc... in openldap and it works. But I don't know very well why??

modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
	encryption_scheme = auto
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
	use_mppe = yes
	require_encryption = no
	require_strong = no
	with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
	radwtmp = /var/log/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
  gtc {
	challenge = Password:
	auth_type = PAP
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = /usr/local/etc/raddb/certs/server.pem
	certificate_file = /usr/local/etc/raddb/certs/server.pem
	CA_file = /usr/local/etc/raddb/certs/ca.pem
	private_key_password = whatever
	dh_file = /usr/local/etc/raddb/certs/dh
	random_file = /usr/local/etc/raddb/certs/random
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = DEFAULT
	make_cert_command = /usr/local/etc/raddb/certs/bootstrap
   cache {
	enable = no
	lifetime = 24
	max_entries = 255
   }
  }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
  ttls {
	default_eap_type = md5
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = inner-tunnel
  }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
  peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = inner-tunnel
  }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
  mschapv2 {
	with_ntdomain_hack = no
  }
Re: communication safe ssh - NAS - FreeRADIUS ?
> I authenticate on cisco equipments via ssh/telnet. There is no supplicant, so I don't understand in my case and I would like to know if the communication between my cisco equipment and my FreeRadius is safe. I have a secret shared between both. I understand that the communication between freeradius and the radius client uses the Radius protocol. But in my case there is no PEAP, EAP/TLS ... Can someone confirm for me please if the communication is safe? Because I am afraid to see in the file users my password in clear-text. Is it possible to use md5, ssha ... and how?

Radius protocol *uses* md5 to encrypt password in the request.

http://www.ietf.org/rfc/rfc2865.txt

Ivan Kalik
Kalik Informatika ISP
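To make concrete what "uses md5 to encrypt password in the request" means on the wire, here is an added Python example, not code from this thread or from FreeRADIUS, implementing the RFC 2865 §5.2 User-Password hiding and the RFC 2869 §5.14 Message-Authenticator that shows up in the debug logs in this thread. The shared secret, identifier, Request Authenticator and attribute values are constructed for the example. The point for François's question: the password is XORed with an MD5(secret || authenticator) keystream, so its confidentiality on the NAS-to-server link is exactly as strong as the shared secret and the unpredictability of the Request Authenticator; the Message-Authenticator is what lets the server check that the sender really holds the secret (what `require_message_authenticator = yes` insists on).

```python
"""Added example: RFC 2865 User-Password hiding and RFC 2869
Message-Authenticator, written for this thread; all values are constructed."""
import hashlib
import hmac
import struct

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
CODE_ACCESS_REQUEST = 1


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block); the first 'previous block'
    is the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. Trailing NUL padding is
    removed, so a password that itself ends in NUL cannot be represented."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: list, secret: bytes) -> bytes:
    """Serialise an Access-Request and append a Message-Authenticator: HMAC-MD5
    keyed with the shared secret over the whole packet, computed with the
    Message-Authenticator value set to 16 zero bytes (RFC 2869 s5.14)."""
    body = b"".join(_tlv(t, v) for t, v in attrs)
    placeholder = _tlv(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + _tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet carries a Message-Authenticator equal to
    HMAC-MD5(secret, packet with that value zeroed)."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, ma_pos = 20, None
    while pos < length:                      # walk the TLV attribute list
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            ma_pos = pos
        pos += attr_len
    if ma_pos is None:
        return False
    received = packet[ma_pos + 2:ma_pos + 18]
    zeroed = packet[:ma_pos + 2] + b"\x00" * 16 + packet[ma_pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Constructed exchange: a NAS hides 'correct horse' for user 'francois'."""
    secret = b"testing123"                      # constructed shared secret
    authenticator = bytes(range(16))            # constructed; must be random in practice
    hidden = hide_password(b"correct horse", secret, authenticator)
    packet = build_access_request(7, authenticator,
                                  [(ATTR_USER_NAME, b"francois"),
                                   (ATTR_USER_PASSWORD, hidden)], secret)
    return {"hidden_len": len(hidden),
            "revealed": reveal_password(hidden, secret, authenticator),
            "ma_ok": verify_message_authenticator(packet, secret),
            "ma_ok_wrong_secret": verify_message_authenticator(packet, b"guess"),
            "packet": packet}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the 13-byte password becoming a 16-byte hidden value that the secret holder recovers exactly, a Message-Authenticator that verifies with the right secret and fails with any other, and the same verification failing when a single byte of the packet is altered.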
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
Fajar A. Nugraha wrote:
> So how do you plan to provide seamless upgrade for RHEL 5 users?

Upgrades across a major version number of software require manual changes to the configuration.

> Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a clean install?

The configuration is *similar*, but not identical. I would suggest a clean install, followed by a manual migration of the configuration. It shouldn't take too long. An hour to a day, at most.

Alan DeKok.
RE: communication safe ssh - NAS - FreeRADIUS ?
> Oki, thanks. In fact, I want my radius client to encrypt my passwd in md5 for example, and freeradius to check the MD5 hash. So I understand I have to use PAP? In my modul ldap I think I have to put « password_attribute = userPassword ». But if I do, I have to put my password in clear in my ldap, otherwise it doesn't work.

Store password as {md5} and then encrypted value and enable auto header detection in pap module (it's disabled by default):

pap {
	encryption_scheme = auto
	auto_header = no
}

Ivan Kalik
Kalik Informatika ISP
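The `{md5}` prefix Ivan refers to is the `{scheme}` header convention for the LDAP userPassword attribute, which rlm_pap's auto header detection parses to decide how to check a PAP cleartext. Here is an added Python example, not code from this thread or from FreeRADIUS, that produces such values and checks a PAP cleartext against them; it assumes base64-encoded digests (the form OpenLDAP's slappasswd writes) and covers `{MD5}`, `{SMD5}`, `{SHA}` and `{SSHA}`. Of the four, `{SSHA}` with a per-entry salt is the one to store: an unsalted `{MD5}` value is the same for every account with the same password and can be looked up from a precomputed table.

```python
"""Added example: LDAP-style {scheme} userPassword values and a PAP check
against them, mirroring what rlm_pap does once auto header detection is on.
Not FreeRADIUS code; digests are assumed base64-encoded as OpenLDAP stores them."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_md5(password: str) -> str:
    """Unsalted {MD5}: identical passwords give identical stored values."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def ldap_smd5(password: str, salt: Optional[bytes] = None) -> str:
    """Salted MD5: base64(digest || salt), salt stored alongside the digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()


def ldap_sha(password: str) -> str:
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 as slappasswd produces it: base64(digest || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_header(stored: str):
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value without a header -> (None, value)."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, rest = stored[1:].partition("}")
        return scheme.upper(), rest
    return None, stored


def check_pap(cleartext: str, stored: str) -> bool:
    """Return True if the PAP cleartext matches the stored value. Comparisons
    use hmac.compare_digest so timing does not leak how many bytes matched."""
    scheme, rest = split_header(stored)
    pw = cleartext.encode()
    if scheme in (None, "CLEAR", "CLEARTEXT"):
        return hmac.compare_digest(pw, rest.encode())
    raw = base64.b64decode(rest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]          # MD5 digest is 16 bytes
        return hmac.compare_digest(hashlib.md5(pw + salt).digest(), digest)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


if __name__ == "__main__":
    stored = ldap_ssha("correct horse")
    print(stored, check_pap("correct horse", stored), check_pap("wrong", stored))
```

With such a value in userPassword and `password_attribute = userPassword` mapped, the server never needs the cleartext at rest; it only needs the cleartext on the wire, which is why this works with PAP and not with the challenge-based methods.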
Re: question about windows users
I created once again certs by myself, giving the common name for the user cert the same as in the example, u...@example.com. I placed them on the xp client - both of them look ok, now something is happening (anyway, like Aragorn said: still not king):

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = u...@example.com
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02150175736572406578616d706c652e636f6d
	Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] Found realm example.com
[suffix] Adding Stripped-User-Name = user
[suffix] Adding Realm = example.com
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm example.com
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com. Not doing EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = user
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02150175736572406578616d706c652e636f6d
	Message-Authenticator = 0x
	Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = user
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02150175736572406578616d706c652e636f6d
	Message-Authenticator = 0x
	Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14, length=140
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = user
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02150175736572406578616d706c652e636f6d
	Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
	Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
	Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14, length=25
	Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> u...@example.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.

On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski
Re: RFE configure script report
>> Can the ./configure script be made to report at the end what modules it found it can build. The ./configure output does have this information but it's not easy to follow.
>
> i guess you are asking this after seeing similar feature in other software?

yes, net-snmp, xine-lib and conky are the first that come to my mind

--
damjan | дамјан

This is my jabber ID -- dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :)
Re: question about windows users
> I created once again certs by myself, giving the common name for the user cert the same as in the example, u...@example.com. I placed them on the xp client - both of them look ok, now something is happening (anyway, like Aragorn said: still not king):
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206, length=147
> ...
> 	User-Name = u...@example.com
> ...
> [suffix] Found realm example.com
> [suffix] Adding Stripped-User-Name = user
> [suffix] Adding Realm = example.com
> [suffix] Proxying request from user user to realm example.com
> [suffix] Preparing to proxy authentication request to realm example.com
> ++[suffix] returns updated
> ...
> Sending Access-Request of id 14 to 127.0.0.1 port 1812
> ...
> 	User-Name = user
> ...
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> ...

Don't strip the username. Why do you proxy this anyway? Create it as a local realm:

realm example.com {
}

Ivan Kalik
Kalik Informatika ISP
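The "Identity does not match User-Name" line is rlm_eap noticing that the outer User-Name the proxy forwarded ("user", after the suffix module stripped the realm) no longer equals the identity carried inside the EAP-Message, which the supplicant built from the full name; that is why stripping the realm breaks EAP and why Ivan's advice is to leave User-Name alone. Here is an added Python example, not code from this thread or from FreeRADIUS, that builds and parses the RFC 3748 EAP Identity Response and applies that consistency check under both treatments: the proxied-and-stripped path in the log, and a local realm where User-Name is left intact. The identity `user@example.com` and the EAP identifier are constructed (the thread's redacted name is not used); a 16-character identity gives an EAP length of 21, the same value the log reports.

```python
"""Added example: decode an EAP Identity Response (RFC 3748 s5.1) and apply the
consistency check rlm_eap performs between the EAP Identity and User-Name.
Not FreeRADIUS code; names and identifiers are constructed for illustration."""
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Type(1) Type-Data: the identity string."""
    data = identity.encode()
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, 5 + len(data), EAP_TYPE_IDENTITY)
    return header + data


def parse_eap_identity(eap_message: bytes) -> str:
    """Return the identity in an EAP Identity Response, validating the header so
    a truncated or mislabelled EAP-Message is rejected rather than guessed at."""
    if len(eap_message) < 5:
        raise ValueError("EAP-Message shorter than an Identity Response header")
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if length != len(eap_message):
        raise ValueError("EAP Length field does not match attribute length")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    return eap_message[5:].decode("utf-8", errors="strict")


def suffix_realm(user_name: str):
    """What the 'suffix' instance of rlm_realm does: split on the last '@'."""
    if "@" not in user_name:
        return user_name, None
    stripped, _, realm = user_name.rpartition("@")
    return stripped, realm


def authorize(user_name: str, eap_message: bytes, local_realms: set) -> dict:
    """Model of the authorize flow in the log. A realm listed in local_realms is
    handled here with User-Name intact; any other realm is proxied with the
    stripped name in User-Name, and the home server's rlm_eap then finds that
    User-Name and the EAP Identity differ."""
    stripped, realm = suffix_realm(user_name)
    proxied = realm is not None and realm not in local_realms
    outer_name = stripped if proxied else user_name   # Stripped-User-Name replaces User-Name
    identity = parse_eap_identity(eap_message)
    return {"proxied": proxied,
            "user_name_sent": outer_name,
            "eap_identity": identity,
            "identity_matches": identity == outer_name}


if __name__ == "__main__":
    msg = build_eap_identity_response(0, "user@example.com")   # constructed
    print(msg.hex(), authorize("user@example.com", msg, set()))
    print(authorize("user@example.com", msg, {"example.com"}))
```

The first `authorize` call reproduces the failing case (proxied, User-Name "user", identity "user@example.com"); the second, with `example.com` declared local, keeps the two equal.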
Re: Complete Configuration of freeRadius
Ivan Kalik wrote:
>> I am a student, and I want to implement wireless LAN with MAC based authentication by using freeRadius. I installed freeRadius on Fedora Core 6. I need complete configuration of freeRadius.
>
> It's already configured. It will do that in default configuration.

Be careful, FC-6 (Fedora Core 6) is quite old in Fedora terms. The current version of Fedora is 10 and next week FC-11 will be released. The version of freeradius in FC-6 is the ancient 1.1.3. As of last night FC-9 and FC-10 have the most current freeradius 2.1.6 RPM's available in the testing repository. I think it's fair to say "it's already configured" is more a property of the 2.x series rather than the 1.x series.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Dynamic clients and NAS-Identifier
Hi Alan,

I realise I've asked for this before, and it is on your todo list, but I'd like to make a case again for maybe getting it moved up higher onto the list.

The current clients structure identifies the NAS's by ip address. While this is perfect for corporate environments, it is not so perfect for the hotspot environment in which we operate.

We have a central radius server for many different hotspot owners. Hotspots are running chillispot. We need to somehow authenticate the nas, so someone can not send rogue accounting info to radius. The only way to currently identify a NAS is by IP address. You can then lookup the NAS, and create a radius secret based on the IP address. This is done using the dynamic_clients virtual server.

The problem is that the hotspots can be anywhere. They are mostly behind ADSL lines. The source ip address of the radius packet is therefore not predictable. The only other way I can think of is identifying the nas by the NAS-Identifier.

To sum up. Currently a nas is authenticated by ip address/radius secret. I feel that being able to authenticate a nas by nas identifier/radius secret is a very good enhancement. I'm sure that I'm not the only one that has NAS's behind dynamic IPs, and this would make radius traffic from such NAS's much more secure.

I'm prepared to do it myself, but my c skills really suck. I can only do copy and paste type editing. I've spent a few hours looking at the code, and it seems that (in listen.c) you need to create the value pairs somehow before sending the packet to module_authorize, but I have no clue how to even attempt this. I'm fully prepared to try and contribute somehow, but this is way out of my league.

Anyway, end of long story. I simply hope to get this maybe moved a bit higher up on the todo list.

Thanks!!!

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap
Thanks Ivan! With huntgroup it works perfectly, now I am searching to manage my huntgroup with ldap, no longer with the file huntgroup. Each user has the primitive radiusHuntgroupName, but I want to define my huntgroup in ldap, is it possible you think?

Regards,

Francois

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday, 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

> Well, I am using checkval to check the attribute NAS-IP-Address, what I want: I have several users and several NAS, some users are allowed to authenticate on some NAS, and others not. I use an openldap database. Each user has an attribute radiusCheckItem. I don't know if I am right, if it's the good way to do what I need, but I am a novice with freeRadius and OpenLDAP.

Well, if user is going to have only one value for NAS IP, then you don't need checkval - just map appropriate attribute as check item in raddb/ldap.attrmap. If he should be allowed on several devices it might be better to use huntgroups/sqlhuntgroups - as long as there are not too many combinations. Same applies to mac address - if user can use only one there is no need to use checkval.

Ivan Kalik
Kalik Informatika ISP
help me: proxying towards 2 different networks
Hi all,

Thanks in advance for your help.

Here is our scenario which is working now:

1. Radius Client sends packets towards Radius Proxy (from 192.168.1.2 to 192.168.1.3)
2. Radius proxy listens on 192.168.1.3 for authentication packets and forwards them towards two different networks (192.168.14.4 and 192.168.24.4)

Can I configure this scenario using FreeRadius?

The current configuration is:

First configuration

Radiusd.conf

listen {
	ipaddr = 192.168.1.2
	port = 1812
	type = auth
	interface = eth18
}

proxy.conf

home_server Server1 {
	type = auth
	ipaddr = 192.168.14.4
	port = 1812
	secret = SECRET
	require_message_authenticator = yes
}

home_server Server2 {
	type = auth
	ipaddr = 192.168.24.4
	port = 1812
	secret = SECRET
	require_message_authenticator = yes
}

home_server_pool Serverpool1 {
	type = fail-over
	home_server = Server1
}

home_server_pool Serverpool2 {
	type = fail-over
	home_server = Server2
}

realm isp1.com {
	auth_pool = Serverpool1
}

realm isp2.com {
	auth_pool = Serverpool2
}

Results: Expiration of the Timeout

Second configuration

Adding in radiusd.conf:

listen {
	ipaddr = 192.168.14.3
	port = 1812
	type = proxy
}

Results: The packet is received correctly by Server1, but I can't send any packet towards Server2.

Latest configuration

Adding in radiusd.conf:

listen {
	ipaddr = 192.168.14.3
	port = 1812
	type = proxy
}

listen {
	ipaddr = 192.168.24.3
	port = 1812
	type = proxy
}

Results: Expiration of the Timeout
Re: help me: proxying towards 2 different networks
Marco De Magistris wrote:
> 1. Radius Client sends packets towards Radius Proxy (from 192.168.1.2 to 192.168.1.3)
> 2. Radius proxy listens on 192.168.1.3 for authentication packets and forwards them towards two different networks (192.168.14.4 and 192.168.24.4)
>
> Can I configure this scenario using FreeRadius?

No. RADIUS doesn't work like that.

Why do you want to do this?

Alan DeKok.
Re: Freeradius 2.1.1 and SQLite database
On 20/05/2009, at 12:00 AM, Alan DeKok al...@deployingradius.com wrote:

> Peter Lambrechtsen wrote:
>> Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as the backend db.
>
> Nope.
>
>> Would love to have it working with sqlite as that is the smallest DB footprint of all the supported databases for Free Radius.
>
> Write the code... submit it back.

Will do

>> Has anyone done work with the sqlite db and give me some pointers on the database setup for sqlite, looks like I need to create a file called sqlite_radius_client_database but not sure what the structure should be... And google isn't helping much either.
>
> Apple uses it for their OS X Server system. The clients go into SQLite, so that their administration system doesn't have to deal with MySQL, PostgreSQL, or flat-text files.
>
> The schema is just the normal NAS schema, as with the other SQL drivers. To have it use the radcheck, radreply, etc. tables, you'll have to define the schemas, create the DB, and define the queries. It *should* work, so long as you use the hard-coded DB file name.

Ok I will have a go and submit my results back to the users/devel lists depending upon how I get along. The final destination is a single wifi router such as asus 500p which has a usb port that can take a stick for local storage to host db with captive portal and wpa for either PEAP or tls logon ssids with web admin backend. All with openwrt. Will let you know how I get along with the freeradius component.

> Alan DeKok.
Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)
Fajar A. Nugraha wrote:
> On Sun, May 17, 2009 at 11:33 PM, John Dennis jden...@redhat.com wrote:
>> We expect to provide an official update to RHEL with a 2.x version of FreeRADIUS in the next update cycle which would be RHEL 5.5,
>
> So how do you plan to provide seamless upgrade for RHEL 5 users? Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a clean install?

Please note what Alan said about upgrades across major versions requiring manual configuration. Also, the package will have a different name, rather than freeradius it will be named freeradius2, however (and this is critical) it will conflict at the file level, in other words both freeradius and freeradius2 cannot be simultaneously installed.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/