RE: windows users having trouble authenticating
I am still getting this error in my debug output:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

PLEASE someone tell me how to make FreeRADIUS automatically accept the client cert. I have about 2 thousand clients that are not owned by my university; I cannot install the server cert on all of them, the logistics are too much.

PLEASE HELP!

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Monday, August 02, 2010 7:07 PM
To: FreeRadius users mailing list
Subject: RE: windows users having trouble authenticating

Thanks for the info. I have the client set up the way you suggest; in Win 7 almost everything you said were defaults. However, I still get the unknown CA problem.

Does anyone know how I can tell the FreeRADIUS server to accept the client cert automatically?

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, August 02, 2010 5:59 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

hi,

weird output due to special characters: \t, \r, \n all did similar things in the output (latest version has fixed this).

issue with windows is to do with certs etc. you need to configure the supplicant to use PEAP, not to use the windows login. if you haven't sorted out certs, then you need to not check any radius server or tick anything.. and not have the 'do not prompt for new certs' etc unticked.

best to put the CA that the RADIUS server was signed with onto the host (in trusted CA local root store).

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: windows users having trouble authenticating
Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

No amount of upgrading FreeRADIUS will make it work. This message comes because (a) the supplicant has a client certificate issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the client cert.

PEAP doesn't work like that. If you issued client certs, then FreeRADIUS *MUST* be configured to know about the CA.

> I have about 2 thousand clients that are not owned by my university, I cannot install the server cert on all of them, the logistics are too much. PLEASE HELP!

We're trying. We're asking you to listen to our responses.

PEAP (or any TLS-based EAP method) *cannot* do what you ask. It's impossible, and it was designed to be impossible by the people who created the cryptography algorithms.

If you want to have it work, then (a) configure FreeRADIUS to know about the CA that issued the client cert, or (b) put the FreeRADIUS cert/CA on a web site, for the clients to download themselves.

I understand what you want, but please understand that there are limitations to the protocols *independent* of FreeRADIUS.

Alan DeKok.
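As an added illustration (not code from the thread or the FreeRADIUS project), the OpenSSL error string in the debug line can be decoded mechanically, which shows which of Alan's two cases a given log line points to. It assumes the classic OpenSSL ERR_PACK() layout (8-bit library, 12-bit function, 12-bit reason) and the convention that an alert received from the peer is reported as reason code 1000 + alert number; the second sample string is constructed for contrast.

```python
"""Decode an OpenSSL error string of the form rlm_eap logs it.

Assumptions: classic OpenSSL ERR_PACK() layout (8-bit library | 12-bit
function | 12-bit reason) and SSL_AD_REASON_OFFSET = 1000, i.e. an alert
received from the peer is recorded as reason 1000 + alert number.  Alert
names are taken from RFC 5246 section 7.2.2.
"""
import re
from typing import Dict, Optional, Tuple

ERR_LIB_SSL = 20              # library id of the "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # reason >= 1000 means "alert received from peer"

# TLS AlertDescription values (RFC 5246 section 7.2.2).
TLS_ALERTS: Dict[int, str] = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# The exact line from the post.
SAMPLE = ("rlm_eap: SSL error error:14094418:SSL routines:"
          "SSL3_READ_BYTES:tlsv1 alert unknown ca")
# Constructed second sample: a verification failure raised locally.
SAMPLE_LOCAL = ("rlm_eap: SSL error error:14090086:SSL routines:"
                "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed")

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_err(code: int) -> Tuple[int, int, int]:
    """Split an ERR_PACK()ed 32-bit code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def received_alert(code: int) -> Optional[int]:
    """Return the TLS alert number if the code records an alert sent by the
    peer (OpenSSL only uses reason >= 1000 for alerts it received), else None."""
    lib, _func, reason = unpack_err(code)
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        return reason - SSL_AD_REASON_OFFSET
    return None


def decode_ssl_error(line: str) -> Dict[str, object]:
    """Parse one 'error:XXXXXXXX:lib:func:reason' string out of a debug line."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("no OpenSSL error string in line")
    code = int(m.group(1), 16)
    lib, func, reason = unpack_err(code)
    alert = received_alert(code)
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": m.group(2), "func_name": m.group(3),
        "reason_text": m.group(4), "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
    }


def diagnose(line: str) -> str:
    """Triage note separating the two cases: an error raised locally (the
    server rejected something itself) versus an alert received from the
    supplicant (the client rejected the server)."""
    info = decode_ssl_error(line)
    if info["alert"] is None:
        return ("local OpenSSL error '%s' (reason %d): the server itself rejected "
                "the peer, e.g. a client cert from a CA it is not configured with"
                % (info["reason_text"], info["reason"]))
    if info["alert_name"] == "unknown_ca":
        return ("supplicant sent TLS alert %d (unknown_ca): the client does not "
                "trust the CA that signed the server certificate; that CA has to "
                "reach the clients, no server-side setting changes this"
                % info["alert"])
    return "supplicant sent TLS alert %d (%s)" % (info["alert"], info["alert_name"])


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_LOCAL):
        print(diagnose(sample))
```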
Freeradius 2.1.9 stop working
Hello.

We have installed 2 FreeRADIUS 2.1.9 on RedHat servers. The FreeRADIUS servers are doing proxying and everything is working well (duplicate accounting also).

My problem is that for an unknown reason the radiusd process stopped on its own; this makes a problem for us. Both Radiuses are doing the same. Sometimes radiusd is no longer working and I need to restart it with /etc/init.d/radiusd start.

I have another problem: when logrotate does its job, the log radius.log stays empty and I need to restart or kill -HUP the radiusd process.

Has someone already had this problem? Is there a bug?

Server 1:

[r...@chinchilla radius]$ uname -a
Linux chinchilla 2.6.18-194.8.1.el5PAE #1 SMP Wed Jun 23 11:16:22 EDT 2010 i686 i686 i386 GNU/Linux

radmin show version
FreeRADIUS Version 2.1.9, for host i686-redhat-linux-gnu, built on Jul 26 2010 at 13:51:35

Server 2:

[r...@cheetah radius]$ uname -a
Linux cheetah 2.6.18-194.3.1.el5PAE #1 SMP Sun May 2 04:42:25 EDT 2010 i686 i686 i386 GNU/Linux

radmin show version
FreeRADIUS Version 2.1.9, for host i686-redhat-linux-gnu, built on Jun 22 2010 at 21:23:08

Thanks,

Eric Bellière
Operation Integration Expert
ITNO/ISO/ISIO/LSS
Mobistar NV/SA
Avenue Jean Mermoz 32
6041 Gosselies
Tel: +32 (0)2 745 7997
GSM: +32(0)495 55 1343
Freeradius/Samba Client rejected our response
Hi,

I have some problems with the authentication and need help. The authentication fails at the authenticate part, while doing PEAP. The ntlm_auth succeeds; I don't understand the failure. Why does the client reject the response?

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Client rejected our response. The password is probably incorrect.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

Lionne Stangier

Debug:

FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Aug 3 2010 at 09:49:25
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Freeradius 2.1.9 stop working
BELLIERE Eric wrote:
> My problem is that for an unknown reason the radiusd process stopped on its own; this makes a problem for us. Both Radiuses are doing the same. Sometimes radiusd is no longer working and I need to restart it with /etc/init.d/radiusd start.

It might be bug #35. Try using the v2.1.x branch from http://git.freeradius.org.

> I have another problem: when logrotate does its job, the log radius.log stays empty and I need to restart or kill -HUP the radiusd process.

That's how log rotation should work: change the log file, and HUP the server. The previous behavior was non-standard for Unix daemons, and therefore wrong.

Alan DeKok.
Re: Freeradius/Samba Client rejected our response
Lionne Stangier wrote:
> Hi,
> I have some problems with the authentication and need help. The authentication fails at the authenticate part, while doing PEAP. The ntlm_auth succeeds; I don't understand the failure. Why does the client reject the response?

It's a Samba bug.

https://bugzilla.samba.org/show_bug.cgi?id=6563

There was a message yesterday about this issue.

Alan DeKok.
Tag and Untag a port in several VLAN
Hi there,

I'm using FreeRADIUS 2.1.3. I'm doing a MAC-based port assignment with an SQL backend.

Untagging a port of the switch in a VLAN works well. But in some cases I need to tag a port in several VLANs. In the wiki [1] it looks possible. Following what is indicated in the wiki, I inserted the following data in my SQL backend:

insert into radgroupreply(groupname,attribute,op,value) values ('AP_test','Egress-VLANID',':=','0x320007');
insert into radgroupreply(groupname,attribute,op,value) values ('AP_test','Egress-VLANID',':=','0x32000102');

But when I plug in the equipment, radius gives this debug:

[sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute Egress-VLANID

What am I missing or misunderstanding? Help is welcome.

Best regards,

[1] http://wiki.freeradius.org/HP

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
AW: Freeradius/Samba Client rejected our response
> It's a Samba bug.
> https://bugzilla.samba.org/show_bug.cgi?id=6563

Thank you.
Re: Tag and Untag a port in several VLAN
Fabien COMBERNOUS wrote:
> I'm using FreeRADIUS 2.1.3. I'm doing a MAC-based port assignment with an SQL backend.
...
> But when I plug in the equipment, radius gives this debug:
> [sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
> rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute Egress-VLANID
> What am I missing or misunderstanding?

The hex value isn't accepted in 2.1.3. You'll need to run 2.1.6 or later. Or, change the hex number to a decimal number.

Alan DeKok.
Freeradius 2.1.9 digest authentication problem
Hello,

trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine. But after I added (according to 'man rlm_digest') to the users file:

test    Auth-Type := Digest, User-Password = test
        Reply-Message = Hello, test with digest

'radiusd -X' shows:

[r...@host raddb]# /usr/local/sbin/radiusd -X
FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Aug 3 2010 at 18:19:48
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 13:23, al...@arctel.ru wrote:
> Hello,
> trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine. But after I added (according to 'man rlm_digest') to the users file:
> test    Auth-Type := Digest, User-Password = test
>         Reply-Message = Hello, test with digest

Please try using Cleartext-Password := test instead of User-Password = test

[...]

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing Director: Lars Busch
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: Tag and Untag a port in several VLAN
Alan DeKok wrote:
> Fabien COMBERNOUS wrote:
>> I'm using FreeRADIUS 2.1.3. I'm doing a MAC-based port assignment with an SQL backend.
> ...
>> But when I plug in the equipment, radius gives this debug:
>> [sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
>> rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute Egress-VLANID
>> What am I missing or misunderstanding?
>
> The hex value isn't accepted in 2.1.3. You'll need to run 2.1.6 or later. Or, change the hex number to a decimal number.

Thank you for your answer. I can't change the FreeRADIUS version, so I need to use a decimal number. Can you give me an example of how to untag a port in VLAN 7?

Best regards,

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
Re: Tag and Untag a port in several VLAN
Fabien COMBERNOUS wrote:
> I can't change the FreeRADIUS version, so I need to use a decimal number. Can you give me an example of how to untag a port in VLAN 7?

Convert the hex number to a decimal number. There are tools available to help you do this.

Alan DeKok.
Re: Freeradius 2.1.9 digest authentication problem
On Tue, Aug 03, 2010 at 01:26:25PM +0200, Nicolas Goutte wrote:
> On 03.08.2010 at 13:23, al...@arctel.ru wrote:
>> Hello,
>> trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine. But after I added (according to 'man rlm_digest') to the users file:
>> test    Auth-Type := Digest, User-Password = test
>>         Reply-Message = Hello, test with digest
>
> Please try using Cleartext-Password := test instead of User-Password = test

Tried Cleartext-Password := test, Cleartext-Password == test, Cleartext-Password = test; the result is the same.

Thank You

-- 
Alexander Belov
Re: Freeradius 2.1.9 digest authentication problem
al...@arctel.ru wrote:
> trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine. But after I added (according to 'man rlm_digest') to the users file:
> test    Auth-Type := Digest, User-Password = test
>         Reply-Message = Hello, test with digest

(1) Don't force Auth-Type
(2) Use: Cleartext-Password := test
    Not: User-Password = test
(3) search for digest in raddb/sites-available/default
(4) READ the comments
(5) enable digest as instructed

> Maybe, I missed something?

You need to enable digest authentication.

Alan DeKok.
Re: Tag and Untag a port in several VLAN
On 2010/08/03 01:51 PM, Fabien COMBERNOUS wrote:
> Thank you for your answer. I can't change the FreeRADIUS version, so I need to use a decimal number. Can you give me an example of how to untag a port in VLAN 7?

Just convert 0x320007 to decimal??

-- 
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Freeradius 2.1.9 stop working
Thanks Alan.

Then if it is a bug I will have to upgrade? Or do you have a patch? You sent me the link for git.freeradius.org, but what must I do to correct this problem?

For the log rotate I will add kill -HUP `cat /var/run/radiusd/radiusd.pid` in postrotate. Like this:

/var/log/radius/radius.log {
    daily
    rotate 4
    create
    missingok
    postrotate
        kill -HUP `cat /var/run/radiusd/radiusd.pid`
    endscript
    # endscript is required to close the postrotate block; without it logrotate
    # treats the following directives as part of the script and rejects the config
    compress
}

Must I put this kill -HUP for each log to rotate? (/var/log/radius/radacct/*/detail, /var/log/radius/checkrad.log, ...) or only for radius.log?

Thanks

Eric Bellière
Re: Freeradius 2.1.9 digest authentication problem
Hi,

> Tried Cleartext-Password := test, Cleartext-Password == test, Cleartext-Password = test; the result is the same.

why? why did you do that? Cleartext-Password := test is the only correct way. you just completely ignored the information/help given by the actual author of FreeRADIUS. you don't trust him to know how the code works??

alan
Re: Freeradius 2.1.9 digest authentication problem
Hi,

> Tried Cleartext-Password := test, Cleartext-Password == test, Cleartext-Password = test; the result is the same.

and remember - if you are changing the users file and not doing anything funky, you will have to restart the server!

alan
Re: Tag and Untag a port in several VLAN
> On 2010/08/03 01:51 PM, Fabien COMBERNOUS wrote:
>> Thank you for your answer. I can't change the FreeRADIUS version, so I need to use a decimal number. Can you give me an example of how to untag a port in VLAN 7?
>
> Just convert 0x320007 to decimal??

No. Just a correct example in hex to untag in VLAN 7. I'll translate it to decimal.

Thank you for your help.
Re: Freeradius 2.1.9 stop working
BELLIERE Eric wrote:
> Then if it is a bug I will have to upgrade? Or do you have a patch? You sent me the link for git.freeradius.org, but what must I do to correct this problem?

Try using the v2.1.x branch from http://git.freeradius.org. i.e. download it and install it. The instructions are on that web page. Go read them.

> For the log rotate I will add kill -HUP `cat /var/run/radiusd/radiusd.pid` in postrotate. Like this:
>
> /var/log/radius/radius.log {
>     daily
>     rotate 4
>     create
>     missingok
>     postrotate
>         kill -HUP `cat /var/run/radiusd/radiusd.pid`
>     endscript
>     compress
> }
>
> Must I put this kill -HUP for each log to rotate? (/var/log/radius/radacct/*/detail, /var/log/radius/checkrad.log, ...) or only for radius.log?

Only for radius.log.

Alan DeKok.
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 14:25, Alan Buxey wrote:
> Hi,
>
>> Tried Cleartext-Password := test, Cleartext-Password == test, Cleartext-Password = test; the result is the same.
>
> why? why did you do that? Cleartext-Password := test is the only correct way. you just completely ignored the information/help given by the actual author of FreeRADIUS. you don't trust him to know how the code works??

Alan Cox's email was sent only minutes later.

> alan

Have a nice day.

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing Director: Lars Busch
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: Freeradius 2.1.9 digest authentication problem
Hi,

> Alan Cox's email was sent only minutes later.

Alan Cox? wow. RedHat finally taking development to new levels.. you meant Alan DeKok I assume? Too many Alans for you? ;-)

alan
Re: Freeradius 2.1.9 digest authentication problem
On Tue, Aug 03, 2010 at 01:56:48PM +0200, Alan DeKok wrote:
> al...@arctel.ru wrote:
>> trying to test digest authentication (freeradius 2.1.9). After uncommenting 'digest' in sites-available/default, 'radiusd -X' starts fine. But after I added (according to 'man rlm_digest') to the users file:
>> test    Auth-Type := Digest, User-Password = test
>>         Reply-Message = Hello, test with digest
>
> (1) Don't force Auth-Type
> (2) Use: Cleartext-Password := test
>     Not: User-Password = test

Ok, it works as expected (according to the test procedure in 'man rlm_digest') with this config:

test    Cleartext-Password := test
        Reply-Message = Hello, test with digest

i.e. without the Auth-Type attribute. I MUST NOT use Auth-Type?

> (3) search for digest in raddb/sites-available/default

Found and uncommented digest in the authorize and authenticate sections already (before posting here).

> (4) READ the comments
> (5) enable digest as instructed

Thank You

-- 
Alexander Belov
Re: Freeradius 2.1.9 digest authentication problem
al...@arctel.ru wrote:
> i.e. without the Auth-Type attribute. I MUST NOT use Auth-Type?

No. It has VERY limited uses. Nearly everyone who tries to use it gets it wrong.

Ignore all of the third-party web sites that say to set Auth-Type. They're wrong, and they've been wrong for about 5 years.

Alan DeKok.
Re: Tag and Untag a port in several VLAN
Alan DeKok wrote:
> Fabien COMBERNOUS wrote:
>> I'm using FreeRADIUS 2.1.3. I'm doing a MAC-based port assignment with an SQL backend.
> ...
>> rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute Egress-VLANID
>> What am I missing or misunderstanding?
>
> The hex value isn't accepted in 2.1.3. You'll need to run 2.1.6 or later. Or, change the hex number to a decimal number.

So I used the other possibility, with Egress-VLAN-Name instead of Egress-VLANID. It is easier to understand the meaning of the value, and it works with my version of FreeRADIUS.

Thank you for your help.

-- 
Fabien COMBERNOUS
unix system engineer
www.kezia.com
Tel: +33 (0) 467 992 986
Kezia Group
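As an added example (not the poster's code or FreeRADIUS's), covering Alan's hex-to-decimal answer, Fabien's request for a correct hex value to untag VLAN 7, and the Egress-VLAN-Name alternative he settled on: this script encodes and validates both attributes under the RFC 4675 layout (Egress-VLANID is a 32-bit integer: tag byte 0x31 tagged / 0x32 untagged, 12 zero pad bits, 12-bit VLAN ID; Egress-VLAN-Name is the ASCII digit '1' or '2' followed by the VLAN name). The group name and table are the ones from the post; the INSERT rendering is for illustration only, and the check shows that the post's 0x320007 is a byte short for that layout.

```python
"""Build and check RFC 4675 Egress-VLANID / Egress-VLAN-Name values for a
FreeRADIUS radgroupreply row.

Assumed layout (RFC 4675): Egress-VLANID = tag byte (0x31 tagged, 0x32
untagged) << 24 | 12 zero pad bits << 12 | 12-bit VLAN ID.
Egress-VLAN-Name = '1' (tagged) or '2' (untagged) followed by the name.
"""
from typing import Tuple

TAG_INDICATION = {"tagged": 0x31, "untagged": 0x32}
INDICATION_TAG = {v: k for k, v in TAG_INDICATION.items()}


def egress_vlanid(mode: str, vlan_id: int) -> int:
    """Encode (mode, vlan_id) into the Egress-VLANID integer."""
    if mode not in TAG_INDICATION:
        raise ValueError("mode must be 'tagged' or 'untagged'")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (TAG_INDICATION[mode] << 24) | vlan_id


def parse_egress_vlanid(value: int) -> Tuple[str, int]:
    """Decode an Egress-VLANID integer.  A value that is one byte short, such
    as 0x320007, puts 0x00 in the tag byte and is rejected here."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Egress-VLANID must fit in 32 bits")
    indication = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if indication not in INDICATION_TAG:
        raise ValueError(f"tag indication byte 0x{indication:02x} is not 0x31/0x32")
    if pad:
        raise ValueError("pad bits must be zero")
    return INDICATION_TAG[indication], vlan_id


def egress_vlan_name(mode: str, name: str) -> str:
    """Encode the string form: '1<name>' tagged, '2<name>' untagged."""
    if mode not in TAG_INDICATION:
        raise ValueError("mode must be 'tagged' or 'untagged'")
    return chr(TAG_INDICATION[mode]) + name


def radgroupreply_sql(groupname: str, attribute: str, value) -> str:
    """Render the INSERT from the post with the value in decimal, since
    FreeRADIUS 2.1.3 does not accept 0x... integers.  Illustration only: real
    code would use a parameterised query, not string formatting."""
    return ("INSERT INTO radgroupreply(groupname,attribute,op,value) "
            f"VALUES ('{groupname}','{attribute}',':=','{value}');")


if __name__ == "__main__":
    # The two values from the post: 0x320007 (untagged VLAN 7 intended) and 0x32000102.
    for raw in (0x320007, 0x32000102):
        try:
            print(hex(raw), "->", parse_egress_vlanid(raw))
        except ValueError as exc:
            print(hex(raw), "rejected:", exc)
    untagged7 = egress_vlanid("untagged", 7)
    print(f"untagged VLAN 7 = 0x{untagged7:08x} = {untagged7}")
    print(radgroupreply_sql("AP_test", "Egress-VLANID", untagged7))
    print(radgroupreply_sql("AP_test", "Egress-VLAN-Name", egress_vlan_name("untagged", "test")))
```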
Re: Freeradius 2.1.9 digest authentication problem
On 03.08.2010 at 15:24, Alan Buxey wrote:
> Hi,
>
> > Alan Cox's email was sent only minutes later.
>
> Alan Cox? wow. RedHat finally taking development to new levels.. you meant Alan DeKok I assume?

Too many Alans for you? ;-)
Sorry for the mistyping.

> alan

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
RE: windows users having trouble authenticating
Alan:

Thank you for your response, I think I finally know what is going on. I need to get a real cert from my FreeRADIUS Server, any suggestions about which vendor, IE Verisign vs thawte vs ?

I was under the impression that the clients were sending a cert to the server and the server was rejecting it, instead it seems that the clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
>
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

No amount of upgrading FreeRADIUS will make it work.

This message comes because (a) the supplicant has a client certificate issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the client cert.

PEAP doesn't work like that. If you issued client certs, then FreeRADIUS *MUST* be configured to know about the CA.

> I have about 2 thousand clients that are not owned by my university, I cannot install the server cert on all of them, the logistics are too much. PLEASE HELP!

We're trying. We're asking you to listen to our responses.

PEAP (or any TLS based EAP method) *cannot* do what you ask. It's impossible, and it was designed to be impossible by the people who created the cryptography algorithms.

If you want to have it work, then (a) configure FreeRADIUS to know about the CA that issued the client cert, or (b) put the FreeRADIUS cert/CA on a web site, for the clients to download themselves.

I understand what you want, but please understand that there are limitations to the protocols *independent* of FreeRADIUS.

Alan DeKok.
Quick IPv6 related questions
Hello all,

I am running FreeRadius 2.1.8 with two NAS clients and a couple of end devices being authenticated successfully with EAP-TTLS. My setup was running just fine on IPv4 and I would like to jump to IPv6. My first trial seems ok, but not ideal, so here are my IPv6 related questions :

a) Why am I seeing in my radius -X output lines as the following :

++[detail] returns ok
[unix] IPv6 is not supported!
++[unix] returns noop
rlm_radutmp: IPv6 not supported!
++[radutmp] returns noop

What could trigger that "IPv6 is not supported" output? Is there something that might be going wrong, because clients get authenticated successfully as far as I can tell but I am afraid that something else might be broken.

b) My FreeRadius machine has an easy to remember IPv6 address e.g. 2001:a::1 and NAS clients are using this to send packets to FR. However it seems that FR is configuring another IPv6 address from the router advertisements that it gets from the access network. The problem is that when this happens FR replies to NAS with packets coming from the autoconfigured address as source and thus breaks the setup as NAS are waiting packets from 2001:a::1. Is there a way to force FR to generate packets coming from the manually configured IP (2001:a::1) ?

c) Is there a plan to get a dual stack FreeRadius? It would be really advantageous to be able to run FreeRadius in both ipv4 and ipv6 at the same time.

Thanks a lot in advance,
Panos
Re: Quick IPv6 related questions
Panagiotis Georgopoulos wrote:
> a) Why am I seeing in my radius -X output lines as the following :
>
> [unix] IPv6 is not supported!

The unix module stores user login information into a wtmp style file. It doesn't support IPv6.

> rlm_radutmp: IPv6 not supported!

Same thing here. It stores user login information into a utmp style file. It doesn't support IPv6.

> What could trigger that "IPv6 is not supported" output? Is there something that might be going wrong, because clients get authenticated successfully as far as I can tell but I am afraid that something else might be broken.

If you don't use radlast and radwho, you can delete the unix and radutmp entries from the accounting section. Nothing else will be affected.

> b) My FreeRadius machine has "an easy to remember" IPv6 address e.g. 2001:a::1 and NAS clients are using this to send packets to FR. However it seems that FR is configuring another IPv6 address from the router advertisements that it gets from the access network.

No. FreeRADIUS doesn't configure IPv6 addresses. Your OS does.

> The problem is that when this happens FR replies to NAS with packets coming from the autoconfigured address as source and thus breaks the setup as NAS are waiting packets from 2001:a::1. Is there a way to force FR to generate packets coming from the manually configured IP (2001:a::1) ?

Update the listen section to bind to that specific IP.

> c) Is there a plan to get a dual stack FreeRadius? It would be really advantageous to be able to run FreeRadius in both ipv4 and ipv6 at the same time.

Uh... it's *already* dual stack. You are running it dual stack right now.

Alan DeKok.
Re: windows users having trouble authenticating
Sallee, Stephen (Jake) wrote:
> Thank you for your response, I think I finally know what is going on. I need to get a real cert from my FreeRADIUS Server, any suggestions about which vendor, IE Verisign vs thawte vs ?

Nope.

> I was under the impression that the clients were sending a cert to the server and the server was rejecting it, instead it seems that the clients are rejecting the server.

Using a known root CA for RADIUS authentication isn't really recommended. But if it solves the problem...

And you'll need to make sure that the cert you get has the correct OIDs in it. See eap.conf.

Alan DeKok.
Re: windows users having trouble authenticating
On 08/03/2010 01:30 PM, Alan DeKok wrote:
> Using a known root CA for RADIUS authentication isn't really recommended.

Why?

P.S. just to clarify, it's not using a known root CA for RADIUS authentication, rather it's using a server cert signed by a known root CA.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
RE: Quick IPv6 related questions
Hello Alan,

Thanks for your replies, they are helpful. Regarding the last question...

> > c) Is there a plan to get a dual stack FreeRadius? It would be really advantageous to be able to run FreeRadius in both ipv4 and ipv6 at the same time.
>
> Uh... it's *already* dual stack. You are running it dual stack right now.

I guess the emphasis on my question above is on *at the same time*. Now radiusd.conf explicitly says :

# OR, you can use an IPv6 address, but not both
# at the same time.

In other words FR to listen to both an IPv4 and an IPv6 address simultaneously for ipv4 and ipv6 NAS clients.

Cheers,
Panos
Re: Quick IPv6 related questions
Panagiotis Georgopoulos wrote:
> I guess the emphasis on my question above is on *at the same time*. Now radiusd.conf explicitly says :
>
> # OR, you can use an IPv6 address, but not both
> # at the same time.
>
> In other words FR to listen to both an IPv4 and an IPv6 address simultaneously for ipv4 and ipv6 NAS clients.

You cannot have one listen section accept packets on BOTH IPv4 and IPv6 addresses.

You CAN have two listen sections, one accepting IPv4, and one accepting IPv6. Just like you can have two listen sections, one for authentication, and the other for accounting.

Alan DeKok.
Re: windows users having trouble authenticating
John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
> > Using a known root CA for RADIUS authentication isn't really recommended.
>
> Why?
>
> P.S. just to clarify, it's not using a known root CA for RADIUS authentication, rather it's using a server cert signed by a known root CA.

Sure.

It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username login via EAP to the rogue AP.

The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net

You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation.

Alan DeKok.
RE: Quick IPv6 related questions
Hi Alan,

> Panagiotis Georgopoulos wrote:
> > I guess the emphasis on my question above is on *at the same time*. Now radiusd.conf explicitly says :
> >
> > # OR, you can use an IPv6 address, but not both
> > # at the same time.
> >
> > In other words FR to listen to both an IPv4 and an IPv6 address simultaneously for ipv4 and ipv6 NAS clients.
>
> You cannot have one listen section accept packets on BOTH IPv4 and IPv6 addresses.
>
> You CAN have two listen sections, one accepting IPv4, and one accepting IPv6. Just like you can have two listen sections, one for authentication, and the other for accounting.

Very Useful, thanks a lot,
Panos
RE: windows users having trouble authenticating
> The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net

How does this work out with child domains? For example: I have two domains 1) umhb.edu and 2) Cru.umhb.edu. Cru is a child of umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok for authenticating users on both umhb.edu AND Cru.umhb.edu?

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:13 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
> > Using a known root CA for RADIUS authentication isn't really recommended.
>
> Why?
>
> P.S. just to clarify, it's not using a known root CA for RADIUS authentication, rather it's using a server cert signed by a known root CA.

Sure.

It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username login via EAP to the rogue AP.

The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net

You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation.

Alan DeKok.
Re: windows users having trouble authenticating
Sallee, Stephen (Jake) wrote:
> > The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net
>
> How does this work out with child domains? For example: I have two domains 1) umhb.edu and 2) Cru.umhb.edu. Cru is a child of umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok for authenticating users on both umhb.edu AND Cru.umhb.edu?

I said it SHOULD have been that way. It doesn't work that way now. There is NO tying of certificate CNs to user names.

Alan DeKok.
Re: windows users having trouble authenticating
Alan DeKok wrote:
> Sallee, Stephen (Jake) wrote:
> > > The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net
> >
> > How does this work out with child domains? For example: I have two domains 1) umhb.edu and 2) Cru.umhb.edu. Cru is a child of umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok for authenticating users on both umhb.edu AND Cru.umhb.edu?
>
> I said it SHOULD have been that way. It doesn't work that way now. There is NO tying of certificate CNs to user names.

We should probably expand on that. With respect to the server's certificate, there is nothing tying it to anything on any client I've tested. The server's certificate is presented and you are allowed to accept it. If it isn't signed by a trusted authority you may have to click some additional warnings.

FreeRadius can of course compare the client cert's CN to the username for what it's worth. On most platforms, the user can put whatever they want for the username though. Or on XP, it gets auto-filled with the value of the CN from the client's certificate. So that particular check is of dubious value.

With respect to Jake's question, I'm not sure if he's talking about the server certificate or the client certificate. Strictly speaking, server certificates are not really tied to a domain or DNS entry with EAP. I don't think the client ever actually sees the true IP address of the radius server or its domain name. The NAS does (or might), but from the client to the Radius server it's all encapsulated and strictly speaking isn't IP traffic at all. You can use the server cert wherever you want, no matter what DNS name is on it. As long as you can get the users to click OK when they are presented with it, it will be fine.

-David Mitchell

--
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV    |
| Tel: (303) 497-1845                  National Center for    |
| FAX: (303) 497-1818                  Atmospheric Research   |
Re: windows users having trouble authenticating
Alan DeKok wrote:
> John Dennis wrote:
> > On 08/03/2010 01:30 PM, Alan DeKok wrote:
> > > Using a known root CA for RADIUS authentication isn't really recommended.
> >
> > Why?
> >
> > P.S. just to clarify, it's not using a known root CA for RADIUS authentication, rather it's using a server cert signed by a known root CA.
>
> Sure.
>
> It's because *anyone* can set up an AP, and a RADIUS server that your PC will accept. If the AP has the same SSID as (say) your work, it will happily send your work username login via EAP to the rogue AP.

The level of risk here varies depending on the EAP method. If you are using EAP-TLS, the server only gets a copy of the certificate so there is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I believe the attacker can get enough information to perform a dictionary attack against your password which depending on its strength may or may not be a problem (I'm not certain about this one if somebody else wants to chime in). And then there is EAP-TTLS where the rogue server will end up with a cleartext copy of the username and password if the user can be tricked into accepting the server's certificate.

> The various EAP methods *should* have tied usernames (i.e. domains) to a field in the certificate. e.g. a cert with CN rad...@example.com should be sent logins for u...@example.com, but NEVER sent logins for u...@example.net
>
> You should ONLY send your login credentials when you *know* who it is on the other end of the EAP conversation.
>
> Alan DeKok.

--
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV    |
| Tel: (303) 497-1845                  National Center for    |
| FAX: (303) 497-1818                  Atmospheric Research   |
RE: windows users having trouble authenticating
AMAZING! Alan and John, you guys are on my Christmas card list now!

I had my default eap type set to mschap and was never getting prompted to accept the server cert. John, you mentioned the mschap vs TLS and it hit me, set eap to TLS and VOILA, the client is prompted to accept the cert EXACTLY as we intended.

Thanks a bundle!

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
suffix configuration
One last problem and I think I am ready for production, wohoo!

When my users try to login with the convention usern...@domain the login fails because I do not think I have FreeRADIUS correctly configured to parse out the domain, however if they login with the convention domain\username it works fine.

Where do I configure the behavior of suffix to act the same as prefix?

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
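Realm splitting in FreeRADIUS is done by instances of the realm module; in the stock 2.x modules/realm file these are "suffix" (format = suffix, delimiter "@") and "ntdomain" (format = prefix, delimiter "\"), and whichever instances are listed in the authorize section are tried in order, setting Stripped-User-Name and Realm when the split yields a realm the server knows. The following is an added example, not rlm_realm's code, that models that chain in Python so the difference between the two login conventions can be traced: the last-delimiter split for suffix, the first-delimiter split for prefix, and the handling of an unknown realm with and without a DEFAULT entry are this model's assumptions, and the realm list is constructed.

```python
"""Model of FreeRADIUS realm-module splitting of User-Name (added example, not rlm_realm code)."""
from typing import Dict, List, Optional, Tuple

# (module instance name, format, delimiter) as in the stock 2.x modules/realm file.
STOCK_MODULES: List[Tuple[str, str, str]] = [
    ("suffix", "suffix", "@"),
    ("ntdomain", "prefix", "\\"),
]

# Constructed realm list standing in for the realm { } entries of proxy.conf.
KNOWN_REALMS = {"example.com"}


def split_realm(user_name: str, fmt: str, delimiter: str) -> Optional[Tuple[str, str]]:
    """Return (stripped_user_name, realm) or None when the delimiter is absent.

    Assumption of this model: suffix splits at the *last* delimiter (so a name
    containing '@' twice keeps the earlier part in the user name), prefix at the first.
    """
    if fmt == "suffix":
        head, sep, tail = user_name.rpartition(delimiter)
        return (head, tail) if sep else None
    if fmt == "prefix":
        head, sep, tail = user_name.partition(delimiter)
        return (tail, head) if sep else None
    raise ValueError(f"unknown realm format {fmt!r}")


def apply_realm_chain(user_name: str, modules, known_realms) -> Optional[Dict[str, str]]:
    """Run the module instances in authorize-section order; first match wins.

    A module whose delimiter is absent, or whose realm is not configured (and no
    DEFAULT realm exists), is modelled as returning noop and leaving the name alone.
    """
    for module_name, fmt, delim in modules:
        parts = split_realm(user_name, fmt, delim)
        if parts is None:
            continue
        stripped, realm = parts
        if realm in known_realms:
            entry = realm
        elif "DEFAULT" in known_realms:
            entry = "DEFAULT"          # catch-all realm entry takes unknown realms
        else:
            continue                   # "No such realm": nothing is stripped
        return {"module": module_name, "Stripped-User-Name": stripped,
                "Realm": realm, "realm_entry": entry}
    return None


if __name__ == "__main__":
    for name in ("alice@example.com", "example.com\\alice", "alice", "alice@other.example"):
        print(f"{name!r:28} -> {apply_realm_chain(name, STOCK_MODULES, KNOWN_REALMS)}")
```

Feeding a "domain\user" login to a chain that only contains the suffix instance returns None, which is the "works with prefix but not with suffix" symptom in reverse: the instance whose delimiter matches the login convention has to be present in the authorize section.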
Duplicate home server
Hello all,

I am running FreeRADIUS Version 2.1.8 (built from freebsd ports)

I feel like I am missing something blatantly obvious, but just cannot seem to figure it out. Maybe I am just not understanding the documentation.

I am setting up a new server with a realm to direct some of its requests to two existing radius servers (redundant).

This is what I think is the relevant part of my proxy.conf:

home_server radius1 {
        type = auth+acct
        ipaddr = xx.xx.144.5
        port = 1645
        secret = testing123
}
home_server radius2 {
        type = auth+acct
        ipaddr = xx.xx.145.5
        port = 1645
        secret = testing123
}
home_server_pool my_server_pool {
        type = fail-over
        home_server = radius1
        home_server = radius2
}
realm mydomain.com {
        pool = my_server_pool
}

But when I start the server, 'radiusd -X' dies reporting:

/usr/local/etc/raddb/proxy.conf[744]: Duplicate home server

( Line 144 refers to this line
home_server radius2 {
)

As soon as I remove one of the home_server = radius2 lines from the pool, the server will start fine. Also if I change the ports on my home_server configs, the server will start.

Is this not the correct way to setup redundant realm proxying?

Thank you in advance,
Cody
Re: Duplicate home server
Cody Ritts wrote:
> I am setting up a new server with a realm to direct some of its requests to two existing radius servers (redundant).
>
> This is what I think is the relevant part of my proxy.conf:
...
> But when I start the server, 'radiusd -X' dies reporting:
>
> /usr/local/etc/raddb/proxy.conf[744]: Duplicate home server

The config you posted works fine.

> ( Line 144 refers to this line
> home_server radius2 {
> )

144 or 744? It makes a difference...

> As soon as I remove one of the home_server = radius2 lines from the pool, the server will start fine. Also if I change the ports on my home_server configs, the server will start.
>
> Is this not the correct way to setup redundant realm proxying?

Yes. It should work, if you don't have another copy of the same config in proxy.conf.

Alan DeKok.
Re: Quick IPv6 related questions
Hi,

> In other words FR to listen to both an IPv4 and an IPv6 address simultaneously for ipv4 and ipv6 NAS clients.

simply define another virtual server...exactly the same as default, but listening to the IPv6 instead?

alan
Re: Duplicate home server
Thank you Alan.

Since you said that it should work, I re-installed from scratch, and then re-configured the settings one by one, and it works. I am looking at the diffs, and I have no idea what I had wrong, but I am happy to know that at least those settings were correct.

Thanks again,
Cody

On 8/3/10 2:13 PM, Alan DeKok wrote:
> Cody Ritts wrote:
> > I am setting up a new server with a realm to direct some of its requests to two existing radius servers (redundant).
> >
> > This is what I think is the relevant part of my proxy.conf:
> ...
> > But when I start the server, 'radiusd -X' dies reporting:
> >
> > /usr/local/etc/raddb/proxy.conf[744]: Duplicate home server
>
> The config you posted works fine.
>
> > ( Line 144 refers to this line
> > home_server radius2 {
> > )
>
> 144 or 744? It makes a difference...
>
> > As soon as I remove one of the home_server = radius2 lines from the pool, the server will start fine. Also if I change the ports on my home_server configs, the server will start.
> >
> > Is this not the correct way to setup redundant realm proxying?
>
> Yes. It should work, if you don't have another copy of the same config in proxy.conf.
>
> Alan DeKok.
Authenticating against LDAP, specific group
Greetings,

I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap module. I only want to authenticate users in a certain group. These groups exist in LDAP as a posixGroup with a memberUID list. As I have it configured currently, I get an Access-Accept for any user in the directory.

The ldap module is configured as such:

ldap {
        server = 192.168.1.99
        identity = "cn=admin,dc=corp,dc=example,dc=com"
        password = s3cret
        basedn = "dc=corp,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_attribute = NOC
        groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
}

I've also seen recommendations to add something like this to the users file:

DEFAULT LDAP-Group == NOC
        Service-Type = Administrative-User

Now I can see the Service-Type displayed when I do a radtest using the username/password of users in the NOC group, but I still see an Access-Accept for users who are not in the group. How can I make the server reject users that aren't in the NOC group?

Any hints would be fantastic.
Re: Authenticating against LDAP, specific group
This is how I have done it:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

Works a treat for me.

On Wed, Aug 4, 2010 at 11:27 AM, Cory Johnson cjohn...@commspeed.net wrote:
> Greetings,
>
> I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap module. I only want to authenticate users in a certain group. These groups exist in LDAP as a posixGroup with a memberUID list. As I have it configured currently, I get an Access-Accept for any user in the directory.
>
> The ldap module is configured as such:
>
> ldap {
>         server = 192.168.1.99
>         identity = "cn=admin,dc=corp,dc=example,dc=com"
>         password = s3cret
>         basedn = "dc=corp,dc=example,dc=com"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         ldap_connections_number = 5
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         tls {
>                 start_tls = no
>         }
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         edir_account_policy_check = no
>         groupname_attribute = cn
>         groupmembership_attribute = NOC
>         groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
> }
>
> I've also seen recommendations to add something like this to the users file:
>
> DEFAULT LDAP-Group == NOC
>         Service-Type = Administrative-User
>
> Now I can see the Service-Type displayed when I do a radtest using the username/password of users in the NOC group, but I still see an Access-Accept for users who are not in the group. How can I make the server reject users that aren't in the NOC group?
>
> Any hints would be fantastic.