RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
I am still getting this error in my debug output:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca

I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

PLEASE someone tell me how to make FreeRADIUS automatically accept the
client cert.  I have about 2 thousand clients that are not owned by my
university, I cannot install the server cert on all of them, the
logistics are too much.  PLEASE HELP!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Sallee, Stephen (Jake)
Sent: Monday, August 02, 2010 7:07 PM
To: FreeRadius users mailing list
Subject: RE: windows users having trouble authenticating

Thanks for the info, I have the client setup the way you suggest, in Win
7 almost everything you said were defaults.  However I still get the
unknown CA problem.  Does anyone know how I can tell the FreeRADIUS
server to accept the client cert automatically?  

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Alan Buxey
Sent: Monday, August 02, 2010 5:59 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

hi,

weird output due to the special characters \t, \r, \n, which all did similar
things in the output (the latest version has a fix for this).

issue with windows is to do with certs etc.  you need to configure the
supplicant to use PEAP, not to use the windows login, if you haven't
sorted out certs, then you need to not check any radius server or tick
anything... and not have the 'do not prompt for new certs' etc unticked.
best to put the CA that the RADIUS server was signed with onto the host
(in trusted CA local root store).

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: windows users having trouble authenticating

2010-08-03 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
 I am still getting this error in my debug output:
 
 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
 alert unknown ca
 
 I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

 PLEASE someone tell me how to make FreeRADIUS automatically accept the
 client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

  I have about 2 thousand clients that are not owned by my
 university, I cannot install the server cert on all of them, the
 logistics are too much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.


Freeradius 2.1.9 stop working

2010-08-03 Thread BELLIERE Eric
Hello.

We have installed 2 FreeRadius 2.1.9 on RedHat Servers.

The FreeRADIUS servers are doing proxying and everything is working well (duplicate
accounting also).

My problem is that for an unknown reason the radiusd process stopped by itself; this
makes a problem for us.

Both Radiuses are doing the same. Sometimes the radiusd is no longer
working and I need to restart it with /etc/init.d/radiusd start

I have another problem: when logrotate is doing its job, the log
radius.log stays empty and I need to restart or kill -HUP the radiusd
process.

Does someone already have this problem?

Is there a bug?

Server 1 : [r...@chinchilla radius]$uname -a
Linux chinchilla 2.6.18-194.8.1.el5PAE #1 SMP Wed Jun 23 11:16:22 EDT 2010 i686 i686 i386 GNU/Linux

radmin show version
FreeRADIUS Version 2.1.9, for host i686-redhat-linux-gnu, built on Jul 26 2010 at 13:51:35

Server2 : [r...@cheetah radius]$uname -a
Linux cheetah 2.6.18-194.3.1.el5PAE #1 SMP Sun May 2 04:42:25 EDT 2010 i686 i686 i386 GNU/Linux

radmin show version
FreeRADIUS Version 2.1.9, for host i686-redhat-linux-gnu, built on Jun 22 2010 at 21:23:08

Thanks,

Eric Bellière
Operation & Integration Expert
ITNO/ISO/ISIO/LSS
Mobistar NV/SA
Avenue Jean Mermoz 32
6041 Gosselies
Tel: +32 (0)2 745 7997
GSM: +32(0)495 55 1343

Freeradius/Samba Client rejected our response

2010-08-03 Thread Lionne Stangier
Hi,

I have some problems with the authentication and need help.

The authentication fails at the authenticate part, while doing PEAP.
ntlm_auth succeeds, so I don't understand the failure.
Why does the client reject the response?

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Client rejected our response.  The password is probably incorrect.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}


Lionne Stangier

Debug:

--

FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Aug  3 2010 at 09:49:25
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary 

Re: Freeradius 2.1.9 stop working

2010-08-03 Thread Alan DeKok
BELLIERE Eric wrote:
 My problem is that for an unknown reason the radiusd process stopped by itself;
 this makes a problem for us.
 
 Both Radiuses are doing the same. Sometimes the radiusd is no longer
 working and I need to restart it with /etc/init.d/radiusd start

  It might be bug #35.   Try using the v2.1.x branch from
http://git.freeradius.org.

 I have another problem: when logrotate is doing its job, the
 log radius.log stays empty and I need to restart or kill -HUP the radiusd
 process.

  That's how log rotation should work: change the log file, and HUP the
server.

  The previous behavior was non-standard for Unix daemons, and therefore
wrong.

  Alan DeKok.


Re: Freeradius/Samba Client rejected our response

2010-08-03 Thread Alan DeKok
Lionne Stangier wrote:
 Hi,
 
 I have some problems with the authentication and need help.
 
 The authentication fails at the authenticate part, while doing PEAP.
 ntlm_auth succeeds, so I don't understand the failure.
 Why does the client reject the response?

  It's a Samba bug.  https://bugzilla.samba.org/show_bug.cgi?id=6563

  There was a message yesterday about this issue.

  Alan DeKok.


Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Hi there,

I'm using FreeRadius 2.1.3. I'm doing a MAC-based port assignment with an
SQL backend.


To untag a port of the switch in a VLAN works well.

But in some cases I need to tag a port in several VLANs. In the wiki [1]
it looks possible. By following what is indicated in the wiki I inserted the
following data in my SQL backend:
insert into radgroupreply(groupname,attribute,op,value)  values 
('AP_test','Egress-VLANID',':=','0x320007');
insert into radgroupreply(groupname,attribute,op,value)  values 
('AP_test','Egress-VLANID',':=','0x32000102');


But when I plug in the equipment, radius gives this debug:
[sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute Egress-VLANID


What am I missing or misunderstanding?
Help is welcome.

Best regards,

[1] http://wiki.freeradius.org/HP
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: Freeradius/Samba Client rejected our response

2010-08-03 Thread Lionne Stangier

  It's a Samba bug.  https://bugzilla.samba.org/show_bug.cgi?id=6563

Thank you. 




Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Alan DeKok
Fabien COMBERNOUS wrote:
 I'm using FreeRadius 2.1.3. I'm doing a MAC-based port assignment with an
 SQL backend.
...
 But when I plug in the equipment, radius gives this debug:
 [sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
 rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute
 Egress-VLANID
 
 What am I missing or misunderstanding?

  The hex value isn't accepted in 2.1.3.  You'll need to run 2.1.6 or later.

  Or, change the hex number to a decimal number.

  Alan DeKok.


Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread alexb
Hello,

Trying to test digest authentication (freeradius 2.1.9). After
uncommenting 'digest' in sites-available/default, 'radiusd -X'
starts fine, but after I added (according to 'man rlm_digest')
to the users file:

test    Auth-Type := Digest, User-Password = test
        Reply-Message = Hello, test with digest

'radiusd -X' shows

[r...@host raddb]# /usr/local/sbin/radiusd -X
FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu, built on Aug  3 2010 at 
18:19:48
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {
user = radiusd
group = radiusd
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
   

Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


On 03.08.2010 at 13:23, al...@arctel.ru wrote:


Hello,

Trying to test digest authentication (freeradius 2.1.9). After
uncommenting 'digest' in sites-available/default, 'radiusd -X'
starts fine, but after I added (according to 'man rlm_digest')
to the users file:

test    Auth-Type := Digest, User-Password = test
        Reply-Message = Hello, test with digest


Please try using Cleartext-Password := test instead of User-Password = test



[...]


Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Alan DeKok wrote:

Fabien COMBERNOUS wrote:

I'm using FreeRadius 2.1.3. I'm doing a MAC-based port assignment with an
SQL backend.

...

But when I plug in the equipment, radius gives this debug:
[sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute
Egress-VLANID

What am I missing or misunderstanding?

  The hex value isn't accepted in 2.1.3.  You'll need to run 2.1.6 or later.

  Or, change the hex number to a decimal number.

Thank you for your answer.
I can't change the FreeRadius version, so I need to use a decimal number.
Can you give me an example of how to untag a port in VLAN 7?

Best regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Alan DeKok
Fabien COMBERNOUS wrote:
 I can't change the FreeRadius version, so I need to use a decimal number.
 Can you give me an example of how to untag a port in VLAN 7?

  Convert the hex number to a decimal number.  There are tools available
to help you do this.

  Alan DeKok.


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread alexb
On Tue, Aug 03, 2010 at 01:26:25PM +0200, Nicolas Goutte wrote:

 Am 03.08.2010 um 13:23 schrieb al...@arctel.ru:

 Hello,

 trying to test digest authentication (freeradius 2.1.9). After
 uncommenting 'digest' in sites-available/default 'radiusd -X'
 starts fine. but after I added (according to 'man rlm_digest')
 to users file:

 test    Auth-Type := Digest, User-Password = test
         Reply-Message = Hello, test with digest

 Please try using Cleartext-Password := test instead of User-password = 
 test

Tried Cleartext-Password := test, Cleartext-Password == test,
Cleartext-Password = test, result is the same.

Thank You
--
Alexander Belov


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Alan DeKok
al...@arctel.ru wrote:
 trying to test digest authentication (freeradius 2.1.9). After 
 uncommenting 'digest' in sites-available/default 'radiusd -X' 
 starts fine. but after I added (according to 'man rlm_digest')
 to users file:
 
 test    Auth-Type := Digest, User-Password = test
         Reply-Message = Hello, test with digest

  (1) Don't force Auth-Type
  (2) Use: Cleartext-Password := 'test
  Not: User-Password = test
  (3) search for digest in raddb/sites-available/default
  (4) READ the comments
  (5) enable digest as instructed

 Maybe, I missed something?

  You need to enable digest authentication.

  Alan DeKok.


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Johan Meiring

On 2010/08/03 01:51 PM, Fabien COMBERNOUS wrote:

Thank you for your answer.
I can't change the FreeRadius version, so I need to use a decimal number.
Can you give me an example of how to untag a port in VLAN 7?




Just convert 0x320007 to decimal??

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Freeradius 2.1.9 stop working

2010-08-03 Thread BELLIERE Eric
Thanks Alan.

Then if it is a bug, will I have to upgrade? Or do you have a patch?
You sent me the link for GIT.freeradius.org, but what must I do to correct
this problem?

For the log rotate I will add kill -HUP `cat /var/run/radiusd/radiusd.pid`
in postrotate.
Like this:
/var/log/radius/radius.log {
    daily
    rotate 4
    create
    missingok
    postrotate
        kill -HUP `cat /var/run/radiusd/radiusd.pid`
    endscript
    compress
}

Must I put this kill -HUP for each log to rotate?
(/var/log/radius/radacct/*/detail, /var/log/radius/checkrad.log, ...) or
only for radius.log?



Thanks

Eric Bellière


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Alan Buxey
Hi,

 Tried Cleartext-Password := test, Cleartext-Password == test,
 Cleartext-Password = test, result is the same.

why? why did you do that?

Cleartext-Password := test

is the only correct way. you just completely ignored the information/help given
by the actual
author of FreeRADIUS. you don't trust him to know how the code works??

alan


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Alan Buxey
Hi,

 Tried Cleartext-Password := test, Cleartext-Password == test,
 Cleartext-Password = test, result is the same.

and remember - if you are changing the users file and not doing anything
funky, you will have to restart the server!

alan


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread fcombernous
 On 2010/08/03 01:51 PM, Fabien COMBERNOUS wrote:
 Thank you for your answer.
 I can't change the FreeRadius version, so I need to use a decimal number.
 Can you give me an example of how to untag a port in VLAN 7?



 Just convert 0x320007 to decimal??

No. Just a correct example in hexadecimal to untag in VLAN 7.

I'll translate it into decimal.

Thank you for your help.




Re: Freeradius 2.1.9 stop working

2010-08-03 Thread Alan DeKok
BELLIERE Eric wrote:
 Then if it is a bug, will I have to upgrade? Or do you have a patch?
 You sent me the link for GIT.freeradius.org, but what must I do to correct
 this problem?

  Try using the v2.1.x branch from http://git.freeradius.org.

  i.e. download it and install it.

  The instructions are on that web page.  Go read them.

 For the log rotate I will add kill -HUP `cat /var/run/radiusd/radiusd.pid`
 in postrotate.
 Like this:
 /var/log/radius/radius.log {
     daily
     rotate 4
     create
     missingok
     postrotate
         kill -HUP `cat /var/run/radiusd/radiusd.pid`
     endscript
     compress
 }
 
 Must I put this kill -HUP for each log to rotate?
 (/var/log/radius/radacct/*/detail, /var/log/radius/checkrad.log, ...) or
 only for radius.log?

  Only for radius.log.

  Alan DeKok.


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


On 03.08.2010 at 14:25, Alan Buxey wrote:


Hi,


Tried Cleartext-Password := test, Cleartext-Password == test,
Cleartext-Password = test, result is the same.


why? why did you do that?

Cleartext-Password := test

is the only correct way. you just completely ignored the information/help given by the actual
author of FreeRADIUS. you don't trust him to know how the code works??



Alan Cox's email was sent only minutes later.



alan


Have a nice day.

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Register court: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Alan Buxey
Hi,

 Alan Cox's email was sent only minutes later.

Alan Cox?  wow. RedHat finally taking development to new levels..

you meant Alan DeKok I assume? Too many Alans for you?  ;-)

alan


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread alexb
On Tue, Aug 03, 2010 at 01:56:48PM +0200, Alan DeKok wrote:
 al...@arctel.ru wrote:
  trying to test digest authentication (freeradius 2.1.9). After 
  uncommenting 'digest' in sites-available/default 'radiusd -X' 
  starts fine. but after I added (according to 'man rlm_digest')
  to users file:
  
  test    Auth-Type := Digest, User-Password = test
          Reply-Message = Hello, test with digest
 
   (1) Don't force Auth-Type
   (2) Use: Cleartext-Password := 'test
   Not: User-Password = test

Ok, it works as expected (according to the test procedure in 'man rlm_digest')
with this config:

test    Cleartext-Password := test
        Reply-Message = Hello, test with digest

i.e. without the Auth-Type attribute. I MUST NOT use Auth-Type?

   (3) search for digest in raddb/sites-available/default

found and uncommented digest in authorize and authenticate sections
already (before posting here).

   (4) READ the comments
   (5) enable digest as instructed

Thank You
--
Alexander Belov


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Alan DeKok
al...@arctel.ru wrote:
> i.e. without the Auth-Type attribute. I MUST NOT use Auth-Type?

  No.

  It has VERY limited uses.  Nearly everyone who tries to use it gets it
wrong.

  Ignore all of the third-party web sites that say to set Auth-Type.
They're wrong, and they've been wrong for about 5 years.

  Alan DeKok.


Re: Tag and Untag a port in several VLAN

2010-08-03 Thread Fabien COMBERNOUS

Alan DeKok wrote:
> Fabien COMBERNOUS wrote:
>> I'm using FreeRadius 2.1.3. I'm doing a mac based port assignment with
>> sql backend.
>> ...
>> But when i plug the equipment radius gives this debug :
>>
>> [sql1] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply
>> WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
>> attribute, value, op FROM radgroupreply WHERE groupname = 'test' ORDER BY id
>>
>> rlm_sql: Failed to create the pair: Unknown value 0x320007 for attribute
>> Egress-VLANID
>>
>> What am i missing or misunderstanding ?
>
>   The hex value isn't accepted in 2.1.3.  You'll need to run 2.1.6 or later.
>
>   Or, change the hex number to a decimal number.


So i used the other possibility with Egress-VLAN-Name instead of 
Egress-VLANID.
It is easier to understand the meaning of the value and it works with my 
version of FreeRadius.


Thank you for your help.


--
Fabien COMBERNOUS
unix system engineer
http://www.kezia.com/
Tel: +33 (0) 467 992 986
Kezia Group
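The Egress-VLANID layout behind the "hex versus decimal" advice in this thread, as an added example (not code from the thread or from FreeRADIUS): it packs and unpacks the RFC 4675 32-bit value and produces the decimal string that a 2.1.3 radgroupreply row can carry. The only value taken from the page is 0x320007; read as a 32-bit integer its top octet is 0x00 rather than the 0x31/0x32 Tag Indication RFC 4675 requires, so the decoder rejects it, while untagged VLAN 7 in full form is 0x32000007.

```python
"""Egress-VLANID (RFC 4675) encoder/decoder.

Layout of the 32-bit integer attribute:

    bits 31..24  Tag Indication: 0x31 = tagged, 0x32 = untagged
    bits 23..12  Pad, must be zero
    bits 11..0   VLANID, 1..4094
"""

TAGGED = 0x31      # ASCII '1'
UNTAGGED = 0x32    # ASCII '2'


def encode_egress_vlanid(vlan_id: int, tagged: bool) -> int:
    """Build the 32-bit Egress-VLANID value for one VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    tag = TAGGED if tagged else UNTAGGED
    return (tag << 24) | vlan_id


def decode_egress_vlanid(value: int) -> tuple:
    """Split a value into (tagged, vlan_id); raise ValueError if malformed."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Egress-VLANID must fit in 32 bits")
    tag = value >> 24
    pad = (value >> 12) & 0xFFF
    vlan_id = value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"invalid Tag Indication 0x{tag:02x} in 0x{value:08x}")
    if pad != 0:
        raise ValueError(f"non-zero pad bits in 0x{value:08x}")
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    return (tag == TAGGED, vlan_id)


def is_valid_egress_vlanid(value: int) -> bool:
    """True when the value decodes cleanly under the RFC 4675 rules above."""
    try:
        decode_egress_vlanid(value)
    except ValueError:
        return False
    return True


def radgroupreply_value(vlan_id: int, tagged: bool) -> str:
    """Decimal string for the radgroupreply `value` column (parsed by 2.1.3)."""
    return str(encode_egress_vlanid(vlan_id, tagged))


def describe(value: int) -> str:
    """One-line summary of a value, or the reason it is malformed."""
    try:
        tagged, vlan_id = decode_egress_vlanid(value)
    except ValueError as exc:
        return f"0x{value:x}: malformed ({exc})"
    kind = "tagged" if tagged else "untagged"
    return f"0x{value:08x} = {value}: {kind} VLAN {vlan_id}"


if __name__ == "__main__":
    # 0x320007 is the literal from the debug output quoted in the thread.
    print(describe(0x320007))
    print(describe(encode_egress_vlanid(7, tagged=False)))
    print("radgroupreply value for untagged VLAN 7:", radgroupreply_value(7, False))
```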


Re: Freeradius 2.1.9 digest authentication problem

2010-08-03 Thread Nicolas Goutte


On 03.08.2010 at 15:24, Alan Buxey wrote:

> Hi,
>
>> Alan Cox's email was sent only minutes later.
>
> Alan Cox?  wow. RedHat finally taking development to new levels..
>
> you meant Alan DeKok I assume? Too many Alans for you?  ;-)

Sorry for the mistyping.

> alan


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing Director: Lars Busch
Court of registration: Amtsgericht Münster / HRB: 5624
Tax No.: 337/5903/0421 / VAT ID: DE 204607841






RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
Alan:

Thank you for your response, I think I finally know what is going on.  I
need to get a real cert for my FreeRADIUS Server, any suggestions about
which vendor, i.e. Verisign vs Thawte vs ?

I was under the impression that the clients were sending a cert to the
server and the server was rejecting it, instead it seems that the
clients are rejecting the server.

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221


-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

Sallee, Stephen (Jake) wrote:
> I am still getting this error in my debug output:
>
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> I have upgraded to version 2.1.8+dfsg-1ubuntu1, still no joy!

  No amount of upgrading FreeRADIUS will make it work.

  This message comes because (a) the supplicant has a client certificate
issued by a CA unknown to FreeRADIUS, or (b) the supplicant is telling
FreeRADIUS that the server's CA is unknown to the client.

> PLEASE someone tell me how to make FreeRADIUS automatically accept the
> client cert.

  PEAP doesn't work like that.  If you issued client certs, then
FreeRADIUS *MUST* be configured to know about the CA.

> I have about 2 thousand clients that are not owned by my university,
> I cannot install the server cert on all of them, the logistics are too
> much.  PLEASE HELP!

  We're trying.  We're asking you to listen to our responses.

  PEAP (or any TLS based EAP method) *cannot* do what you ask.  It's
impossible, and it was designed to be impossible by the people who
created the cryptography algorithms.

  If you want to have it work, then (a) configure FreeRADIUS to know
about the CA that issued the client cert, or (b) put the FreeRADIUS
cert/CA on a web site, for the clients to download themselves.

  I understand what you want, but please understand that there are
limitations to the protocols *independent* of FreeRADIUS.

  Alan DeKok.


Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hello all,

I am running FreeRadius 2.1.8 with two NAS clients and a
couple of end devices being authenticated successfully with EAP-TTLS. My
setup was running just fine on IPv4 and I would like to jump to IPv6. My
first trial seems ok, but not ideal, so here are my IPv6 related questions :

a)  Why am I seeing in my radius -X output lines as the following :

++[detail] returns ok
[unix] IPv6 is not supported!
++[unix] returns noop
rlm_radutmp: IPv6 not supported!
++[radutmp] returns noop

What could trigger that "IPv6 is not supported" output? Is there something
that might be going wrong, because clients get authenticated successfully as
far as I can tell but I am afraid that something else might be broken.

b)  My FreeRadius machine has "an easy to remember" IPv6 address e.g.
2001:a::1 and NAS clients are using this to send packets to FR. However it
seems that FR is configuring another IPv6 address from the router
advertisements that it gets from the access network. The problem is that
when this happens FR replies to NAS with packets coming from the
autoconfigured address as source and thus breaks the setup as NAS are
waiting for packets from 2001:a::1. Is there a way to force FR to generate
packets coming from the manually configured IP (2001:a::1) ?

c)   Is there a plan to get a dual stack FreeRadius? It would be really
advantageous to be able to run FreeRadius in both ipv4 and ipv6 at the same
time.

Thanks a lot in advance,

Panos

Re: Quick IPv6 related questions

2010-08-03 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
> a)  Why am I seeing in my radius -X output lines as the following :
>
> [unix] IPv6 is not supported!

  The unix module stores user login information into a wtmp style
file.  It doesn't support IPv6.

> rlm_radutmp: IPv6 not supported!

  Same thing here.  It stores user login information into a utmp style
file.  It doesn't support IPv6.

> What could trigger that “IPv6 is not supported” output? Is there
> something that might be going wrong, because clients get authenticated
> successfully as far as I can tell but I am afraid that something else
> might be broken.

  If you don't use radlast and radwho, you can delete the unix and
radutmp entries from the accounting section.

  Nothing else will be affected.

> b)  My FreeRadius machine has “an easy to remember” IPv6 address
> e.g. 2001:a::1 and NAS clients are using this to send packets to FR.
> However it seems that FR is configuring another IPv6 address from the
> router advertisements that it gets from the access network.

  No.  FreeRADIUS doesn't configure IPv6 addresses.  Your OS does.

> The problem
> is that when this happens FR replies to NAS with packets coming from the
> autoconfigured address as source and thus breaks the setup as NAS are
> waiting for packets from 2001:a::1. Is there a way to force FR to generate
> packets coming from the manually configured IP (2001:a::1) ?

  Update the listen section to bind to that specific IP.

> c)   Is there a plan to get a dual stack FreeRadius? It would be
> really advantageous to be able to run FreeRadius in both ipv4 and ipv6
> at the same time.

  Uh... it's *already* dual stack.  You are running it dual stack right now.

  Alan DeKok.

Re: windows users having trouble authenticating

2010-08-03 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
> Thank you for your response, I think I finally know what is going on.  I
> need to get a real cert for my FreeRADIUS Server, any suggestions about
> which vendor, i.e. Verisign vs Thawte vs ?

  Nope.

> I was under the impression that the clients were sending a cert to the
> server and the server was rejecting it, instead it seems that the
> clients are rejecting the server.

  Using a known root CA for RADIUS authentication isn't really
recommended.  But if it solves the problem...

  And you'll need to make sure that the cert you get has the correct
OIDs in it. See eap.conf.

  Alan DeKok.


Re: windows users having trouble authenticating

2010-08-03 Thread John Dennis

On 08/03/2010 01:30 PM, Alan DeKok wrote:
> Using a known root CA for RADIUS authentication isn't really
> recommended.


Why?

P.S. just to clarify, it's not using a known root CA for
RADIUS authentication, rather it's using a server cert signed by a 
known root CA.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


RE: Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hello Alan,

Thanks for your replies, they are helpful. 

Regarding the last question...

>> c)   Is there a plan to get a dual stack FreeRadius? It would be
>> really advantageous to be able to run FreeRadius in both ipv4 and
>> ipv6 at the same time.
>
>   Uh... it's *already* dual stack.  You are running it dual stack right
> now.

I guess the emphasis on my question above is on *at the same time*. 

Now radiusd.conf explicitly says : 

#  OR, you can use an IPv6 address, but not both
#  at the same time.

In other words, FR should listen to both an IPv4 and an IPv6 address
simultaneously for ipv4 and ipv6 NAS clients.

Cheers,
Panos








Re: Quick IPv6 related questions

2010-08-03 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
> I guess the emphasis on my question above is on *at the same time*.
>
> Now radiusd.conf explicitly says :
>
> #  OR, you can use an IPv6 address, but not both
> #  at the same time.
>
> In other words, FR should listen to both an IPv4 and an IPv6 address
> simultaneously for ipv4 and ipv6 NAS clients.

  You cannot have one listen section accept packets on BOTH IPv4 and
IPv6 addresses.

  You CAN have two listen sections, one accepting IPv4, and one
accepting IPv6.

  Just like you can have two listen sections, one for authentication,
and the other for accounting.

  Alan DeKok.
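The two-listen-section layout described above, written out as an added example that is not part of the thread or of the stock FreeRADIUS configuration. 2001:a::1 is the address from the question; 192.0.2.10 is a placeholder for the server's IPv4 address.

```conf
# Two listen sections per packet type: one bound to the IPv4 address,
# one to the IPv6 address.  A single section cannot carry both address
# families.  port = 0 selects the default port for the type
# (1812 for auth, 1813 for acct).

listen {
	type = auth
	ipaddr = 192.0.2.10
	port = 0
}

listen {
	type = auth
	ipv6addr = 2001:a::1
	port = 0
}

listen {
	type = acct
	ipaddr = 192.0.2.10
	port = 0
}

listen {
	type = acct
	ipv6addr = 2001:a::1
	port = 0
}
```

Binding to the explicit address rather than to `::` also covers question (b) earlier in the thread: replies then leave from 2001:a::1 instead of an autoconfigured address. Each IPv6 NAS additionally needs a client entry in clients.conf keyed by its `ipv6addr`.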


Re: windows users having trouble authenticating

2010-08-03 Thread Alan DeKok
John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really
>> recommended.
>
> Why?
>
> P.S. just to clarify, it's not using a known root CA for
> RADIUS authentication, rather it's using a server cert signed by a
> known root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username & login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN rad...@example.com
should be sent logins for u...@example.com, but NEVER sent logins for
u...@example.net

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.


RE: Quick IPv6 related questions

2010-08-03 Thread Panagiotis Georgopoulos
Hi Alan,

 
> Panagiotis Georgopoulos wrote:
>> I guess the emphasis on my question above is on *at the same
>> time*.
>>
>> Now radiusd.conf explicitly says :
>>
>> #  OR, you can use an IPv6 address, but not both
>> #  at the same time.
>>
>> In other words, FR should listen to both an IPv4 and an IPv6 address
>> simultaneously for ipv4 and ipv6 NAS clients.
>
>   You cannot have one listen section accept packets on BOTH IPv4 and
> IPv6 addresses.
>
>   You CAN have two listen sections, one accepting IPv4, and one
> accepting IPv6.
>
>   Just like you can have two listen sections, one for authentication,
> and the other for accounting.
>

Very Useful, thanks a lot,
Panos




RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
>   The various EAP methods *should* have tied usernames (i.e. domains)
> to a field in the certificate.  e.g. a cert with CN rad...@example.com
> should be sent logins for u...@example.com, but NEVER sent logins
> for u...@example.net

How does this work out with child domains?  For example: I have two
domains 1) umhb.edu and 2) Cru.umhb.edu.  Cru is a child of
umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok
for authenticating users on both umhb.edu AND Cru.umhb.edu?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221



-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.o
rg] On Behalf Of Alan DeKok
Sent: Tuesday, August 03, 2010 1:13 PM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating

John Dennis wrote:
> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>> Using a known root CA for RADIUS authentication isn't really
>> recommended.
>
> Why?
>
> P.S. just to clarify, it's not using a known root CA for RADIUS
> authentication, rather it's using a server cert signed by a known
> root CA.

  Sure.

  It's because *anyone* can set up an AP, and a RADIUS server that your
PC will accept.  If the AP has the same SSID as (say) your work, it will
happily send your work username & login via EAP to the rogue AP.

  The various EAP methods *should* have tied usernames (i.e. domains) to
a field in the certificate.  e.g. a cert with CN rad...@example.com
should be sent logins for u...@example.com, but NEVER sent logins for
u...@example.net

  You should ONLY send your login credentials when you *know* who it is
on the other end of the EAP conversation.

  Alan DeKok.


Re: windows users having trouble authenticating

2010-08-03 Thread Alan DeKok
Sallee, Stephen (Jake) wrote:
>>   The various EAP methods *should* have tied usernames (i.e. domains)
>> to a field in the certificate.  e.g. a cert with CN rad...@example.com
>> should be sent logins for u...@example.com, but NEVER sent logins
>> for u...@example.net
>
> How does this work out with child domains?  For example: I have two
> domains 1) umhb.edu and 2) Cru.umhb.edu.  Cru is a child of
> umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok
> for authenticating users on both umhb.edu AND Cru.umhb.edu?

  I said it SHOULD have been that way.  It doesn't work that way now.

  There is NO tying of certificate CNs to user names.

  Alan DeKok.


Re: windows users having trouble authenticating

2010-08-03 Thread David Mitchell
Alan DeKok wrote:
> Sallee, Stephen (Jake) wrote:
>>>   The various EAP methods *should* have tied usernames (i.e. domains)
>>> to a field in the certificate.  e.g. a cert with CN rad...@example.com
>>> should be sent logins for u...@example.com, but NEVER sent logins
>>> for u...@example.net
>>
>> How does this work out with child domains?  For example: I have two
>> domains 1) umhb.edu and 2) Cru.umhb.edu.  Cru is a child of
>> umhb.edu, if I get a single cert for FreeRADIUS.umhb.edu will it be ok
>> for authenticating users on both umhb.edu AND Cru.umhb.edu?
>
>   I said it SHOULD have been that way.  It doesn't work that way now.
>
>   There is NO tying of certificate CNs to user names.

We should probably expand on that. With respect to the server's
certificate, there is nothing tying it to anything on any client I've
tested. The server's certificate is presented and you are allowed to
accept it. If it isn't signed by a trusted authority you may have to
click some additional warnings.

FreeRadius can of course compare the client cert's CN to the username for
what it's worth. On most platforms, the user can put whatever they want
for the username though. Or on XP, it gets auto-filled with the value of
the CN from the client's certificate. So that particular check is of
dubious value.

With respect to Jake's question, I'm not sure if he's talking about the
server certificate or the client certificate. Strictly speaking, server
certificates are not really tied to a domain or DNS entry with EAP. I
don't think the client ever actually sees the true IP address of the
radius server or its domain name. The NAS does (or might), but from the
client to the Radius server it's all encapsulated and strictly speaking
isn't IP traffic at all. You can use the server cert wherever you want,
no matter what DNS name is on it. As long as you can get the users to
click OK when they are presented with it, it will be fine.

-David Mitchell



-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: windows users having trouble authenticating

2010-08-03 Thread David Mitchell
Alan DeKok wrote:
> John Dennis wrote:
>> On 08/03/2010 01:30 PM, Alan DeKok wrote:
>>> Using a known root CA for RADIUS authentication isn't really
>>> recommended.
>> Why?
>>
>> P.S. just to clarify, it's not using a known root CA for
>> RADIUS authentication, rather it's using a server cert signed by a
>> known root CA.
>
>   Sure.
>
>   It's because *anyone* can set up an AP, and a RADIUS server that your
> PC will accept.  If the AP has the same SSID as (say) your work, it will
> happily send your work username & login via EAP to the rogue AP.

The level of risk here varies depending on the EAP method. If you are
using EAP-TLS, the server only gets a copy of the certificate so there
is no risk of him stealing your credentials. With EAP-PEAP/MSCHAPv2 I
believe the attacker can get enough information to perform a dictionary
attack against your password which depending on its strength may or may
not be a problem (I'm not certain about this one if somebody else wants
to chime in). And then there is EAP-TTLS where the rogue server will end
up with a cleartext copy of the username and password if the user can be
tricked into accepting the server's certificate.


>   The various EAP methods *should* have tied usernames (i.e. domains) to
> a field in the certificate.  e.g. a cert with CN rad...@example.com
> should be sent logins for u...@example.com, but NEVER sent logins for
> u...@example.net
>
>   You should ONLY send your login credentials when you *know* who it is
> on the other end of the EAP conversation.
>
>   Alan DeKok.


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


RE: windows users having trouble authenticating

2010-08-03 Thread Sallee, Stephen (Jake)
AMAZING!  Alan and John, you guys are on my Christmas card list now!  I
had my default eap type set to mschap and was never getting prompted to
accept the server cert, John, you mentioned the mschap vs TLS and it hit
me, set eap to TLS and VOILA, the client is prompted to accept the cert
EXACTLY as we intended.  Thanks a bundle!

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221





suffix configuration

2010-08-03 Thread Sallee, Stephen (Jake)
One last problem and I think I am ready for production, wohoo!

When my users try to log in with the convention usern...@domain the login
fails because I do not think I have FreeRADIUS correctly configured to
parse out the domain, however if they log in with the convention
domain\username it works fine.

Where do I configure the behavior of suffix to act the same as prefix?

Jake Sallee
Godfather Of Bandwidth
Network Engineer

Fone: 254-295-4658
Phax: 254-295-4221






Duplicate home server

2010-08-03 Thread Cody Ritts

Hello all,

I am running FreeRADIUS Version 2.1.8 (built from freebsd ports)

I feel like I am missing something blatantly obvious, but just cannot 
seem to figure it out. Maybe I am just not understanding the documentation.


I am setting up a new server with a realm to direct some of its
requests to two existing radius servers (redundant).


This is what I think is the relevant part of my proxy.conf:


	home_server radius1 {
		type = auth+acct
		ipaddr = xx.xx.144.5
		port = 1645
		secret = testing123
	}
	home_server radius2 {
		type = auth+acct
		ipaddr = xx.xx.145.5
		port = 1645
		secret = testing123
	}
	home_server_pool my_server_pool {
		type = fail-over
		home_server = radius1
		home_server = radius2
	}
	realm mydomain.com {
		pool = my_server_pool
	}


But when I start the server, 'radiusd -X' dies reporting:
   /usr/local/etc/raddb/proxy.conf[744]: Duplicate home server

( Line 144 refers to this line home_server radius2 { )

As soon as I remove one of the home_server = radius2 lines from the 
pool, the server will start fine.  Also if I change the ports on my 
home_server configs, the server will start.


Is this not the correct way to setup redundant realm proxying?

Thank you in advance,

Cody


Re: Duplicate home server

2010-08-03 Thread Alan DeKok
Cody Ritts wrote:
> I am setting up a new server with a realm to direct some of its
> requests to two existing radius servers (redundant).
>
> This is what I think is the relevant part of my proxy.conf:
...
> But when I start the server, 'radiusd -X' dies reporting:
> /usr/local/etc/raddb/proxy.conf[744]: Duplicate home server

  The config you posted works fine.

> ( Line 144 refers to this line home_server radius2 { )

  144 or 744?  It makes a difference...

> As soon as I remove one of the home_server = radius2 lines from the
> pool, the server will start fine.  Also if I change the ports on my
> home_server configs, the server will start.
>
> Is this not the correct way to setup redundant realm proxying?

  Yes.  It should work, if you don't have another copy of the same
config in proxy.conf.

  Alan DeKok.


Re: Quick IPv6 related questions

2010-08-03 Thread Alan Buxey
Hi,

>> In other words, FR should listen to both an IPv4 and an IPv6 address
>> simultaneously for ipv4 and ipv6 NAS clients.

simply define another virtual server...exactly the same as default, but listening
to the IPv6 instead?

alan


Re: Duplicate home server

2010-08-03 Thread Cody Ritts

Thank you Alan.

Since you said that it should work, I re-installed from scratch, and 
then re-configured the settings one by one, and it works.  I am looking 
at the diffs, and I have no idea what I had wrong, but I am happy to 
know that at least those settings were correct.


Thanks again,

Cody

On 8/3/10 2:13 PM, Alan DeKok wrote:
> Cody Ritts wrote:
>> I am setting up a new server with a realm to direct some of its
>> requests to two existing radius servers (redundant).
>>
>> This is what I think is the relevant part of my proxy.conf:
> ...
>> But when I start the server, 'radiusd -X' dies reporting:
>> /usr/local/etc/raddb/proxy.conf[744]: Duplicate home server
>
>   The config you posted works fine.
>
>> ( Line 144 refers to this line home_server radius2 { )
>
>   144 or 744?  It makes a difference...
>
>> As soon as I remove one of the home_server = radius2 lines from the
>> pool, the server will start fine.  Also if I change the ports on my
>> home_server configs, the server will start.
>>
>> Is this not the correct way to setup redundant realm proxying?
>
>   Yes.  It should work, if you don't have another copy of the same
> config in proxy.conf.
>
>   Alan DeKok.




Authenticating against LDAP, specific group

2010-08-03 Thread Cory Johnson

Greetings,

I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap 
module. I only want to authenticate users in a certain group. These 
groups exist in LDAP as a posixGroup with a memberUID list. As I 
have it configured currently, I get an Access-Accept for any user in 
the directory.


The ldap module is configured as such:

ldap {
	server = "192.168.1.99"
	identity = "cn=admin,dc=corp,dc=example,dc=com"
	password = "s3cret"
	basedn = "dc=corp,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1

	tls {
		start_tls = no
	}

	dictionary_mapping = ${confdir}/ldap.attrmap

	edir_account_policy_check = no

	groupname_attribute = cn
	groupmembership_attribute = NOC
	groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
}

I've also seen recommendations to add something like this to the users file:
DEFAULT LDAP-Group == "NOC"
	Service-Type = Administrative-User

Now I can see the service-type displayed when I do a radtest using the 
username/password of users in the NOC group, but I still see an 
Access-Accept for users who are not in the group.


How can I make the server reject users that aren't in the NOC group? Any 
hints would be fantastic.




Re: Authenticating against LDAP, specific group

2010-08-03 Thread Peter Lambrechtsen
This is how I have done it:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

Works a treat for me.

On Wed, Aug 4, 2010 at 11:27 AM, Cory Johnson cjohn...@commspeed.net wrote:

> Greetings,
>
> I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap
> module. I only want to authenticate users in a certain group. These groups
> exist in LDAP as a posixGroup with a memberUID list. As I have it
> configured currently, I get an Access-Accept for any user in the
> directory.
>
> The ldap module is configured as such:
>
> ldap {
>	server = "192.168.1.99"
>	identity = "cn=admin,dc=corp,dc=example,dc=com"
>	password = "s3cret"
>	basedn = "dc=corp,dc=example,dc=com"
>	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>
>	ldap_connections_number = 5
>	timeout = 4
>	timelimit = 3
>	net_timeout = 1
>
>	tls {
>		start_tls = no
>	}
>
>	dictionary_mapping = ${confdir}/ldap.attrmap
>
>	edir_account_policy_check = no
>
>	groupname_attribute = cn
>	groupmembership_attribute = NOC
>	groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
> }
>
> I've also seen recommendations to add something like this to the users file:
> DEFAULT LDAP-Group == "NOC"
>	Service-Type = Administrative-User
>
> Now I can see the service-type displayed when I do a radtest using the
> username/password of users in the NOC group, but I still see an
> Access-Accept for users who are not in the group.
>
> How can I make the server reject users that aren't in the NOC group? Any
> hints would be fantastic.
