Re: Windows 7 EAP-TLS Wired Auth
On 02/13/2011 10:37 PM, Christ Schlacta wrote:
> it seems to get to the same point (Finished request xxx.) and then repeats the entire process four times (the same number of times specified in my switch config) then fails to connect. I'm not sure if I'm missing something, or what.. but it should all be fine, as this is the same config I use for my wireless config. I'm certain I've missed something obvious, and if you can provide any additional information to point me in the right direction, I'd much appreciate it.

The client is stopping sending. This is almost always because it doesn't trust the server cert. This is noted at length in eap.conf.

Ensure you have set up the wireless connection client properly.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" part is short, compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/

(followed by
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl
)

This is all not in my freeradius -X logs and is in the logs of others. Now where do I enable/disable loading the modules folder?

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Schaatsbergen, Chris
Sent: Friday, 11 February 2011 19:32
To: FreeRadius users mailing list
Subject: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

>> So far I have done everything there exactly as described with the same outcome.
>
> No.
>
> If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.

This is I believe indeed the missing piece, problem is I cannot find it in your web page.

> It's the "exec ntlm_auth { ... }" text. Add it, *and* the "ntlm_auth" entry in the authenticate section.

The ntlm_auth file with the "exec ntlm_auth" text has been in the module folder since I started working on this (actually I believe it was already there as it has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file
EAP transaction benchmark
Hi community,

I need to benchmark the EAP transactions in the case of EAP-TLS auth. I mean how many transactions per second of EAP a system can handle (test bed is a multi-core Intel based system with 36 GB of RAM). Also, are there any tools available that we can use to benchmark the EAP process (some type of EAP radclient), so that we can build some threaded process upon that tool to check these transactions for our environment? Also, if there are any benchmarks that have already been done by the community/testers, they could be useful too. I am using 2-phase auth: 1 is EAP-TLS and then MAC based auth.

Thanks.
Waqas Toor
Re: EAP transaction benchmark
Waqas Toor wrote:
> I need to benchmark the eap transactions in the case of EAP-TLS auth. I mean how many transactions per second of eap a system can handle ( test bed is a multi core intel based system with 36 GB of ram )

CPU matters more than RAM.

> also if there are any tools available the we can use to benchmark eap process ( some type of eap radclient ) so that we build some threaded process upon that tool to check these transactions for our environment. Also if there are any benchmarks that are already done by community/testers can be useful too.

Read raddb/certs/README. This is documented.

Alan DeKok.
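As an added example (not from this thread and not part of FreeRADIUS), here is the shape of the "threaded process upon that tool" Waqas asks about. It drives eapol_test, the EAP test client that is compiled from the wpa_supplicant source tree (the thread does not name it; Alan points at raddb/certs/README for the certificate side), with WORKERS parallel copies each performing REAUTHS EAP-TLS authentications, and reports successful authentications per second. The server address, shared secret, identity and certificate paths are constructed placeholders that a real run would override.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: a threaded
# EAP-TLS load generator built on eapol_test, the EAP test client compiled
# from the wpa_supplicant tree (CONFIG_EAPOL_TEST=y). WORKERS parallel
# copies each run REAUTHS full EAP-TLS conversations and the script reports
# successful authentications per second.
# Constructed assumptions: server 192.0.2.10:1812, secret "testing123",
# identity bench@example.com, and a client certificate/key issued by the
# CA in /etc/raddb/certs. Override any of them via the environment.

RADIUS_SERVER="${RADIUS_SERVER:-192.0.2.10}"
RADIUS_PORT="${RADIUS_PORT:-1812}"
RADIUS_SECRET="${RADIUS_SECRET:-testing123}"
WORKERS="${WORKERS:-8}"      # parallel eapol_test processes
REAUTHS="${REAUTHS:-50}"     # EAP-TLS authentications per worker (-r)

# write_eapol_conf FILE: wpa_supplicant-style network block for EAP-TLS.
write_eapol_conf() {
    cat > "$1" <<'EOF'
network={
    key_mgmt=WPA-EAP
    eap=TLS
    identity="bench@example.com"
    ca_cert="/etc/raddb/certs/ca.pem"
    client_cert="/etc/raddb/certs/client.pem"
    private_key="/etc/raddb/certs/client.key"
    private_key_passwd="whatever"
}
EOF
}

# count_success FILE: eapol_test ends every run with a line reading SUCCESS
# (Access-Accept received) or FAILURE; count the successes in a worker log.
count_success() {
    grep -c '^SUCCESS$' "$1" 2>/dev/null || true
}

# auths_per_second TOTAL SECONDS: rate with one decimal; a zero elapsed time
# (all workers finished within the same second) is treated as one second.
auths_per_second() {
    awk -v n="$1" -v s="$2" 'BEGIN { if (s <= 0) s = 1; printf "%.1f\n", n / s }'
}

# run_bench: start the workers, wait for all of them, summarise.
run_bench() {
    command -v eapol_test >/dev/null 2>&1 || {
        echo "eapol_test not found; build wpa_supplicant with CONFIG_EAPOL_TEST=y" >&2
        return 2
    }
    dir=$(mktemp -d)
    write_eapol_conf "$dir/eap-tls.conf"
    start=$(date +%s)
    i=0
    while [ "$i" -lt "$WORKERS" ]; do
        # A distinct client MAC (-M) per worker so the server sees separate
        # sessions; -t is the per-authentication timeout in seconds.
        mac=$(printf '02:00:00:00:00:%02x' "$i")
        eapol_test -c "$dir/eap-tls.conf" -a "$RADIUS_SERVER" -p "$RADIUS_PORT" \
            -s "$RADIUS_SECRET" -r "$REAUTHS" -t 10 -M "$mac" \
            > "$dir/worker.$i.log" 2>&1 &
        i=$((i + 1))
    done
    wait
    elapsed=$(( $(date +%s) - start ))
    total=0
    for f in "$dir"/worker.*.log; do
        total=$(( total + $(count_success "$f") ))
    done
    echo "workers=$WORKERS reauths=$REAUTHS successes=$total elapsed=${elapsed}s" \
         "rate=$(auths_per_second "$total" "$elapsed")/s"
}

# Only start hammering a server when explicitly asked: ./eaptls-bench.sh run
if [ "${1:-}" = "run" ]; then
    run_bench
fi
```

Two caveats when reading the number it prints. If `cache { enable = yes }` is set in the tls section of eap.conf, every authentication after the first per worker is a TLS session resumption, which is far cheaper than a full handshake; switch the cache off for a worst-case figure. And, as Alan's "CPU matters more than RAM" suggests, a full EAP-TLS handshake is dominated by the server's private-key operation, so the rate scales with cores and key size rather than with the 36 GB of memory.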
Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
> OK, I think I found out where things are going wrong. In my Radius -X log I noticed the Starting - reading configuration files is short, compared to those of others. What is missing is actually:
> including files in directory /usr/local/etc/raddb/modules/
...
> Now where do I enable/disable loading the modules folder?

radiusd.conf?

Alan DeKok.
eappeap_postproxy() - set fake->proxy_reply
Hello, I can't think I understand what went wrong but it works. just escaping from first NULL check in eap_post_proxy() or commit: add0068afc3b732c27c9cc116d7ec331f9a32735 says I misconfigured PEAP proxy? --- src/modules/rlm_eap/types/rlm_eap_peap/peap.c |3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c index 0d9a031..36c012b 100644 --- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c +++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c @@ -571,7 +571,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) request-proxy = NULL; rad_assert(fake-reply == NULL); - fake-reply = request-proxy_reply; + fake-reply = fake-proxy_reply = request-proxy_reply; request-proxy_reply = NULL; if ((debug_flag 0) fr_log_fp) { @@ -585,7 +585,7 @@ static int eappeap_postproxy(EAP_HANDLER *handler, void *data) fake-options = ~RAD_REQUEST_OPTION_PROXY_EAP; RDEBUG2(Passing reply back for EAP-MS-CHAP-V2); module_post_proxy(0, fake); + fake-proxy_reply = NULL; /* * FIXME: If rcode returns fail, do something -- 1.7.2.3 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
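Review bot: the first hunk, `fake->reply = fake->proxy_reply = request->proxy_reply;`, leaves two fields of `fake` pointing at one packet, and the only thing that undoes the aliasing is the `fake->proxy_reply = NULL;` added after `module_post_proxy(0, fake);` in the second hunk. Any path between those two lines that tears down `fake` (the `rad_assert` right above, an early return from the debug block under `if ((debug_flag > 0) && fr_log_fp)`, or a failure inside `module_post_proxy`) would free the same packet through both pointers. Either clear `fake->proxy_reply` on every path out of the function or add a comment at the assignment stating that it is a borrowed reference owned by `fake->reply`. The commit message should also say why the post-proxy modules need `fake->proxy_reply` at all (presumably because `module_post_proxy(0, fake)` hands them `fake`, not `request`, so that is where they look for the proxied reply) instead of "I can't think I understand what went wrong but it works"; as written it would not help anyone who bisects to this change.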
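Review bot: in the second hunk the new `fake->proxy_reply = NULL;` after `module_post_proxy(0, fake);` needs a one-line comment saying that ownership stays with `fake->reply` and the alias is dropped so the packet is not freed twice; without it the line reads like a leaked packet. The `FIXME: If rcode returns fail, do something` directly below it is also left unresolved by this patch: the return value of `module_post_proxy` is still discarded, so a post-proxy module that rejects the tunnelled EAP-MS-CHAP-V2 reply has no effect on what is passed back.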
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module.

Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

The beginning part of our current radiusd.conf:

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $
##

#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to post the output of radiusd -X.

##
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that man page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 12:40
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote:
> OK, I think I found out where things are going wrong. In my Radius -X log I noticed the Starting - reading configuration files is short, compared to those of others. What is missing is actually:
> including files in directory /usr/local/etc/raddb/modules/
...
> Now where do I enable/disable loading the modules folder?

radiusd.conf?

Alan DeKok.
Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.

shrug I don't run Lenny, so I can't say any more.

> Where can I find a proper radiusd.conf?

Have you tried the 2.1.10 tar file on freeradius.org?

Alan DeKok.
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
I think freeradius is a great piece of software and I will certainly continue to use it. I am also very happy with the great documentation that can be found; both the wiki and Alan's website are an awesome source of very good information. The support community here is also very active, which is a great thing.

But had someone with freeradius knowledge taken the time to look at the freeradius -X logs I (and David Dumortier) supplied with our questions, they would have seen the problem right away I suppose, in both our cases. Probably there have been too many typical n00b users who asked questions after not following the (clear) documentation properly, but please understand we are not all like that. This has caused me an enormous load of stress and has cost me about 3 days (and one night's sleep), and I assume it has caused you a certain amount of stress as well, and it could have been so much more satisfying had it been checked just a little bit more.

Of course, you are not responsible for every package being produced and I do not know yet how this all works as I did not install our freeradius server myself (unfortunately). But in our cases, the users were not to blame, other than using an available and hopefully supported package. I will have a new lenny server installed with just the 2.1.10 debian backport package on it (no older versions) to see if that comes with a proper radiusd.conf file. If so then my problem is caused by an older package being installed earlier and new users will not be bothered by it.

Again, I really think freeradius is a great piece of software, there is plenty of good documentation and it has an awesome support community here. So I will certainly continue to use freeradius as our authentication server. But please, if a user says he followed the instructions to the letter, give them the benefit of the doubt and see if something else is going wrong.

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 12:57
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module.

shrug I don't run Lenny, so I can't say any more.

> Where can I find a proper radiusd.conf?

Have you tried the 2.1.10 tar file on freeradius.org?

Alan DeKok.
Re: Freeradius on lenny doesn't permit mschap auth
Hi David,

In case you have not found it yet, in the lenny package somehow there is one line missing in the radiusd.conf file. In the modules section there should be:

$INCLUDE ${confdir}/modules/

I would suggest the top of the modules section. Then ntlm_auth should work.

Good luck,
Chris

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of David Dumortier
Sent: Friday, 14 January 2011 11:27
To: freeradius-users@lists.freeradius.org
Subject: Freeradius on lenny doesn't permit mschap auth

Hi all,

I had read and configured like http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

I have tested ntlm_auth with success but

radtest user passwd localhost 0 testing123

fails. I attach my debug output.

Thanks
--
David Dumortier
Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Hi,

> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

from the main source www.freeradius.org get the 2.1.10 tarball, extract it and look at what the config should be like.

I wonder if lenny is requiring you to install other packages for purpose/facilities

alan
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen.

The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working, as it points to the currently non-existent http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

I found the missing piece:

$INCLUDE ${confdir}/modules/

which should be in (the top of) the modules section. With that addition freeradius starts without error messages, so I can continue with Alan DeKok's (excellent) description of how to enable AD authentication.

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Monday, 14 February 2011 13:48
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi,

> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

from the main source www.freeradius.org get the 2.1.10 tarball, extract it and look at what the config should be like.

I wonder if lenny is requiring you to install other packages for purpose/facilities

alan
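The thread pins the ntlm_auth failure on three pieces of FreeRADIUS 2.x configuration that have to line up: the `$INCLUDE ${confdir}/modules/` line in the modules section of radiusd.conf (Chris's fix above and his note to David), the `exec ntlm_auth { ... }` block in modules/ntlm_auth, and the `ntlm_auth` entry in the authenticate section (Alan's reply quoted earlier in the thread). The script below is an added example, not from the thread or the FreeRADIUS project: it checks a raddb tree for all three before `radiusd -X` has to be read by eye. The sample tree it builds is constructed for the demonstration; the default path `/etc/freeradius` is the Debian package location and `/usr/local/etc/raddb` the source-build one.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: a static
# check for the three pieces of 2.x configuration that must line up for
# ntlm_auth to work:
#   1. radiusd.conf          : "$INCLUDE ${confdir}/modules/" inside modules { }
#   2. modules/ntlm_auth     : an "exec ntlm_auth { program = ... }" block
#   3. sites-enabled/default : "ntlm_auth" inside authenticate { }
# Usage: ntlm-wiring.sh [RADDB]   (no argument: demo on a constructed tree)

# section_has FILE SECTION REGEX
# Succeeds if a top-level "SECTION {" block in FILE contains a non-comment
# line whose trimmed text matches REGEX (awk extended-regex syntax). Brace
# depth is tracked so nested blocks such as "Auth-Type MS-CHAP { }" inside
# authenticate { } are searched as well.
section_has() {
    [ -r "$1" ] || return 1
    awk -v section="$2" -v pat="$3" '
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" { next }
        !in_sec && line ~ ("^" section "[ \t]*[{]") { in_sec = 1; depth = 0 }
        in_sec {
            if (line ~ pat) found = 1
            depth += gsub(/[{]/, "{", line)
            depth -= gsub(/[}]/, "}", line)
            if (depth <= 0) in_sec = 0
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_ntlm_auth_wiring RADDB: run the three checks, report what is
# missing, succeed only when everything is in place.
check_ntlm_auth_wiring() {
    raddb="${1:-/etc/freeradius}"
    rc=0
    section_has "$raddb/radiusd.conf" modules '^[$]INCLUDE[ \t]+.*modules/?$' \
        || { echo "MISSING: \$INCLUDE \${confdir}/modules/ in modules { } of $raddb/radiusd.conf"; rc=1; }
    section_has "$raddb/modules/ntlm_auth" 'exec ntlm_auth' '^program[ \t]*=' \
        || { echo "MISSING: exec ntlm_auth { program = ... } in $raddb/modules/ntlm_auth"; rc=1; }
    section_has "$raddb/sites-enabled/default" authenticate '^ntlm_auth$' \
        || { echo "MISSING: ntlm_auth in authenticate { } of $raddb/sites-enabled/default"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ntlm_auth is wired up in $raddb"
    return "$rc"
}

# make_sample_raddb DIR: constructed minimal raddb tree (not a real install)
# with all three pieces present, used for the demo and the self-test.
make_sample_raddb() {
    mkdir -p "$1/modules" "$1/sites-enabled"
    cat > "$1/radiusd.conf" <<'EOF'
prefix = /usr
confdir = ${raddbdir}
modules {
	# the line the Lenny radiusd.conf in the thread was missing
	$INCLUDE ${confdir}/modules/
	$INCLUDE eap.conf
}
instantiate {
}
EOF
    cat > "$1/modules/ntlm_auth" <<'EOF'
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"
}
EOF
    cat > "$1/sites-enabled/default" <<'EOF'
authorize {
	preprocess
	mschap
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	ntlm_auth
}
EOF
}

if [ $# -eq 0 ]; then
    d=$(mktemp -d)
    make_sample_raddb "$d"
    check_ntlm_auth_wiring "$d"
    rm -rf "$d"
else
    check_ntlm_auth_wiring "$1"
fi
```

Run with no arguments it passes on the constructed tree; give it the real directory to check an installation. Its `radiusd -X` counterpart is the `including configuration file .../modules/ntlm_auth` line: when the script reports the `$INCLUDE` missing, that line is absent from the debug output too, which is exactly how Chris spotted the problem. Johan Meiring's point further down the thread applies as well: check the directory the running server actually reads, since a package install and a source build live in different places.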
Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hello everyone,

is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem like I've had with FC9/10, Freeradius2 and samba included with distribution. The problem is I can't roll back to an older Samba version as it does not support Windows 2008R2 domain.

Also I've got one point: I am running Fedora 8 with freeradius 1, with Samba 3.5.3, and radius is working fine for my wireless clients, but I wanted to use freeradius 2 on newer Fedora distros - can't make it work, spent a lot of time with this and am still stuck on the same issue as described above.

Anyone has a suggestion pls? (Yes I have included the XP extensions - same certificate working OK with freeradius 1 and samba 3.5.3 on MS clients)

Thanks!
Lukas

MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled reply RADIUS code 11
	EAP-Message = 0x01f700331a03f6002e533d36334643413845364131374144323831464430364342343130373237353139413233364537433744
	Message-Authenticator = 0x
	State = 0x2f3b45522ecc5ffaf0daaa4d5068ce69
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 122 to 172.31.183.1 port 2048
	EAP-Message = 0x01f7005b190017030100509b7087b2a112825ea5aa08f802b90731b5f46e59349a2cdedc81a89f4103967283ba2f8990331ecb9ec7535a4f77b110e189f58f6162dbdc9a713a14d562f0f4fa52f6838fccc6a9be5003515e0b1263
	Message-Authenticator = 0x
	State = 0x2e4eb3ac29b9aa99635005e47464e6cc
Finished request 12.
Going to the next request
Waking up in 1.4 seconds.
Cleaning up request 0 ID 110 with timestamp +9
Cleaning up request 1 ID 111 with timestamp +9
Cleaning up request 2 ID 112 with timestamp +9
Cleaning up request 3 ID 113 with timestamp +9
Cleaning up request 4 ID 114 with timestamp +9
WARNING: !!
WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-problem-tp2780544p3384416.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

Looking at config below...

/usr/local/etc/raddb/modules/

Lenny package does NOT put stuff in /usr/local/

Seems you have two versions of freeradius on your system.

Cheers,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Support
A slightly different question: does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that? I am missing a donate button on the freeradius website, and I hope/expect we do not need that much support once this server is up and running.
Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:
> Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working as it points to the currently unexisting http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

That should point to radiusd.conf.in.

> I found the missing piece:
> $INCLUDE ${confdir}/modules/
> Which should be in (the top of) the modules section. With that addition freeradius starts without error messages so I can continue Alan DeKoks (excellent) description how to enable AD authentication.

Most of the howtos assume you're running a recent version of the server. Some systems have *old* versions of the server.

We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere.

Alan DeKok.
Re: Support
Schaatsbergen, Chris wrote:
> A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.

Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free.

I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets.

Alan DeKok.
Re: Support
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 15:33
To: FreeRadius users mailing list
Subject: Re: Support

> Schaatsbergen, Chris wrote:
>> A slightly different question, does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that? I am missing a donate button on the freeradius website and I hope/expect we do not need that much support once this server is up and running.
>
> Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free.
>
> I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets.

Well, I am not doing it to keep you off the streets (you should not be a freeradius prisoner), but to make sure FreeRadius continues to get developed and this active community stays active. As a former developer myself I can understand how annoying it can be if you have helped someone a great deal and then get absolutely nothing in return (quite often people even forget to thank you). I will try and convince the management to cough up.

> Alan DeKok.
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
> Most of the howtos assume you're running a recent version of the server. Some systems have *old* versions of the server.
>
> We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere.
>
> Alan DeKok.

We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right. I hope to find out what is wrong exactly and post it here for future use.

After a short (and rather violent) discussion with our linux expert I believe originally version 2.0.4 had been installed, as that is the current stable version for lenny. But before I started working with it, it had already been upgraded to 2.1.8, and I requested the upgrade to 2.1.10 recently because of the lowercase function. All upgrades, no new installs; perhaps there lies the problem.
Re: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, 14 February 2011 16:00
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

> Schaatsbergen, Chris wrote:
>> We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right.
>
> The radiusd.conf file isn't over-written when a new package is installed. You've customized it locally, and it *must* be left alone.

Crystal clear. So you should never upgrade the existing installation. And if you really do need a new version then you should back up the old installation, perform a clean new installation and then redo all the configuration you had done before (and hope that it still works). Pity, but on the other hand a very good reason to keep your documentation up to date.

Talking about work for the admins :p I am glad when I have this server up and running, I just have to finish the documentation and can then 'throw it over the wall' to the system administrators ;)

There are actually other programs (Splunk, costs 12k a year) that use different config files for system config and user config. Maybe an idea for a future release of freeradius?
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Johan Meiring
Sent: Monday, 14 February 2011 14:48
To: freeradius-users@lists.freeradius.org
Subject: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

> On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
>> That is clear, but it seems it is missing in the Lenny Package somehow as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me, no modules folder being read causing the ntlm_auth not being recognized as module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?
>
> Looking at config below...
>
> /usr/local/etc/raddb/modules/
>
> Lenny package does NOT put stuff in /usr/local/
>
> Seems you have two versions of freeradius on your system.
>
> Cheers,

I took the other data from another 'ticket' here, which is clearly not running on lenny indeed. But the problem has been solved; thanks for your help in thinking of an answer though :)
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Hi,

first off, I don't think this is a SAMBA issue... that's just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)

> is there any progress resolving this issue? I have samba 3.5.6 on FC14 and have the SAME problem like I've had with FC9/10, Freeradius2 and samba included with distribution. The problem is I cant rollback to older Samba version as it does not support Windows 2008R2 domain

using 3.0.33 with 2008R2 here - I'd be very surprised if anything released after that version didn't work with 2008R2

> WARNING: !!
> WARNING: !! EAP session for state 0xbed60aebbaf213e9 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!

is your config on the new distro the same as that on the old distro? there really is no reason why you can't just clone/copy the configs if it's the same version of FR! I'm wondering if something else hasn't been enabled/checked here. either that or it's pointing to an OpenSSL issue - which would be nice (not)

2.1.11 has some extra tweaks in the PEAP code - might try the GIT release just to check?

alan
Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem
Alan Buxey wrote:
> first off, i dont think this is a SAMBA issue...thats just me though - the SAMBA issue manifests itself in the authentication phase where ntlm_auth blows up (or rather is a damp squib)

Sometimes ntlm_auth returns the *wrong* results, and only the client PC knows that they're wrong. In that case, the same thing happens. The client goes "huh?" and drops the connection part way through.

Alan DeKok.
Re: Windows 7 EAP-TLS WIred Auth
On 2/14/2011 01:07, Phil Mayers wrote:
> On 02/13/2011 10:37 PM, Christ Schlacta wrote:
>> it seems to get to the same point (Finished request xxx.) and then repeats the entire process four times (the same number of times specified in my switch config) then fails to connect. I'm not sure if I'm missing something, or what... but it should all be fine, as this is the same config I use for my wireless config. I'm certain I've missed something obvious, and if you can provide any additional information to point me in the right direction, I'd much appreciate it.
>
> The client is stopping sending. This is almost always because it doesn't trust the server cert. This is noted at length in eap.conf. Ensure you have set up the wireless connection client properly.

That was one of the first things I checked; the root certificate is the ONLY one checked in the Windows 7 certificate dialogue. Also, wireless clients work with this exact setup (all of them!), but so far this wired client doesn't seem to want to.

I did eventually find a sorta fix. I had jumbo frames enabled; disabling them fixed the problem temporarily. The problem has returned in a different form now: the RADIUS server doesn't even see the auth requests, and the client just won't even try to authenticate. I think this qualifies as a different issue that I need to pursue separately. Should I follow up here, or is it an issue I should contact my switch manufacturer about, or is it a Windows problem?
Proxying CoA Disconnect in freeRADIUS 2.1.10
Dear All,

I'm having some trouble asking my freeRADIUS-2.1.10 server (Linux, x86_64) to correctly proxy CoA and Disconnect-Request packets.

I am generating Disconnect-Request packets from my network_control machine (172.16.3.2) to the freeRADIUS server at 172.16.3.11 using:

    cat packet.txt | radclient -x -d /etc/raddb 172.16.3.11:3799 disconnect secret1

where packet.txt contains the following AV pairs:

    Acct-Session-ID = '819026ec'
    NAS-IP-Address = '172.16.3.60'
    User-Name = 'testu...@test.com'

I was hoping that the requests would be proxied to pppoe_one at 172.16.3.60. The network_control machine receives a Disconnect-Ack from the freeRADIUS machine, but the packet is not being retransmitted to pppoe_one.

Output from 'radiusd -X' is:

    rad_recv: Disconnect-Request packet from host 172.16.3.2 port 34463, id=100, length=66
        Acct-Session-Id = 819026ec
        NAS-IP-Address = 172.16.3.60
        User-Name = testu...@test.com
    server coa {
    # Executing section recv-coa from file /etc/raddb/sites-enabled/coa
    +- entering group recv-coa {...}
    ++[control] returns noop
    ++[ok] returns ok
    # Executing section send-coa from file /etc/raddb/sites-enabled/coa
    +- entering group send-coa {...}
    ++[ok] returns ok
    } # server coa
    Sending Disconnect-ACK of id 100 to 172.16.3.2 port 34463
    Finished request 0.

As far as I know, I have followed the instructions documented in sites-available/coa as well as reading a few other relevant posts on this list. I wonder if anyone has any advice? Relevant extracts from my configs are listed below.

Many thanks,
Charlie

** radiusd.conf **

    proxy_requests = yes
    $INCLUDE proxy.conf
    $INCLUDE sites-enabled/

** clients.conf **

    client pppoe_one {
        ipaddr = 172.16.3.60
        secret = secret1
        nastype = other
        coa_server = access_concentrators
    }

    client network_control {
        ipaddr = 172.16.3.2
        secret = secret1
        nastype = other
        coa_server = access_concentrators
    }

** proxy.conf **

    home_server home_pppoe_one {
        type = coa
        ipaddr = 172.16.3.60
        port = 1700
        secret = secret1
        require_message_authenticator = no
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        check_interval = 30
        num_answers_to_alive = 3
        coa {
            irt = 2
            mrt = 16
            mrc = 5
            mrd = 30
        }
    }

    home_server_pool access_concentrators {
        home_server = home_pppoe_one
    }

** sites-enabled/coa **

    listen {
        type = coa
        ipaddr = *
        port = 3799
        server = coa
    }

    server coa {
        recv-coa {
            update control {
                Home-Server-Pool := access-concentrators
            }
            ok
        }
        send-coa {
            # Sample module.
            ok
        }
    }
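The exchange in the post is a Disconnect-Request from network_control to the FreeRADIUS box and a Disconnect-ACK straight back. The following is an added example, not code from the post or from FreeRADIUS, showing what those two packets look like on the wire and what each side must check before trusting them (RFC 5176 section 3 and RFC 2865 section 3): the request's authenticator is an MD5 over the packet with a zeroed authenticator field plus the shared secret, and the ACK's authenticator is an MD5 over the reply plus the original request authenticator and the secret. The session id, NAS address and secret are the ones from the post; the user name is a constructed placeholder because the archive elides the original. Incidentally, the posted config defines the pool as access_concentrators in proxy.conf and clients.conf but references it as access-concentrators in the recv-coa update; a pool referenced under a different name cannot be found.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS packet codes used by Dynamic Authorization (RFC 5176).
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types (RFC 2865 / RFC 2866).
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_SESSION_ID = 44

# Values from the post; USER is a constructed placeholder (the original is elided).
SECRET = b"secret1"
SESSION_ID = "819026ec"
NAS_IP = "172.16.3.60"
USER = "user@example.com"


def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes too."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident, secret, session_id, nas_ip, user_name):
    """What radclient sends. A Disconnect-Request carries no User-Password, so the
    Request Authenticator is an integrity check rather than a random nonce:
    MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret)."""
    attrs = (encode_attr(ACCT_SESSION_ID, session_id.encode())
             + encode_attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + encode_attr(USER_NAME, user_name.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(request, secret):
    """What the receiving server (here the proxy at 172.16.3.11) must do before
    acting on a request: recompute the authenticator with the client's secret."""
    if len(request) < 20 or struct.unpack("!H", request[2:4])[0] != len(request):
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code, request, secret, attrs=b""):
    """Server-side reply (Disconnect-ACK or NAK). Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Client side: the reply must echo our ID, have a Length matching the
    datagram, and carry an authenticator bound to *our* Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Walk the TLV list after the 20-byte header, rejecting bad lengths."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[i + 2:i + length]))
        i += length
    return out


def exchange(ident=100):
    """One request/ACK round trip in memory: (reply code, ACK verified?)."""
    req = build_disconnect_request(ident, SECRET, SESSION_ID, NAS_IP, USER)
    if not verify_request(req, SECRET):
        return DISCONNECT_NAK, False
    ack = build_response(DISCONNECT_ACK, req, SECRET)
    return ack[0], verify_response(ack, req, SECRET)


if __name__ == "__main__":
    code, ok = exchange()
    print("reply code", code, "ACK authenticator valid:", ok)
    for t, v in parse_attrs(build_disconnect_request(100, SECRET, SESSION_ID, NAS_IP, USER)):
        print(t, v)
```

The point worth keeping in mind when reading the radiusd -X output above: a Disconnect-ACK that verifies against secret1 only proves that the FreeRADIUS host accepted the request from network_control. It says nothing about whether anything was forwarded to pppoe_one, which is exactly the gap the post describes; only a reply from the NAS itself (or the proxy's debug showing a proxied request) shows the second hop happened.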
Re: Proxying CoA Disconnect in freeRADIUS 2.1.10
Charles Price wrote:
> I'm having some trouble asking my freeRADIUS-2.1.10 server (Linux, x86_64) to correctly proxy CoA and Disconnect-Request packets.

It's intended to work, but it hasn't been well tested recently.

> As far as I know, I have followed instructions documented in sites-available/coa as well as reading a few other relevant posts on this list.

Well, it *should* work. I'll see if I can find time to look into it. This configuration is simple enough that I should be able to use it pretty much as-is.

Alan DeKok.
Re: Proxying CoA Disconnect in freeRADIUS 2.1.10
> I'll see if I can find time to look into it. This configuration is simple enough that I should be able to use it pretty much as-is.

Much appreciated, Alan. If you need any additional testing or information from me, please let me know.

Regards,
Charlie
Re: Support
>> Hi,
>>
>> A slightly different question: does the support from http://networkradius.com come from the active users of this mailing list? I.e. if I buy a support contract there, do the Alans get a part of that? I am missing a donate button on the freeradius website, and I hope/expect we do not need that much support once this server is up and running.
>
> Network RADIUS is a for-profit company which does FreeRADIUS support, development, consulting, etc. No one on this list is asked to work for free. I run the company, and while I'm not getting rich, the proceeds from it have kept me off of the streets. :-)

I use FreeRADIUS in anger (well, sometimes I'm happy too) in a major environment and within a national level. As such I am very interested in seeing issues that people have with it and seeing what other people do to achieve results. I have learnt quite a lot from this list... and helping people out is just my altruistic streak that occasionally comes through (heck, I really want them to use FreeRADIUS rather than waste money on NPS or ACS etc ;-) ). I already have a salaried position, but I do have an Amazon wishlist that some kind people have looked at after I've got them out of a pickle or done their work for them! ;-) (many thanks to those people... I've enjoyed the books and games).

please think about networkradius.com if you want to have solid support for the product - it will ensure that you have a good FreeRADIUS deployment and you won't get Mr Random in management bearing down on you with money being thrown at some limited commercial platform. Whilst there are good people on this list, I'd state you should never rely on a public mailing list for support of critical systems!! - we're here when we have the time to be :-)

alan
RE: Windows 7 EAP-TLS WIred Auth
> Hi,
>
>> I did eventually find a sorta fix. I had jumbo frames enabled; disabling them fixed the problem temporarily. The problem has returned in a different form now: the RADIUS server doesn't even see the auth requests, and the client just won't even try to authenticate. I think this qualifies as a different issue that I need to pursue separately. Should I follow up here, or is it an issue I should contact my switch manufacturer about, or is it a Windows problem?
>
> if the server doesn't even see the auth attempts when the client is physically connected to the switch then take a good long look at the switch. use all the commands etc that you can on that switch - the show commands, the debug commands etc - to find out what it's doing or failing to do. we've had quite a few issues over the years with manufacturers and how they read the specs - life wouldn't be the same without a few interesting firmware upgrades (and cryptic changelogs that come with them). we had a recent one where cisco voip firmware blocked EAP-TLS through the softswitch - kinda annoying.

Sounds more like REALLY F'ing annoying to me! But it's probably just me :)
Re: Support
On Tue, Feb 15, 2011 at 4:45 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> please think about networkradius.com if you want to have solid support for the product - it will ensure that you have a good FreeRADIUS deployment and you won't get Mr Random in management bearing down on you with money being thrown at some limited commercial platform

or worse, throwing money at some limited commercial platform's LICENSE but not bothering to spend anything on SUPPORT, leaving you high and dry when you need help the most.

--
Fajar
How to set Authentication method priority??
Hi,

1. I have the pam_radius_auth module configured to authenticate the login users. I have configured FreeRADIUS Server on a Linux machine. I want to set the priority for local authentication or RADIUS authentication for SSH. How can I do this?

2. I have created a user called user on the client machine with password 123qwe, and I have created the same user on the server with password User_12. When the authentication request reaches the server it sends an Access-Accept message back to the client, but the user is not getting access to the machine (SSH). I have the following configuration in my /etc/pam.d/ssh file:

    auth       sufficient   pam_radius_auth.so debug
    auth       required     pam_nologin.so
    auth       required     pam_unix.so
    auth       required     pam_env.so # [1]
    auth       required     pam_tally.so deny=10 per_user

    account    required     pam_unix.so

    session    required     pam_unix.so
    session    optional     pam_motd.so # [1]
    session    optional     pam_mail.so standard noenv # [1]
    session    required     pam_limits.so

    #password  required     pam_unix.so
    # Alternate strength checking for password. Note that this
    # requires the libpam-cracklib package to be installed.
    # You will need to comment out the password line above and
    # uncomment the next two in order to use this.
    #
    # password required     pam_cracklib.so retry=3 minlen=6 difok=3
    # password required     pam_unix.so use_authtok nullok md5
    password   required     pam_cracklib.so retry=3 minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
    password   required     pam_unix.so use_authtok nullok md5 shadow remember=5

Please let me know if I am making any mistake here, and help me to set the priority.

Thanks and Regards,
Vijay S.
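The question of which authenticator "has priority" is decided by the order of the auth lines and their control flags. The following is an added example, not from the post or from Linux-PAM, that models how pam_authenticate() walks an auth stack for the four classic flags (required, requisite, sufficient, optional) so the effect of reordering can be checked offline. It parses the auth lines as posted and a constructed "local first" variant of them (my assumption of the policy the poster is asking about, not something the post states); the [value=action] syntax and the exact return codes of real Linux-PAM are outside the model.

```python
# Model of Linux-PAM 'auth' stack evaluation (added example; approximates the
# semantics of required/requisite/sufficient/optional, nothing more).

SUCCESS, FAIL = "success", "fail"


def parse_auth_stack(pam_file_text):
    """Extract (control, module) pairs for type 'auth'; comments, other
    types and module arguments are ignored."""
    stack = []
    for raw in pam_file_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate_stack(stack, outcomes):
    """Walk the stack the way pam_authenticate() does.
    outcomes maps module -> SUCCESS/FAIL (what that module would answer;
    modules not listed are assumed to succeed).
    Returns (final_result, modules_actually_consulted)."""
    required_failed = False   # a failed 'required' is remembered, but the walk
                              # continues so a caller cannot tell which module failed
    positive = False          # at least one required/requisite module said yes
    consulted = []
    for control, module in stack:
        result = outcomes.get(module, SUCCESS)
        consulted.append(module)
        if control == "required":
            if result == SUCCESS:
                positive = True
            else:
                required_failed = True
        elif control == "requisite":
            if result == SUCCESS:
                positive = True
            else:
                return FAIL, consulted            # stop immediately
        elif control == "sufficient":
            if result == SUCCESS and not required_failed:
                return SUCCESS, consulted         # short-circuit: later lines never run
            # a failing 'sufficient' is simply ignored
        elif control == "optional":
            pass                                  # never decides on its own in this model
        else:
            raise ValueError("unsupported control flag: " + control)
    if required_failed or not positive:
        return FAIL, consulted                    # no positive result => denied
    return SUCCESS, consulted


# The auth lines as posted (constructed copy of the relevant part of the file).
POSTED_SSH_AUTH = """\
auth    sufficient   pam_radius_auth.so debug
auth    required     pam_nologin.so
auth    required     pam_unix.so
auth    required     pam_env.so # [1]
auth    required     pam_tally.so deny=10 per_user
account required     pam_unix.so
"""

# Assumed "local first" policy: the local password decides on its own, and
# RADIUS is only consulted when the local check fails.
LOCAL_FIRST_SSH_AUTH = """\
auth    sufficient   pam_unix.so
auth    required     pam_radius_auth.so debug
auth    required     pam_nologin.so
auth    required     pam_env.so
auth    required     pam_tally.so deny=10 per_user
"""


def decide(pam_text, radius, local):
    """Given what RADIUS and the local password check would answer, report
    the PAM outcome and which modules were consulted."""
    return evaluate_stack(parse_auth_stack(pam_text),
                          {"pam_radius_auth.so": radius, "pam_unix.so": local})


if __name__ == "__main__":
    # Poster's scenario: RADIUS answers Access-Accept, the local password differs.
    print(decide(POSTED_SSH_AUTH, radius=SUCCESS, local=FAIL))
    print(decide(LOCAL_FIRST_SSH_AUTH, radius=FAIL, local=SUCCESS))
```

Within this model the posted stack already gives RADIUS priority: a RADIUS accept ends the auth phase before pam_unix is even asked, and swapping the first two lines (with pam_unix as sufficient) gives the local password that role instead. Two gotchas the model also shows: a sufficient success cannot rescue a required failure that came earlier in the stack, and requisite aborts the walk at once. The model covers only the auth phase, so it says nothing about the account and session lines in the posted file or about sshd's own UsePAM setting.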