RE: Can't Start Radius Server MAC OSX (snow leopard)

Thanks Alan,

You are of course right. Being new to this I did not realize the very tight restrictions on formatting and type. Fixing the entry in users has done the trick. Radius server on Mac OS X 10.6.x now authenticates users accessing login to the router. I will now go on to try to do the same for WPA2 access to our wifi access point.

Thanks
David

Date: Tue, 16 Aug 2011 00:07:58 -0400
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: Can't Start Radius Server MAC OSX (snow leopard)

> DavidS wrote:
>> /private/etc/raddb/users[220]: Parse error (check) for entry Service-Type: Invalid octet string NAS-Prompt-User??? for attribute name
>> Errors reading /private/etc/raddb/users
>> /private/etc/raddb/modules/files[7]: Instantiation failed for module files
>> /private/etc/raddb/sites-enabled/inner-tunnel[111]: Failed to find module files.
>> /private/etc/raddb/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
>> }
>> }
>>
>> Any thoughts?
>
> $ man users
>
> Read the documentation. You've typed random text into the users file. This won't work.
>
> The format of the users file is documented in the man page, in the comments at the top of the file *you edited*, and in the examples in that file. Follow the examples. They work.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using a single row in radreply
Hi Fajar,

Thanks for your reply. I guess we have to redesign the database; as you said, with one row it is not easy to add new attributes. I don't prefer to make changes in the source code as it may lead to additional problems while upgrading freeradius.

- Deniz AYDIN
Senior Network Engineer
Re: Can't Start Radius Server MAC OSX (snow leopard)

Hi,

> including configuration file /private/etc/raddb/radiusd.conf
> Unable to open file /private/etc/raddb/radiusd.conf: Permission denied
> Errors reading /private/etc/raddb/radiusd.conf

Check permissions on the /private, /private/etc and /private/etc/raddb directories as well as the radiusd.conf file - they need to be readable by the daemon that radiusd runs as (in the config) - and the executable bit set (for directories, IIRC).

alan
Re: NAS-IP-Address or NAS-Identifier in Access-Request?
Hi,

> Does anyone happen to know if consumer-level Wi-Fi routers typically transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the Access-Request?

RFCs say:

    An Access-Request MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both).

So, you will get one or the other (or from good vendors, both!). If you don't get either then the kit isn't fit for purpose, or valid for anything (because if they can't follow such a basic RFC requirement then what hope have you for anything else to operate correctly on it?)

alan
Re: Declare a time availability of NASs?
Hi,

> Is there any way to declare a time availability of NASs, such as a Login-Time attribute for NASs? I'd like to globally control when (time of day, time of week) all users can login through a certain wireless access point on my 802.1X network.

The code/config is there - it's up to you how to use it. Look at the 'logintime' module - it's commented out by default in the authorize section of the virtual server. You can add the NASs of interest to a huntgroup and then put conditions on that huntgroup.

alan
RE: NAS-IP-Address or NAS-Identifier in Access-Request?
Thanks, Alan. Yes I read that in the RFC, but was wondering what vendors usually do, what's the most typical, etc. I'm also wondering the same about the Calling-Station-Id and Called-Station-ID. But it sounds like those aren't included very often, completely optional.

But now that I've thought of it, if there isn't a NAS-IP-Address then authentication wouldn't work, right? 'Cause FR needs to look up the shared secret based upon the NAS-IP-Address?

- Eric

-----Original Message-----
From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Tuesday, August 16, 2011 4:32 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

> Hi,
>
>> Does anyone happen to know if consumer-level Wi-Fi routers typically transmit the NAS-IP-Address or NAS-Identifier (or maybe both) in the Access-Request?
>
> RFCs say:
>
>     An Access-Request MUST contain either a NAS-IP-Address attribute or a NAS-Identifier attribute (or both).
>
> So, you will get one or the other (or from good vendors, both!). If you don't get either then the kit isn't fit for purpose, or valid for anything (because if they can't follow such a basic RFC requirement then what hope have you for anything else to operate correctly on it?)
>
> alan
Openssl Private Key error
Hi,

I had generated certificates for EAP-TLS authentication. It worked fine in a Linux setup but Windows wouldn't play ball. Somebody pointed out that the CA.* scripts in the ssl directory can generate Windows-compatible certs. I did that, but when I try to use that I get the following error regarding the private key I use during the EAP handshake at the supplicant end (taken from the logs of wpa_supplicant).

==
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: SSL_use_certificate_file (PEM) -- OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM) failed error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: Failed to load private key
TLS: Failed to load private key '/home/user/supplicant_testing/eap_authenticator_test/last_cert/newkey.pem'
==

I use wpa_supplicant (0.7.1) at the supplicant end. Can somebody please give me some pointers on how to get over this problem? Is there any specific ssl command or openssl configuration at the supplicant end that I need to take care of...
RE: NAS-IP-Address or NAS-Identifier in Access-Request?
Understood, thanks! Can I log the source IP address to the Post-Auth DB table?

Thanks,
Eric

-----Original Message-----
From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, August 16, 2011 10:38 AM
To: FreeRadius users mailing list
Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?

> Eric Geier wrote:
>> Yes I read that in the RFC, but was wondering what vendors usually do, what's the most typical, etc. I'm also wondering the same about the Calling-Station-Id and Called-Station-ID. But it sounds like those aren't included very often, completely optional.
>
> There's no way to know what is typical. There are many dozens of vendors, each of whom has many dozens of products using RADIUS. Each product may have dozens of different firmware revisions, each of which behaves slightly differently.
>
>> But now that I've thought of it, if there isn't a NAS-IP-Address then authentication wouldn't work, right? 'Cause FR needs to look up the shared secret based upon the NAS-IP-Address?
>
> No. The shared secret is looked up by source IP address. The NAS-IP-Address can be anything. It is pretty much ignored by the core RADIUS protocol.
>
> Alan DeKok.
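Alan's point that the shared secret is keyed by the packet's source IP rather than by the NAS-IP-Address attribute, as an added example that is not from the list or from FreeRADIUS: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python with a constructed client table (CLIENTS, addresses and secrets are sample values), where the Response Authenticator verifies only under the secret of the address the request actually came from.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample client table, keyed by the NAS's *source IP* like clients.conf.
# The NAS-IP-Address attribute carried inside the packet is never consulted here.
CLIENTS = {"192.0.2.10": b"wifi-secret", "192.0.2.20": b"other-secret"}

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
NAS_IP_ADDRESS = 4  # RFC 2865 attribute type number

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, header included) Value(n).
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_access_accept(request, src_ip):
    # Server side: the secret is chosen by the UDP source address, never by the packet body.
    secret = CLIENTS[src_ip]
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, b"", secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth

def verify_response(request, response, src_ip):
    # Client side: check the Response Authenticator with the secret registered for src_ip.
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return False  # unknown client: FreeRADIUS would silently discard the packet
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response) or length < 20:
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def demo():
    # Constructed request: the attribute claims 192.0.2.20, but the packet arrives from 192.0.2.10.
    request = build_access_request(7, os.urandom(16), [(NAS_IP_ADDRESS, bytes([192, 0, 2, 20]))])
    accept = build_access_accept(request, "192.0.2.10")
    # Verifies only with the source-IP secret; the secret of the claimed NAS-IP-Address fails.
    return verify_response(request, accept, "192.0.2.10"), verify_response(request, accept, "192.0.2.20")
```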
Re: Need help authenticating local users on Apple server
> And then list it in the authorize section.

What is the proper syntax for adding the opendirectory module? I am getting errors when attempting to start radius:

/usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
/usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.
Re: Need help authenticating local users on Apple server
On 2011/08/16 10:39 PM, Raymond Norton wrote:
>> And then list it in the authorize section.
>
> What is the proper syntax for adding the opendirectory module? I am getting errors when attempting to start radius:
>
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.

Read again.

List it in the authorize section, not the authenticate section.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

Before acting on this email or opening any attachments you should read Cape PC Service's email disclaimer at: http://www.pcservices.co.za/disclaimer.html
Re: Need help authenticating local users on Apple server
> Read again.
>
> List it in the authorize section, not the authenticate section.

My mistake. I thought the word "And" meant do both, based on my question. Removed from authenticate and listed opendirectory under authorize of inner tunnel. I now get the following error:

/usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found
/usr/local/etc/raddb/sites-enabled/default[150]: Failed to load module opendirectory.
/usr/local/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section
Re: Need help authenticating local users on Apple server
Raymond Norton wrote:
> What is the proper syntax for adding the opendirectory module?

$ man unlang

Or, read the dozens of examples in the configuration file you edited.

> I am getting errors when attempting to start radius:
>
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[195]: Entry is not a reference to a module
> /usr/local/etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section.

OK... you made a change to the file which created that error. Is it a secret? Or did you think we could guess what you did wrong?

Alan DeKok.
Re: Need help authenticating local users on Apple server
> OK... you made a change to the file which created that error. Is it a secret? Or did you think we could guess what you did wrong?

Johan informed me I misunderstood your original instructions and I was not to put anything under Authenticate of the inner-tunnel. I removed what I had there. My entry under Authorize is only this:

authorize {
    opendirectory
#

And this is the error I now get with radiusd -X:

Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
/usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found
/usr/local/etc/raddb/sites-enabled/inner-tunnel[48]: Failed to load module opendirectory.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[47]: Errors parsing authorize section.
RE: NAS-IP-Address or NAS-Identifier in Access-Request?
I found %{Packet-Src-IP-Address}, but when I include this in the postauth_query it doesn't work... the fields are blank in the DB when I view it. How could I log the source IP address of successful authentications?

- Eric

-----Original Message-----
From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of Eric Geier
Sent: Tuesday, August 16, 2011 3:49 PM
To: 'FreeRadius users mailing list'
Subject: RE: NAS-IP-Address or NAS-Identifier in Access-Request?

> Understood, thanks! Can I log the source IP address to the Post-Auth DB table?
>
> Thanks,
> Eric
>
> -----Original Message-----
> From: freeradius-users-bounces+me=egeier@lists.freeradius.org [mailto:freeradius-users-bounces+me=egeier@lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Tuesday, August 16, 2011 10:38 AM
> To: FreeRadius users mailing list
> Subject: Re: NAS-IP-Address or NAS-Identifier in Access-Request?
>
>> Eric Geier wrote:
>>> Yes I read that in the RFC, but was wondering what vendors usually do, what's the most typical, etc. I'm also wondering the same about the Calling-Station-Id and Called-Station-ID. But it sounds like those aren't included very often, completely optional.
>>
>> There's no way to know what is typical. There are many dozens of vendors, each of whom has many dozens of products using RADIUS. Each product may have dozens of different firmware revisions, each of which behaves slightly differently.
>>
>>> But now that I've thought of it, if there isn't a NAS-IP-Address then authentication wouldn't work, right? 'Cause FR needs to look up the shared secret based upon the NAS-IP-Address?
>>
>> No. The shared secret is looked up by source IP address. The NAS-IP-Address can be anything. It is pretty much ignored by the core RADIUS protocol.
>>
>> Alan DeKok.
Re: Need help authenticating local users on Apple server
On Wed, Aug 17, 2011 at 7:51 AM, Raymond Norton ad...@lctn.org wrote:
> And this is the error I now get with radiusd -X:
>
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> /usr/local/etc/raddb/modules/opendirectory[11]: Failed to link to module 'rlm_opendirectory': dlopen(rlm_opendirectory.so, 9): image not found

Is your freeradius installation built with opendirectory support? Since it's not marked as stable, it's not built by default. Try rebuilding it, but this time using

    ./configure --with-experimental-modules | tee configure.log

... then look at configure.log and see what it says about rlm_opendirectory.

--
Fajar