Re: Configuring freeradius for MACsec
Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Configuring freeradius for MACsec
On 24.2.2012 at 8:38, in message 4f473e78.2070...@deployingradius.com, Alan DeKok al...@deployingradius.com wrote:

> Matija Levec wrote:
>> What should be configured for radius to also send EAP-Key-Name AVP?
>
> Nothing. RFC 4072 says:
>
>    The EAP-Key-Name AVP (Radius Attribute Type 102) is of type
>    OctetString. It contains an opaque key identifier (name) generated
>    by the EAP method. Exactly how this name is used depends on the
>    link layer in question, and is beyond the scope of this document
>    (see [EAPKey] for more discussion). Note that not all link layers
>    use this name, and currently most EAP methods do not generate it.
>
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.
>
> Alan DeKok.

That is very likely the case. :( I'll try to get ACS 5.x and get any useful info out of it - not being very optimistic though.

I'd like to thank everyone for their comments.

Kind regards,
Matija Levec
Re: Configuring freeradius for MACsec
On 2012/02/24 09:38 AM, Alan DeKok wrote:
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

This? http://tools.ietf.org/html/draft-aboba-radext-wlan-15

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Configuring freeradius for MACsec
Alan Buxey wrote:
> Iirc, Cisco macsec/trustsec is implemented with EAP-FASTv2. Their cute way of tying you into Cisco ACS 5 or ISE

Ah. I have some code for EAP-FAST. I might take a look at it.

The reason it hasn't been integrated is that the vendor who wrote it did it as pretty much a hack. They duplicated much of the TLS code from EAP-TLS, instead of re-using it as with PEAP and TTLS. Out of general principle, that needs to be fixed before it's integrated. Duplicate code increases bugs and maintenance costs.

If anyone is interested in fixing it, I can put the code on github. It's probably not that hard to fix it, it just takes time I don't have.

Alan DeKok.
Re: Configuring freeradius for MACsec
On 02/24/2012 07:38 AM, Alan DeKok wrote:
> TTLS doesn't generate it. My guess is that Cisco has invented something themselves which defines EAP-Key-Name. Find out what that is, and we can implement it in FreeRADIUS.

FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant, saying that:

    EAP-Key-Name = eap type || eap session id

...and appendix A lists Peer-Id, Server-Id and Session-Id values for existing methods. Sadly, since neither PEAP nor TTLS were ever standardised, it skips those :o(

RFC 5216 suggests that EAP-TLS, and possibly all TLS-based methods in the absence of an alternative, might define EAP-Key-Name as:

    eap type || 0x0d || tls client random || tls server random

But it's all very unclear, and I'm struggling to see what the point is; what is all this crud for?
RES: Authentication by group and time.
Hello,

I managed to make it work, thanks. I have another question. The user is connected to the radius server and the time comes when he can no longer stay connected; does the radius do the disconnect?

Thanks,
Angelo

From: freeradius-users-bounces+angelo-listas=prolinx.com...@lists.freeradius.org [mailto:freeradius-users-bounces+angelo-listas=prolinx.com...@lists.freeradius.org] On behalf of ousmane sanogo
Sent: Thursday, 23 February 2012 07:45
To: FreeRadius users mailing list
Subject: Re: Authentication by group and time.

Hello, look here http://wiki.freeradius.org/FAQ#How+do+I+use+Login-Time+for+groups%2C+not+for+users%3F

On 22 February 2012 19:42, Listas Angelo angelo-lis...@prolinx.com.br wrote:

> Dear FreeRADIUS users, good afternoon!
>
> I have a radius server using a mysql database, authenticating by login and mac address, and it is working very well. Now I need to implement a new authentication plan where some users can only connect at a certain time of day (e.g. Monday to Friday from 18:00 to 22:00 and throughout the weekend). Looking through the FreeRADIUS documentation I found Login-Time, but found nothing on how to deploy this in my current configuration structure. Has anyone done this and could give me some idea of how to do it?
>
> Thank you!
> Angelo
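Editor's added example (not code from the thread or from FreeRADIUS itself) showing how a Login-Time value such as "Wk1800-2200,Sa,Su", which matches the schedule asked for above, is evaluated, and where the disconnect actually comes from: rlm_logintime does not tear the session down itself. When the login is inside an allowed window it sets Session-Timeout to the seconds left in that window, and it is the NAS that ends the session when that timer expires. The parser below assumes the documented Login-Time syntax as used here: comma-separated entries of day tokens (Su Mo Tu We Th Fr Sa, Wk for Mon-Fri, Al for every day) optionally followed by HHMM-HHMM; an entry with no time range covers the whole day; windows are treated as [start, end) and may not cross midnight.

```python
"""Evaluate a FreeRADIUS-style Login-Time string (added example, not rlm_logintime).

Returns the Session-Timeout the server would hand to the NAS (seconds left in
the matching window), or 0 when the login is outside every window (reject).
Assumptions are noted in the module docstring's lead-in: day tokens Su..Sa,
Wk, Al; times HHMM-HHMM; [start, end) windows that do not wrap past midnight.
"""
from datetime import datetime, timedelta
import re

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_TOKENS = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_TOKEN = r"Al|Wk|Su|Mo|Tu|We|Th|Fr|Sa"
_ENTRY = re.compile(r"^((?:%s)+)(?:(\d{4})-(\d{4}))?$" % _TOKEN)


def parse_login_time(spec):
    """Turn 'Wk1800-2200,Sa,Su' into [(set_of_weekdays, start_minute, end_minute), ...]."""
    windows = []
    for entry in spec.replace(" ", "").split(","):
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError("bad Login-Time entry: %r" % entry)
        day_str, start, end = m.groups()
        days = set()
        for tok in re.findall(_TOKEN, day_str):
            if tok == "Al":
                days.update(range(7))
            elif tok == "Wk":
                days.update(range(5))          # Monday to Friday
            else:
                days.add(DAY_TOKENS[tok])
        if start is None:
            smin, emin = 0, 24 * 60            # no range given: the whole day
        else:
            smin = int(start[:2]) * 60 + int(start[2:])
            emin = int(end[:2]) * 60 + int(end[2:])
            if not (0 <= smin < emin <= 24 * 60):
                raise ValueError("bad time range in %r" % entry)
        windows.append((days, smin, emin))
    return windows


def session_timeout(spec, now):
    """Seconds the user may stay connected if logging in at `now`; 0 means reject.

    Mirrors what rlm_logintime does with the result: the value becomes the
    Session-Timeout reply attribute, and the NAS enforces the cut-off.
    """
    minute = now.hour * 60 + now.minute
    best = 0
    for days, smin, emin in parse_login_time(spec):
        if now.weekday() in days and smin <= minute < emin:
            midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
            window_end = midnight + timedelta(minutes=emin)
            best = max(best, int((window_end - now).total_seconds()))
    return best


if __name__ == "__main__":
    spec = "Wk1800-2200,Sa,Su"                 # weekday evenings plus all weekend
    for when in (datetime(2012, 2, 23, 19, 0),   # Thursday 19:00 -> 3 h left
                 datetime(2012, 2, 23, 23, 0),   # Thursday 23:00 -> rejected
                 datetime(2012, 2, 25, 3, 0)):   # Saturday 03:00 -> rest of the day
        print(when, "->", session_timeout(spec, when))
```

Because the timeout is computed once at authorization time, a user who logs in at 21:59 gets a 60-second session and a user who logs in one minute later is rejected; nothing in the RADIUS server revisits sessions that are already up, so a NAS that ignores Session-Timeout will keep the user connected past the window.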
Oauth2 Google?
Hello,

I'm wondering if I could get help, or find documentation (even just a draft) on setting up Oauth2 on a freeradius server (omniauth?). I'm looking to use my google apps domain user database to manage users, and control access through an Untangle captive portal, which is already set up (then probably drop the portal and do EAP, though I'll play to see if I can start with EAP). Also if I'm on the completely wrong/old track, I'm not too worried about changing the plan now.

Thanks for the time/sorry for not lurking more before posting,
Jesse
Re: Oauth2 Google?
On 24/02/12 15:43, Jesse Crayston wrote:
> Hello,
>
> I'm wondering if I could get help, or find documentation (even just a draft) on setting up Oauth2 on a freeradius server (omniauth?). I'm looking to use my google apps domain user database to manage users, and control access through an Untangle captive portal, which is already set up (then probably drop the portal and do EAP, though I'll play to see if I can start with EAP). Also if I'm on the completely wrong/old track, I'm not too worried about changing the plan now.

It sounds like you're on the wrong track; none of the bits and pieces you've mentioned fit together.

Can you explain in more detail what you're trying to accomplish?
Re: Oauth2 Google?
Trying to get my users to have the same password on a radius server as they do on the google apps domain.

On Feb 24, 2012 8:45 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> It sounds like you're on the wrong track; none of the bits and pieces you've mentioned fit together.
>
> Can you explain in more detail what you're trying to accomplish?
rlm_sqlcounter doesn't increase counter
Hello Fellow Freeradius-Users,

I have freeradius-1.1.3 installed on Cent OS and I have a Cisco C2960 switch as my NAS. I have a task to allocate browsing time of 2hrs per day to students in our computer labs. In the logs from radius in debug mode, the counter doesn't increase; it always shows "(Check item - counter) is greater than zero; check_item=120, counter=0". Users are not signed out after Max-Daily-Session is reached. I want to be able to disconnect a logged-in user after they reach their maximum daily session. Kindly find below the config files, which indicate a maximum daily session of 120 seconds for testing purposes. I have searched through Freeradius's mailing-list but have not found a solution yet. I will be grateful for any help. Thank you.

### config on Cisco switch C2960 #

aaa new-model
!
!
aaa group server radius dot1x
!
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting suppress null-username
aaa accounting session-duration ntp-adjusted
aaa accounting update newinfo periodic 1
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius

interface FastEthernet0/9
 switchport access vlan 6
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer inactivity 5
 dot1x pae both
 dot1x max-req 3
 spanning-tree portfast

radius-server host 10.1.7.202 auth-port 1812 acct-port 1813 key key

### /etc/raddb/sqlcounter.conf

sqlcounter noresetcounter {
        counter-name = Max-All-Session-Time
        check-name = Max-All-Session
        sqlmod-inst = sql
        key = User-Name
        reset = never
        query = "SELECT SUM(AcctSessionTime) FROM radacct WHERE UserName='%{%k}'"
}

sqlcounter dailycounter {
        filename = ${raddbdir}/db.daily
        count-attribute = Acct-Session-Time
        driver = rlm_sqlcounter
        allowed-servicetype = Framed-User
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = daily
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

sqlcounter monthlycounter {
        counter-name = Monthly-Session-Time
        check-name = Max-Monthly-Session
        sqlmod-inst = sqlcca3
        key = User-Name
        reset = monthly
        query = "SELECT SUM(AcctSessionTime - GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) FROM radacct WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
}

## /etc/raddb/radius.conf ##

modules {
        $INCLUDE ${confdir}/sqlcounter.conf
}

instantiate {
        exec
        expr
        dailycounter
}

authorize {
        preprocess
        mschap
        suffix
        eap
        files
        sql
        dailycounter
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}

### /etc/raddb/users ###

clare   Max-Daily-Session := 120, User-Password := "password"
        Auth-Type := Reject, Reply-Message = "Your time limit is used", Simultaneous-Use := 1,

# Debug output #

Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.5.4:1645, id=220, length=244
        User-Name = "clare"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "EC-30-91-1D-69-89"
        Calling-Station-Id = "00-1E-33-D5-7A-68"
        EAP-Message = 0x0209002b19001703010020205ecf13b3dc88bd738478cf6a2111e5903a5089b64e282bc15b5c7c6c0e771c
        Message-Authenticator = 0x2cac65588536701091195c7b06db31a1
        Cisco-AVPair =
Re: rlm_sqlcounter doesn't increase counter
hi,

you don't seem to have SQL enabled in the accounting section... the WIKI entry should work

http://wiki.freeradius.org/Rlm_sqlcounter

alan
adding radius accounts
Is there a tool/addon to add and remove radius accounts in the users file without modifying the file directly? Also, can the users file be configured to authenticate based on linux users that already exist?

Thanks
Total Data download
Hi,

Is there any tool or script with the help of which I can find out how much data was downloaded by all users in the last 30 days? Please share the solution.

Best regards,
Fazal Ahmed Malik
Simultaneous-Use checking
Hi,

i need a little help with this. I have a MySQL setup with freeradius, and that is working. Now for Simultaneous-Use checking there are no queries to uncomment inside sql.conf by default (installed freeradius over apt-get). Now i added to sql.conf:

simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"

Group checking is disabled. What else do i have to do to get this checking started?

Thx!
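Three of the questions above (the rlm_sqlcounter counter that stays at 0, "how much did everyone download in the last 30 days", and Simultaneous-Use counting) are all answered by queries over the radacct table, so here is one added example, not code from the list or from FreeRADIUS, that runs them against a constructed radacct in in-memory SQLite. The table and its rows are made up for the example; it keeps only the columns the queries touch and stores times as epoch seconds, so the MySQL UNIX_TIMESTAMP(AcctStartTime) from the posted dailycounter query becomes plain AcctStartTime and GREATEST(a, 0) becomes SQLite's two-argument MAX(a, 0). The "reset = daily" substitution for %b is assumed to be midnight UTC of the reference day.

```python
"""radacct queries behind sqlcounter, per-user download totals and Simultaneous-Use.

Added example with a constructed radacct table; not FreeRADIUS code.
"""
import sqlite3

DAY = 86400
NOW = 1330000000                 # constructed reference time: 2012-02-23 12:26:40 UTC
DAY_START = NOW - NOW % DAY      # what rlm_sqlcounter substitutes for %b with reset = daily


def make_radacct(with_accounting=True):
    """Build the sample table. with_accounting=False mimics a server whose
    accounting {} section never writes to SQL: the table stays empty."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radacct (
        RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
        NASIPAddress TEXT, AcctStartTime INTEGER, AcctStopTime INTEGER,
        AcctSessionTime INTEGER, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)""")
    if not with_accounting:
        return db
    rows = [
        # sessionid, user, nas, start, stop, sessiontime, input, output  (constructed)
        ("s1", "clare", "10.1.5.4", DAY_START + 3600, DAY_START + 5100, 1500, 100_000, 3_000_000),
        # started 23:30 yesterday and ran an hour: only the 1800 s after midnight count today
        ("s2", "clare", "10.1.5.4", DAY_START - 1800, DAY_START + 1800, 3600, 50_000, 2_000_000),
        # still open: AcctSessionTime and octets are whatever the last interim update wrote
        ("s3", "clare", "10.1.5.4", DAY_START + 40000, None, 4500, 30_000, 1_000_000),
        # three days ago: outside today's counter, inside the 30-day download window
        ("s4", "clare", "10.1.5.4", DAY_START - 3 * DAY, DAY_START - 3 * DAY + 7200, 7200, 10_000, 500_000_000),
        # forty days ago: outside the 30-day window
        ("s5", "bob", "10.1.5.4", DAY_START - 40 * DAY, DAY_START - 40 * DAY + 600, 600, 1_000, 10_000_000),
        # bob's current open session
        ("s6", "bob", "10.1.5.4", NOW - 7200, None, 7000, 20_000, 4_000_000),
    ]
    db.executemany("INSERT INTO radacct (AcctSessionId, UserName, NASIPAddress, AcctStartTime,"
                   " AcctStopTime, AcctSessionTime, AcctInputOctets, AcctOutputOctets)"
                   " VALUES (?,?,?,?,?,?,?,?)", rows)
    return db


def daily_session_total(db, user, day_start=DAY_START):
    """The dailycounter query from sqlcounter.conf: seconds used since %b, with a
    session that straddles midnight clipped to the part after midnight."""
    row = db.execute(
        "SELECT SUM(AcctSessionTime - MAX(? - AcctStartTime, 0)) FROM radacct"
        " WHERE UserName = ? AND AcctStartTime + AcctSessionTime > ?",
        (day_start, user, day_start)).fetchone()
    return row[0] or 0    # SUM over no rows is NULL: the counter=0 seen in the debug log


def remaining_daily_session(db, user, max_daily_session):
    """What rlm_sqlcounter hands back as Session-Timeout; 0 means the request is rejected."""
    return max(max_daily_session - daily_session_total(db, user), 0)


def downloaded_last_30_days(db, now=NOW):
    """Bytes sent towards each user (Acct-Output-Octets is measured from the NAS side)
    for sessions started in the last 30 days. FreeRADIUS's SQL accounting folds
    Acct-Output-Gigawords into this column, so it does not wrap at 4 GB; open sessions
    contribute whatever the last interim update wrote."""
    cur = db.execute(
        "SELECT UserName, SUM(AcctOutputOctets) FROM radacct"
        " WHERE AcctStartTime >= ? GROUP BY UserName ORDER BY UserName",
        (now - 30 * DAY,))
    return dict(cur.fetchall())


def open_sessions(db, user):
    """simul_count_query: sessions with no Stop record (NULL here; a schema that stores
    a zero stop time for open sessions is what the posted '= 0' comparison matches).
    Stale rows from a rebooted NAS or a lost Stop inflate this count, which is why
    rlm_sql also runs simul_verify_query and checks the listed sessions against the NAS."""
    return db.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user,)).fetchone()[0]


if __name__ == "__main__":
    db = make_radacct()
    print("clare used today:", daily_session_total(db, "clare"), "s")
    print("Session-Timeout with Max-Daily-Session := 120:", remaining_daily_session(db, "clare", 120))
    print("downloaded, last 30 days:", downloaded_last_30_days(db))
    print("open sessions for clare:", open_sessions(db, "clare"))
    print("counter with empty radacct:", daily_session_total(make_radacct(False), "clare"))
```

With an empty radacct every counter query returns NULL, which rlm_sqlcounter reports as counter=0 no matter how long the user has been connected; adding sql to the accounting section is what makes the Start, Interim-Update and Stop records land in the table. The daily counter is only as fresh as the last record written, so on the Cisco configuration above it is the one-minute "aaa accounting update newinfo periodic 1" that lets the limit be hit within a session rather than at the next login.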