Re: Novice Question

2012-11-20 Thread Phil Mayers

On 11/20/2012 10:23 AM, Tzvika Gelber wrote:


radius1 Cleartext-Password := radius1

   Tunnel-Type = VLAN
   Tunnel-Medium-Type = IEEE-802
   Tunnel-Private-Group-Id = 1



This is wrong; see man users and the other examples in this file. You 
can't have a blank line between the check and response items, and 
response items need to be separated by commas.


Please *read* the examples and docs that come with the server.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Swaraj


Hi All,

I'm using Freeradius server 2.1.12 on x86 fedora14. My client is using 
an (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to the radius 
server I am receiving the following errors.
Do we require different certificates for arm boards, as I was able to 
run without any issues on x86 with the same certificates?


openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)


/*ERROR:
---
*/
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, 
length=166

User-Name = testuser
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = 68-7F-74-64-0A-AA:linksys
Calling-Station-Id = 00-23-A7-3B-29-2C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020300060d00
State = 0xba89e950b88ae454eff4b9964b6ca194
Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/radiusd.conf

Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = 
testuser, looking up realm NULL

Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm NULL
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 
length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an 
on-going EAP conversation

Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser 
at line 131

Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/radiusd.conf

Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
EAP-Message = 
EAP-Message = 
0x88b6fb15bdb71452ca8657933581fd72e30615d551ba01f76475e2809c53ca6c798138de31621f62e3644e3f847199de6a1a00ce71c631e200b4cf2747a9714a7bb778fec35669dd1c63102371576fc66ec5bbdf2c9f4fd956782216a10b16030100ad0da502010200a0003f303d310b3009060355040613026161310a30080603550408130161310a3008060355040a130161310a3008060355040b130161310a30080603550403130161005d305b310a3008060355040a130161310a3008060355040b1301613110300e06092a864886f70d010901160161310a30080603550407130161310a30080603550408130161310b3009060355040613

EAP-Message = 0x026161310a300806035504031301610e00
Message-Authenticator = 0x
State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, 
length=1287

User-Name = testuser
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = 68-7F-74-64-0A-AA:linksys
Calling-Station-Id = 00-23-A7-3B-29-2C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 

Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison
 Now the service start and start loading the configuration, but fails at
 rlm_eap. freeradius -X output below
 
 the debian package doesn't include the libfreeradius-eap.so. maybe add
 it to the libfreeradius package
 
 diff --git a/debian/libfreeradius3.install b/debian/libfreeradius3.install
 index d08b127..0eb4b91 100644
 --- a/debian/libfreeradius3.install
 +++ b/debian/libfreeradius3.install
 @@ -1 +1,2 @@
  usr/lib/freeradius/libfreeradius-radius.so
 +usr/lib/freeradius/libfreeradius-eap.so
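Review bot: shipping usr/lib/freeradius/libfreeradius-eap.so in libfreeradius3.install does not address the failure quoted later in this thread (rlm_eap.so: undefined symbol: eap_wireformat), which is rlm_eap not being linked against libfreeradius-eap; the packaging change is harmless on its own but should land together with the link fix, and as Alan notes the library arguably belongs in an rlm_eap package rather than libfreeradius3.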
 

Well even with the libfreeradius-eap.so packaged into libfreeradius3,
eap is not starting. I checked on my other systems running 2.2.10, but
built with libtool and libltdl, the rlm_eap.so is linked with
libfreeradius-eap.

It's not the case on the master branch, but I guess that's normal
because it uses freeradius own system to load libraries.

So is it loading libfreeradius-eap.so ? I can't tell, don't know how to
look for it :p

Tried to run inside gdb but didn't get any helpful information. any
hints to find what's going on ?
In the mean time I think I'll dig into the source code.

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hello all,

I apologize for the spam but I thought that you would be able to give me
a couple of pointers on the following.

I am trying to find some statistics on what is the most commonly
deployed/used EAP method using FreeRadius (or RADIUS in general).

There are many claims that, for example, EAP-TLS and EAP-TTLS are most
commonly used (and secure) but these are never backed up by any
survey/references. Any pointers?

Thanks a lot,

Panos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
 Installation failed the first time. still missing the mods-enabled.
 corrected through the following patch

  OK, fixed a bunch of stuff... it should now be better.

 Now the service start and start loading the configuration, but fails at
 rlm_eap. freeradius -X output below
 
 the debian package doesn't include the libfreeradius-eap.so. maybe add
 it to the libfreeradius package

  It should be part of a rlm_eap package, if that exists.

 /etc/freeradius/mods-enabled/eap[17]: Failed to link to module
 'rlm_eap': /usr/lib/freeradius/rlm_eap.so: undefined symbol: eap_wireformat
 /etc/freeradius/sites-enabled/default[321]: Failed to find eap in the

  The rlm_eap library should be linked against the libfreeradius-eap
library.  But not every system correctly supports inter-library
dependencies.

  I'll take a look.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread Marinko Tarlać

It works perfectly almost without any changes inside config files... :)

hint: default_eap_type = peap inside eap.conf

On 20.11.2012 14:24, Alan Buxey wrote:
From my own experience PEAP (aka PEAPv0/mschapv2) is the most common 
EAP method in use (probably due to it being supported in most clients 
and backend authentication systems)


alan



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Alan DeKok
Swaraj wrote:
 I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
 (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
 server I am receiving the following errors.

  The client is broken.  It's not doing SSL correctly.

 Do we require different certificates for arm boards, as I was able to
 run without any issues on x86 with same certificates.

  Because it has different software.
 Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
 Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read
 certificate verify B
 Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
 routines:RSA_padding_check_PKCS1_type_1:block type is not 01

  You CANNOT fix this by poking FreeRADIUS.

 I created certificates with the following commands:

  This is NOT a certificate issue.  Notice that the error is NOT
complaining about certificates.

  And why use your own commands to create certs?  The scripts in
raddb/certs WORK.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread Alan Buxey
From my own experience PEAP (aka PEAPv0/mschapv2) is the most common EAP method 
in use (probably due to it being supported in most clients and backend 
authentication systems)

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers

On 20/11/12 12:53, Panagiotis Georgopoulos wrote:

Hello all,

 I apologize for the “spam” but I thought that you would
be able to give me a couple of pointers on the following.

 I am trying to find some statistics on what is the most
commonly deployed/used EAP method using FreeRadius (or RADIUS in general).

 There are many claims that, for example, EAP-TLS and
EAP-TTLS are most commonly used (and secure) but these are never backed
up by any survey/references. Any pointers?


We support the following:

EAP-PEAP/MSCHAP
EAP-TTLS/PAP
EAP-TTLS/MSCHAP
EAP-TLS

...and 99.9% of our auth is EAP-PEAP/MSCHAP. So, I would have to say 
that PEAP/MSCHAP is the most common, and my understanding of other sites 
suggests the same.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 13:26, Alan DeKok wrote:

Swaraj wrote:

I'm using Freeradius server2.1.12 on x86 fedora14. My client is using
(armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius
server I am receiving the following errors.


   The client is broken.  It's not doing SSL correctly.


Oops yes ignore my email; I thought the *server* was running on the IMX.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
 I am trying to find some statistics on what is the most
 commonly deployed/used EAP method using FreeRadius (or RADIUS in general).

  That's hard.  It requires organizations to tell people what they're
doing.  Most organizations won't say this.

There are many claims that, for example, EAP-TLS and
 EAP-TTLS are most commonly used (and secure) but these are never backed
 up by any survey/references. Any pointers?

  The best source of these stats is probably the eduroam proxies.
However, that information is hard to get.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Change Simultaneous-Use default value

2012-11-20 Thread Dmitry Korzhevin

Hello,

How to change default Simultaneous-Use 0 (default) value without using 
user groups?


So, all current users and new, that will be created - will have for 
example 2 allowed connections?




Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhe...@stidia.com
m: +38 093 874 5453
w: http://www.stidia.com



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 12:38, Swaraj wrote:


Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01


That's very odd. It looks like a problem with OpenSSL - maybe 
endian-ness or something?





I created certificates with the following commands:


Did you create them *on* the ARM device? Can you verify them with 
openssl verify *on* the ARM device?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 14:44, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Well even with the libfreeradius-eap.so packaged into libfreeradius3,
 eap is not starting. I checked on my other systems running 2.2.10, but
 built with libtool and libltdl, the rlm_eap.so is linked with
 libfreeradius-eap.
 
   I've just pushed a fix.  Please check it out.

Thanks Alan,

Other changes broke the make install process.

Clean up so that installation dependencies work
radlast.mk, radzap.mk, radtest.mk and checkrad.mk are broken
install.bindir not defined and not found.

INSTALL radclient
INSTALL radiusd
INSTALL radsniff
INSTALL radmin
INSTALL radattr
INSTALL radconf2xml
INSTALL radwho
INSTALL install.bindir
install:  install.bindir does not exist
make[1]: ***
[/opt/src/freeradius/FR3/freeradius-server/debian/tmp/usr/bin/radlast]
Error 1
make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server'
make: *** [install-arch] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
 Panagiotis Georgopoulos wrote:
  I am trying to find some statistics on what is the
  most commonly deployed/used EAP method using FreeRadius (or RADIUS in 
  general).
 
   That's hard.  It requires organizations to tell people what they're doing.
 Most organizations won't say this.

Yeap, I understand this but telling people that you are doing EAP-TLS, or
EAP-TTLS, or PEAP, or whatever does not really expose your network. Many
companies have this information on the web already in how-to-connect-to-our-wifi
guides. It seems strange to me that there is no survey with collective
statistics about this anywhere.

 
 There are many claims that, for example, EAP-TLS and
  EAP-TTLS are most commonly used (and secure) but these are never
  backed up by any survey/references. Any pointers?
 
   The best source of these stats is probably the eduroam proxies.
 However, that information is hard to get.
 

I've been searching all morning for NRPS statistics but I have been unable to
find any online. I know there are eduroam people in this list... could they help?

Thanks,
Panos


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Change Simultaneous-Use default value

2012-11-20 Thread Alan DeKok
Dmitry Korzhevin wrote:
 Hello,
 
 How to change default Simultaneous-Use 0 (default) value without using
 user groups?
 
 So, all current users and new, that will be created - will have for
 example 2 allowed connections?

  Add an entry in the users file:

DEFAULT Simultaneous-Use := 2

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
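Two replies in this digest are about the syntax of the users file: Phil's correction (no blank line between the check items and the reply items, reply items separated by commas) and Alan's `DEFAULT Simultaneous-Use := 2` entry. The following is an added example, not FreeRADIUS code and not rlm_files: a toy parser that applies exactly those rules to constructed input, showing how the broken entry from the thread silently loses its reply items, and how a DEFAULT entry (here with an assumed `Fall-Through = Yes` so that per-user entries still apply) gives every user the same Simultaneous-Use. Operator handling, value quoting and matching are simplified.

```python
"""Toy parser for the FreeRADIUS 'users' file format, added as an example.
It is not rlm_files; it models only the rules discussed in the thread:
name + check items on the first line, indented comma-separated reply
items on the following lines, a blank line ending the entry, and DEFAULT
entries applying to everyone (with Fall-Through controlling whether
matching continues)."""
import re
from typing import Dict, List, Tuple

# Constructed input 1: the broken entry from the thread (blank line between
# check and reply items, no commas between reply items).
USERS_BROKEN = """\
radius1 Cleartext-Password := "radius1"

\tTunnel-Type = VLAN
\tTunnel-Medium-Type = IEEE-802
\tTunnel-Private-Group-Id = 1
"""

# Constructed input 2: the corrected entry, preceded by a DEFAULT entry that
# gives every user Simultaneous-Use := 2 and falls through so per-user
# entries still apply (Fall-Through is assumed here, not taken from the thread).
USERS_OK = """\
DEFAULT Simultaneous-Use := 2
\tFall-Through = Yes

radius1 Cleartext-Password := "radius1"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 1
"""

PAIR_RE = re.compile(r'([\w-]+)\s*(:=|==|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_pairs(text: str) -> List[Tuple[str, str, str]]:
    """Split 'A = 1, B := "x"' into (attribute, operator, value) triples.
    Simplification: values containing commas are not supported."""
    pairs = []
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = PAIR_RE.fullmatch(chunk)
        if not m:
            raise SyntaxError(f"cannot parse pair {chunk!r}")
        attr, op, value = m.groups()
        pairs.append((attr, op, value.strip('"')))
    return pairs


def parse_users(text: str):
    """Return (entries, warnings). A reply line that follows one without a
    trailing comma is a syntax error; reply lines after a blank line belong
    to no entry and are reported as warnings (and dropped)."""
    entries, warnings = [], []
    current, expect_more = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#"):
            continue
        if not line.strip():                      # blank line closes the entry
            if current is not None:
                entries.append(current)
            current, expect_more = None, False
        elif line[0] in " \t":                    # indented: reply items
            if current is None:
                warnings.append(f"line {lineno}: reply items outside any entry, ignored")
                continue
            if not expect_more:
                raise SyntaxError(f"line {lineno}: previous line is missing a trailing comma")
            current["reply"].extend(parse_pairs(line))
            expect_more = line.endswith(",")
        else:                                     # new entry: name + check items
            if current is not None:
                entries.append(current)
            parts = line.split(None, 1)
            current = {"name": parts[0],
                       "check": parse_pairs(parts[1] if len(parts) > 1 else ""),
                       "reply": []}
            expect_more = True
    if current is not None:
        entries.append(current)
    return entries, warnings


def lookup(entries, username: str, request: Dict[str, str]):
    """Model of the match: DEFAULT or the exact user name; '==' check items
    must equal the request attribute, ':=' / '=' check items become control
    attributes; reply items accumulate; matching stops unless Fall-Through = Yes."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        if not all(request.get(a) == v for a, op, v in entry["check"] if op == "=="):
            continue
        control.update((a, v) for a, op, v in entry["check"] if op in (":=", "="))
        fall_through = False
        for attr, _op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply
```

Running `parse_users(USERS_BROKEN)` yields a `radius1` entry with no reply items and three warnings, which is why the VLAN attributes never reach the NAS; `parse_users(USERS_OK)` followed by `lookup(entries, "radius1", {})` yields `Simultaneous-Use` and `Cleartext-Password` as control attributes and the three Tunnel-* reply attributes, while any other user still receives `Simultaneous-Use = 2` from the DEFAULT entry.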


Re: Statistics on EAP methods widely used

2012-11-20 Thread Stefan Winter
Hi,

 I've been searching all morning for NRPS statistics but I have been unable to
 find any online. I know there are eduroam people in this list... could they help?

In eduroam, every identity provider makes the choice of EAP type all on
their own. I.e. we do not have a central register of who uses which EAP
type.

Of course these things can be found out; if by no other means by
sniffing the first bytes of EAP conversations on proxies to see which
EAP type was negotiated. But seriously: what's the point?

There are a number of EAP methods which satisfy the IETF requirements
for good EAP types in RFC4017.

So long as you stay in the good set - pick whatever fits your local
situation best; some have advantages in certain situations, others don't.

There is no definitive answer which EAP type is best, so you'll have
to sit down and find out your own needs yourself. And if you just want
statistics for statistics' sake... sorry, that kind of information is so
hard to get hold of, I'm reasonably confident that it won't be done
unless there's a real use case for it.

That said, we might get information of that kind as a by-product of a
configuration assistant tool which identity providers may use to make
their lives easier, and then maybe we could generate numbers from that.
Don't hold your breath though.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
 Well even with the libfreeradius-eap.so packaged into libfreeradius3,
 eap is not starting. I checked on my other systems running 2.2.10, but
 built with libtool and libltdl, the rlm_eap.so is linked with
 libfreeradius-eap.

  I've just pushed a fix.  Please check it out.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
 Subject: Re: Statistics on EAP methods widely used

 From my own experience PEAP (aka PEAPv0/mschapv2) is the most common EAP 
 method 
 in use (probably due to it being supported in most clients and backend 
 authentication systems)

 alan

Thanks for your reply Alan. I've also read that PEAP is very widely deployed 
mostly because of the support by big vendors. But then again, I am unable to 
find any references or any survey with some statistics on this...

Anyone else any pointers?

Thanks,
Panos

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius retransmit of EAP-TTLS start packet with incorrect packet id

2012-11-20 Thread Phil Mayers

On 19/11/12 16:27, Alan DeKok wrote:


   There are patches going into 3.0 which will detect RADIUS retransmits
over multiple proxy hops.  That is a rare case, but more likely in the
case of eduroam.  Fixing it is good.


Ooh, really? What solution did you hit on?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread Olivier Beytrison
 
 I've been searching all morning for NRPS statistics but I have been unable to
 find any online. I know there are eduroam people in this list... could they help?


On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're
providing documentation and configuration tool for the peap method.

Statistics reports 60% of peap against 40% of ttls.

Total number of eduroam users live is approx 800

Olivier B.
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers

On 20/11/12 14:19, Panagiotis Georgopoulos wrote:


Yeap, I understand this but telling people that you are doing EAP-TLS, or
EAP-TTLS, or PEAP, or whatever does not really expose your network. Many
companies have this information on the web already in how-to-connect-to-our-wifi
guides. It seems strange to me that there is no survey with collective
statistics about this anywhere.


Why are you telling us that? We know. We agree.

The point is that lots of *other* people don't. Alan is not saying this 
is sensible; he's saying it *is the case*.



I've been searching all morning for NRPS statistics but I have been unable to
find any online. I know there are eduroam people in this list... could they help?


As Stefan has said, it's a lot of work, and you'll need to justify it.

However, in the spirit of being helpful - our ORPS stats for the last 4 
hours, excluding our own users, show the following EAP types (in hex):



 count  EAP type (hex)
    91  0d
   501  03
  4848  15
  7540  01
 35801  19

So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
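Phil's figures above are a tally of the EAP type byte seen on the proxies, and Swaraj's debug output earlier in this digest shows where that byte comes from (`EAP-Message = 0x020300060d00`: code 02 Response, id 03, length 6, type 0d = TLS). The following is an added example, not FreeRADIUS code and not the script behind Phil's numbers: it reassembles the EAP-Message attributes of each Access-Request in a constructed radiusd -X excerpt (a message longer than one attribute is carried in several consecutive EAP-Message attributes), reads the EAP header, and tallies the types, skipping Success/Failure packets and anything whose length field does not match what was captured. The sample log lines are constructed; the type numbers are from RFC 3748 and the IANA EAP registry.

```python
"""Added example: reassemble EAP-Message attributes from a radiusd -X log
and tally the EAP types seen. Not FreeRADIUS code; the log is constructed."""
import re
import struct
from collections import Counter

# EAP type codes (RFC 3748 / IANA EAP registry).
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# Constructed excerpt: one Access-Request per rad_recv line. The third packet
# is split over two EAP-Message attributes; the last one is an EAP Success
# (code 3), which has no type byte.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, length=166
    User-Name = "testuser"
    EAP-Message = 0x020300060d00
    State = 0xba89e950b88ae454eff4b9964b6ca194
rad_recv: Access-Request packet from host 10.0.0.70 port 2051, id=9, length=180
    EAP-Message = 0x0201000d017465737475736572
rad_recv: Access-Request packet from host 10.0.0.71 port 3000, id=1, length=300
    EAP-Message = 0x0205000c19000102
    EAP-Message = 0x03040506
rad_recv: Access-Request packet from host 10.0.0.71 port 3000, id=2, length=170
    EAP-Message = 0x020600061500
rad_recv: Access-Request packet from host 10.0.0.72 port 3001, id=3, length=170
    EAP-Message = 0x020700060319
rad_recv: Access-Request packet from host 10.0.0.72 port 3001, id=4, length=170
    EAP-Message = 0x020800061900
rad_recv: Access-Request packet from host 10.0.0.73 port 3002, id=5, length=168
    EAP-Message = 0x03090004
"""

RAD_RECV_RE = re.compile(r"^rad_recv: ")
EAP_MSG_RE = re.compile(r"^\s*EAP-Message\s*=\s*0x([0-9a-fA-F]+)\s*$")


def reassemble_eap(log_text):
    """One EAP packet per Access-Request: the EAP-Message attributes of a
    request are concatenated in order before the header is read."""
    packets, fragments = [], []
    for line in log_text.splitlines():
        if RAD_RECV_RE.match(line):
            if fragments:
                packets.append(b"".join(fragments))
            fragments = []
            continue
        m = EAP_MSG_RE.match(line)
        if m:
            fragments.append(bytes.fromhex(m.group(1)))
    if fragments:
        packets.append(b"".join(fragments))
    return packets


def eap_type(packet):
    """EAP type of a Request/Response; None for Success/Failure, truncated
    packets, or a length field that disagrees with the bytes captured."""
    if len(packet) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (1, 2) or length != len(packet):
        return None
    return packet[4]


def tally_eap_types(log_text):
    """Counter of EAP type -> number of packets carrying it."""
    return Counter(t for t in map(eap_type, reassemble_eap(log_text)) if t is not None)


def summarize(counter):
    """Name the types and express them as percentages, the way the thread does."""
    total = sum(counter.values())
    return {EAP_TYPE_NAMES.get(t, f"type {t}"): round(100.0 * n / total, 1)
            for t, n in sorted(counter.items())}


if __name__ == "__main__":
    print(summarize(tally_eap_types(SAMPLE_LOG)))
```

On the constructed excerpt the tally is two PEAP packets and one each of TLS, Identity, TTLS and Nak; the Success packet is counted in neither. Applied to a day of proxy logs the same code gives the kind of breakdown Phil quotes, with the same caveat that identity packets and Naks are counted alongside the method types.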


Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
 Other changes broke the make install process.

  Whoops, typo.  I've pushed another fix.

  Alan Dekok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Statistics on EAP methods widely used

2012-11-20 Thread alan buxey
Hi,

 information on the web already in how-to-connect-to-our-wifi guides. It
 seems strange to me that there is no survey with collective statistics
 about this anywhere.

it's because no one cared, and therefore our systems aren't collecting such 
information.
We *could* survey our federation, but, to be honest, I think some of them are 
getting sick of being surveyed about this and that almost every few months.

 I've been searching all morning for NRPS statistics but I have been unable to 
 find any
 online. I know there are eduroam people in this list... could they help?

...what would the end result be?  Is there a reason for wanting to know exact 
percentages of each good EAP method?  EAP-TLS is fairly rare due to the PKI 
required... though with centralised systems such as the eduroamJP project that 
may change... PEAP is most common... EAP-TTLS next (though what method is used 
in the EAP-TTLS inner is another thing altogether!) - then there are the hen's 
teeth - EAP-FASTv1, EAP-PWD and PEAPv1-GTC

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 15:45, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Other changes broke the make install process.
 
   Whoops, typo.  I've pushed another fix.
Yep thanks, this issue is resolved.

make install is ok for the binaries.
Now it barfs right after installing dhclient (last reference in src/all.mk)

INSTALL radwho
INSTALL radlast
INSTALL radtest
INSTALL radzap
INSTALL checkrad
INSTALL dhclient
mkdir: cannot create directory
`/opt/src/freeradius/FR3/freeradius-server/debian/tmp/etc/freeradius':
File exists
make[1]: *** [install.dirs] Error 1
make[1]: Leaving directory `/opt/src/freeradius/FR3/freeradius-server'
make: *** [install-arch] Error 2
dpkg-buildpackage: error: debian/rules binary gave error exit status 2

And what's fun, debian/tmp/etc/freeradius is a file: a Perl script,
example.pl from rlm_perl.

Bug introduced with commit 3298d3cc096cc2c5a76ab22388a154a0301b1897

Possible fix : move example.pl in ${docdir}/examples/example.pl


diff --git a/src/modules/rlm_perl/Makefile.in
b/src/modules/rlm_perl/Makefile.in
index 59c5d4c..04a1482 100644
--- a/src/modules/rlm_perl/Makefile.in
+++ b/src/modules/rlm_perl/Makefile.in
@@ -15,4 +15,4 @@ include ../rules.mak
 $(LT_OBJS): $(HEADERS)

 install-scripts:
-   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl $(R)$(raddbdir)
+   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl
$(R)$(docdir)/examples/example.pl
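Review bot: the new destination `$(R)$(docdir)/examples/example.pl` assumes `$(docdir)/examples` already exists under the staging root, and `install -m 755 file dest` does not create intermediate directories; add `@$(INSTALL) -d $(R)$(docdir)/examples` ahead of it (or install into the directory rather than a full file path) so the rule does not fail on a clean staging tree. Also, the `+` line is wrapped onto two lines as pasted here, so the hunk will not apply until it is rejoined.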
diff --git a/src/modules/rlm_perl/all.mk.in b/src/modules/rlm_perl/all.mk.in
index b82e83c..b582332 100644
--- a/src/modules/rlm_perl/all.mk.in
+++ b/src/modules/rlm_perl/all.mk.in
@@ -13,4 +13,4 @@ install: install.rlm_perl.scripts

 .PHONY: install.rlm_perl.scripts
 install.rlm_perl.scripts:
-   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl $(R)$(raddbdir)
+   @$(INSTALL) -m 755 src/modules/rlm_perl/example.pl
$(R)$(docdir)/examples/example.pl
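Review bot: this repeats the Makefile.in change in all.mk.in, so two build files now install the same script to the same `$(R)$(docdir)/examples/example.pl` path; either drop the rule from the file that is no longer used or keep the two in sync, and add the same `@$(INSTALL) -d $(R)$(docdir)/examples` here, since this rule has the same missing-directory problem.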

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Received invalid reply digest from RADIUS server on FreeSwitch server

2012-11-20 Thread Ankur - BillCall
Dear All,

I have setup a FreeRADIUS server (Version: 2.1.12 x86_64, Release: 4.el5_8,
Backend: MySQL) and a FreeSwitch server as SIP server (both servers are on
a VM environment).

I am getting the below error on FreeSwitch (it uses the FreeRadius-Client
library) after handling approx 250 requests. It will not take more calls after
approx 250 calls on FreeSwitch as it gives RADIUS Auth Failed in FS logs.

Nov 20 15:49:29 FreeSwitch-BC-Test freeswitch: rc_check_reply: received
invalid reply digest from RADIUS server

Nov 20 15:49:33 FreeSwitch-BC-Test freeswitch: rc_send_server: no reply from
RADIUS server radiusserver:1813, 192.168.15.111

Nov 20 15:49:33 FreeSwitch-BC-Test freeswitch: rc_check_reply: received
invalid reply digest from RADIUS server

In FS logs, I can see Access-Accept in reply for the failed call on FS.

Also using wireshark I am getting the Access-Accept UDP packet on FS but it
shows invalid reply digest.

Is it an issue with FreeRADIUS-Client or FreeRADIUS, or an issue of
mis-configuration? Please help.


Thanks and Regards,

Ankur Kalavadia

Software Engineer

 http://www.billcall.net/ Billcall Inc.
 
http://maps.google.com/maps?q=8002%2C+Kewgarden+Rd.%2CSuite+1040%2CKew+Gard
en%2CNew+York+11415%2CUSAhl=en 8002, Kew Garden Rd.
Suite 1040
Kew Garden, New York 11415 USA
 http://www.linkedin.com/e/jsc/Bankai+Group/ We're hiring!


India No.: +91-8238002749

   +91-9909428658


Email:  mailto:ankur.kalava...@billcall.net ankur.kalava...@billcall.net
SkyPe: ankur.billcall

LinkedIn : in.linkedin.com/in/ankurkalavadia




 

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison


On 20.11.2012 14:44, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Well even with the libfreeradius-eap.so packaged into libfreeradius3,
 eap is not starting. I checked on my other systems running 2.2.10, but
 built with libtool and libltdl, the rlm_eap.so is linked with
 libfreeradius-eap.
 
   I've just pushed a fix.  Please check it out.

Your change in checkrad.mk moved the binary from sbindir to bindir. Is
this change wanted or not? If yes I'll update the
debian/freeradius.install accordingly. If not we'll need an
install.sbindir in the Makefile

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Received invalid reply digest from RADIUS server on FreeSwitch server

2012-11-20 Thread Alan DeKok
Ankur - BillCall wrote:
 I have setup FreeRADIUS server(Version:2.1.12 x86_64, Release : 4.el5_8,
 Backend : MySQL )  and FreeSwitch server as SIP server (Both server are
 on VM environment).

  Upgrade to 2.2.0.

 Nov 20 15:49:29 FreeSwitch-BC-Test freeswitch: rc_check_reply: received
 invalid reply digest from RADIUS server

  The shared secret is wrong.

  Or, freeswitch is broken.

 Also using wireshark I am getting Access-Accept UDP package on FS but it
 shows invalid reply digest.

  Then the shared secret is wrong.

  FreeRADIUS calculates the correct reply digest, if the shared secret
is correct.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
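Alan's point is that the reply digest (the Response Authenticator of RFC 2865) is computed over the reply and the shared secret, so Wireshark can show a perfectly well-formed Access-Accept while the client, recomputing the digest with a different secret, reports "invalid reply digest". The following is an added example, not FreeRADIUS or freeradius-client code: it builds an Access-Accept the way a server does and then performs the client-side check with the right secret and with a wrong one. The Request Authenticator, the secrets and the Reply-Message are constructed values.

```python
"""Added example: RADIUS Response Authenticator check (RFC 2865 section 3).
Constructed, stand-alone code; not FreeRADIUS or freeradius-client source."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

# Constructed values: a fixed Request Authenticator standing in for the 16
# random bytes the client sends, and the secrets each side is configured with.
REQUEST_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SECRET_OK = b"testing123"
SECRET_BAD = b"testing124"


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length incl. header, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth
    + Attributes + Secret), placed in the authenticator field."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def reply_code(reply):
    """The packet code as a sniffer displays it; it says nothing about the digest."""
    return reply[0]


def verify_reply(reply, request_auth, secret):
    """Client side (the check behind 'invalid reply digest'): recompute the
    authenticator with *our* secret and compare it with the one on the wire."""
    if len(reply) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def demo():
    """The same Access-Accept, checked with the right and with a wrong shared secret."""
    reply = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH,
                        [(18, b"Hello, testuser")], SECRET_OK)  # 18 = Reply-Message
    return {
        "code": reply_code(reply),                                    # 2 either way
        "secret_matches": verify_reply(reply, REQUEST_AUTH, SECRET_OK),
        "secret_mismatch": verify_reply(reply, REQUEST_AUTH, SECRET_BAD),
    }


if __name__ == "__main__":
    print(demo())
```

The result of `demo()` is a code of 2 (Access-Accept) in both cases with the digest accepted only under the matching secret, which is exactly the symptom in the FreeSwitch logs; the same check also rejects a reply whose attributes were altered in transit.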


Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
Hi

on 20.11.2012 16:22, Brekler Custodio wrote:
 Found Auth-Type = EAP
 # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 +- entering group authenticate {...}
 [eap] Request found, released from the list
 [eap] EAP/mschapv2
 [eap] processing type mschapv2
 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 [mschapv2] +- entering group MS-CHAP {...}
 [mschap] No Cleartext-Password configured. Cannot create LM-Password.
 [mschap] No Cleartext-Password configured. Cannot create NT-Password.
 [mschap] Creating challenge hash with username: 1085
 [mschap] Told to do MS-CHAPv2 for 1085 with NT-Password
 [mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject

looks like your authentication data is missing on the server side.

cheers

Erich



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius retransmit of EAP-TTLS start packet with incorrect packet id

2012-11-20 Thread Alan DeKok
Phil Mayers wrote:
 Ooh, really? What solution did you hit on?

  Cache reply by State.

authorize {
	cached_reply
	...
}

post-auth {
	...
	cached_reply
}

  It returns handled in the authorize section if it finds a matching
State.

  On authorize it does:

if (cache[request State]) {
send cached reply attrs
handled
}

  On post-auth it does:

cache[request State] = 0
cache[reply State] = reply attrs

  It should work, I think.  So if you have an intermediate proxy fail,
the RADIUS re-transmit won't hit.  But this will catch the retransmitted
packet, which has the same State as a previous reply.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
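Alan sketches a reply cache keyed by the RADIUS State attribute so that a request retransmitted through another proxy hop is answered from the cache instead of re-running the EAP state machine. The following is an added example that models that idea, not the 3.0 module and not the sketch line for line: it keys the cache by the State the request carried, fills it in post-auth, answers from it in authorize, and expires entries after a TTL. The EAP server is a stand-in that only counts how often it really runs and hands out a fresh State per challenge; the requests are constructed, and the very first request of a conversation carries no State, so it is never cached.

```python
"""Added example: a State-keyed reply cache for catching RADIUS retransmits
that arrive through a different proxy hop. Constructed model, not the 3.0 code."""
import time

HANDLED, CONTINUE = "handled", "continue"


class ReplyCache:
    """Maps the State a request carried to the reply that answered it, so a
    duplicate of that request (a retransmit) gets the same reply without
    re-running authentication. Entries expire after `ttl` seconds."""

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def _expire(self):
        now = self.clock()
        for state in [s for s, (_, t) in self.entries.items() if now - t > self.ttl]:
            del self.entries[state]

    def authorize(self, request):
        """(HANDLED, cached reply) on a retransmit, else (CONTINUE, None)."""
        self._expire()
        state = request.get("State")
        if state is not None and state in self.entries:
            return HANDLED, self.entries[state][0]
        return CONTINUE, None

    def post_auth(self, request, reply):
        """Remember the reply under the State the request carried."""
        state = request.get("State")
        if state is not None:
            self.entries[state] = (dict(reply), self.clock())


class FakeEapServer:
    """Stand-in for the authenticate section: counts how often it really runs
    and issues a fresh State with every Access-Challenge (constructed)."""

    def __init__(self):
        self.auth_runs = 0

    def authenticate(self, request):
        self.auth_runs += 1
        ident = request.get("EAP-Id", 0)
        return {"Reply": "Access-Challenge", "State": f"S{ident + 1}",
                "EAP-Message": f"challenge-for-eap-id-{ident}"}


def process(cache, server, request):
    """authorize -> (cached reply | authenticate + post-auth)."""
    verdict, reply = cache.authorize(request)
    if verdict == HANDLED:
        return reply
    reply = server.authenticate(request)
    cache.post_auth(request, reply)
    return reply


def simulate():
    """Round 2 of an EAP exchange arrives twice (once via each proxy path),
    then the legitimate round 3 arrives with the State from the reply."""
    cache, server = ReplyCache(), FakeEapServer()
    r1 = {"User-Name": "testuser", "EAP-Id": 1, "State": "S1"}  # constructed
    first = process(cache, server, r1)
    retransmit = process(cache, server, dict(r1))  # same State, later arrival
    r2 = {"User-Name": "testuser", "EAP-Id": 2, "State": first["State"]}
    nxt = process(cache, server, r2)
    return {"same_reply": first == retransmit, "auth_runs": server.auth_runs,
            "next_is_new": nxt["State"] != first["State"]}


if __name__ == "__main__":
    print(simulate())
```

`simulate()` shows the retransmit being answered with the identical reply while the authenticator ran only once for it, and the next genuine round (carrying the State from the reply, which is not in the cache) being processed normally. The TTL matters: without expiry the cache would grow with every challenge, and an entry that outlives the client's retransmit window only wastes memory.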


Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
 Possible fix : move example.pl in ${docdir}/examples/example.pl

  I've just fixed the old Makefile.  The new one is fine.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
 Your change in checkrad.mk moved the binary from sbindir to bindir. Is
 this change wanted or not? If yes I'll update the
 debian/freeradius.install accordingly. If not we'll need an
 install.sbindir in the Makefile

  I'll go fix that.

  Thanks for the patience.  Switching to a new build system is complicated.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Git master branch Debian build

2012-11-20 Thread Olivier Beytrison
On 20.11.2012 16:30, Alan DeKok wrote:
 Olivier Beytrison wrote:
 Your change in checkrad.mk moved the binary from sbindir to bindir. Is
 this change wanted or not? If yes I'll update the
 debian/freeradius.install accordingly. If not we'll need an
 install.sbindir in the Makefile
 
   I'll go fix that.
 
   Thanks for the patience.  Switching to a new build system is complicated.
It's alright, I'm not in a hurry, and you're quite responsive ;) I
rather feel like being the one bothering you ;)

Compilation, installation, and package are successfully made. After
installing the package, freeradius doesn't start.

Unable to open file /etc/freeradius/radiusd.conf: No such file or
directory

Uh oh ? looking at  /etc/freeradius, there's only the directories and
the symlinks, but not a single file. Great.

When looking in the build environment, in
debian/freeradius/etc/freeradius, all the files are present.

During package creation, the files are correctly grabbed as per
debian/freeradius.install

dpkg -L lists all the files.

dpkg is high on cocaine or what ?

Olivier
-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: oliv...@heliosnet.org


Re: Problems with 802.1x

2012-11-20 Thread Alan DeKok
  Please send plain text messages.  There's no need to send HTML
messages with everything bold.

Brekler Custodio wrote:
 *So I did the debug thing, and I couldn't find the error (I'm new on Linux)*

  You were told to read the comments at the top of
raddb/sites-available/inner-tunnel.  It gives DETAILED INSTRUCTIONS for
how to debug this issue.

  You need to follow instructions, or you will be unsubscribed and
banned from the list.

  Not following instructions means you won't get the problem solved.  It
means you're wasting your time, and ours.

  You haven't told the server what the user's known good password is.
How do you expect the server to authenticate anyone, if it doesn't know
who the user is?

  If your users are in sql, you need to edit
raddb/sites-available/inner-tunnel.  READ IT.  Look for sql, and
follow the instructions.

  It honestly isn't hard.  It doesn't require much knowledge about
anything.  But it DOES require that you read the instructions, and then
follow them.

  Alan DeKok.


Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
Hi

on 20.11.2012 17:16, Brekler Custodio wrote:
 
 So you mean that my MYSQL Server has a problem with my authentication ?

I don't think you use sql for authentication, follow the advice Alan
gave you and check your sites-enabled/inner-tunnel file.

cheers

Erich Titl





Re: Problems with 802.1x

2012-11-20 Thread alan buxey
Hi,
I asked this question yesterday, but since I'm new I did a lot of wrong
things, like no subject, etc etc.

but you still got a couple of answers.

I don't know what is wrong, I THINK it's our SQL DB that is not accepting
mschap.
I would appreciate it if people don't answer like "read this, read that, it's
all explained"; like I said, I'm new on Linux, I read everything I found,
but didn't get the problem

right. firstly, we say 'read this' or 'read that' because by reading this or that
you will know what to send - for example, don't bother sending the output of
radtest because it doesn't matter - you need to post the output of radiusd -X


secondly, as per the response you got to your first email

server inner-tunnel {
# Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel

look, server is using the 'inner-tunnel' virtual server

but finds no suitable user.

because you haven't enabled the 'sql' function in the inner-tunnel.

look at the 'default' virtual server file. see where it mentions 'sql' - then
edit the inner-tunnel and make sure IT ALSO mentions SQL.

then go and read the docs on deployingradius.org - and at least buy a good book
about FreeRADIUS - only by reading/learning can you get better - or all we are
doing is your job for you - in which case, please start paying us  :|

alan


RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio

I'm sorry Alan, I'm learning how to use this forum.
So, I read everything there, BUT there is one thing you don't know: my native
language isn't English, so it's not that easy to understand everything there.
On the inner-tunnel I already put the SQL.
So, here is another question: how can I create a user on the freeradius database
and do a radtest with mschap? Is that possible?
Below is the part of inner-tunnel talking about SQL; as I said I took off the comment.
#  This module takes care of EAP-MSCHAPv2 authentication.
#
#  It also sets the EAP-Type attribute in the request
#  attribute list to the EAP type from the packet.
#
#  The example below uses module failover to avoid querying all
#  of the following modules if the EAP module returns ok.
#  Therefore, your LDAP and/or SQL servers will not be queried
#  for the many packets that go back and forth to set up TTLS
#  or PEAP.  The load on those servers will therefore be reduced.
#
eap {
        ok = return
}

#
#  Read the 'users' file
files

#
#  Look in an SQL database.  The schema of the database
#  is meant to mirror the users file.
#
#  See Authorization Queries in sql.conf
sql

Re: Problems with 802.1x

2012-11-20 Thread alan buxey
hi,


...as there seem to be some doubts about how your system is actually working
for non-EAP methods (i.e. whether or not you actually use SQL at all), it
would be best if you actually sent the 'radiusd -X' output for when a successful
authentication occurs.


alan


RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio


So you mean that my MySQL server has a problem with my authentication?

Date: Tue, 20 Nov 2012 16:47:07 +0100
From: erich.t...@think.ch
To: freeradius-users@lists.freeradius.org
Subject: Re: Problems with 802.1x

Hi
 
looks like your authentication data is missing on the server side.
 
cheers
 
Erich
 


Re: Problems with 802.1x

2012-11-20 Thread Alan DeKok
Brekler Custodio wrote:
 So, I read everything there, BUT there is one thing you don't know, my
 native language isn't English, so it's not that easy to understand
 everything there.

  That's OK.

 On the inner-tunnel I already put the SQL.

  Well, it didn't show up in the debug log.  So you didn't enable sql in
that file.

 So, here is another question, how can I create a user on the freeradius
 database and do a radtest with mschap?
 Is that possible?

  Of course it's possible.  See the rlm_sql documentation.  It's on the
Wiki.

 Below is the part of inner-tunnel talking about SQL; as I said I took off
 the comment.

  OK... you did that AFTER you posted the previous message.

  Did you provision a user in SQL, as documented in the Wiki?

http://wiki.freeradius.org/modules/Rlm_sql

  Alan DeKok.


RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hi Olivier, 

 
  I've been searching all morning for NRPS statistics but I have been
  unable to find any online. I know there are eduroam people in this list...
  could they help?
 
 
 On our side we support eap-peap/mschapv2 and eap-ttls/mschapv2. We're
 providing documentation and a configuration tool for the peap method.
 
 Statistics report 60% PEAP against 40% TTLS.
 
 Total number of eduroam users live is approx 800
 

Thanks very much,
Panos




Re: Statistics on EAP methods widely used

2012-11-20 Thread alan buxey
Hi,

 I understand your view here and I don't disagree. My point is to firstly see
 which of them are being used in practice and then try to identify why. In
 certain instances some of them are more convenient/secure/etc than others,
 but when you know their popularity you can start thinking of other questions
 such as why would you need to configure both PEAP and EAP-TTLS for example.
 If providers are doing so there must be a reason and this is what I wanted
 to see.

answers

1) the usage figures are known by sites who tell - they always show PEAP being
the most favoured

2) backend authentication method

3) PEAP is most convenient... with correct deployment they are all as secure as 
each other

4) because you can.  we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our
authentication system works with them all and it means that we can offer the
widest range of authentication methods to clients - especially of interest to
the mobile space where, for example, if Apple suddenly decided not to support
PEAP anymore we've got EAP-TTLS there.

 From another point of view, I keep reading about x being the most widely
 deployed or z being the most commonly used but no one backs up their claim.
 That's why I thought to ask...

there is knowledge and a very large historical tract of 802.1X space. 

 the requirements of the scenario. I more wanted to see what providers
 eventually support and what prevails in the real world (vs theory).

..and what would happen if the only vocal people who provided you with data
were all using EAP-TLS or EAP-FAST? you would get a very distorted view of
what's going on in the real world. that is the problem with such surveys or
questions...

alan


RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hi Phil,


  I've been searching all morning for NRPS statistics but I have been
  unable to find any online. I know there are eduroam people in this list...
  could they help?
 
 As Stefan has said, it's a lot of work, and you'll need to justify it.
 
 However, in the spirit of being helpful - our ORPS stats for the last 4 hours,
 excluding our own users, show the following EAP types (in hex):
 
 
   91 0d
  501 03
 4848 15
 7540 01
35801 19
 
 So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.

Thanks a lot for these specific results. Essentially you are proving my point
:-)

At first you said that 99.9% is PEAP and practice says that 75% is PEAP (even
in just 4 hours). Essentially this is what I am after, to see whether what I am
reading online is also what happens in practice (in terms of deployment and
usage) (and then search why).

Thanks again,
Panos 




Re: Statistics on EAP methods widely used

2012-11-20 Thread alan buxey
Hi,

 At first you said that 99.9% is PEAP and practise says that 75% is PEAP (even 
 in just 4

bt! that's where you are wrong ;-) you've got to take into account
what the packet counts are measuring and whether these are unique clients.
all it takes is a chatty couple of clients and your stats are skewed...for
example, a client using EAP-TTLS that is continually reauthing will change the
balance ..and EAP-TTLS takes a couple more packets to construct the tunnel so
will therefore have higher packet presence.

we can, for example, see what methods sites use for their monitoring of service
but that isn't indicative of all the methods that they use... and locally they
might use some other method for their local 802.1X - eg EAP-TLS

eg 102 organisations use a PEAP test account, 10 organisations use EAP-TTLS
(with various inner types).

I guess the real question is WHY are you asking this - for a comp sci research
project or for eg local administrative work?

alan


Re: Problems with 802.1x

2012-11-20 Thread alan buxey
Hi,
So here is a debug again. Like I said, SQL is uncommented on inner-tunnel.

that's better - and yes it is uncommented. the debug shows that nicely :-)

++[sql] returns ok

ok

[pap] Normalizing MD5-Password from hex encoding

the password is MD5 encrypted.

rlm_eap_mschapv2: Issuing Challenge

and that's your problem. 802.1X methods like PEAPv0/MSCHAPv2 (standard microsoft
PEAP) DO NOT send the password to the server. instead, they use a
challenge-response method. which means that you need to be able to KNOW the
actual password - so you need to have a copy of it.

this all comes down to compatibility... which, once again, highlights the
requirement to read the documentation - particularly the web site which I have
already mentioned:

http://deployingradius.com/documents/protocols/compatibility.html

so... the passwords in the DB need to be clear or NT-hash

your current non 802.1X stuff works because the captive portal actually sends
the user-password across to the RADIUS server...so it can do an MD5 and see
that it just matches the database value.

alan


RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio


Thanks a lot man!
We will test now, that was my first thought, but I wasn't sure. And the guy that
is responsible for the MySQL DB doesn't have time to change it. He will test it
for me and I will have a response and give feedback here.

Re: Statistics on EAP methods widely used

2012-11-20 Thread alan buxey
Hi,

...as I write this, we have 3856 clients using the wireless,

3828 are using PEAP
26 are using EAP-TTLS
2 are using EAP-TLS


of course, if those 26 were very mobile across the UK then the national proxies
might think we had far more EAP-TTLS users than PEAP users


ALL are using WPA2/AES  (for me, that is far more important as a statistic! )


but our values lie nicely in the 99% of clients are using PEAP that was
already mentioned


alan


RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hello Stefan, 

Thanks for your reply. 

 Subject: Re: Statistics on EAP methods widely used
 
 Hi,
 
  I've been searching all morning for NRPS statistics but I have been
  unable to find any online. I know there are eduroam people in this list...
  could they help?
 
 In eduroam, every identity provider makes the choice of EAP type all on their
 own. I.e. we do not have a central register of who uses which EAP type.
 
 Of course these things can be found out; if by no other means by sniffing the
 first bytes of EAP conversations on proxies to see which EAP type was
 negotiated. But seriously: what's the point?

I understand your view here and I don't disagree. My point is to firstly see
which of them are being used in practice and then try to identify why. In
certain instances some of them are more convenient/secure/etc than others, but
when you know their popularity you can start thinking of other questions such
as why would you need to configure both PEAP and EAP-TTLS for example. If
providers are doing so there must be a reason and this is what I wanted to see.

From another point of view, I keep reading about x being the most widely
deployed or z being the most commonly used but no one backs up their claim.
That's why I thought to ask...

 There is no definitive answer which EAP type is best, so you'll have to sit
 down and find out your own needs yourself.

I didn't want to find which one is the best, because as you say this is in
relation to the requirements of the scenario. I more wanted to see what
providers eventually support and what prevails in the real world (vs theory).

Thanks for your reply,
Panos




Re: Statistics on EAP methods widely used

2012-11-20 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
 At first you said that 99.9% is PEAP and practice says that 75% is PEAP (even
 in just 4 hours). Essentially this is what I am after, to see whether what I am
 reading online is also what happens in practice (in terms of deployment and
 usage) (and then search why).

  If you're going to call us liars, then you can go find your own
mailing list.

  This list isn't the place to do research.  The people here are
answering your questions out of the kindness of their hearts.  It's not
nice to call them liars.

  If you care enough about the numbers, you will go do your own work.
Then, everyone here can question your methods and tell you you're doing
it wrong.

  Alan DeKok.


Re: Git master branch Debian build

2012-11-20 Thread Alan DeKok
Olivier Beytrison wrote:
   Thanks for the patience.  Switching to a new build system is complicated.
 It's alright, I'm not in a hurry, and you're quite responsive ;) I
 rather feel like being the one bothering you ;)

  Bug fixes go in quickly, so that's nice.

 Unable to open file /etc/freeradius/radiusd.conf: No such file or
 directory
 
 Uh oh ? looking at  /etc/freeradius, there's only the directories and
 the symlinks, but not a single file. Great.

 When looking in the build environment, in
 debian/freeradius/etc/freeradius, all the files are present.
 
 During package creation, the files are correctly grabbed as per
 debian/freeradius.install
 
 dpkg -L lists all the files.
 
 dpkg is high on cocaine or what ?

  Possibly.

  Alan DeKok.


Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers

On 20/11/12 17:50, Panagiotis Georgopoulos wrote:


   91 0d
  501 03
 4848 15
 7540 01
35801 19

So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS.


Thanks a lot for these specific results. Essentially you are proving my point :-)

At first you said that 99.9% is PEAP and practice says that 75% is PEAP (even
in just 4 hours). Essentially this is what I am after, to see whether what I am
reading online is also what happens in practice (in terms of deployment and
usage) (and then search why).


Sorry, but you're misunderstanding the stats, or reading too much into them.

These are EAP types from EAP *packets*, not sessions. And, as I said, it 
excludes our *own* users (i.e. it's just visitors) which removed several 
hundred thousand PEAP packets from the count.


EAP-Identity doesn't count as an auth type; there is one EAP packet for 
every session, at the start.


If you exclude the Identity packets (type 1) and NAK packets (type 3) 
you have:



   91 0d
 4848 15
35801 19

This is 87% PEAP. However, this is still *packets*. It takes no account 
of sessions, of the client re-auth times, TLS session resumption, and so 
forth, and is still just for visitors.


I'm afraid I don't have time to do more detailed processing. But really, 
you would want to unique any stats by client (Calling-Station-Id)  and 
EAP-type, and measure EAP type client days or something.

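The counting rules Phil describes, applied as an added example (not from the thread, not FreeRADIUS code) to constructed radiusd -X output: the EAP type is the fifth byte of EAP-Message, Identity (1) and NAK (3) are dropped before computing the share, and a per-client (Calling-Station-Id) count is set beside the packet count so that a chatty re-authenticating client no longer skews the picture. The MAC addresses and conversations are constructed; THREAD_COUNTS holds the packet counts posted above.

```python
import re
from collections import Counter, defaultdict

# EAP method type codes for the values that appear in the thread (hex on the page).
EAP_TYPES = {1: "Identity", 3: "NAK", 13: "TLS", 21: "TTLS", 25: "PEAP"}
NON_AUTH_TYPES = {1, 3}  # Identity and NAK name no authentication method

# Packet counts as posted in the thread: 91 0d, 501 03, 4848 15, 7540 01, 35801 19
THREAD_COUNTS = Counter({0x0d: 91, 0x03: 501, 0x15: 4848, 0x01: 7540, 0x19: 35801})

# Constructed sample conversations: (Calling-Station-Id, EAP-Message values).
# EAP-Message is code(1) id(1) length(2) type(1) data..., e.g. 0x020300060d00 is a
# Response (02), id 3, length 6, type 0x0d (TLS). The third client is deliberately
# chatty (a re-authenticating TTLS supplicant) to show how packet counts skew.
SAMPLE = [
    ("00-23-A7-3B-29-2C", ["0x0201000d017465737475736572", "0x020200061900", "0x020300061900"]),
    ("00-11-22-33-44-55", ["0x0201000d017465737475736572", "0x020200061900", "0x020300061900"]),
    ("AA-BB-CC-DD-EE-FF", ["0x0201000d017465737475736572"] + ["0x020200061500"] * 5),
    ("12-34-56-78-9A-BC", ["0x0201000d017465737475736572", "0x020200060319", "0x020300060d00"]),
]

def render_log(sample):
    """Emit the sample as radiusd -X style Access-Request blocks."""
    lines = []
    for mac, msgs in sample:
        for i, msg in enumerate(msgs):
            lines.append(f"rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id={i}, length=166")
            lines.append(f'\tCalling-Station-Id = "{mac}"')
            lines.append(f"\tEAP-Message = {msg}")
    return "\n".join(lines)

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_requests(log_text):
    """One dict of attributes per Access-Request in radiusd -X output."""
    requests, current = [], None
    for line in log_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            current = {}
            requests.append(current)
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return requests

def eap_type(eap_message):
    """Type byte of an EAP Request/Response; Success/Failure packets have none."""
    raw = bytes.fromhex(eap_message[2:] if eap_message.startswith("0x") else eap_message)
    return raw[4] if raw[0] in (1, 2) and len(raw) >= 5 else None

def packet_counts(requests):
    """Packets per EAP type, the figure quoted in the thread."""
    types = (eap_type(r["EAP-Message"]) for r in requests if "EAP-Message" in r)
    return Counter(t for t in types if t is not None)

def method_share(counts, exclude=NON_AUTH_TYPES):
    """Fraction per method after dropping Identity/NAK, as in the '87% PEAP' figure."""
    kept = {t: n for t, n in counts.items() if t not in exclude}
    total = sum(kept.values())
    return {t: n / total for t, n in kept.items()} if total else {}

def unique_clients(requests, exclude=NON_AUTH_TYPES):
    """Distinct Calling-Station-Id per method: a chatty client counts once."""
    seen = defaultdict(set)
    for r in requests:
        if "EAP-Message" in r and "Calling-Station-Id" in r:
            t = eap_type(r["EAP-Message"])
            if t is not None and t not in exclude:
                seen[t].add(r["Calling-Station-Id"])
    return {t: len(macs) for t, macs in seen.items()}

if __name__ == "__main__":
    reqs = parse_requests(render_log(SAMPLE))
    for label, table in (("packets", packet_counts(reqs)), ("clients", unique_clients(reqs))):
        print(label, {EAP_TYPES.get(t, t): n for t, n in table.items()})
    print("thread figures, PEAP share excluding Identity/NAK: %.1f%%" % (100 * method_share(THREAD_COUNTS)[25]))
```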


RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio


Thanks everyone for the help. We will be looking for a solution. The guy that
takes care of our DB said that all our passwords are MD5 and he doesn't know how
to change to MSCHAPv2 or how to generate it. And Windows doesn't allow us to
connect on 802.1x with MD5.
=/

Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
on 20.11.2012 19:21, Brekler Custodio wrote:
 
 Thanks everyone for the help.
 We will be looking for a solution.
 The guy that takes care of our DB said that all our passwords are MD5
 and he doesn't know how to change to MSCHAPv2 or how to generate it.
 And Windows doesn't allow us to connect on 802.1x with MD5.

Well, all you have to do is to find the credentials in the database.
AFAIK FR looks them up in the radtest table with an attribute of
NT-Password. If you have another table where they are located you will
either need to adapt the sql query or replicate the credentials.

cheers

Erich Titl




RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
 Panagiotis Georgopoulos wrote:
  At first you said that 99.9% is PEAP and practice says that 75% is
  PEAP (even in just 4 hours). Essentially this is what I am after, to
  see whether what I am reading online is also what happens in practice
  (in terms of deployment and usage) (and then search why).
 
   If you're going to call us liars, then you can go find your own mailing
 list.
 

When did I ever call someone a liar?


   This list isn't the place to do research.  The people here are answering
 your questions out of the kindness of their hearts.  It's not nice to call
 them liars.

It is because of the kindness of the people that I decided to ask. I didn't
call anyone a liar. 

I am trying to have a discussion with people that would be willing to share
some real results or give me some pointers because there is nothing as such
online. 

Panos




RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hi Phil,

Thanks for your reply. 

 Sorry, but you're misunderstanding the stats, or reading too much into them.
 
 These are EAP types from EAP *packets*, not sessions. And, as I said, it
 excludes our *own* users (i.e. it's just visitors) which removed several
 hundred thousand PEAP packets from the count.
 
 EAP-Identity doesn't count as an auth type; there is one EAP packet for
 every session, at the start.
 
 If you exclude the Identity packets (type 1) and NAK packets (type 3) you
 have:
 
    91 0d
  4848 15
 35801 19
 
 This is 87% PEAP. However, this is still *packets*. It takes no account
 of sessions, of the client re-auth times, TLS session resumption, and so
 forth, and is still just for visitors.

You are right Phil, I didn't get that these were counters for packets. My
comment was merely on the fact that I am unable to find some related
statistics and that people mention online their feeling about
deployed/used EAP methods but there is no such survey/analysis available.

 
 I'm afraid I don't have time to do more detailed processing. But really,
 you would want to unique any stats by client (Calling-Station-Id)  and
 EAP-type, and measure EAP type client days or something.

Fair enough, thanks a lot for the insight,
Panos





RE: Statistics on EAP methods widely used

2012-11-20 Thread Panagiotis Georgopoulos
Hello Alan,

Thanks for your reply,


  I understand your view here and I don't disagree. My point is to
  firstly see which of them are being used in practice and then try to
  identify why. In certain instances some of them are more
  convenient/secure/etc than others, but when you know their popularity
  you can start thinking of other questions such as why would you need
  to configure both PEAP and EAP-TTLS for example. If providers are doing
  so there must be a reason and this is what I wanted to see.
 
 answers
 
 1) the usage figures are known by sites who tell - they always show PEAP
 being the most favoured

I didn't know that, and some articles I read didn't favour PEAP that much.
Good to learn. 

 
 2) backend authentication method
 
 3) PEAP is most convenient... with correct deployment they are all as
 secure as each other

I would imagine that from the backend's perspective deploying PEAP and
EAP-TTLS is similar right? When you mention here convenient you mean in
terms of the clients that support it out of the box?


 
 4) because you can.  we support PEAP/EAP-TTLS/EAP-TLS/EAP-PWD because our
 authentication system works with them all and it means that we can offer
 the widest range of authentication methods to clients - especially of
 interest to the mobile space where, for example, if Apple suddenly decided
 not to support PEAP anymore we've got EAP-TTLS there.
 

So being more inclusive and supporting more devices out of the box is a
reason for supporting more than one EAP method on the server.

is knowledge and a very large historical tract of 802.1X space.

  the requirements of the scenario. I more wanted to see what providers
  eventually support and what prevails in the real world (vs theory).
 
 ..and what would happen if the only vocal people who provided you with
 data were all using EAP-TLS or EAP-FAST? you would get a very distorted view
 of what's going on in the real world. that is the problem with such surveys
 or questions...
 

Nothing would happen! I asked to see if people have pointers or would be
willing to share their stats/numbers as there is nothing as such online.

Thanks for your reply,
Panos





Re: Statistics on EAP methods widely used

2012-11-20 Thread Alan DeKok
Panagiotis Georgopoulos wrote:
 When did I ever call someone a liar?

 At first you said that 99.9% is PEAP and practise says that 75% is
 PEAP (even in just 4 hours).

 I am trying to have a discussion with people that would be willing to share
 some real results or give me some pointers because there is nothing as such
 online. 

  Sure.

  You need to understand the statistics that come back before
disagreeing with them.

  Alan DeKok.


Reject all calls from one or more Calling Station ID regardless of username or password

2012-11-20 Thread Henrik Karlsson
Hi guys,
I am a quite new user of the Free Radius Server and I have a problem.
I have an old Dial In system.
I want to reject all calls from one or more Calling Station ID regardless of 
username or password. I have tried to edit the user file like this

USERNAME Calling-Station-Id == 404402704, Auth-Type := Reject
The line above is based on the username and that is not what I want, I want
that all users from Calling Station ID 404402704 shall be rejected.
Have you guys got some suggestion how to solve my problem? 

/Henrik

