Replace NAS-Identifier with Huntgroup
Hi. I was wondering, is it possible to replace the NAS-Identifier features by playing with Huntgroups? The idea is to have one user which can access several NAS with customized params, and this is what HG are for. But how to Reject the user, if it has no associated HG?

I'm having some troubles in fully understanding HuntGroups, as the wiki pages look only partial. Is there any other documentation source?

thanks
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco av-pair for NX-OS and IOS
On Thu, 2013-02-07 at 23:51 -0500, Norman Zhang wrote:
> Hi,
>
> Using freeradius2-2.1.12. I need to set up read-write access for both Cisco NX-OS and IOS devices. I did the following,
>
>     DEFAULT Group == operator-rw, Auth-Type = System
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair := shell:roles*\network-admin vdc-admin priv-lvl=15\
>
> I can log into both NX-OS and IOS devices; however, IOS devices only permit exec mode, not the privileged exec (enable) mode. Not sure if I'm doing something wrong with the syntax. Can someone give me a few pointers?

I guess you should not concatenate the IOS and NX-OS attributes into a single combined attribute. Also, priv-lvl=15 should be shell:priv-lvl=15 I believe.

This should work:

    DEFAULT Group == operator-rw, Auth-Type = System
        Cisco-AVPair += "shell:roles=network-admin vdc-admin",
        Cisco-AVPair += "shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User

-Øystein
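As an added example (not from the list thread), a small checker for the mistake discussed above: it walks the reply items of a users-file entry and flags a Cisco-AVPair that carries several shell: AV pairs in one value, or a second Cisco-AVPair set with `:=` (which would replace the first). The sample entries are constructed from the question and the answer.

```python
"""
Lint FreeRADIUS reply items for Cisco-AVPair problems: each Cisco-AVPair
value must carry exactly one "protocol:attribute=value" pair (or
"attribute*value" for an optional pair), never a concatenation of pairs.
"""
import re
from typing import List, Tuple

# protocol prefix, attribute name, '=' (mandatory) or '*' (optional), value
_AVPAIR = re.compile(r"^(?P<proto>[a-z]+):(?P<attr>[a-z0-9-]+)(?P<sep>[=*])(?P<value>.*)$")
# a second "name=" / "name*" token hiding inside the value of the first pair
_EMBEDDED_PAIR = re.compile(r"\s[a-z0-9-]+[=*]")


def check_avpair(value: str) -> List[str]:
    """Return the problems found in one Cisco-AVPair value (empty list if it is fine)."""
    problems = []
    m = _AVPAIR.match(value)
    if not m:
        problems.append(f"{value!r}: missing 'protocol:' prefix or 'attr=value' form")
        return problems
    if _EMBEDDED_PAIR.search(m.group("value")):
        problems.append(f"{value!r}: several AV pairs concatenated; put each in its own Cisco-AVPair")
    return problems


def check_reply_items(items: List[Tuple[str, str, str]]) -> List[str]:
    """items are (attribute, operator, value) triples as written in a users entry."""
    problems = []
    avpairs = [(op, val) for attr, op, val in items if attr.lower() == "cisco-avpair"]
    for op, value in avpairs:
        # with more than one Cisco-AVPair, ':=' on any of them replaces the others
        if len(avpairs) > 1 and op == ":=":
            problems.append(f"{value!r}: use '+=' so every Cisco-AVPair is sent")
        problems.extend(check_avpair(value))
    return problems


# Constructed samples: the combined entry from the question, the split entry from the answer.
ORIGINAL = [("cisco-avpair", ":=", "shell:roles*network-admin vdc-admin priv-lvl=15")]
CORRECTED = [("Cisco-AVPair", "+=", "shell:roles=network-admin vdc-admin"),
             ("Cisco-AVPair", "+=", "shell:priv-lvl=15")]

if __name__ == "__main__":
    for name, entry in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, check_reply_items(entry) or "ok")
```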
DHCP question
I am trying to design a system with full redundancy. I know I can use FreeRadius proxy and/or multiple front ends with a MySQL master-master for the data. For IP redundancy I can install heartbeat, so all of that is fine.

My biggest unknown is DHCP. How does the new FreeRadius DHCP server store lease information? Will the design I am creating allow for DHCP failover from one machine to the next?

One design caveat: the DHCP request will be relayed with Option 82 (hence the need for heartbeat). Any issues with Option 82 requests?

David
git question
Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?

David
Re: DHCP question
On 14/02/13 13:13, David Peterson wrote:
> I am trying to design a system with full redundancy. I know I can use FreeRadius proxy and/or multiple front ends with a MySQL master-master for the data. For IP redundancy I can install heartbeat, so all of that is fine.
>
> My biggest unknown is DHCP. How does the new FreeRadius DHCP server store lease information? Will the design I am creating allow for DHCP failover from one machine to the next?

It stores leases however you configure it to. Unlike ISC dhcpd, there's no built-in lease database. The server comes with examples using the sqlippool module.
Re: git question
On 14/02/13 13:26, David Peterson wrote:
> Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?

No. v2.x.x is the branch name now.

    git clone ...
    git checkout v2.x.x
Re: git question
On 02/14/2013 08:26 AM, David Peterson wrote:
> Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?

    $ git branch -r
      origin/HEAD -> origin/master
      origin/master
      origin/v1.1.x
      origin/v2.1.x-apple
      origin/v2.x.x

According to the above there is no v2.1.x branch.

BTW, git remote can be very useful for setting up your .git/config so you don't have to deal with verbose syntax.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: AVP EAP-KEY name support in FR
Srinu Bandari wrote:
> EAP key identifier must be sent as a part of Access-Accept message in EAP Key-Name AVP (Radius Attribute Type 102).

Sure. But it's been hard to find out what is put *into* it. That link has been missing.

> This is what Cisco Documentation states:
>
> The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message.
>
> From 802.1X:
>
> The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to convey the EAP Session-Id
>
> OK. So, we need to send the Session-ID value as EAP Key-Name AVP (Radius Attribute Type 102) as part of the Access-Accept message.

That's not clear to me from the above description. But if it works...

We'll be releasing 2.2.1 shortly. I think this change can go into it.

Alan DeKok.
Re: AVP EAP-KEY name support in FR
On 14/02/13 14:01, Alan DeKok wrote:
> Srinu Bandari wrote:
>> EAP key identifier must be sent as a part of Access-Accept message in EAP Key-Name AVP (Radius Attribute Type 102).
>
> Sure. But it's been hard to find out what is put *into* it. That link has been missing.
>
>> This is what Cisco Documentation states:
>>
>> The switch has no visibility into the details of the EAP session between the supplicant and the authentication server, so it cannot derive the MSK or the CAK directly. Instead, the switch receives the CAK from the authentication server in the Access-Accept message at the end of the IEEE 802.1X authentication. The CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key. Along with the CAK, the authentication server sends an EAP key identifier that is derived from the EAP exchange and is delivered to the authenticator in the EAP Key-Name attribute of the Access-Accept message.
>>
>> From 802.1X:
>>
>> The EAP Session-Id for EAP-TLS is specified in IETF RFC 5216 and IETF RFC 5247 and IETF RFC 4072 define the RADIUS EAP-Key-Name Attribute (Type 102) used to convey the EAP Session-Id
>>
>> OK. So, we need to send the Session-ID value as EAP Key-Name AVP (Radius Attribute Type 102) as part of the Access-Accept message.
>
> That's not clear to me from the above description. But if it works...

Yeah, I got super-confused about all the EAP-Key-Name stuff when I looked a couple of months ago.

Does anyone know if there's known-good test data we can compare against, or a client/application that validates it? Does eapol_test implement/check it?
Re: AVP EAP-KEY name support in FR
Phil Mayers wrote:
> Does anyone know if there's known-good test data we can compare against, or a client/application that validates it? Does eapol_test implement/check it?

It doesn't seem to. If someone has a packet trace from ACS, that should be enough.

Alan DeKok.
Compile error
What might I be missing when I get this error? (Version 2.x.x)

    Making all in rlm_eap_pwd...
    make[9]: Entering directory `/usr/src/freeradius-server/src/modules/rlm_eap/types/rlm_eap_pwd'
    make[9]: *** No rule to make target `rlm_eap_pwd.h', needed by `rlm_eap_pwd.c'.  Stop.
RE: User mapping
Anybody got any idea about the following?

Regards,
Ahmed.

-----Original Message-----
From: Sajid, Ahmed (STFC,RAL,SC)
Sent: 13 February 2013 15:01
To: FreeRadius users mailing list
Subject: RE: User mapping

Hi Alan,

Thanks for the quick reply. So, pam module can't be used. How can I set it up in Radius using rlm_password?

Regards,
Ahmed Sajid.
Re: User mapping
ahmed.sa...@stfc.ac.uk wrote:
> Anybody got any idea about the following?

Read the rlm_passwd documentation. It seems you haven't done that.

Alan DeKok.
Re: Compile error
Hi,

> What might I be missing when I get this error? (Version 2.x.x)
>
>     Making all in rlm_eap_pwd...
>     make[9]: Entering directory `/usr/src/freeradius-server/src/modules/rlm_eap/types/rlm_eap_pwd'
>     make[9]: *** No rule to make target `rlm_eap_pwd.h', needed by `rlm_eap_pwd.c'.  Stop.

likely to be an old version of OpenSSL without required ECC support etc - so the build process doesn't pick this up properly...and thus this new module fails to have the right bits

just remove that /usr/src/freeradius-server/src/modules/rlm_eap/types/rlm_eap_pwd directory (are you using EAP_PWD ?)

alan
Re: Compile error
David Peterson wrote:
> What might I be missing when I get this error? (Version 2.x.x)
>
>     Making all in rlm_eap_pwd...
>     make[9]: Entering directory `/usr/src/freeradius-server/src/modules/rlm_eap/types/rlm_eap_pwd'
>     make[9]: *** No rule to make target `rlm_eap_pwd.h', needed by `rlm_eap_pwd.c'.  Stop.

Hmm... Version 2.x doesn't have the EAP-PWD module. It looks like your source tree is screwed up somehow. I'd suggest just deleting the rlm_eap_pwd directory.

Alan DeKok.
RE: Compile error
It looks like it was my flawed git skills hard at work. So now I am fighting libtool. What is the best method for a successful compile and install for Ubuntu where the libtool gets in your way?

I am stuck here if I use the --with-system-libtool option:

    .libs/modules.o: In function `setup_modules':
    /usr/src/freeradius-server/src/main/modules.c:1412: undefined reference to `lt_preloaded_symbols'

David

-----Original Message-----
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Thursday, February 14, 2013 11:38 AM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: Re: Compile error

David Peterson wrote:
> What might I be missing when I get this error? (Version 2.x.x)
>
>     Making all in rlm_eap_pwd...
>     make[9]: Entering directory `/usr/src/freeradius-server/src/modules/rlm_eap/types/rlm_eap_pwd'
>     make[9]: *** No rule to make target `rlm_eap_pwd.h', needed by `rlm_eap_pwd.c'.  Stop.

Hmm... Version 2.x doesn't have the EAP-PWD module. It looks like your source tree is screwed up somehow. I'd suggest just deleting the rlm_eap_pwd directory.

Alan DeKok.
Re: AVP EAP-KEY name support in FR
Srinu Bandari wrote:
> EAP key identifier must be sent as a part of Access-Accept message in EAP Key-Name AVP (Radius Attribute Type 102).

OK. Please try the v2.x.x branch from git. Read raddb/sites-available/default. Look for EAP-Key-Name.

The key is generated by default. For security reasons, it's not put into the reply. You need to do that step manually. That requires a 3-line addition to the post-auth section.

Let me know if it works. If so, it's a nice feature to have.

Alan DeKok.
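An added example (not code from the thread or from FreeRADIUS) of what actually goes into the attribute the thread is about: it derives the EAP-TLS Session-Id that RFC 5216 defines as 0x0D followed by the TLS client and server randoms, wraps it in a RADIUS EAP-Key-Name attribute (Type 102, RFC 4072) and reads it back out of an Access-Accept attribute list. The client and server randoms are constructed stand-ins for real handshake values.

```python
"""
Build the RADIUS EAP-Key-Name attribute (Type 102, RFC 4072) carrying the
EAP Session-Id of an EAP-TLS session (RFC 5216 section 2.3), and parse it
back out of a packed Access-Accept attribute list.
"""
import struct
from typing import List, Optional, Tuple

EAP_TYPE_TLS = 0x0D          # EAP method type number of EAP-TLS
ATTR_EAP_KEY_NAME = 102      # RADIUS attribute type, RFC 4072 section 3
RADIUS_MAX_VALUE = 253       # largest value that fits one RADIUS attribute


def eap_tls_session_id(client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5216: Session-Id = 0x0D || client.random || server.random (65 bytes)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms must be 32 bytes each")
    return bytes([EAP_TYPE_TLS]) + client_random + server_random


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Standard RADIUS TLV: one byte type, one byte length (header included), value."""
    if len(value) > RADIUS_MAX_VALUE:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a packed attribute list; reject truncated or malformed headers."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def eap_key_name_from_reply(attrs: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Return the EAP-Key-Name value from a decoded Access-Accept, or None if absent."""
    for attr_type, value in attrs:
        if attr_type == ATTR_EAP_KEY_NAME:
            return value
    return None


# Constructed sample: fixed byte patterns stand in for the real TLS handshake randoms.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
SESSION_ID = eap_tls_session_id(CLIENT_RANDOM, SERVER_RANDOM)
REPLY = encode_attribute(ATTR_EAP_KEY_NAME, SESSION_ID)   # 67 bytes on the wire
```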
RE: Compile error
It compiles properly but when I run the daemon it can't find the freeradius libs. I get this at the end of compile:

    PATH=$PATH:/sbin ldconfig -n /usr/local/lib
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/local/lib

    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'

    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.

David

-----Original Message-----
From: freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Thursday, February 14, 2013 12:06 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Compile error

On 14/02/13 16:57, David Peterson wrote:
> It looks like it was my flawed git skills hard at work. So now I am fighting libtool. What is the best method for a successful compile and install for Ubuntu where the libtool gets in your way?

Take off and nuke the entire site from orbit. It's the only way to be sure.

[Bloody libtool...]

Why are you using --with-system-libtool? What happens if you just:

    ./configure
    make
    make install

?
Failed to load wimax module freeradius 2.1.12
Hi,

I hope someone can point me in the right direction here. I am trying to build FR version 2.1.12 with the option --with-experimental-modules on Debian Linux Squeeze 2.6.32-5-amd64 because I need to build support for Wimax stuff.

However I get the following compiling error(s):

===
checking openssl/hmac.h usability... no
checking openssl/hmac.h presence... no
checking for openssl/hmac.h... no
configure: WARNING: silently not building rlm_wimax.
configure: WARNING: FAILURE: rlm_wimax requires: openssl/hmac.h.
configure: creating ./config.status
config.status: creating Makefile
===

and then when I launch FR, this is what I get:

===
/usr/local/etc/raddb/modules/wimax[92]: Failed to link to module 'rlm_wimax': rlm_wimax.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/default[122]: Failed to load module wimax.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
===

I am trying to build the FreeRadius package version 2.1.12 from sources from the official tarball from freeradius.org. I know I am missing something but I have looked almost everywhere and cannot get a proper clue to this.

Regards,
RE: Compile error
That might be your /etc/ld.so.conf - see the man pages for ld.so and check /usr/local/lib is there or in rpath (ldd radiusd).

Alternatively ./configure --prefix /usr

David Peterson dav...@wirelessconnections.net wrote:
> It compiles properly but when I run the daemon it can't find the freeradius libs.

--
Sent from my mobile device, please excuse brevity and typos.
Re: Compile error
Hi,

> It compiles properly but when I run the daemon it can't find the freeradius libs. I get this at the end of compile:
>
>     PATH=$PATH:/sbin ldconfig -n /usr/local/lib
>     ----------------------------------------------------------------------
>     Libraries have been installed in:
>        /usr/local/lib

as Phil says, check the LD path is known in eg /etc/ld.so.conf

you might also want to run 'ldconfig -v' to verify that the libraries have been picked up and are seen/known

alan
Re: Failed to load wimax module freeradius 2.1.12
Hi,

> I hope someone can point me in the right direction here. I am trying to build FR version 2.1.12 with the option --with-experimental-modules on Debian Linux Squeeze 2.6.32-5-amd64 because I need to build support for Wimax stuff.
>
> However I get the following compiling error(s):
>
>     checking openssl/hmac.h usability... no
>     checking openssl/hmac.h presence... no
>     checking for openssl/hmac.h... no
>     configure: WARNING: silently not building rlm_wimax.
>     configure: WARNING: FAILURE: rlm_wimax requires: openssl/hmac.h.
>     configure: creating ./config.status
>     config.status: creating Makefile

you don't have the required headers present to build the code. check you have the openssl devel package installed - libssl-dev IIRC

alan
Re: EAP TLS client
Hi,

> I have configured freeradius to entertain EAP-TLS requests. And i am using the freeradius certificate (shipped with software). I got stuck at the end, now i don't know how to send an EAP-TLS request to the server. I read man radeapclient, but it only supports md5. Could you please tell me how i could send a request to the server using the EAP-TLS authentication method.

Either by using a real EAP supplicant (Windows machine, Mac OS, ...) or for a command-line test use eapol_test, which is part of wpa_supplicant.

Stefan

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473