Re: eap testing

2013-02-20 Thread A . L . M . Buxey
Hi,

> requests to two backend servers. In 'proxy.conf' I have configured
> 'type=client-balance' so that it can work with EAP.

client-port-balance

> Now I want to do load testing of this configuration with EAP-TLS.
> So with this configuration I need to have a lot of NAS, with different
> IPs. But I only have 2.

the NAS should be sending their requests using different ports and this
other balance method will be fine

> Could anyone please help me in this situation? Could you please suggest
> a tool or a guideline to achieve my goal?

up until now, we are not sure what your goal really is - you seem to be doing
a lot of testing but with no real requirements or case.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > requests to two backend servers. In 'proxy.conf' I have configured
> > 'type=client-balance' so that it can work with EAP.
>
> client-port-balance
>
> > Now I want to do load testing of this configuration with EAP-TLS.
> > So with this configuration I need to have a lot of NAS, with different
> > IPs. But I only have 2.
>
> the NAS should be sending their requests using different ports and this
> other balance method will be fine
>
> > Could anyone please help me in this situation? Could you please suggest
> > a tool or a guideline to achieve my goal?
>
> up until now, we are not sure what your goal really is - you seem to be
> doing a lot of testing but with no real requirements or case.
>
> alan



Thanks A.L.M for your answer.
My primary goal is to configure a fast system to authenticate EAP-TLS
requests. For this purpose I used a proxy (to distribute requests to
different FreeRADIUS servers). Now I just want to confirm the
NumberOfRequests/second handled by my system.

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


freeradius-proxy with Rlm_cache

2013-02-20 Thread Dominique Frise

Hi,

We would like to configure a freeradius proxy-server v. 2.2.0 under
RHEL6 with user caching.


The scenario we would like to achieve is the following:

1. client sends username/OTP to freeradius-proxy, which relays it to the central
radius server.
The central radius server accepts and replies to freeradius-proxy, which
relays to the client.


2. client sends the same username/OTP within the TTL to freeradius-proxy, which
accepts and replies to the client.


This should be possible using the rlm_cache module but we did not find a
proper how-to for configuring this.


Any help much appreciated.

Dominique


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > requests to two backend servers. In 'proxy.conf' I have configured
> > 'type=client-balance' so that it can work with EAP.
>
> client-port-balance
>
> > Now I want to do load testing of this configuration with EAP-TLS.
> > So with this configuration I need to have a lot of NAS, with different
> > IPs. But I only have 2.
>
> the NAS should be sending their requests using different ports and this
> other balance method will be fine
>
> > Could anyone please help me in this situation? Could you please suggest
> > a tool or a guideline to achieve my goal?
>
> up until now, we are not sure what your goal really is - you seem to be
> doing a lot of testing but with no real requirements or case.
>
> alan

And A.L.M, I have used type=client-port-balance but it did not make
any difference from the previous one (type=client-balance). What could be the
issue?


-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


Re: eap testing

2013-02-20 Thread A . L . M . Buxey
Hi,

> My primary goal is to configure a fast system to authenticate EAP-TLS
> requests. For this purpose I used a proxy (to distribute requests to
> different FreeRADIUS servers). Now I just want to confirm the
> NumberOfRequests/second handled by my system.

what is fast? (I can make a RADIUS server faster by chucking more CPU power at
it.. 8 core Xeon instead of a core duo II etc.) - what are your actual
requirements? ie what number of concurrent client connections/authentications
are you looking for, what EAP methods (each method has its own
quirks/requirements/number of packets)? have you looked at crypto offloading
technology to take CPU load down as part of this requirement? what AAA policy
are you going to have for EAP-TLS - CRL? dynamic checking? (each has their own
load/impact)

do you need this proxy? Can your kit be configured to just talk directly to a
few back end RADIUS servers? what is the purpose of this proxy?

alan


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > My primary goal is to configure a fast system to authenticate EAP-TLS
> > requests. For this purpose I used a proxy (to distribute requests to
> > different FreeRADIUS servers). Now I just want to confirm the
> > NumberOfRequests/second handled by my system.
>
> what is fast? (I can make a RADIUS server faster by chucking more CPU power
> at it.. 8 core Xeon instead of a core duo II etc.) - what are your actual
> requirements? ie what number of concurrent client connections/authentications
> are you looking for, what EAP methods (each method has its own
> quirks/requirements/number of packets)? have you looked at crypto offloading
> technology to take CPU load down as part of this requirement? what AAA policy
> are you going to have for EAP-TLS - CRL? dynamic checking? (each has their
> own load/impact)
>
> do you need this proxy? Can your kit be configured to just talk directly to
> a few back end RADIUS servers? what is the purpose of this proxy?
>
> alan

> ie what number of concurrent client connections/authentications are you
> looking for,
about 250/sec
> what EAP methods (each method has its own quirks/requirements/number of
> packets)
EAP-TLS
> what is the purpose of this proxy?
Basic purpose is 'load-balancing' on a cluster of FreeRADIUS servers.

I am not using any 3rd party load balancing tool (like Virtual Linux
server etc).


-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


Re: eap testing

2013-02-20 Thread A . L . M . Buxey
Hi,

> Basic purpose is 'load-balancing' on a cluster of FreeRADIUS servers.

why? do you need to load-balance in this manner? can your clients
not do any load balancing? the FR balance code works as you say, if you only
have 2 NAS then you only get 50/50 - with more it will spread.

apart from some academic research/course assignment I am still wondering
why you are putting this into place.

alan
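The pool behaviour alan describes (client-balance keyed on the NAS source address, so two NAS can only ever split 50/50; client-port-balance keyed on address plus port, which spreads further only if the NAS varies its source port; and why per-packet balancing is unsafe for a multi-round-trip EAP-TLS exchange), as an added Python model. It is not FreeRADIUS code: the SHA-256 bucketing, the server names and the traffic are constructed stand-ins for the server's real hashing.

```python
"""Model of the home_server_pool balancing types discussed in the thread.

Added example, not FreeRADIUS code: SHA-256 bucketing of the source
address is a stand-in for whatever the server actually hashes; the point
is the behaviour of each pool type, not the exact bucket mapping.
"""
import hashlib
from collections import Counter

# Constructed backend names; any number of home servers works.
SERVERS = ["fr-backend-1", "fr-backend-2", "fr-backend-3", "fr-backend-4"]


def _bucket(key: str, n: int) -> int:
    """Deterministic hash of key into n buckets (stand-in for the real hash)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def pick_server(pool_type: str, src_ip: str, src_port: int, seq: int,
                servers=SERVERS) -> str:
    """Choose the home server for one packet according to the pool type.

    round-robin        : next server for every packet (no client affinity)
    client-balance     : hash of the NAS source IP only
    client-port-balance: hash of NAS source IP and UDP source port
    """
    n = len(servers)
    if pool_type == "round-robin":
        return servers[seq % n]
    if pool_type == "client-balance":
        return servers[_bucket(src_ip, n)]
    if pool_type == "client-port-balance":
        return servers[_bucket(f"{src_ip}:{src_port}", n)]
    raise ValueError(f"unknown pool type {pool_type!r}")


def distribution(pool_type: str, packets, servers=SERVERS) -> Counter:
    """Count how many packets each home server receives.
    packets: iterable of (src_ip, src_port) tuples."""
    counts = Counter()
    for seq, (ip, port) in enumerate(packets):
        counts[pick_server(pool_type, ip, port, seq, servers)] += 1
    return counts


def eap_conversation_stays_on_one_server(pool_type: str, src_ip: str,
                                         src_port: int, rounds: int = 8,
                                         servers=SERVERS) -> bool:
    """An EAP-TLS exchange is several Access-Request/Access-Challenge round
    trips carrying one TLS handshake. The home server holds the handshake
    state, so every packet of the conversation must reach the same server;
    a pool type that fails this check cannot be used in front of EAP."""
    chosen = {pick_server(pool_type, src_ip, src_port, seq, servers)
              for seq in range(rounds)}
    return len(chosen) == 1


# Constructed traffic: two NAS, each sending from many different source ports.
# A NAS that always uses one source port makes client-port-balance behave
# exactly like client-balance, which is alan's point about "different ports".
TWO_NAS_TRAFFIC = ([("192.0.2.10", 1024 + i) for i in range(100)]
                   + [("192.0.2.11", 1024 + i) for i in range(100)])


if __name__ == "__main__":
    for pool_type in ("round-robin", "client-balance", "client-port-balance"):
        d = distribution(pool_type, TWO_NAS_TRAFFIC)
        safe = eap_conversation_stays_on_one_server(pool_type, "192.0.2.10", 2048)
        print(f"{pool_type:20s} servers used={len(d)} "
              f"spread={dict(d)} eap-safe={safe}")
```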


unsubscribe

2013-02-20 Thread Andrew Long
unsubscribe


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > Basic purpose is 'load-balancing' on a cluster of FreeRADIUS servers.
>
> why? do you need to load-balance in this manner? can your clients
> not do any load balancing? the FR balance code works as you say, if you
> only have 2 NAS then you only get 50/50 - with more it will spread.
>
> apart from some academic research/course assignment I am still wondering
> why you are putting this into place.
>
> alan

Thanks alan
> why? do you need to load-balance in this manner?
Is there any other way to do this? Suppose I have hundreds of NAS;
how can their requests be sent in parallel to different FR? Does FR
support such a mechanism without using REALM and PROXY?
If yes, what is it?

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


Re: eap testing

2013-02-20 Thread A . L . M . Buxey
Hi,

> Is there any other way to do this? Suppose I have hundreds of NAS;
> how can their requests be sent in parallel to different FR? Does FR
> support such a mechanism without using REALM and PROXY?
> If yes, what is it?

1) why would you want to send a request from a NAS in parallel to different
servers? that is just asking for major problems

2) what NAS kit are you dealing with? Can this kit not do its own load-balancing?

3) are you simply balancing realm targets? - why just one proxy anyway? that
would be single point failure and bottleneck. have multiple proxies

alan


Re: unsubscribe

2013-02-20 Thread Jon Spriggs
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

(But the essence of it is, to unsubscribe, go here:
http://lists.freeradius.org/mailman/listinfo/freeradius-users)

--
Jon The Nice Guy Spriggs


On 20 February 2013 10:29, Andrew Long furs...@gmail.com wrote:

> unsubscribe


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > Is there any other way to do this? Suppose I have hundreds of NAS;
> > how can their requests be sent in parallel to different FR? Does FR
> > support such a mechanism without using REALM and PROXY?
> > If yes, what is it?
>
> 1) why would you want to send a request from a NAS in parallel to different
> servers? that is just asking for major problems
>
> 2) what NAS kit are you dealing with? Can this kit not do its own
> load-balancing?
>
> 3) are you simply balancing realm targets? - why just one proxy anyway? that
> would be single point failure and bottleneck. have multiple proxies
>
> alan

Thanks alan, now we are aligned :)
> 1) why would you want to send a request from a NAS in parallel to different
> servers? that is just asking for major problems
I don't want to do this. I just want the requests from the NAS (there
are thousands of NAS, which send requests for AAA to FR) to be
distributed among many backend FreeRADIUS servers.

> 2) what NAS kit are you dealing with? Can this kit not do its own
> load-balancing?

No, it did not.

> 3) are you simply balancing realm targets? - why just one proxy anyway? that
> would be single point failure and bottleneck. have multiple proxies

Yes, this was in my mind, so further research clarified for me that a NAS
can have some backup server IPs (it may have multiple backup IPs that can
be used if a proxy server goes down). So I can configure multiple
proxy servers, which are load balancing among the same FreeRADIUS servers.
Hopefully you understand the scenario. Thanks

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


Re: eap testing

2013-02-20 Thread A . L . M . Buxey
Hi,

> be used if a proxy server goes down). So I can configure multiple
> proxy servers, which are load balancing among the same FreeRADIUS servers.
> Hopefully you understand the scenario. Thanks

okay. so back to the other questions - how many clients and what sort of 
auths/sec speed are you looking for?  you can run a whole campus infrastructure
from one single RADIUS server on 3yr old hardware with over 10k concurrent users
- depending on AAA requirements and policy.

the same server can choke if the backend uses some single threaded table locking
junk like MySQL  ;-)

alan


Re: eap testing

2013-02-20 Thread Muhammad Nadeem
On 2/20/13, a.l.m.bu...@lboro.ac.uk a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > be used if a proxy server goes down). So I can configure multiple
> > proxy servers, which are load balancing among the same FreeRADIUS servers.
> > Hopefully you understand the scenario. Thanks
>
> okay. so back to the other questions - how many clients and what sort of
> auths/sec speed are you looking for? you can run a whole campus
> infrastructure from one single RADIUS server on 3yr old hardware with over
> 10k concurrent users - depending on AAA requirements and policy.
>
> the same server can choke if the backend uses some single threaded table
> locking junk like MySQL ;-)
>
> alan

Thanks alan
> how many clients and what sort of auths/sec speed are you looking for?
EAP-TLS and about 250 requests/second, and clients can be up to 0.5
million to 1.5 million (it's just not a campus project, this could be
used for commercial purposes, but I am not quite sure whether it will
be or not ;( )
> the same server can choke if the backend uses some single threaded table
> locking
Don't worry about this, I have a clustered, high speed and indexed
database as backend database.
-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University


RADIUS-Proxy before MAC Auth

2013-02-20 Thread Oliver Warda
Hello everybody,

I'm using FR 2.1.12 on CentOS 6.3.
802.1X and MAC Auth as described in the wiki are working fine.
Authentication is done locally.

Now I have the demand to implement RADIUS Proxy also.
As I understand it, MAC Auth is done before RADIUS Proxy.
But I do not want to administer about 5,000 RADIUS Proxy clients in my
authorized_macs file (RADIUS Proxy is using 802.1X only).

Is there a way to proxy requests based on realms before checking the MAC
address?
In my testing I couldn't realize RADIUS Proxy without keeping the MAC in the
authorized_macs file.

I appreciate your help.
Thank you in advance.

Kind regards
Oliver Warda

Universitätsklinikum Tübingen
Geschäftsbereich Informationstechnologie
Geissweg 11
72076 Tübingen

Phone: +49 (0)7071 29 85604
E-mail: oliver.wa...@med.uni-tuebingen.de

Re: Radius server failed to respond

2013-02-20 Thread A . L . M . Buxey
Hi,

> pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -562132672.
> pam_radius_auth: RADIUS server 127.0.0.1 failled to respond
> pam_radius_auth: All RADIUS servers failed to respond.

is the RADIUS server actually running when you are trying this?  what does
/etc/pam_radius_auth.conf (or wherever the config lives) look like?

alan


RE: Radius server failed to respond

2013-02-20 Thread ahmed.sajid
Do you mean the server file?

It's /etc/raddb/server

127.0.0.1   testing123  3

I run the server in debugging mode using -X.

Regards,
Ahmed.
 

-Original Message-
From: freeradius-users-bounces+ahmed.sajid=stfc.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+ahmed.sajid=stfc.ac...@lists.freeradius.org] 
On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: 20 February 2013 12:01
To: FreeRadius users mailing list
Subject: Re: Radius server failed to respond

Hi,

pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -562132672.
pam_radius_auth: RADIUS server 127.0.0.1 failled to respond
pam_radius_auth: All RADIUS servers failed to respond.

is the RADIUS server actually running when you are trying this?  what does 
/etc/pam_radius_auth.conf (or wherever the config lives) look like?

alan
-- 
Scanned by iCritical.


Radius server failed to respond

2013-02-20 Thread ahmed.sajid
Hi,

I can authenticate using Kerberos, by running radius in debugging mode. I can
see that I get an Access-Accept packet but SSH doesn't get logged in.

I get following in /var/log/messages

pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -562132672.
pam_radius_auth: RADIUS server 127.0.0.1 failled to respond
pam_radius_auth: All RADIUS servers failed to respond.

The file /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_radius_auth.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth


It seems to work fine but every now and then it just breaks.

Regards,
Ahmed.


Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Phil Mayers

On 20/02/13 08:38, Dominique Frise wrote:

> Hi,
>
> We would like to configure a freeradius proxy-server v. 2.2.0 under
> RHEL6 with user caching.
>
> The scenario we would like to achieve is the following:
>
> 1. client sends username/OTP to freeradius-proxy, which relays it to the central
> radius server.
> The central radius server accepts and replies to freeradius-proxy, which
> relays to the client.
>
> 2. client sends the same username/OTP within the TTL to freeradius-proxy, which
> accepts and replies to the client.
>
> This should be possible using the rlm_cache module but we did not find a
> proper how-to for configuring this.


Can you show a debug (radiusd -X) of an auth request? This will make 
it more obvious what attributes you need to have as key/value.


Also, this will probably only work if your OTP is simple PAP-like i.e. 
request/accept. It probably won't work if Access-Challenge or any 
challenge/response is involved.


But, for example, if your request looked like this:

User-Name = foo
User-Password = bar
OTP-Password = 123456

...then you'd want an rlm_cache config like this:

cache otpcache {
  # note - we need to escape the key values
  # otherwise the client can perform injection/overlap
  # attacks by modifying their username
  key = "%{urlquote:%{User-Name}}/%{urlquote:%{User-Password}}/%{urlquote:%{OTP-Password}}"

  ttl = 60
}

...and then:

authorize {
  # first, just check the cache, don't
  # create entries or set reply attrs
  update control {
    Cache-Status-Only = yes
  }
  otpcache

  # future cache lookups here, and in post-auth,
  # should be normal ones
  update control {
    Cache-Status-Only !* ANY
  }

  if (ok) {
    # entry found in cache; set auth type to accept
    # and call cache again to get reply attrs
    update control {
      Auth-Type := Accept
    }
    otpcache
    ok
  }

  ...
}
post-auth {
  # first, delete any existing cache entries
  update control {
    Cache-TTL = 0
  }
  otpcache

  # clear that variable
  update control {
    Cache-TTL !* ANY
  }

  # now cache the reply
  otpcache
}

It's a bit awkward TBH; I kind of wish modules could have named 
methods e.g. cache.{check,get,set,expire} but you can wrap it all in 
a policy.conf if you want readability.

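Phil's escaping note and his check-then-store flow, as an added Python model that is not FreeRADIUS code: urllib.parse.quote stands in for %{urlquote:...}, the key uses the two fields (User-Name, User-Password) from his later reply in this thread, and the OtpCache class, the home_server callable and the reply attributes are assumptions constructed for the demonstration.

```python
"""Why rlm_cache keys must escape their parts, and how the status-only
lookup / delete-then-store recipe behaves over a TTL.

Added example, not FreeRADIUS code. quote() models %{urlquote:...};
the cache, clock and home-server callable are constructed stand-ins.
"""
import time
from urllib.parse import quote


def naive_key(user: str, password: str) -> str:
    """Unescaped join: a '/' supplied by the client inside one field is
    indistinguishable from the separator, so two different credential
    pairs can map to the same cache entry."""
    return f"{user}/{password}"


def escaped_key(user: str, password: str) -> str:
    """Each field is percent-encoded first (models %{urlquote:...}), so a
    '/' inside a field becomes %2F and can never collide with the separator."""
    return f"{quote(user, safe='')}/{quote(password, safe='')}"


class OtpCache:
    """Model of the recipe: status-only lookup in authorize, delete-then-store
    in post-auth, entries expiring after ttl seconds. The clock is injectable
    so a test can age entries without sleeping."""

    def __init__(self, ttl, keyfunc=escaped_key, clock=time.monotonic):
        self.ttl = ttl
        self.keyfunc = keyfunc
        self.clock = clock
        self._entries = {}  # key -> (expires_at, reply attributes)

    def check(self, user, password):
        """Cache-Status-Only = yes: return the cached reply on a live hit,
        never create an entry on a miss. None means no usable entry."""
        key = self.keyfunc(user, password)
        hit = self._entries.get(key)
        if hit is None:
            return None
        expires_at, reply = hit
        if self.clock() >= expires_at:
            del self._entries[key]  # TTL elapsed: treat as a miss
            return None
        return dict(reply)

    def store(self, user, password, reply):
        """post-auth: Cache-TTL = 0 removes any stale entry, then the
        Access-Accept attributes are cached under a fresh TTL."""
        key = self.keyfunc(user, password)
        self._entries.pop(key, None)
        self._entries[key] = (self.clock() + self.ttl, dict(reply))


def authorize(cache, user, password, home_server):
    """Proxy decision for one Access-Request. home_server is a callable that
    stands in for the central RADIUS server: it returns reply attributes on
    Access-Accept or None on Access-Reject. Returns (reply, served_from_cache)."""
    cached = cache.check(user, password)
    if cached is not None:
        return cached, True                  # Auth-Type := Accept, nothing proxied
    reply = home_server(user, password)
    if reply is not None:
        cache.store(user, password, reply)   # only accepted credentials are cached
    return reply, False


def collision_demo():
    """The overlap Phil warns about: with naive keys ('alice', 'p/w') and
    ('alice/p', 'w') share one entry, so the second pair is accepted from
    cache although it was never accepted by the home server; with escaped
    keys it misses. Returns (naive_hit, escaped_hit)."""
    accept = {"Idle-Timeout": 1800}  # constructed reply attributes
    naive = OtpCache(ttl=60, keyfunc=naive_key)
    naive.store("alice", "p/w", accept)
    escaped = OtpCache(ttl=60, keyfunc=escaped_key)
    escaped.store("alice", "p/w", accept)
    return (naive.check("alice/p", "w") is not None,
            escaped.check("alice/p", "w") is not None)


if __name__ == "__main__":
    naive_hit, escaped_hit = collision_demo()
    print("naive key collides:", naive_hit, "| escaped key collides:", escaped_hit)
```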


Re: Radius server failed to respond

2013-02-20 Thread Phil Mayers

On 20/02/13 11:53, ahmed.sa...@stfc.ac.uk wrote:

> Hi,
>
> I can authenticate using Kerberos, by running radius in debugging mode.
> I can see that I get an Access-Accept packet but SSH doesn't get logged in.
>
> I get following in /var/log/messages
>
> pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -562132672.


You have underlying problems with NSS, which means get*() libc calls are 
sporadically failing.


This is not a RADIUS problem; ensure your system can reliably make 
name/service resolution calls. If you are using nss_ldap, perhaps ensure 
it's not enabled for services; there's no value in doing these over 
the network.



RE: Radius server failed to respond

2013-02-20 Thread ahmed.sajid
Hi Phil,

That could be the problem.

I am using LDAP to get user information. getent passwd works okay every time.
I have the system set up to use LDAP for accounting. Do I have to set it up in
FreeRadius as well? Or shall I do either or?

Regards,
Ahmed.


Re: RADIUS-Proxy before MAC Auth

2013-02-20 Thread Alan DeKok
Oliver Warda wrote:
> Now, I have the demand to implement RADIUS Proxy also.
> As I understand it, MAC Auth is done before RADIUS Proxy.

  Yes.

> But I do not want to administer about 5,000 RADIUS Proxy clients in my
> authorized_macs file (RADIUS Proxy is using 802.1X only).
>
> Is there a way to proxy requests based on realms before checking the MAC
> address?

  Yes.  You can check if the User-Name contains an @ character.  If
so, proxy.  For example:

if (User-Name =~ /@/) {
    suffix
    if (updated) {
        handled
    }
}

mac-checks...

  That should stop processing the request as soon as it's marked to be
proxied.

  Alan DeKok.


Re: Radius server failed to respond

2013-02-20 Thread A . L . M . Buxey
Hi,

> I run the server in debugging mode using -X.

that's good. keep it to yourself, that'll help.

alan


Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Dominique Frise

Hi Phil,

Below is a debug output:

==
rad_recv: Access-Request packet from host 127.0.0.1 port 11148, id=74, length=94

User-Name = dfrise
User-Password = 276988
NAS-IP-Address = 13.22.27.94
NAS-Identifier = sshd
NAS-Port = 10123
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = ci-1-6.unil.ch
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dfrise, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = dfrise
[suffix] Adding Realm = NULL
[suffix] Proxying request from user dfrise to realm NULL
[suffix] Preparing to proxy authentication request to realm NULL
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
# Executing section pre-proxy from file /etc/raddb/sites-enabled/default
+- entering group pre-proxy {...}
[cache] expand: %{User-Name} -> dfrise
[cache] expand: I'm the cached reply from %t -> I'm the cached reply from Wed Feb 20 08:28:43 2013
[cache] expand: 0x010203 -> 0x010203
rlm_cache: Adding entry for dfrise, with TTL of 10
++[cache] returns updated
Sending Access-Request of id 24 to 13.22.27.198 port 1812
User-Name = dfrise
User-Password = 276988
NAS-IP-Address = 13.22.27.94
NAS-Identifier = sshd
NAS-Port = 10123
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = ci-1-6.unil.ch
Proxy-State = 0x3734
Proxying request 0 to home server 13.22.27.198 port 1812
Sending Access-Request of id 24 to 13.22.27.198 port 1812
User-Name = dfrise
User-Password = 276988
NAS-IP-Address = 13.22.27.94
NAS-Identifier = sshd
NAS-Port = 10123
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = ci-1-6.unil.ch
Proxy-State = 0x3734
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 13.22.27.198 port 1812, id=24, length=30

Idle-Timeout = 1800
Proxy-State = 0x3734
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
[cache] expand: %{User-Name} -> dfrise
rlm_cache: Found entry for dfrise
++[cache] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
[cache] expand: %{User-Name} -> dfrise
rlm_cache: Found entry for dfrise
++[cache] returns ok
Sending Access-Accept of id 74 to 127.0.0.1 port 11148
Reply-Message += I'm the cached reply from Wed Feb 20 08:28:43 2013
Idle-Timeout = 1800
Reply-Message += I'm the cached reply from Wed Feb 20 08:28:43 2013

Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 22765, id=125, length=94

User-Name = dfrise
User-Password = 276988
NAS-IP-Address = 13.22.27.94
NAS-Identifier = sshd
NAS-Port = 21740
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = ci-1-6.unil.ch
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = dfrise, looking up realm NULL
[suffix] Found realm NULL
[suffix] Adding Stripped-User-Name = dfrise
[suffix] Adding Realm = NULL
[suffix] Proxying request from user dfrise to realm NULL
[suffix] Preparing to proxy authentication request to realm NULL
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
# Executing section pre-proxy from file /etc/raddb/sites-enabled/default
+- entering group pre-proxy {...}
[cache] expand: %{User-Name} -> dfrise
rlm_cache: Found entry for dfrise
++[cache] returns ok
Sending Access-Request of id 105 to 13.22.27.198 port 1812
User-Name = dfrise
User-Password = 276988
NAS-IP-Address = 13.22.27.94
NAS-Identifier = sshd
NAS-Port = 21740
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = ci-1-6.unil.ch
Proxy-State = 0x313235
Proxying request 1 to home server 13.22.27.198 port 1812
Sending Access-Request of id 105 to 13.22.27.198 

Re: AVP EAP-KEY name support in FR

2013-02-20 Thread Alan DeKok
Srinu Bandari wrote:
> Alan,
>
> We had tried with latest build, now it sends Access-Challenge and there is a
> segmentation fault.
>
> Please find debug log for the latest ones as below.

  Whoops.  Please do a git pull.  It should work now.

  Alan DeKok.


Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius

Quoting a.l.m.bu...@lboro.ac.uk:


> SSL certs can be in various formats. Ones that are 'usable'
> depends on the underlying code, but the useful types are
> usually PEM, DER (also known as CER) and P12these are
> all active certs. CSR is a certificate signing request file
> and isn't a valid cert for client use. ... On OSX you need
> to ensure you have the CA installed - and TRUSTED!


Thanks, Alan. That straightened some things out for me.

Eventually, though, it turned out that the most important issue was  
with OS X 10.7 (Lion). With this particular version of Apple's OS, the  
facility for adding enterprise network configurations is not as  
flexible as it once was. Now, if something different is required, a  
special (free) tool must first be obtained -- the iPhone Configuration  
Utility -- with which to create an XML profile that can then be  
applied. Not exactly what I was expecting, but that's the way it is.  
For anyone who might be interested, here's the set of instructions  
that I used:




If your school uses TTLS with PAP (LDAP backend) then yah, the auto  
connection with ethernet will not help you. That is because the  
default EAP type that is supported is TTLS MSCHAPv2 (which is a bit  
more secure than PAP --ya ya, I know it is not foolproof).


Anyway, all is not lost.

You have three choices on how to get an 802.1X profile that supports  
TTLS with PAP onto your Mac.

1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch

Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1.

Please put on your learning hat now

**Please note this example is for a wired OR wireless 802.1X  
connection that requires TTLS and PAP for Lion clients**


1. Download and install the iPCU: http://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is installed in Applications - Utilities)
3. In the right hand side click on Configuration Profiles.
4. Click on New. (upper left)
5. You will see a new profile with a bunch of payloads (general,  
passcode, restrictions, etc). Don't worry you do not need to fill most  
of these out.
6. Click on General and fill out a Profile Name, Identifier (they can  
be anything) the rest of the fields you can leave blank. I used spam  
and spam.
7. Now click on WiFi. Don't be scared here. Lion can use WiFi profiles  
for Ethernet (it will just ignore the SSID field). Click configure.
7a. For SSID ..If your school has a wireless network that uses TTLS  
with PAP, fill in the SSID name (wireless network name) that your  
school uses. If your school does not use wireless, then just use a  
label (e.g. spam).
7b. Ignore the hidden network field (unless of course your school uses  
a hidden SSID and you want to use wireless for this connection).
7c. Security Type ..Again if this is for Ethernet, just use WPA/WPA2  
Enterprise. If this profile is going to be used for WiFi, then you  
need to find out what type of security your school uses. Most likely  
it will be WPA/WPA2 Enterprise (I hope).
7d. Once you choose WPA/WPA2 Enterprise you will see more options  
appear. Choose TTLS.

7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled  
out), one for Authentication and one for Trust. You can ignore trust  
unless you have the certificate from the radius server already loaded  
on your client. Don't worry if you do not have the cert, the Mac will  
load it (with your permission) during the first authentication. Ignore  
the Authentication tab for now.

9. Now look at the top left of the tool and choose Export
9a. for Security, just choose none (don't worry about signing it)
9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like  
spam  or something) and choose where you would like to save the profile.
11. Now go to where you saved your profile and double click it. System  
Prefs will launch and try to install the profile.

11a. Just hit continue and continue again.
11b. You will be prompted for settings which are the username and  
password. You can either just hit install (the eapol supplicant will  
ask you for your credentials during the authentication phase) or you  
can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION.  
If you insert a bad username or password into this field, it will get  
saved as a keychain entry (with bad info) and you will never be able  
to connect. The Mac will just silently fail authentication until you  
delete the keychain entry and do a fresh auth. Save yourself some  
trouble and leave the fields blank and just hit install.

11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should now 

Re: EAP-TLS and OS X clients

2013-02-20 Thread A . L . M . Buxey
Hi,

 Eventually, though, it turned out that the most important issue was
 with OS X 10.7 (Lion). With this particular version of Apple's OS,

yes, I know. Apple suck for doing this.  I manage campus network at
Loughborough university and eduroam federation in the UK
and so am well aware of OSX and their idea of making OSX have the
same .mobileconfig method as iOS.

you might want to look into the 'eduroam CAT' tool - ask your NREN
federation/eduroam people about it.


who are your instructions aimed at? I worry a great deal about them
because you aren't telling them to install/verify a CA or a RADIUS server
for the connection (thus basically negating the whole point of PKI!)
and the site might use EAP-FAST (some places actually do more than
just EAP-TTLS).  also, end users don't need to run this tool! you
(the admin) do all the hard work of configuring the profile and
then just provide the end user/customer the *SIGNED* mobileconfig file

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
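One way to catch the gap Alan is worried about, as an added example that is not part of this thread or of any Apple or FreeRADIUS code: a script that reads an unsigned Wi-Fi .mobileconfig and reports whether its EAP payload pins a CA anchor and a RADIUS server name. The EAPClientConfiguration key names (TLSTrustedServerNames, PayloadCertificateAnchorUUID, TLSAllowTrustExceptions, TTLSInnerAuthentication, AcceptEAPTypes) are taken from Apple's Configuration Profile Reference as I know it and are assumptions here; the two sample payloads (one shaped like the TTLS/PAP profile the reposted instructions produce with the Trust tab ignored, one hardened) are constructed.

```python
"""Audit the server-validation settings of a Wi-Fi .mobileconfig.

Added illustration for this thread, not code from Apple or FreeRADIUS.
Key names follow Apple's Configuration Profile Reference (assumption);
the sample profile below is constructed.
"""
import plistlib

# EAP method numbers as used in AcceptEAPTypes (IANA EAP type numbers)
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def audit_wifi_payload(payload):
    """Return finding codes for one com.apple.wifi.managed payload."""
    findings = []
    eap = payload.get("EAPClientConfiguration")
    if eap is None:
        # No EAP block: PSK/open network, nothing for RADIUS to validate
        return ["no-eap-config"]
    # Without a server name list the supplicant accepts any name on the cert
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no-trusted-server-names")
    # Without an anchor, the cert is not checked against an admin-chosen CA
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no-anchor-ca")
    # Default is True: the user may click through a trust failure on first join
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("trust-exceptions-allowed")
    # PAP inside the tunnel hands the password to whatever server terminates
    # the tunnel, so server validation matters most for this combination
    if eap.get("TTLSInnerAuthentication") == "PAP" and findings:
        findings.append("pap-inner-auth-without-server-validation")
    return findings


def audit_profile(plist_bytes):
    """Map SSID -> findings for every Wi-Fi payload in an unsigned profile."""
    profile = plistlib.loads(plist_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            report[payload.get("SSID_STR", "<no SSID>")] = audit_wifi_payload(payload)
    return report


def eap_methods(payload):
    """Human-readable EAP methods a payload accepts."""
    types = payload.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
    return [EAP_TYPE_NAMES.get(t, f"type-{t}") for t in types]


# Constructed sample: one payload as the reposted instructions would
# produce it (Trust tab ignored), one with CA anchor and server name pinned.
LAX_PAYLOAD = {
    "PayloadType": "com.apple.wifi.managed",
    "PayloadIdentifier": "example.wifi.lax",
    "SSID_STR": "campus-lax",
    "EncryptionType": "WPA2",
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [21],
        "TTLSInnerAuthentication": "PAP",
    },
}
HARDENED_PAYLOAD = {
    "PayloadType": "com.apple.wifi.managed",
    "PayloadIdentifier": "example.wifi.hardened",
    "SSID_STR": "campus-hardened",
    "EncryptionType": "WPA2",
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [21],
        "TTLSInnerAuthentication": "PAP",
        "TLSTrustedServerNames": ["radius.example.edu"],
        "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000001"],
        "TLSAllowTrustExceptions": False,
    },
}
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile",
    "PayloadContent": [LAX_PAYLOAD, HARDENED_PAYLOAD],
})

if __name__ == "__main__":
    for ssid, findings in audit_profile(SAMPLE_PROFILE).items():
        print(ssid, eap_methods(LAX_PAYLOAD), findings or "ok")
```

The checker expects the plain XML plist; a signed profile of the kind Alan recommends handing out is a CMS wrapper around that XML and has to be unwrapped (for example with openssl smime -verify) before it is fed in. The PayloadCertificateAnchorUUID values must also match a certificate payload present in the same profile, which the checker does not cross-check.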


Re: freeradius-proxy with Rlm_cache

2013-02-20 Thread Phil Mayers

On 20/02/13 13:31, Dominique Frise wrote:

Hi Phil,

Here below a debug output :

==
rad_recv: Access-Request packet from host 127.0.0.1 port 11148, id=74,
length=94
 User-Name = dfrise
 User-Password = 276988


Ok, so the PIN is appended to the password. In which case your key is 
just User-Name and User-Password.


Anyway - the recipe in my other email should cover what you need. What 
you're doing now - single calls to cache - probably won't cover it. 
You will need more logic, as per my example.



Re: Radius server failed to respond

2013-02-20 Thread Phil Mayers

On 20/02/13 13:08, ahmed.sa...@stfc.ac.uk wrote:

Hi Phil,

That could be the problem.

I am using LDAP to get user information. getent passwd works okay
every time I have system to use LDAP for accounting. Do I have to
set it up in FreeRadius as well? Or shall I do either or?



I don't understand any of that, I'm afraid.

The log you posted shows pam_radius failing because getservbyname() 
failed. getservbyname() uses NSS. Fix NSS to be reliable and this error 
will go away. This is not a RADIUS problem.


You should just remove ldap from services in /etc/nsswitch.conf - 
it's pointless and unhelpful. But it's not a RADIUS problem, and thus OT 
for this list.



RE: Radius server failed to respond

2013-02-20 Thread ahmed.sajid
Thank you very much for the explanation.

Regards,
Ahmed.


echo module creating zombies

2013-02-20 Thread steffo76
Hello list,

I have a problem regarding the echo module which on my system creates zombie 
processes. I am using the following settings for echo:

wait = no
program = /bin/true (just for testing purposes)
packet_type = Access-Accept

After echo execs the program in question there is an undead child process left 
behind:

13467 ?Ssl0:00 /usr/local/freeradius/sbin/radiusd
14258 ?Z  0:00  \_ [true] defunct

This is pretty much everything strace has to say:

14258 execve(/bin/true, [/bin/true, asdf], [/* 6 vars */]) = 0
14258 brk(0)= 0x85c6000
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0xb7787000
14258 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory)
14258 open(/etc/ld.so.cache, O_RDONLY) = 3
14258 fstat64(3, {st_mode=S_IFREG|0644, st_size=67227, ...}) = 0
14258 mmap2(NULL, 67227, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7776000
14258 close(3)  = 0
14258 open(/lib/i686/libc.so.6, O_RDONLY) = 3
14258 read(3, 
\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0h\1\0004\0\0\0\320\366\24\0\0\0\0\0004\0
 
\0\n\0(\0D\0C\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0@\1\0\0@\1\0\0\5\0\0\0\4\0\0\0\3\0\0\0`z\23\0`z\23\0`z\23\0\23\0\0\0\23\0\0\0\4\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\272\24\0P\272\24\0\5\0\0\0\0\20\0\0\1\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\230'\0\0lT\0\0\6\0\0\0\0\20\0\0\2\0\0\0|\335\24\0|\335\24\0|\335\24\0\360\0\0\0\360\0\0\0\6\0\0\0\4\0\0\0\4\0\0\0t\1\0\0t\1\0\0t\1\0\0
 \0\0\0 
\0\0\0\4\0\0\0\4\0\0\0\7\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\10\0\0\0@\0\0\0\4\0\0\0\4\0\0\0P\345tdtz\23\0tz\23\0tz\23\0\314+\0\0\314+\0\0\4\0\0\0\4\0\0\0Q\345td\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\4\0\0\0R\345td\344\301\24\0\344\301\24\0\344\301\24\0\34\36\0\0\34\36\0\0\4\0\0\0\1\0\0\0\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0\t\0\0\0\363\3\0\0\t\0\0\0\0\2\0\0\16\0\0\0\2400\20D\200
 \2\1\214\3\346\220AE\210\0\204\0\10\0A\200\0@\300\200\0\f\2\f\0!
 
\0010\0\10@\\10\246\4\210H6l\240\0260\0\204\200\216\4\10B$\2\f\246\244\32\6c\310\0\302
 \1\300\0R\0!\201\10\4\n  \250\24\0\24(`\0\0P\240\312DB, 512) = 512
14258 fstat64(3, {st_mode=S_IFREG|0755, st_size=1376624, ...}) = 0
14258 mmap2(NULL, 1381968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 
0) = 0xb7624000
14258 mmap2(0xb777, 12288, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14c) = 0xb777
14258 mmap2(0xb7773000, 9808, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7773000
14258 close(3)  = 0
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) 
= 0xb7623000
14258 set_thread_area({entry_number:-1 - 6, base_addr:0xb76236c0, 
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, 
seg_not_present:0, useable:1}) = 0
14258 mprotect(0xb777, 8192, PROT_READ) = 0
14258 mprotect(0x804f000, 4096, PROT_READ) = 0
14258 mprotect(0xb77a3000, 4096, PROT_READ) = 0
14258 munmap(0xb7776000, 67227) = 0
14258 brk(0)= 0x85c6000
14258 brk(0x85e7000)= 0x85e7000
14258 close(1)  = 0
14258 close(2)  = 0
14258 exit_group(0) = ?

Any ideas why the zombies occur?

Thanks
Stephan


Ntlm_auth vs. Cleartext-password

2013-02-20 Thread Óscar Remírez de Ganuza Satrústegui
Good afternoon everybody,

We have configured freeradius to authenticate against Active
Directory/Samba using ntlm_auth, following the instructions on:
http://deployingradius.com/documents/configuration/active_directory.html
Everything works as expected.

Right now on our production server we are using LDAP to store the user
credentials. We would like to achieve a smooth transition to the new
authentication method. So we want to configure freeradius to authenticate with
ntlm_auth just in the cases when there is no Cleartext-Password available,
but we do not know how to do it.

Using instructions from modules/mschap:

# If ntlm_auth is configured below, then the mschap
# module will call ntlm_auth for every MS-CHAP
# authentication request.  If there is a cleartext
# or NT hashed password available, you can set
# MS-CHAP-Use-NTLM-Auth := No in the control items,
# and the mschap module will do the authentication itself,
# without calling ntlm_auth.

We were able to *bypass* the ntlm_auth on some users/groups defining on the
users file the control item MS-CHAP-Use-NTLM-Auth := No.

But is there a way to configure freeradius such that if Cleartext-Password
password is available it uses it, and otherwise it uses ntlm_auth to
authenticate?

Thank you so much for your help.

Regards,



Oscar Remírez de Ganuza Satrústegui
Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.es/SI/

Re: EAP-TLS and OS X clients

2013-02-20 Thread Jaap Winius

Quoting a.l.m.bu...@lboro.ac.uk:


you might want to look into the 'eduroam CAT' tool - ask your NREN
federation/eduroam people about it.


Thanks very much! I'll look into it.


who are your instructions aimed at? I worry a great deal about them
because you aren't telling them to install/verify a CA or a RADIUS server
for the connection (thus basically negating the whole point of PKI!)
and the site might use EAP-FAST (some places actually do more than
just EAP-TTLS).  also, end users don't need to run this tool! you
(the admin) do all the hard work of configuring the profile and
then just provide the end user/customer the *SIGNED* mobileconfig file


Oh, hey, I thought I was just sharing this information with a bunch of  
lazy sysadmins, some of whom might be interested to know how I  
eventually managed to connect OS X 10.7 (Lion) hosts to my wifi network.


As I mentioned in my previous post, I did not author those  
instructions. I'm also not in the habit of re-posting information  
written by others, but although they may not be perfect, I thought  
they were helpful and then suddenly became worried that Apple might  
make them disappear at one point or another (it wasn't exactly easy  
information to find).


Moreover, I explained that I was using a WPA2-Enterprise configuration  
with Freeradius 2.1.0, EAP-TLS and 4096-bit SHA-1 in my first post in  
this thread on Sunday 17 Feb.


Cheers,

Jaap


Re: Ntlm_auth vs. Cleartext-password

2013-02-20 Thread Alan DeKok
Óscar Remírez de Ganuza Satrústegui wrote:
 We were able to /bypass/ the ntlm_auth on some users/groups defining on
 the users file the control item MS-CHAP-Use-NTLM-Auth := No.
 
 But is there a way to configure freeradius such that if
 Cleartext-Password password is available it uses it, and otherwise it
 uses ntlm_auth to authenticate?

authorize {
    ...

    if (control:Cleartext-Password) {
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
    }

    ...
}

  Alan DeKok.


Re: echo module creating zombies

2013-02-20 Thread steffo76

 Original Message 
 Date: Wed, 20 Feb 2013 10:29:07 -0500
 From: Craig Campbell craig.campb...@ccraft.ca
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: echo module creating zombies

 Try changing wait to yes.
 
 Zombies are processes that have ended, but for which the parent has not 
 waited to acknowledge the death of the child.
 Their 'slot' in the process table has not been freed for re-use.
 
 -Original Message- 
 From: steff...@gmx.de
 Sent: Wednesday, February 20, 2013 9:54 AM
 To: freeradius-users@lists.freeradius.org
 Subject: echo module creating zombies
 
 Hello list,
 
 I have a problem regarding the echo module which on my system creates
 zombie 
 processes. I am using the following settings for echo:
 
 wait = no
 program = /bin/true (just for testing purposes)
 packet_type = Access-Accept
 
 After echo execs the program in question there is an undead child process 
 left behind:
 
 13467 ?Ssl0:00 /usr/local/freeradius/sbin/radiusd
 14258 ?Z  0:00  \_ [true] defunct
 
Ah, okay, thanks. I deliberately set wait=no since I don't want the module to 
fail just because the underlying binary exited with something other than 0. I 
just need to run a script and pass it the username after a successful login; is 
there a better way to do this? The exec module doesn't seem the right way to 
do this.

Regards
Stephan


Re: echo module creating zombies

2013-02-20 Thread Alan DeKok
steff...@gmx.de wrote:
 I have a problem regarding the echo module which on my system creates zombie 
 processes. I am using the following settings for echo:
 
 wait = no
 program = /bin/true (just for testing purposes)
 packet_type = Access-Accept
 
 After echo execs the program in question there is an undead child process 
 left behind:

  Which version is this?  There was one version (IIRC) which had this
issue.  But recent ones don't.

  Alan DeKok.


Re: echo module creating zombies

2013-02-20 Thread steffo76

 Original Message 
 Date: Wed, 20 Feb 2013 10:59:14 -0500
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: echo module creating zombies

 steff...@gmx.de wrote:
  I have a problem regarding the echo module which on my system creates
 zombie processes. I am using the following settings for echo:
  
  wait = no
  program = /bin/true (just for testing purposes)
  packet_type = Access-Accept
  
  After echo execs the program in question there is an undead child
 process left behind:
 
   Which version is this?  There was one version (IIRC) which had this
 issue.  But recent ones don't.


These are versions 2.1.9 and 2.2.0.

Regards
Stephan


Re: Ntlm_auth vs. Cleartext-password

2013-02-20 Thread Óscar Remírez de Ganuza Satrústegui
Wow, thank you so much Alan.
It works flawlessly.

Thanks again.

Regards,

Oscar Remírez de Ganuza Satrústegui
Servicios Informáticos (Área de Infraestructuras)
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.es/SI/


On Wed, Feb 20, 2013 at 4:21 PM, Alan DeKok al...@deployingradius.com wrote:

 Óscar Remírez de Ganuza Satrústegui wrote:
  We were able to /bypass/ the ntlm_auth on some users/groups defining on
  the users file the control item MS-CHAP-Use-NTLM-Auth := No.
 
  But is there a way to configure freeradius such that if
  Cleartext-Password password is available it uses it, and otherwise it
  uses ntlm_auth to authenticate?

 authorize {
     ...

     if (control:Cleartext-Password) {
         update control {
             MS-CHAP-Use-NTLM-Auth := No
         }
     }

     ...
 }

   Alan DeKok.


Re: echo module creating zombies

2013-02-20 Thread Craig Campbell

Try changing wait to yes.

Zombies are processes that have ended, but for which the parent has not 
waited to acknowledge the death of the child.

Their 'slot' in the process table has not been freed for re-use.

-Original Message- 
From: steff...@gmx.de

Sent: Wednesday, February 20, 2013 9:54 AM
To: freeradius-users@lists.freeradius.org
Subject: echo module creating zombies

Hello list,

I have a problem regarding the echo module which on my system creates zombie 
processes. I am using the following settings for echo:


wait = no
program = /bin/true (just for testing purposes)
packet_type = Access-Accept

After echo execs the program in question there is an undead child process 
left behind:


13467 ?Ssl0:00 /usr/local/freeradius/sbin/radiusd
14258 ?Z  0:00  \_ [true] defunct

This is pretty much everything strace has to say:

14258 execve(/bin/true, [/bin/true, asdf], [/* 6 vars */]) = 0
14258 brk(0)= 0x85c6000
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7787000
14258 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or 
directory)

14258 open(/etc/ld.so.cache, O_RDONLY) = 3
14258 fstat64(3, {st_mode=S_IFREG|0644, st_size=67227, ...}) = 0
14258 mmap2(NULL, 67227, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7776000
14258 close(3)  = 0
14258 open(/lib/i686/libc.so.6, O_RDONLY) = 3
14258 read(3, 
\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0h\1\0004\0\0\0\320\366\24\0\0\0\0\0004\0 
\0\n\0(\0D\0C\0\6\0\0\0004\0\0\0004\0\0\0004\0\0\0@\1\0\0@\1\0\0\5\0\0\0\4\0\0\0\3\0\0\0`z\23\0`z\23\0`z\23\0\23\0\0\0\23\0\0\0\4\0\0\0\1\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0P\272\24\0P\272\24\0\5\0\0\0\0\20\0\0\1\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\230'\0\0lT\0\0\6\0\0\0\0\20\0\0\2\0\0\0|\335\24\0|\335\24\0|\335\24\0\360\0\0\0\360\0\0\0\6\0\0\0\4\0\0\0\4\0\0\0t\1\0\0t\1\0\0t\1\0\0 
\0\0\0 
\0\0\0\4\0\0\0\4\0\0\0\7\0\0\0\344\301\24\0\344\301\24\0\344\301\24\0\10\0\0\0@\0\0\0\4\0\0\0\4\0\0\0P\345tdtz\23\0tz\23\0tz\23\0\314+\0\0\314+\0\0\4\0\0\0\4\0\0\0Q\345td\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\4\0\0\0R\345td\344\301\24\0\344\301\24\0\344\301\24\0\34\36\0\0\34\36\0\0\4\0\0\0\1\0\0\0\4\0\0\0\20\0\0\0\1\0\0\0GNU\0\0\0\0\0\2\0\0\0\6\0\0\0\t\0\0\0\363\3\0\0\t\0\0\0\0\2\0\0\16\0\0\0\2400\20D\200 
\2\1\214\3\346\220AE\210\0\204\0\10\0A\200\0@\300\200\0\f\2\f\0!
\0010\0\10@\\10\246\4\210H6l\240\0260\0\204\200\216\4\10B$\2\f\246\244\32\6c\310\0\302 
\1\300\0R\0!\201\10\4\n  \250\24\0\24(`\0\0P\240\312DB, 512) = 512

14258 fstat64(3, {st_mode=S_IFREG|0755, st_size=1376624, ...}) = 0
14258 mmap2(NULL, 1381968, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 
3, 0) = 0xb7624000
14258 mmap2(0xb777, 12288, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14c) = 0xb777
14258 mmap2(0xb7773000, 9808, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7773000

14258 close(3)  = 0
14258 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0xb7623000
14258 set_thread_area({entry_number:-1 - 6, base_addr:0xb76236c0, 
limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, 
seg_not_present:0, useable:1}) = 0

14258 mprotect(0xb777, 8192, PROT_READ) = 0
14258 mprotect(0x804f000, 4096, PROT_READ) = 0
14258 mprotect(0xb77a3000, 4096, PROT_READ) = 0
14258 munmap(0xb7776000, 67227) = 0
14258 brk(0)= 0x85c6000
14258 brk(0x85e7000)= 0x85e7000
14258 close(1)  = 0
14258 close(2)  = 0
14258 exit_group(0) = ?

Any ideas why the zombies occur?

Thanks
Stephan

Craig Campbell
craig.campb...@ccraft.ca
CampbellCraft Consulting Inc.
2 Kenny Court
Whitby, Ontario
Canada
L1R 2L8
905 922-2789



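The mechanism Craig describes, as an added example that is not part of this thread or of FreeRADIUS: a parent that forks a child and never calls waitpid() leaves the child's exit status unreaped, which is what ps shows as [true] defunct. The script forks a child that exits immediately (standing in for program = /bin/true with wait = no), reads the Z state from /proc on Linux, then reaps it with a non-blocking waitpid(WNOHANG) loop that records the exit code instead of failing on it, and shows the SIGCHLD-handler form a daemon would use. The /proc parsing, the two-second timeouts and the helper names are my own choices, not anything the echo module does.

```python
"""Why a child that nobody wait()s for stays a zombie, and how to reap it.

Added illustration for this thread; not FreeRADIUS code.  The child exits
immediately, standing in for the echo module's program with wait = no.
"""
import os
import signal
import time

PROC_AVAILABLE = os.path.exists("/proc/self/stat")  # Linux procfs present?


def spawn_without_wait():
    """Fork a child that exits at once; the parent deliberately does not wait.
    Until the parent calls waitpid(), the child's process-table slot remains
    as a zombie, exactly what `ps` showed as '[true] <defunct>'."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)  # child: leave without running any parent code
    return pid


def proc_state(pid):
    """Single-letter state from /proc/<pid>/stat ('Z' = zombie), or None if
    the entry is gone or /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            data = f.read()
    except OSError:
        return None
    # The state field follows the ')' that closes the comm field.
    return data[data.rindex(")") + 2]


def wait_for_state(pid, state, timeout=2.0):
    """Poll until /proc reports the given state (True) or time runs out."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc_state(pid) == state:
            return True
        time.sleep(0.01)
    return False


def reap_children():
    """Reap every exited child without blocking; returns {pid: exit_code}.

    This is what the parent must do to free the slot.  It records the exit
    code rather than treating a non-zero one as a failure, which is the
    behaviour the original poster wanted from wait = no."""
    reaped = {}
    while True:
        try:
            pid, status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:
            break  # no children at all
        if pid == 0:
            break  # children exist but none has exited yet
        if os.WIFEXITED(status):
            reaped[pid] = os.WEXITSTATUS(status)
        else:
            reaped[pid] = -os.WTERMSIG(status)  # killed by a signal
    return reaped


def install_reaper():
    """Daemon-style fix: reap from a SIGCHLD handler so the main loop never
    blocks on a child and never accumulates zombies."""
    signal.signal(signal.SIGCHLD, lambda signum, frame: reap_children())


def demo():
    """Spawn, observe the zombie, reap it, confirm the slot is freed.
    Returns (was_zombie, exit_code, state_after_reap)."""
    pid = spawn_without_wait()
    was_zombie = wait_for_state(pid, "Z") if PROC_AVAILABLE else None
    reaped = {}
    deadline = time.monotonic() + 2.0
    while pid not in reaped and time.monotonic() < deadline:
        reaped.update(reap_children())
        time.sleep(0.01)
    # After reaping, /proc/<pid> no longer exists: the slot is free again
    return was_zombie, reaped.get(pid), proc_state(pid)


if __name__ == "__main__":
    print(demo())
```

A zombie holds no memory worth mentioning, but it does hold a PID, so a long-running radiusd that forks for every Access-Accept and never reaps will eventually run the process table dry; that is why the fix is in the parent (reap, or install the SIGCHLD handler), not in the child program.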


Listing attributes in a request

2013-02-20 Thread Adam Moffett
Does the output from radius -X display all of the attributes in a 
request from a client?  If not, is there a way to see all of the 
attributes in the request?  I'm looking for the value of a VSA and I'm 
not seeing it.  I'm not sure if it's not being displayed in the debug 
output or just not there at all.





simulate Point Access

2013-02-20 Thread tabibel sami
Hello, I am trying to make a virtual infrastructure for testing wireless EAP
authentication via freeradius, so I created three virtual machines for
supplicant, authenticator (access point) and radius server.
I installed wpa_supplicant on the first machine and freeradius on the server, but I
have no idea how I can simulate an access point with a Linux virtual
machine. Please help me!

thank you.

Re: Listing attributes in a request

2013-02-20 Thread Alan DeKok
Adam Moffett wrote:
 Does the output from radius -X display all of the attributes in a
 request from a client?

  Yes.  FreeRADIUS isn't in the business of hiding information from the
administrator.

  If not, is there a way to see all of the
 attributes in the request?  I'm looking for the value of a VSA and I'm
 not seeing it.

  Then the NAS isn't sending it.

  Remember, this is RADIUS.  If anything goes wrong, it's usually the
fault of the NAS.

  Alan DeKok.


Re: simulate Point Access

2013-02-20 Thread Matthew Newton
On Wed, Feb 20, 2013 at 10:46:59PM +0100, tabibel sami wrote:
 Hello, I am trying to make a virtual infrastructure for testing wireless EAP
 authentication via freeradius, so I created three virtual machines for
 supplicant, authenticator (access point) and radius server.
 I installed wpa_supplicant on the first machine and freeradius on the server, but I
 have no idea how I can simulate an access point with a Linux virtual
 machine. Please help me!

If you are just interested in testing EAP, then you only need one
machine. Your test setup is never going to be able to test the
behaviour of different APs out there anyway, so to do that you'd
want to just do it for real.

Build wpa_supplicant, and make sure you build the eapol_test
program. It's not enabled in the wpa_supplicant defconfig file by
default.

Then build or install freeradius.

eapol_test takes the same config files as wpa_supplicant, but
rather than talking EAP (as a supplicant) over wireless, it just
sends the EAP directly in RADIUS packets.

FreeRADIUS by default listens on localhost with secret testing123,
and comes with a selection of conf files for eapol_test, so you
can point it at localhost for testing your EAP.

Of course, you can run eapol_test on a different machine than
FreeRADIUS if you want to - just make sure you set up a client for
the test machine in the FR config.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
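What eapol_test actually puts on the wire, as an added example that is not part of Matthew's post, of wpa_supplicant or of FreeRADIUS: the first Access-Request of an EAP exchange carries the EAP-Response/Identity inside an EAP-Message attribute (79) and must also carry a Message-Authenticator (80), an HMAC-MD5 over the whole packet keyed with the shared secret; a server is required to discard EAP-carrying packets whose Message-Authenticator is missing or wrong (RFC 3579), which is the check the verifier function below performs. The identity "testuser", RADIUS id 7 and the fixed request authenticator are constructed values; the secret testing123 is the default the thread mentions, and port 1812 and the attribute numbers are the standard ones.

```python
"""Build and check the EAP-carrying Access-Request that eapol_test sends.

Added illustration; not code from wpa_supplicant or FreeRADIUS.  Attribute
numbers are RFC 2865/3579; the sample identity, packet id and request
authenticator are constructed.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
HEADER_LEN = 20  # code, id, length, 16-byte request authenticator


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute (value <= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP packet: code=Response, id, length, type=Identity, identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, identity, radius_id, request_auth, eap_id=0):
    """Access-Request with User-Name, EAP-Message and Message-Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    eap = eap_response_identity(eap_id, identity)
    attrs = attr(ATTR_USER_NAME, identity)
    # Longer EAP packets are split across several EAP-Message attributes
    for off in range(0, len(eap), 253):
        attrs += attr(ATTR_EAP_MESSAGE, eap[off:off + 253])
    # 16 zero bytes stand in while the HMAC is computed over the packet
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(attrs)
    pkt = bytearray(struct.pack("!BBH", ACCESS_REQUEST, radius_id, length))
    pkt += request_auth + attrs
    pkt[length - 16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def parse_attrs(pkt):
    """Return [(type, value), ...]; reject truncated or oversize attributes."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length > len(pkt) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    attrs, off = [], HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return attrs


def verify_message_authenticator(pkt, secret):
    """Server-side check (RFC 3579 3.2): recompute HMAC-MD5 with the
    Message-Authenticator value zeroed and compare in constant time.
    A packet carrying EAP-Message without a valid one must be discarded."""
    length = struct.unpack("!H", pkt[2:4])[0]
    pkt = pkt[:length]
    off = HEADER_LEN
    while off + 2 <= length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2:
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += l
    return False  # no Message-Authenticator at all


def send_once(pkt, host="127.0.0.1", port=1812, timeout=2.0):
    """Send the request to a server the way eapol_test would; returns the
    RADIUS code of the reply (11 = Access-Challenge) or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply[0]


if __name__ == "__main__":
    SECRET = b"testing123"  # FreeRADIUS default secret for localhost
    pkt = build_access_request(SECRET, b"testuser", 7, bytes(range(16)))
    print(len(pkt), "bytes", [t for t, _ in parse_attrs(pkt)])
    print("reply code:", send_once(pkt))
```

Run as a script it sends the packet to a local FreeRADIUS and prints the reply code; against a default install with eap enabled the answer to an EAP-Response/Identity is an Access-Challenge (code 11). The Message-Authenticator is the only integrity protection an Access-Request has (the request authenticator is random, not keyed), which is why it is mandatory once EAP is involved and why a server that skips the check would accept EAP from anyone who can reach the port.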


Proxy Problem

2013-02-20 Thread Muhammad Nadeem
Hi everybody,
I have configured a proxy server with 'type=client-port-balance'. I
have configured two backend FR servers (192.168.0.109 and 192.168.0.112).
I am sending requests from a PC to 192.168.0.102 (acting as proxy
server). But requests are forwarded to only one FR server (i.e.
192.168.0.112).
Why is the proxy server not sending requests to the other one? As each request
has the same IP but a different port, the hashing mechanism of the proxy server
should also choose the other FR server (192.168.0.109) to handle some of the
requests.
Could anyone please tell me what the issue is. Thanks