Re: MSCHAPv2 use_tunneling_reply problem
So what you're saying is that even though the users are using anonymous outerid and want anonymity you want to release their id to the site they are at? -- Sent from my Android device with K-9 Mail. Please excuse my brevity.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 2.2.2 release date
Why are you so keen for the 2.2.2 release? The delay is down to an issue which needs identifying and testing. People who download the HEAD of 2.2.x and test help at this point. alan
Re: Freeradius issue : Active Directory Integration
Hi. Wondering what authentication method you are using, as maybe you are looking at the wrong ntlm; check the mschap module for its ntlm_auth incantation. Also, if you have doubts about the AD account used to bind, then follow that up. Get it bound in the same way. What does ntlm_auth do on the command line for you? alan
Re: Cache for machine authentication
Using EAP? Use the EAP cache and populate the entry with whatever is needed.
Re: What does FR 2.2.2 fix?
Some things started acting differently in 2.2.1 compared to previous releases of 2.x. 2.2.2 should revert that so things behave the same - so far that seems to be true, but we are still seeing "stalled module in core" messages that we did not see with 2.2.0. alan
Re: Running RADIUS in permanent debug mode with rotating log
I really wouldn't recommend running in full debug mode on a production server full time... it's only single threaded, so if you have to service lots of requests you have an immediate bottleneck. What sort of weird problems are you facing? You know you can run in debug mode for single users or clients via radmin/raddebug?? If you really want to proceed then you can use eg crontab to run a script which kills all radiusd processes and then starts a new debug session with the date in the logfile, eg radiusd -X > /var/log/debug-$(date +args xxx) where 'args xxx' is the date string format you require. alan
Clement Ogedengbe c.ogeden...@worc.ac.uk wrote: Hello, We have been having strange experiences with our RADIUS service lately and we thought it would be a good idea to run RADIUS in debug mode permanently to enable us to effectively troubleshoot user complaints. How can we run radiusd -x logname such that we have a different logname for each day? Clement
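The crontab-driven rotation the reply sketches, written out as an added example (not from the original post or the FreeRADIUS project). It assumes the daemon is on PATH as radiusd, logs go under /var/log/radius/debug, and old logs are kept for 7 days; because full-debug output can contain cleartext User-Password values and client secrets, the log is created mode 0600 and pruned.

```shell
#!/bin/sh
# Added example: daily rotation of a full-debug radiusd run from crontab.
# Assumptions (not from the page): log dir /var/log/radius/debug, daemon
# binary "radiusd" on PATH, old debug logs kept for 7 days.

LOG_DIR="${LOG_DIR:-/var/log/radius/debug}"
RADIUSD="${RADIUSD:-radiusd}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# Build the log path for a given date (YYYY-MM-DD); the script itself
# passes "date +%F", which is the 'date +args' part of the reply.
debug_log_path() {
    printf '%s/debug-%s.log\n' "$LOG_DIR" "$1"
}

# Stop every running radiusd. -x matches the exact process name, so other
# processes that merely mention "radiusd" in their arguments are untouched.
stop_radiusd() {
    pkill -x radiusd 2>/dev/null || true
    # let the old instance release 1812/1813 before the new one binds them
    sleep 2
}

# Start a fresh full-debug instance writing to today's log. Debug output
# shows User-Password and client secrets in clear, so create the file 0600.
start_debug_radiusd() {
    log=$(debug_log_path "$(date +%F)")
    mkdir -p "$LOG_DIR"
    ( umask 077; : > "$log" )
    nohup "$RADIUSD" -X >> "$log" 2>&1 &
    echo "$log"
}

# Remove debug logs older than KEEP_DAYS; they hold credentials in clear.
prune_old_logs() {
    find "$LOG_DIR" -name 'debug-*.log' -type f -mtime +"$KEEP_DAYS" -delete
}

rotate() {
    stop_radiusd
    start_debug_radiusd
    prune_old_logs
}

# Run only when asked explicitly, e.g. from crontab just after midnight:
#   5 0 * * * /usr/local/sbin/radius-debug-rotate.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate
fi
```

The file is appended to (>>) after being created 0600 so that a second run on the same day does not truncate that day's capture.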
RE: how to change the radius default testing123 password
hi, pretty definitive. Incorrect shared secret - are you SURE that you haven't got any white spaces etc lurking around? Keep the shared secret in quotes if in doubt. alan
Re: Active Directory authentication question
Well. There's no such thing as EAP-TLS/MSCHAPv2. So I'd guess that your Android device is just doing PEAPv0/EAP-MSCHAPv2 or such and your config allows it to. If you ran in full debug mode when connecting with the Android device you'd see exactly what's happening. alan
Re: empty preacct and accounting section
As the msg says. Your preacct {} and accounting {} sections in your server are not configured to do anything. Add active modules to them, eg a database call, and things will be different. alan
Re: Active Directory authentication question
Or ask your distribution provider why they still provide a wpa_supplicant package without the eapol_test tool ;) alan
Re: Get errors with radtest on ip address
No problem with radiusd at this point. It's not received a single packet. You've got a problem with your local network environment on the host. Care to share /etc/hosts? alan
Re: FreeRADIUS Accounting Logging to Two Separate Locations Simultaneously
The default install comes with a few accounting virtual servers that you can use. I'd strongly advise one of the out of band asynchronous ones. If you use UDP, syslog is not blocking... it is fire and forget... so you might lose packets if you have congested links or a disruption between source and destination. For security, throw a VPN tunnel between the hosts. At the end it is whatever floats your boat and is maintainable. You had a big list, some of which seem prone to issues and overworked. And why not think of it the other way around? Let security have all the logs and then give ops access to the data via their system... ops then no longer need to worry about data retention, the legal issues, disk space etc... they just run a radius daemon ;) alan
Re: Freeradius 2.2.0 - binaries not being installed ???
But if you'd installed the debian/Ubuntu package version then it is 'freeradius' ;) alan
Re: EAP logging
Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output. alan
Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP. alan
Re: User Account Configuration
Think about the login time... If you create an account for the future, then it has a start validity date... alan
Re: sql_counter module doesn't count
If your NAS can't send accounting then there's nothing you can do at the freeradius end to make it do accounting. alan
Re: sql_counter module doesn't count
Hi. That's just an authentication request; accounting packets are what you need. Is your kit configured to send accounting to this RADIUS server? alan
Re: Problems setting up a freeradius server with PEAP
Hi. How are you generating the certs and what format are they in? alan
Re: Auth by NAS-Identifier using unlang
I assume that's the freeradius2 package rather than freeradius, as 1.x doesn't have unlang. alan
Re: Authorization failed in cisco switch
"now i can logon into the switch but i can with all USERS." Yes. Because that's how you have configured it. You've set the DEFAULT to have those abilities. I would recommend reading freeradius resources and buying a book to discover/understand policies, groups etc. alan
Re: Ubuntu FreeRadius does not recognize some perl.so symbols and does not compile from source and is also outdated (Why is there no new version in SID? Is the package still maintained?)
"Freeradius does not build from source." Yes. It does. But you are compiling some random external flavour. Download the source from freeradius.org and report what happens. alan
Re: Dynamic vlan assignment
I'm sure there were some late in the day IOS updates for the 1130 series AP; this stuff works with capwap/lwapp 1131 anyway. If MBSSID is not supported with dynamic vlan assignment, then don't use mbssid, use guest mode instead. alan
Re: [ANN] Version 3.0.0-rc0
Hi. Don't you have freeradius-utils already... which contains radtest etc, which is very useful for admins. alan
Re: FreeRadius Authentication against AD or AD LDS (LDAP)
Hi. Store the passwords in nt-hash format. Use guest usernames with a particular format so that you can use some simple unlang to select the right type of authentication rather than hitting each method and causing unnecessary load and delay. alan
Re: LDAP authentication filter based on source SSID
Look at the requests coming from your AP in debug mode. You should see information there that can be used, eg Called-Station-Id with the SSID appended, or a VSA with the SSID name or number in it. Use that with your policy. alan
Re: PEAP using different CA?
Use a deployment tool, as then things like CN checks are done. alan
Re: freeradius using linux user passwd
Read the compatibility matrix. Check what EAP method your clients are using versus the password storage method you are using. alan
Re: 3.0
What's the hurry? Are you actually using the pre-release? I ask because we may find some other hitherto unknown bug. alan
Original message From: David Peterson dav...@wirelessconnections.net Date: 09/07/2013 16:33 (GMT+00:00) To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: 3.0 Any ETA on 3.0 being released? David
Re: Re[2]: acct_users
Yes, issues can appear in new code as well as get fixed. Known problems in 2.2.0 will be solved in 2.2.1, which is near/ready for release. alan
Re: Problem with CISCO WIRELESS CONTROLLER and RADIUS Authentication
Those are VSAs that you are getting from the NAS. Your WiFi kit is centrally managed, so config is pushed from the controller. alan
Re: something like huntgroups?
Hi. I'll see if I can send through some dictionary file entries later today. Alan This smartphone uses eduroam which gives me free WiFi around the world. Now that's what I call smart!
Re: freeradius outer identity
Don't do such authorization checks on the outer id if EAP. Don't run ldap in the outer; the current default config is set up in such a way. alan
Original message From: val john valjohn1...@gmail.com Date: 27/06/2013 04:58 (GMT+00:00) To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: freeradius outer identity Hi guys, I have a freeradius server that authenticates with LDAP and the setup was working fine, but when the client specifies the outer identity (some dummy user name) the Radius server takes that dummy user name as the actual username, and because of that LDAP authentication fails. (Authentication proceeds working fine if the client does not specify any outer identity.) Can you guys please advise how to fix this issue. Thank You John
Re: ldap
Hi. Always start simple. Run radtest on the RADIUS server box using 127.0.0.1... THEN move to running against it from other systems once you've verified all authentication etc is working. Note that it is port 1812 UDP. alan
Re: EAP-TTLS security level
The security depends on the configuration of your clients and the certificate chosen for your radius server. alan
Re: Accounting: visualize login, logout and commands
For switches, ensure that you are sending accounting and ensure on the radius server that you are recording such packets... but what switches are you running? As eg Cisco switches use Tacacs+ for sending details of all commands run... alan
Re: SSL error
Compiled without the required ssl environment being present? The debug output will have printed more information regarding the error. alan
Re: EAP error
Looks like a client with incorrect settings. Why would you want to add that CA to your server? Your radius server isn't signed by it. alan
Re:
Show us the radius server debug. alan
Original message From: Matthew Melbourne m...@melbourne.org.uk Date: 24/05/2013 17:10 (GMT+00:00) To: freeradius-users@lists.freeradius.org Subject: Hi, I have an interesting scenario where a broadband user has Auth-Type=Reject configured as an attribute in the back-end database of FreeRADIUS, and this appears to be working, as radtest and radclient confirm (the Access-Reject packet is received): [root@radius-one radius]# echo User-Name=mmelbourne@realm,Password=mypassword,Framed-Protocol=PPP | radclient -x -s 127.0.0.1 auth radius_secret Sending Access-Request of id 45 to 127.0.0.1 port 1812 User-Name = mmelbourne@realm Password = mypassword Framed-Protocol = PPP rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=45, length=73 Reply-Message = Your account has been disabled, please call support Total approved auths: 0 Total denied auths: 1 Total lost auths: 0 However, on the NAS (LNS), a radius debug shows that the authentication succeeds with an Access-Accept, even though the account disabled Reply-Message is received: May 23 14:12:28.076: RADIUS(00011A84): Send Access-Request to 213.x.x.x:1812 id 21793/12, len 107 May 23 14:12:28.076: RADIUS: authenticator 70 A9 8C A5 A8 79 A8 61 - 4D F6 99 37 F7 63 FE A5 May 23 14:12:28.076: RADIUS: Framed-Protocol [7] 6 PPP [1] May 23 14:12:28.076: RADIUS: User-Name [1] 21 mmelbourne@realm May 23 14:12:28.076: RADIUS: CHAP-Password [3] 19 * May 23 14:12:28.076: RADIUS: NAS-Port-Type [61] 6 Virtual [5] May 23 14:12:28.076: RADIUS: NAS-Port[5] 6 826 May 23 14:12:28.076: RADIUS: NAS-Port-Id [87] 17 Uniq-Sess-ID826 May 23 14:12:28.076: RADIUS: Service-Type[6] 6 Framed [2] May 23 14:12:28.076: RADIUS: NAS-IP-Address [4] 6 88.x.x.x May 23 14:12:28.084: RADIUS: Received from id 21793/12 213.x.x.x:1812, Access-Accept, len 157 May 23 14:12:28.084: RADIUS: authenticator 79 6C DA EB 1A CC AD CA - BB E3 C9 CE D1 C3 AC 47 May 23 14:12:28.084: RADIUS: Reply-Message [18] 53 May 23 14:12:28.084: RADIUS: 59 6F 75 72 20 61 63 63 6F 75 6E 74 20 68 61 73 [Your account has] May 23 14:12:28.084: RADIUS: 20 62 65 65 6E 20 64 69 73 61 62 6C 65 64 2C 20 [ been disabled, ] May 23 14:12:28.084: RADIUS: 70 6C 65 61 73 65 20 63 61 6C 6C 20 73 75 70 70 [please call supp] May 23 14:12:28.084: RADIUS: 6F 72 74 [ ort] May 23 14:12:28.084: RADIUS: Framed-IP-Address [8] 6 77.x.x.x May 23 14:12:28.084: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.255 May 23 14:12:28.084: RADIUS: Framed-Protocol [7] 6 PPP [1] May 23 14:12:28.084: RADIUS: Service-Type[6] 6 Framed [2] May 23 14:12:28.084: RADIUS: Vendor, Cisco [26] 54 May 23 14:12:28.084: RADIUS: Cisco AVpair [1] 48 ip:dns-servers=213.x.x.x 213.x.x.x May 23 14:12:28.084: RADIUS: Idle-Timeout[28] 6 28800 The only difference I can see is that the first example uses a plain-text password, and the RADIUS on the LNS is using CHAP? The backend database has = in the 'op' field (and not :=), so the returned attribute is Auth-Type = Reject and not Auth-Type := Reject, but it is correctly rejected using radtest/radclient, and I believe the = operand to be correct. Has anyone seen anything similar; the NAS is a 7206VXR running 12.2(31)SB2 and the backend is FreeRADIUS 1.1? -- Matthew Melbourne
Re: [Help] How to control the authentication session timeout
Controlled by the NAS and/or the RADIUS server depending on NAS settings. ie you should be able to set session-timeout on the NAS and then override/update the value on the RADIUS server depending on your chosen policies... eg for particular users/clients etc... and if proxying you may have agreements or filtering in place to set/agree the value. alan
Re: Precautions on upgrading FR from 2.1.10 to 2.2.0
...have a little test/dev server. Copy your current config onto it and run the new version in full debug mode, see what it might complain about. Alternatively, compare your config against the vanilla config and then just start from vanilla, making the required changes... this can really help to clean up old legacy configs and also helps you learn the server and how it works. I note this method as it's going to be crucial for 2.x to 3.x upgrades. alan
Re: Connect-Info attribute
Do your NAS send connect-info? Do your other RADIUS servers even note or use it? Freeradius is more verbose so you will notice this, and the provided sql schemas are very generic, one size won't fit all; you may find that you have to edit the config files for your purpose. Are you using the filters? If so, you will need to ensure eg connect-info is added to the relevant filter file, eg 'attrs'. alan
Re: Setting different IDLE-TIMEOUTS based on IP Address
Use any one of the clients.conf methods that were mentioned yesterday with some unlang and this would be working already. I seem to recall that huntgroups might be going the way of the dodo(?) It doesn't do regex methods because it's older... pre 1.0 code. alan
Re: Setting different IDLE-TIMEOUTS based on IP Address
If your NAS can take such a value then it can be assigned. Either via eg the users file and huntgroup, or via eg unlang: if (%{NAS-IP-Address} == 192.168.1.1) { update reply { Attribute = XYZ } } ... 'man unlang' for more info. alan
Re: Real server certificate for PEAP
A self-signed cert is real. It's just that you are the CA... which actually gives you greater security and keeps your authentication under your own control. If you believe that having a RADIUS server signed by a CA that is in the OS of your clients is the way you want to go, then simply go and buy a cert from eg thawte, verisign etc. alan
Re: Auth-Type krb5 not recognized by v2.1.12
What you are doing is actually okay (it's one of those exceptions where auth-type needs to be present, as the server has no idea to use krb5). I wonder if your server has been built with kerberos support? alan
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
All that stuff is on by default to ensure that people who want more than a really dumb and minimal server can get up and running without having to try to find what combination of stuff needs to be enabled. So, eg proxying is enabled... what's the issue? Unless you have actually edited proxy.conf to do something it won't do anything; there's no entry in clients.conf other than localhost too, so even if you had the required ports open to the world, nothing is going to happen. If all you want is EAP-TLS auth then it's very easy to minimise to that config... much much easier than having to learn the server better and trying to get there from a minimal config that doesn't work out of the box (ask those who have tried doing it that way... look at mailing list history for those that stripped the config out before then trying to get things to work). This isn't Apache, which does have a whole load of things on and can get you p0wned on port 80 if you have that open to the world. alan
Re: Setting up EAP-TLS as the ONLY authentication mechanism?
Blah blah. But you don't say what the issue is with the documentation... in fact your issue was with the default config and your requirements... which are actually both fully documented in the config. I don't see why you've dropped in from nowhere, thrown your ego around and then claim to be leaving. Expect help/advice in the future? Because if so, you've gone about it the wrong way really. alan
Re: How to use checkval
Do you need RPM? Can you not just build and install from the source? alan
Re: Failed to load module jradius freeradius server
This is the freeradius list, not the jradius list. If you want help and advice then use the appropriate list. Many thanks alan
Re: Freeradius with either LDAP or Mysql Error lib not found
As Fajar says, some distros split up the functions into separate packages (so you don't need to install loads of things just to have a basic server); use your package manager to find/install the sub packages. alan
Re: Failed to load module jradius freeradius server
This is the freeradius list, not the jradius list. If you want help and advice then use the appropriate list. Which bit wasn't clear?
Re: Freeradius 2.2.0 memory leak issue.
Have you tried the latest 2.2 GIT release? Many code updates. alan
Re: [Help] How to eliminate client certificate popup
"2. Check fig.9 and fig-10... looks like there is an option to cache user information and to 'not prompt user to...' that I think (cmiiw) will give a proper solution." It will stop pop-ups for future connections but not remove pop-ups for the initial connection... which is what the requester wants. alan
Re: schema.sql for postgresql problem in raduser group table
Do YOU need a primary key? alan
Re: overlapping cisco avpairs (UCS+IOS)
If the request is from UCS then reply with the required UCS reply attribute, else send back your old reply attribute. This can be done by either using the client-identifier attribute and unlang, or by using a new virtual-server instance... well, it can actually be done by at least another 3 ways, but those are the 2 methods I'd choose from. Alan
Re: Problem with quoting (Version 2.2.0)
Escape quotes around the CA path? \ alan
Re: Problem with quoting (Version 2.2.0)
or use a local symlink that doesn't have spaces in it ;) alan
Re: radiusd starts but rejects test user
Read the docs. Really, start from the beginning! In this case, this is the second hurdle... getting another device to talk to your server. Add that system to your clients.conf file with a correct/matching shared secret. This isn't rocket science but you must read the documentation in the first place! alan
Re: Upgrading from FR 2.1.10 to 2.2.x
First, check that CentOS doesn't have the security issue backported. For the upgrade, backup your current configuration directory, eg cp -R /etc/raddb /etc/raddb.backup. Then install the new version. 2.1.10 and 2.2.0 are config compatible apart from one single option which isn't set by default (check the release notes). The Freeradius install will not touch files that already exist... so you won't get any new options/comments in your config files and so may lose visibility of any new features in that regard... but new config files and modules and virtual servers will appear in your config. So, radiusd -X of your current server, capture the startup output, then do the same again after the upgrade and compare the difference. alan
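The backup-then-compare procedure from the reply above, as an added example that is not from the original post or the FreeRADIUS project. It assumes the daemon is on PATH as radiusd, the config lives in /etc/raddb, snapshots of the startup output go under /var/tmp/radius-upgrade, and that five seconds is enough for radiusd -X to finish its config dump on the box in question.

```shell
#!/bin/sh
# Added example: snapshot "radiusd -X" startup output before and after an
# upgrade and diff the two, after backing up the config directory.
# Assumptions (not from the page): daemon "radiusd" on PATH, config in
# /etc/raddb, snapshots kept in /var/tmp/radius-upgrade.

RADDB="${RADDB:-/etc/raddb}"
RADIUSD="${RADIUSD:-radiusd}"
SNAP_DIR="${SNAP_DIR:-/var/tmp/radius-upgrade}"
STARTUP_WAIT="${STARTUP_WAIT:-5}"

# Timestamped copy of the whole config directory (cp -R as in the reply).
# Prints the backup path so it can be recorded with the change.
backup_raddb() {
    dest="$RADDB.backup-$(date +%Y%m%d%H%M%S)"
    cp -R "$RADDB" "$dest" && echo "$dest"
}

# Start radiusd -X, give it STARTUP_WAIT seconds to print its startup
# (config and module loading) output, then stop it again. Prints the path
# of the captured snapshot, named "before" or "after".
snapshot_startup() {
    out="$SNAP_DIR/$1.txt"
    mkdir -p "$SNAP_DIR"
    "$RADIUSD" -X > "$out" 2>&1 &
    pid=$!
    sleep "$STARTUP_WAIT"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$out"
}

# Diff two snapshots: exit 0 when identical, 1 when they differ, with the
# unified diff on stdout so new modules/options stand out for review.
compare_startup() {
    diff -u "$SNAP_DIR/$1.txt" "$SNAP_DIR/$2.txt"
}

# Typical use on the server:
#   radius-upgrade-check.sh backup
#   radius-upgrade-check.sh before
#   ... install 2.2.x ...
#   radius-upgrade-check.sh after
#   radius-upgrade-check.sh compare
case "${1:-}" in
    backup)         backup_raddb ;;
    before|after)   snapshot_startup "$1" ;;
    compare)        compare_startup before after ;;
esac
```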
Re: [EAP/TLS] Authenfication through a certificate
As already said, post the output of radiusd -X (that will clearly show the logic taken). alan
Re: FTP Error when Radius is UP
Huh? How are the 2 related? What have you done to get into this state? alan
Re: radiusd running config - is it possible to display
? It's all on disk. And if that's changed since the server was run then radiusd -X won't help. You know you can run a check/verify instance...? And that using radmin you can check the configuration of particular modules in the current running instance? alan
Re: Quick question about RFC 3579 2.6.5
Really? Hmm, the rest of eduroam are using operator-name. Will check about the prevalence of the wispr attribute. alan
Re: Freeradius and EAP_TLS Problem:
So you went from a working system and then changed everything for the switch authentication. Why? Why didn't you just keep the same AAA backend? Either way, if you want to use 2 different certs and CAs then you'll need 2 instances, or proxy the other ones off to eg a Microsoft NPS server... but again, why? alan
Re: Session-Timeout
Yes. You could do it simply with the users file, use unlang in post-auth, or add it to LDAP, as 3 places to start with (just one way is enough!). And you'll need to ensure your NAS kit follows/honours the value you provide. If you are proxying a la eduroam then the remote site providing the service will decide what to do. They may honour your value, they may filter it out or they may override it with their chosen value. alan
Re: Chap/Pap Authentication
Forget the user-password. You are not using it, you are trying to kludge it. Just use the variable you have, or the facsimile you are making. This is freeradius, there are at least a dozen ways of doing what you want; Alan has given you a fine method. alan
Re: No authenticate method (Auth-Type) found for the request
...and then you did comment. And added more. It's open source and the documentation and Wikipedia is there for everyone to contribute. Don't like it? Feel free to show the world how you think it should look, or add the missing bits you have discovered. Unfortunately, what we get is people saying the docs are poor... that they found out how to do what they want... and never tell us. The next person who comes along then faces the same issue as the initial person was selfish. It's not a developer problem. alan
Re: LDAP Reply Attributes
Switch config issue? Ensure your switch is configured to authorize over RADIUS as well as to authenticate over RADIUS. (Sounds like it's doing the latter but not the former.) alan
Re: Failure with TLS authentication and Freeradius on Fedora-17
The certs resulting from a make install and initial run of 'radiusd -X' are valid and will work. alan
Re: Instantiation failed for module sql Errors initializing modules
Hi, Are you running as root? alan
Re: Failure with TLS authentication and Freeradius on Fedora-17
Ummm, if you are using those scripts then you have local certs which are different on each server... and thus the client wouldn't match. If you require both servers to be used by the same client then you need to use the same CA on both server installs. Likewise, only one server/CA should be making your client cert. alan
Re: rlm_ippool does not create DB and IDX files
That's just your/Red Hat view of the structure. Some might also say /opt is the place for things, if only there was a standard that wasn't LSB ;) alan
Re: freeradius down every Sun Dec 30 06:50:40 2012 : Error: ASSERT FAILED modcall.c[106]: (p-type MOD_SINGLE) (p-type = MOD_POLICY)
This fails without fail every Sunday? In that case check what happens... e.g. if that HUPing of FreeRADIUS is a weekly crontab then investigate what else is going on at that time... e.g. there appear to be MySQL errors. Are you using MySQL? If so, it's not good having errors with that module (and it can be the cause of the problem...). I wouldn't say just stop that job, it has a purpose... but see if you are also, e.g., dealing with MySQL log rotating at the same time, and if you are, don't. I would advise doing a restart of the daemon rather than a HUP, and contact your distro maintainers to get the latest version. 2.1.10 is really, really old. alan
Re: Freeradius Attribute For HotSpot Users
Use Expiration. Once a user has logged in for the first time, set the expiration for that account to the required value, or set it when the counter is reached. Et voilà, next time they try to login they can't (then you can do fancy extra stuff like telling them that their account has expired on the login window etc.). alan
Re: Kerberos - Radius does not get password
Hmm, having run FR with AD authentication using winbindd and Samba for many, many years, I am interested in what problems with those daemons you were having... why the need for frequent restarts etc. eduroam certainly wouldn't have had the high take-up we've seen in, e.g., Europe if all sites had to re-engineer their backend authentication and couldn't use PEAP/MSCHAPv2. alan -- This smartphone uses free WiFi around the world with eduroam, now that's what I call smart.
Re: how to read db files?
Hi, Seems that the first thing you need to fix is your routing and access ACLs to Google ;) "how to read Berkeley DB files" is pretty much a Google-whack. Might want to check out the db-utils package, e.g. http://amath.colorado.edu/computing/spamtrack/bdb/ alan
Re: freeradius query on password encryption and decryption
Yes. All clients will have a place where the shared secret is configured EVEN if the target is the localhost (that doesn't change the spec!). Check the Seagull docs and XML profile. Alan
Re: Issue with Kerberos
You can sort out the host key file if you want. PAP gives a warning because it hasn't been given a plain text password to test/verify; that's okay as you don't need it... and it does tell you things MAY fail. Alan
Re: share information between authorize and authenticate sections (rlm_perl rlm_python)
Hi, In Perl, I could write some new attributes in RAD_CHECK?? Then authenticate() will access them. In Python, attributes are read only, so I cannot use them to pass information to authenticate(). A simple database, like Redis, could be a solution by adding info with the id of the request (with Message-Authenticator as key)? We use and update private internal FreeRADIUS attributes. alan
Re: EAP
Hi, I wanted to ping the eduroam people about EAP over WAN links. Are there considerations that can cause connectivity issues that I should be examining? Depends on how fast your authentication backend is and what your NAS timers are set to. If your backend takes around 1 second to auth and your NAS has a 2s timeout, then the EAP round-trip time etc. could cause that to fail. If you have your NAS set to, e.g., a 5s RADIUS timeout instead then things should be okay... In eduroam we deal with/proxy EAP authentications from the other side of the world... sites with too-low timers on the NAS kit or with slow backend authentication soon find the problems. alan PS I know of a couple of APs that sit on the end of remote ISP links and can happily do EAP authentication remotely proxied by a tier of RADIUS servers.
Re: computer authentication
Hi, I am using all of the defaults from a freeradius install. example.com Phil's point was that a computer/machine authentication won't be sent with a realm; it will be of the form host/name.domain, where name is the hostname of the computer and domain will be its AD domain... alan
Re: computer authentication
Hi, [eap] Identity does not match User-Name, setting from EAP Identity. EAP doesn't like the User-Name being played around with; ensure that you 'nostrip' in your proxy.conf for the realm you are handling, or use 'Stripped-User-Name' for the checks/handlers. alan
Re: computer authentication
Hi, I have added 'nostrip' to the realm example.com and it looks like it has problems with that. Possibly some sort of loop? Looks like it; just realm example.com { nostrip } should do, i.e. take this request locally/directly. alan
Re: Eduroam FreeRadius not working so well
Hi, This looks like something I should be doing but I have no idea where to insert this section. Is it in proxy.conf or somewhere else? And in the authorize section of your virtual server, straight after the preprocess/suffix/realm module calls (i.e. before any real authorization action). With this configuration, I guess I don't need realms LOCAL or NULL? Correct, you will deal with your LOCAL realm by handling your defined realm. With eduroam you don't want to EVER authenticate a user who hasn't provided a realm, because, for your own users, they may work fine when they are at your site; they then think/believe their configuration works... and then find it doesn't work when they go to another eduroam site... and then they'll blame that site, your site or eduroam. Best policy for eduroam is ALWAYS ensure a realm is defined on the client. alan
Re: computer authentication
Hi, SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm. Or do as I said in my post tonight: you can keep the default home_server values etc. then... and your realm statements stay tidy. If you define auth_pools etc. for your home server then things get loopy. (I'd have replied earlier but you pasted your test onto Google Docs and my phone didn't have decent enough connectivity at the time to go web fetching.) alan
Re: computer authentication
Hi, you probably want to set PEAP as your default EAP type in eap.conf to save a couple of packets and a NAK. I don't see ntlm_auth being called; have you edited the mschap module? The host name is rather short; are you sure this host is bound into an AD? alan
Re: Eduroam FreeRadius not working so well
Hi, I have a valid current subscription and yum reports no updates for my freeradius install, so I'm assuming it's okay. I didn't want to dwell on the version though as I just upgraded from a much older release which didn't help with my problem. 2.1.12-4 appears to have the required TLS fix; however, not sure why 2.2.0 isn't provided now anyway. This backporting of random things doesn't help in diagnosis. alan
Re: Eduroam FreeRadius not working so well
Hi, home_server_pool EDUROAM-FTLR { type = fail-over home_server = proxy1 home_server = proxy2 } I would use: type = client-port-balance to balance between the 2 (that method ensures the EAP goes to one remote server). realm DEFAULT { pool = EDUROAM-FTLR nostrip } Hmm, this isn't best practice if that's all you have for throwing stuff upstream. I would strongly recommend using unlang to validate that the user has a valid realm etc. and then update the request to use a realm identifier (e.g. eduroam) and use that in proxy.conf instead. Thus you are only sending valid users upstream (and not all the random typos and junk), as the upstream servers will like you more for that, and won't be dropping requests and messing you up. alan
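As an added example (not configuration from any of the posts above), here is how the advice from the "computer authentication" thread and the "Eduroam FreeRadius not working so well" thread fits together in FreeRADIUS 2.x: the site's own realm is defined with nostrip and no pool so it is handled locally, host/ machine identities (which carry no realm) are also handled locally, the upstream pool uses client-port-balance, and the authorize policy only proxies identities with a plausible realm by setting Proxy-To-Realm instead of relying on a DEFAULT catch-all realm. The response_window and status_check values follow the timing advice in the EAP-over-WAN and controller-timeout messages. The names example.com, proxy1/proxy2 and EDUROAM-FTLR are placeholders modelled on the thread; the IP addresses, the shared secret and the regular expression that defines a "sane" realm are my own assumptions.

```conf
# --- proxy.conf (added example; addresses and secret are placeholders) ---

home_server proxy1 {
    type            = auth
    ipaddr          = 192.0.2.1        # documentation address, assumption
    port            = 1812
    secret          = change-me
    response_window = 10               # ~10 s is about the most global roaming needs
    status_check    = status-server    # learn the proxy is dead from probes, not guesses
}

home_server proxy2 {
    type            = auth
    ipaddr          = 192.0.2.2
    port            = 1812
    secret          = change-me
    response_window = 10
    status_check    = status-server
}

home_server_pool EDUROAM-FTLR {
    # keeps every packet of one EAP conversation on the same upstream server
    type        = client-port-balance
    home_server = proxy1
    home_server = proxy2
}

# Our own realm: no auth_pool, so the request is handled locally.
# nostrip keeps User-Name intact, which EAP requires.
realm example.com {
    nostrip
}

# Routing target only: nobody logs in as user@eduroam, so suffix never
# matches this realm; it is selected from unlang via Proxy-To-Realm.
realm eduroam {
    auth_pool = EDUROAM-FTLR
    nostrip
}

# --- sites-enabled/default, authorize section (added example) ---

authorize {
    preprocess
    suffix            # sets Realm / Stripped-User-Name when the realm is known

    # Machine authentication arrives as host/name.domain with no realm: local.
    if (User-Name =~ /^host\//) {
        noop
    }
    # Our own users: realm example.com has no pool, so they are local too.
    elsif (Realm == "example.com") {
        noop
    }
    # Foreign users must present a plausible realm before we proxy them;
    # "bob", "bob@" or "bob@localhost" is rejected here rather than handed
    # to the national proxy.
    elsif (User-Name =~ /^[^@]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/) {
        update control {
            Proxy-To-Realm := "eduroam"
        }
    }
    else {
        reject
    }

    # Local authentication methods follow; rlm_eap does not start a local
    # EAP conversation when Proxy-To-Realm is already set.
    eap {
        ok = return
    }
    files
    expiration
}
```

Check it with radiusd -X and a test account from a real foreign eduroam realm: the debug output should show Proxy-To-Realm being set and the request leaving via one of proxy1/proxy2, while a bare username or a typo'd realm is rejected locally and never reaches the upstream servers.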
Re: Eduroam FreeRadius not working so well
In the first instance, upgrade. There is a major security problem with the 2.1.x release. Get 2.2.x onto your system asap. What are your NAS (Cisco controllers) timeouts? Is this box a pure proxy or does it do authentication too? Have you enabled Cisco's status-check system so it knows the RADIUS server isn't dead but just hasn't had a remote response yet? Around 67% of eduroam sites in the UK use FreeRADIUS. alan
Re: Python access to attribute lists
Hi, I wonder if a better option wouldn't be something like rlm_unixsocket which passes the request down a unix socket in a standard format, and takes the reply in the same way. Then the various interpreters could run out-of-process. I was thinking about the same thing the other day after the mumblings about removing rlm_perl from FreeRADIUS. We don't need that much really, just a way of passing some details into external code and passing some details back (the external code in our case is Perl as it's just so darn flexible and extensible...). I was thinking of having the Perl code running as a background process like our other Perl code (which removes a lot of issues and means everything can be nicely threaded etc.) with some exec'd code to throw the values to it and get an answer back. rlm_rest might be an alternative as you say. Whilst I like omelettes... in our case, we've been simmering a slow-cook stew with our RADIUS configurations/adjustments/changes over the years, so a few new broken eggs for a quick snack might not be to everyone's taste (basically all our local scripts for various servers would have to be rewritten from almost scratch; the joys of Perl being our local modules/subroutines which can just be dropped into the new handler/code), but a unix socket approach would be far more efficient I feel (cue the screams from people with other ideas!). Likewise too busy with other projects/work/issues. alan
Re: Eduroam FreeRadius not working so well
Hi, This is the Red Hat RPM which I believe is maintained by Red Hat. Hopefully they've backported any major security issues! Got the changelog for the 2.1.12 RPM release you are running? It does both authentication and proxy and I do have status-check enabled. On the controller I increased the default timeout from 2 seconds up to 8 seconds. At the same time I lowered the 2 seconds is very low for international RADIUS proxying... the traffic needs to get to the end site... and then be dealt with by the end site (which may take 1 to many seconds to actually authenticate the user once the tunnel is created). Somewhere around 10 seconds is the maximum I would expect for global roaming authentication via multiple proxy peers. The RADIUS server is at the mercy of the controller and the remote sites... who might not be answering at all... they could just reject. I haven't seen a sanity error message like that since the troublesome 2.1.7 - 2.1.9 days when the proxy code got some rewrites in places. I wonder if your proxy.conf for the home server stuff is correct and not flipping requests between remote proxies? What does the server show/say in full debug mode with a test remote account? alan
Re: Radius Code set to 2??
You were already given an answer. The AP shouldn't be sending a RADIUS Access-Accept to the server. Either a misconfiguration, software bug or misreading of the issue. alan
Re: FreeRadius authentication problems
Hi, Found Auth-Type = Accept Auth-Type = Accept, accepting the user RADIUS all okay. I followed the plain MAC auth guide to get this far, and the system sort of works, but not quite. So the configs must be out of whack somehow, but since RADIUS doesn't give any debug info when I get booted out of the network I'm at a loss here. Any help? Why would it (give you any info)? It's done its job, authenticating your system as required. Your problem is on your controller: what else do you have to send to the Ruckus along with the Access-Accept? Do you also need to send other stuff? Is the problem some nice L2/L3 network issue, such as the network you are dropping the client onto doesn't exist in the controller... or there is no routing for it or no DHCP available to the client? Not a RADIUS problem. alan
Re: I wanna post
Hi, I want a pony, and a Cessna, and to eat sushi off a cute Mexican girl dressed in a combination Pikachu/nurse's outfit. ...I want a way of wiping that reply from my memory... the images, the images! ;-) alan
Re: 802.1x Issue
Hi, Have you guys heard about SecureW2? People from Cloudpath Networks said they can make it work with MD5 hash passwords on 802.1x with TTLS-PAP. They said I can make it work as well with EAP-TLS via certificates and PKI. Is that correct? Has anyone tested that before? I'll repeat what was already said in this thread: old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP, e.g. Open1X or SecureW2. Windows 8 now natively supports such EAP methods. So... yes, if you have a backend constraint then you can get around this by making your customers install a 3rd-party program to allow, e.g., EAP-TTLS/PAP to be used, which means you can use, e.g., MD5 passwords in the backend. Your level of success with such 3rd-party supplicants will be mixed and varied... sometimes it won't install, sometimes it has issues with the wireless drivers. alan
Re: 802.1x Issue
Hi, So would you recommend? Your opinion above looks like you wouldn't do that, since it may not work. Kinda complicated, since we are a university, and need to work with everyone. We are a university and we avoid using any extra programs/utils to perform such duties (especially as the OSes now have 802.1X support natively). We were involved in the OpenSEA alliance a while back and helped evolve the Open1X tool, but until there's a must-have and compelling reason to go for such a tool (e.g. perhaps integrated single sign-on with applications via Moonshot) then take the basic default OS 802.1X where you can. I believe that SecureW2 was popular in many European countries for eduroam but that has receded too (and an older pre-licence-change version is what is used). alan
Re: 802.1x Issue
Hi, Most times you will be able to get the native supplicant working given enough prodding, but prodding on a large scale is unfeasible without some kind of automated tool, because students are really, really bad at following instructions. Oh yes, I agree with that: configuration deployment tool = big yes! 3rd-party supplicant = big no ;-) Whatever happened to Open1X anyway? Last update in 2011, is it pretty much dead now? ISTR that they got bogged down with the whole TNC/posture validation thing, the initial product coming from a company that got divided into the wind (Identity Engines IIRC), with the OpenSEA alliance just pretty much gone save for some Google cached pages and Wayback Machine storage space. Back in 2007 the 802.1X space was a different beast. alan
Re: About Radius security
Hi, But when using this method through a proxy way, where is data encryption? The TLS tunnel is set up with the remote server, the traffic being passed through all the interim proxies. So the client only trusts the remote server (i.e. the server they authenticate against); all the traffic is encapsulated within the TLS tunnel (which is transferred in RADIUS packets). So long as the client is configured to trust only the CA of the remote RADIUS server and the CommonName of the remote RADIUS server, you have the PKI assurance. alan
Re: 802.1x Issue
Hi, Well, let's say it's not possible... since we are a university, with something about 600 connections every night, with lots of OSes working (70% Windows), it would be kinda hard to configure every single computer with a software. It's better to make a new DB with new passwords on EAP and use a .bat + XML profile to configure Windows notebooks. We are a university with around 6500 concurrent wireless users and 5000 concurrent wired connections in the student residential network. We use a profile deployment tool; our current choice is Cloudpath XpressConnect, which does its job. Our Windows clients are configured to use standard Microsoft PEAP (PEAPv0/MSCHAPv2); our backend authentication is Microsoft Active Directory; our FreeRADIUS servers authenticate the users via the AD, and we have a post-auth Perl script which does some checks and then, if, e.g., a student, puts them onto a student VLAN. All basic 802.1X and AAA stuff. We are also a member of eduroam, so visitors to our campus who are also from eduroam sites just get online, most without even realising, as they have an eduroam profile on their smartphone or tablet. Zero config 'open laptop and be online', all done by the same FreeRADIUS architecture. Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP, e.g. Open1X or SecureW2. Windows 8 now natively supports such EAP methods, so those new Surface tablets should make life easier. Just ensure that your settings are actually secure on the clients, i.e. ensure that the clients are set to trust the CA of your RADIUS server and are set to have the CN of your RADIUS server. alan
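The two client-side checks that the "About Radius security" and "802.1x Issue" replies above insist on (trust only the CA that issued the home RADIUS server's certificate, and pin the server's name) look like this in a wpa_supplicant network block. This is an added example and not part of the original posts; the SSID is eduroam but the realm example.ac.uk, the certificate path, the server name radius.example.ac.uk and the password are placeholders. On Windows the same two settings are the "Validate server certificate" trusted root CA list and the "Connect to these servers" field of the PEAP properties dialog, which is what a deployment tool such as the one mentioned above pushes out.

```conf
# wpa_supplicant.conf (added example; names and paths are assumptions)
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Outer identity is anonymous but MUST carry the realm: every proxy on
    # the path routes on it, the home server alone sees the inner identity.
    anonymous_identity="anonymous@example.ac.uk"
    identity="bob@example.ac.uk"
    password="change-me"

    # Trust ONLY the CA that issued the home RADIUS server's certificate.
    # Leaving this unset, or pointing at the OS bundle, lets any public-CA
    # certificate on a rogue AP terminate the tunnel and collect MSCHAPv2.
    ca_cert="/etc/ssl/certs/example-ac-uk-radius-ca.pem"

    # Pin the server name too: CA trust alone is not enough if that CA also
    # issues certificates to other servers. subject_match is a substring
    # match on the subject DN; newer wpa_supplicant also offers
    # domain_suffix_match="radius.example.ac.uk" for a stricter check.
    subject_match="CN=radius.example.ac.uk"
}
```

A quick way to confirm the pin actually bites is to point ca_cert at a CA that did not issue the server certificate, or change subject_match to a name the certificate does not carry, and watch the EAP exchange fail before any MSCHAPv2 response is sent.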