Setting VLAN from inner-tunnel

2010-03-29 Thread Ben Thompson
Hi

I am trying to assign a VLAN for PEAP and TTLS clients using a section
like this in the inner-tunnel configuration:-

update outer.reply {
  Tunnel-Private-Group-ID := 123
  Tunnel-Type := VLAN
  Tunnel-Medium-Type := IEEE-802
}

However, I can't get it to work. The attributes are added and in the
debug I can see that they go to the NAS in the access-challenge
sections but they are not present in the final access-accept.

Is there any way to make this work?

Thanks

-- 

Ben Thompson

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Setting VLAN from inner-tunnel

2010-03-29 Thread Ben Thompson
On Mon, Mar 29, 2010 at 01:02:09PM +0100, Leighton Man wrote:
 
> > Is there any way to make this work?
>
> I have it working with:
>
> update reply {
>         Tunnel-Type = VLAN
>         Tunnel-Medium-Type = IEEE-802
>         Tunnel-Private-Group-Id = 141
> }

Thanks, but unless I'm missing something I don't understand how this
can work from the inner tunnel without update outer.reply ?


Problem with HUP occurs after upgrade from 2.1.5

2010-03-09 Thread Ben Thompson
Hi

I have a server running 2.1.5 which has been running happily for a
long time with the same config. However, I recently tried upgrading to
2.1.8 and found that after HUP the server dies :-

Mon Mar  8 22:05:58 2010 : Info: Loaded virtual server inner-tunnel
Mon Mar  8 22:05:58 2010 : Info: Loaded virtual server default
Mon Mar  8 22:05:59 2010 : Error: ASSERT FAILED modcall.c[106]: (p->type > MOD_SINGLE) && (p->type <= MOD_POLICY)

I also tried 2.1.6 and this also had the problem. Can anyone advise
what this error means?

Thanks

Ben


poptop - received RADIUS server response with invalid length

2007-11-14 Thread Ben Thompson

Hi

We are running a poptop vpn server which authenticates via radiusclient
and freeradius. Some people have reported problems logging in
so I decided to investigate. Here is a log from the vpn server :-

Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP ConfReq id=0x1 asyncmap 0x0 
auth chap MS-v2 magic 0xa7836037 pcomp accomp]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP ConfAck id=0x1 asyncmap 0x0 
auth chap MS-v2 magic 0xa7836037 pcomp accomp]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP EchoReq id=0x0 magic=0xa7836037]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [CHAP Challenge id=0x9 
f426157bf1a8cd0fbc8d2276a48e731a, name = pptpd]
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Ignored a SET LINK INFO packet with 
real ACCMs!
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP Ident id=0x2 magic=0x76cf2fdd 
MSRASV5.10]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP Ident id=0x3 magic=0x76cf2fdd 
MSRAS-0-ANNA]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP EchoRep id=0x0 magic=0x76cf2fdd]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [CHAP Response id=0x9 
4166d4713ef8cec048e88644889a7fbcadcaef9a0709f7576bad0ce28f82ed7e5fb6e8c193a192bb00,
 name = ozw1]
Nov 14 11:26:12 nassrv3 pppd[15621]: rc_check_reply: received RADIUS server 
response with invalid length
Nov 14 11:26:12 nassrv3 pppd[15621]: rc_avpair_gen: received attribute with 
invalid length
Nov 14 11:26:12 nassrv3 pppd[15621]: Peer ozw1 failed CHAP authentication
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [CHAP Failure id=0x9 ]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP TermReq id=0x2 Authentication 
failed]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP TermAck id=0x2 Authentication 
failed]
Nov 14 11:26:12 nassrv3 pppd[15621]: Connection terminated.
Nov 14 11:26:12 nassrv3 pppd[15621]: Exit.
Nov 14 11:26:12 nassrv3 pptpd[15620]: GRE: read(fd=6,buffer=5109c0,len=8196) 
from PTY failed: status = -1 error = Input/output error, usually caused by 
unexpected termination of pppd, check option syntax and pppd logs
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: PTY read or GRE write failed 
(pty,gre)=(6,7)
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Reaping child PPP[15621]
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Client 81.132.112.97 control 
connection finished


Here is the relevant part of radius.log :-

Wed Nov 14 11:26:12 2007 : Auth: Login OK: [ozw1] (from client vpnvirtualip 
port 0 cli 1.18)


Here is a packet capture showing the radius conversation :-

11:26:12.567346 IP vpn.york.ac.uk.33286 > nasaaa2.york.ac.uk.radius: RADIUS, Access Request (1), id: 0xc1 length: 140
11:26:12.568107 IP nasaaa2.york.ac.uk.radius > vpn.york.ac.uk.33286: RADIUS, Access Accept (2), id: 0xc1 length: 179
11:26:12.568122 IP vpn.york.ac.uk > nasaaa2.york.ac.uk: ICMP vpn.york.ac.uk udp port 33286 unreachable, length 215


Can anyone suggest what might be the problem here? I don't understand the udp
port unreachable
or the received RADIUS server response with invalid length messages.

Thanks

Ben Thompson
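
The two "invalid length" messages in the pppd log above are length-validation failures in the RADIUS client. As an added example (not part of the original post and not radiusclient's code), this sketch applies the length checks RFC 2865 requires of a receiver to constructed packets; the function names and sample packets are hypothetical.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         11: "Access-Challenge"}

def check_radius_packet(datagram):
    """Return (ok, message, attrs) after RFC 2865 length validation."""
    if len(datagram) < 20:
        return False, "datagram shorter than the 20-byte header", []
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= 4096:
        return False, "Length field %d outside 20..4096" % length, []
    if length > len(datagram):
        return False, "Length field %d but only %d bytes received" % (
            length, len(datagram)), []
    attrs, pos = [], 20          # octets past Length are padding, ignored
    while pos < length:
        if length - pos < 2:
            return False, "truncated attribute header at offset %d" % pos, attrs
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_len < 2:
            return False, "attribute %d has length %d" % (a_type, a_len), attrs
        if pos + a_len > length:
            return False, "attribute %d overruns the packet" % a_type, attrs
        attrs.append((a_type, datagram[pos + 2:pos + a_len]))
        pos += a_len
    summary = "%s id=0x%02x length=%d" % (CODES.get(code, code), ident, length)
    return True, summary, attrs

def build(code, ident, body, length=None):
    """Constructed test packet: header, zeroed authenticator, raw attribute bytes."""
    total = 20 + len(body) if length is None else length
    return struct.pack("!BBH", code, ident, total) + bytes(16) + body

# Constructed samples (not the packets from the capture above).
FRAMED = bytes([6, 6, 0, 0, 0, 2]) + bytes([7, 6, 0, 0, 0, 1])  # Service-Type, Framed-Protocol
GOOD = build(2, 0xC1, FRAMED)
SHORT_DATAGRAM = build(2, 0xC1, FRAMED, length=200)   # header claims more than arrived
ZERO_LEN_ATTR = build(2, 0xC1, bytes([26, 0, 0, 0]))  # attribute length below 2
OVERRUN_ATTR = build(2, 0xC1, bytes([26, 10, 0, 0]))  # attribute runs past Length

if __name__ == "__main__":
    for name in ("GOOD", "SHORT_DATAGRAM", "ZERO_LEN_ATTR", "OVERRUN_ATTR"):
        print(name, check_radius_packet(globals()[name])[:2])
```

Running the same checks over the raw bytes of a captured Access-Accept shows whether the server's packet is malformed on the wire or the client is rejecting a well-formed reply.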


Re: rlm_eap_tls sometimes fails to read files after HUP

2006-03-24 Thread Ben Thompson
On Thu, 2006-03-23 at 12:15 -0500, Alan DeKok wrote:
> Ben Thompson [EMAIL PROTECTED] wrote:
> > Could someone advise how to go about debugging this problem?
>
>   b) look at the logs to see what SSL errors are being returned right
>   before the Error reading certificate file message.

Hi

Thanks for the help, here is the log :-

Fri Mar 24 15:37:19 2006 : Info: Reloading configuration files.
Fri Mar 24 15:37:19 2006 : Info: Using deprecated naslist file.  Support
for this will go away soon.
Fri Mar 24 15:37:19 2006 : Info: rlm_eap_tls: Loading the certificate
file as a chain
Fri Mar 24 15:37:19 2006 : Error: rlm_eap: SSL error error:0906D06C:PEM
routines:PEM_read_bio:no start line
Fri Mar 24 15:37:19 2006 : Error: rlm_eap_tls: Error reading certificate
file
Fri Mar 24 15:37:19 2006 : Error: rlm_eap: Failed to initialize type tls
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[9]: eap: Module
instantiation failed.
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[1719] Unknown module
eap.
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[1666] Failed to parse
authenticate section.


--
Ben Thompson
University of York



Re: Version 1.1.1 stops responding

2006-03-23 Thread Ben Thompson
On Thu, 2006-03-23 at 09:24 -0500, King, Michael wrote:
> So I built 1.1.1 on Debian.
>
> After a period of so many hours (variable) it stops responding.
> (Sometimes 2hours, sometimes 16hours)
>
> Now here's where it gets weird, (and makes me suspect it might not be
> freeRADIUS at the root cause)
>
> If I stop and restart the freeRADIUS service, it continues to ignore
> RADIUS packets.

I am seeing a similar problem on RedHat. I originally thought it was
only happening when I sent a HUP signal, but it turns out this is not
the case. 

However in my case all I have to do to fix it is restart the service (I
do not need to reboot the entire operating system). 


Ben



rlm_eap_tls sometimes fails to read files after HUP

2006-03-22 Thread Ben Thompson
Hi

I have just upgraded to FreeRADIUS 1.1.1 after previously using the
1.0.1 RedHat package.

At first startup it works fine but sometimes when the server receives a
HUP signal (we do this every 15 mins) to re-read the config files I am
getting the following errors :-

Wed Mar 22 16:48:45 2006 : Info: Reloading configuration files.
Wed Mar 22 16:48:47 2006 : Info: rlm_eap_tls: Loading the certificate
file as a chain
Wed Mar 22 16:48:47 2006 : Error: rlm_eap_tls: Error reading certificate
file
Wed Mar 22 16:48:47 2006 : Error: rlm_eap: Failed to initialize type tls
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[9]: eap: Module
instantiation failed.
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[1719] Unknown module
eap.
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[1666] Failed to parse
authenticate section.

At this point I have to restart. As I said this only happens sometimes,
at other times it is successful and I just get this :-

Wed Mar 22 16:47:36 2006 : Info: Reloading configuration files.
Wed Mar 22 16:47:36 2006 : Info: rlm_eap_tls: Loading the certificate
file as a chain
Wed Mar 22 16:47:37 2006 : Info: Ready to process requests.

Could someone advise how to go about debugging this problem?

Thanks

Ben Thompson




D-Link Airplus Supplicant MSCHAP2 error

2006-01-16 Thread Ben Thompson
Hi

We run a WPA/TKIP/PEAP wireless network with FreeRADIUS 1.0.1 on Redhat.
Most client machines tend to be Windows XP and they are usually set
up to use the Microsoft built in supplicant. Occasionally someone comes
along with a Windows 2000 box and we have to set them up using whatever
software came with the network card as there is no wireless
configuration tool included in the OS. Usernames are specified using the
format [EMAIL PROTECTED] and we normally reject anything without a realm
using the following entry in the users file :-

DEFAULT Realm == NULL, Auth-Type := Reject

we also have :-

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name = %{User-Name},
        Fall-Through = Yes

and in eap.conf :-

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
}

The other day someone came along with a Win2K box with D-Link wireless
card and we attempted to set it up to access the network. We could not
get it to work and noticed the following output from FreeRADIUS :-

modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with
NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := 4025
User-Name = [EMAIL PROTECTED]
MS-CHAP-Error = \007E=691 R=1
EAP-Message = 0x04070004
Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0xc15ca10 3
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := 4025
User-Name = [EMAIL PROTECTED]
MS-CHAP-Error = \007E=691 R=1
EAP-Message = 0x04070004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module eap returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 168 to 144.32.226.208:1645
Tunnel-Type:1 := VLAN
Tunnel-Medium-Type:1 := IEEE-802
Tunnel-Private-Group-Id:1 := 3970
EAP-Message =
0x0108004819001703010018e031d8fca1c0cbfedb0cfcdce46b9a4c46758441f22e0ba417030100203027372cc858586642a97e40254bb292c08bd9e461560f21dd2c8e77b66450ee
Message-Authenticator = 0x
State = 0x73386b81b01f285fe325fdeb408f2f43
Finished request 6

Just for testing we removed the NULL realm reject from the users file
and tested the client with username entered on its own and found that
this worked OK. Does this point to a problem with the D-link supplicant
or could it be a problem with our setup? The MSCHAP2 response is
incorrect when I specify the realm. Does this mean the supplicant is
incorrectly handling the username and stripped username?

Thanks 

Ben Thompson
University of York




Re: Installing a signed SSL certificate

2005-12-03 Thread Ben Thompson
On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
> I am considering use of a CA-signed SSL certificate.
> Comodo (instantssl.com) offers an Intranet SSL
> certificate good on a single, internal host.  All of
> their documentation refers to set up with a web server
> or for email verification. Would it also work with FR?

Are you doing PEAP on a wireless network with Windows clients?

If so, you need to check that the certificate includes the
server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage
section.

Cheers

Ben



Re: Intel PEAP client Roaming Identity

2005-09-19 Thread Ben Thompson
On Thu, 2005-09-15 at 13:54 -0400, Alan DeKok wrote:
> Ben Thompson [EMAIL PROTECTED] wrote:
> > Could anyone advise me whether it is possible to configure my server so
> > that the actual username used gets logged in the accounting records
> > instead of this roaming identity string?
>
>   Configure peap{}  ttls{} with use_tunneled_reply = yes.
>
>   Add the following to the top of the users file:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>         User-Name = %{User-Name},
>         Fall-Through = Yes
>
>   This will send the inner tunnel user name back to the AP, which is
> *supposed* to then use it in accounting packets.
>
>   Alan DeKok.

Thanks Alan, that's done the trick.

Ben



Intel PEAP client Roaming Identity

2005-09-15 Thread Ben Thompson
Hi

We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat
AS 4. It is important for us to know who is using the network at any
given time so the accounting logs are very useful to us. The other day
someone came along with a laptop using an Intel wireless adapter and
client software. In the configuration settings for this program there
was a place to enter a username and password for PEAP authentication and
there was also a field named Roaming Identity which as default was set
to [EMAIL PROTECTED]. The client connected up fine, but when I
checked the RADIUS accounting logs I noticed that the username for that
client was listed as [EMAIL PROTECTED] instead of the one I expected.
After a bit of googling I found this link on the Dell website which
describes that the roaming identity is only required for MS RADIUS
servers :-
http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm
Could anyone advise me whether it is possible to configure my server so
that the actual username used gets logged in the accounting records
instead of this roaming identity string?

Many Thanks

Ben Thompson





Re: Require realm suffix

2005-09-06 Thread Ben Thompson
On Tue, 2005-09-06 at 10:49 +0200, Nicolas Baradakis wrote:
> Ben Thompson wrote:
>
> > I have set up FreeRADIUS so that I am using the realm format
> > [EMAIL PROTECTED] I have successfully got this working by adding the
> > relevant realm to proxy.conf and setting authhost and acchost to LOCAL.
> > Currently when someone logs in without specifying a realm, they are still
> > authenticated and I would like to know if it is possible to change this
> > behaviour so that users must specify the realm suffix.
>
> Perhaps you could uncomment the realm NULL in proxy.conf and add in
> the users file:
>
> DEFAULT Realm == NULL, Auth-Type := Reject

Hi

That worked perfectly.

Thanks

Ben





Require realm suffix

2005-09-05 Thread Ben Thompson
Hi

I have set up FreeRADIUS so that I am using the realm format
[EMAIL PROTECTED] I have successfully got this working by adding the
relevant realm to proxy.conf and setting authhost and acchost to LOCAL.
Currently when someone logs in without specifying a realm, they are still
authenticated and I would like to know if it is possible to change this
behaviour so that users must specify the realm suffix.

Thanks

Ben Thompson



Re: more on server certificates

2005-08-27 Thread Ben Thompson
On Sat, 2005-08-27 at 13:07 +0100, Phil Mayers wrote:
> I am surprised no-one else is offering that EKU oid. Have you tried
> speaking to someone technically knowledgeable at one of the other CAs -
> it may be something they can do as a specific request, even if it's not
> a default option.

Hi

I found out yesterday that the Secure Server and Secure Server Pro
certificate offerings from Verisign do contain the EKU oid. These can be
bought on-line using conventional methods, so it looks like I can use
one of those.

Thanks again,

Ben Thompson





more on server certificates

2005-08-25 Thread Ben Thompson
Hi

Has anybody got a digital certificate (with the extended key usage
attributes required for PEAP) installed on their FreeRADIUS box that has
been signed by a commercial trusted CA? 

I have come to suspect that this is impossible due to the fact that
Verisign are the only company marketing such a product and it can only
be installed on a Windows server (as the online purchase system only
works if done from the target machine using Internet Explorer and
Xenroll).

Thanks

Ben





Server Certificate for use with Windows PEAP Clients

2005-08-22 Thread Ben Thompson
Hi

I'd like to get certificates installed on two of our FreeRADIUS boxes to
satisfy the requirements of the Windows built in PEAP client when it
does its Validate server certificate bit.

I have read about the requirement for the certificate to include the
Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage
section and I would like to know if anyone else has had experience of
this. I have also heard about the special WLAN certificate available
from Verisign which sounds like it will do the job, but I would like to
hear from anyone who knows about an alternative as this one is a bit
pricey.

Thanks

Ben Thompson








Re: Server Certificate for use with Windows PEAP Clients

2005-08-22 Thread Ben Thompson
On Mon, 2005-08-22 at 12:12 -0400, Alan DeKok wrote:
> Ben Thompson [EMAIL PROTECTED] wrote:
> > I have read about the requirement for the certificate to include the
> > Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage
> > section and I would like to know if anyone else has had experience of
> > this.
>
>   Yes.  Use it, it works.
>
> > I have also heard about the special WLAN certificate available from
> > Verisign which sounds like it will do the job, but I would like to
> > hear from anyone who knows about an alternative as this one is a bit
> > pricey.
>
>   See the scripts directory.  You can create certificates, with the
> OID, for free.
>
>   Alan DeKok.

Hi

Thanks for the info. I would like to get a certificate installed that
has been signed by one of the trusted CAs if possible. I am not sure
about the Verisign certificate as they seem to want people to buy online
and download using some sort of automated certificate installation
feature in Internet Explorer on the target machine. As described here :
http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en

Cheers

Ben




Require NAS dependant radius return attributes

2005-08-17 Thread Ben Thompson
> Ben Thompson wrote:
>
> > The trouble is I need to assign different VLANs to users depending
> > on which access point they connect from. What I would like to know is if it
> > is possible to use Huntgroups to look up the VLAN id based on something
> > like the IP address of the access point?
>
> You could test the variable Client-IP-Address in the users file.
>
> testuser Client-IP-Address == 10.0.0.1, Password := azerty
>         Tunnel-Private-Group-ID:1 := 1,
>         Fall-Through = Yes
>
> testuser Client-IP-Address == 10.0.0.2, Password := azerty
>         Tunnel-Private-Group-ID:1 := 2,
>         Fall-Through = Yes
>
> --
> Nicolas Baradakis

Hi

Thanks for that advice. I can see that I could end up with a very large
users file using this method. Is there any limit on the size of the
users file? In the near future we may have something like 80 entries
in there. Is this where you would normally look to use a database
backend?

Thanks

Ben




Re: Require NAS dependant radius return attributes

2005-08-17 Thread Ben Thompson
On Wed, 2005-08-17 at 10:51 -0400, Alan DeKok wrote:
> Ben Thompson [EMAIL PROTECTED] wrote:
> > Thanks for that advice. I can see that I could end up with a very large
> > users file using this method. Is there any limit on the size of the
> > users file?
>
>   Memory.  Also, the CPU time required to walk its internal
> representation (linked list).
>
> > In the near future we may have something like 80 entries in
> > there. Is this where you would normally look to use a database
> > backend?
>
>   Yes.  Or, if the mappings are relatively simple, you could look at
> rlm_passwd, which does simple mappings.  It uses a hash to look up
> data, so it should be fast.
>
>   Alan DeKok.

Hi

Thanks for the info, I will have a look at rlm_passwd.

Meanwhile I have tested a setup using the huntgroups file combined with
the use of multiple DEFAULT entries in the users file like this :-

huntgroups file

group1  NAS-Identifier == accesspoint5
group1  NAS-Identifier == accesspoint2

group2  NAS-Identifier == switch6
group2  NAS-Identifier == switch3

etc..

users file

user1   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes

user2   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes


DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025



This cuts the potential size of my users file down to about 2
entries and the huntgroups file to about 50 entries. Does this sound
reasonable? I am currently running on a dual Xeon 2.8Ghz with 2GB of RAM
which is dedicated to running FreeRADIUS.

Many Thanks

Ben Thompson
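
How the huntgroups and users files in the message above combine to pick a VLAN per NAS, as an added example that is not part of the original post and is not FreeRADIUS code. It is a simplified model that assumes top-to-bottom matching with Fall-Through, handles only the `==`, `:=` and `=` operators shown, and performs no authentication; all function names are hypothetical.

```python
import re

# Constructed copies of the two files quoted above, reply items indented.
HUNTGROUPS = """\
group1  NAS-Identifier == accesspoint5
group1  NAS-Identifier == accesspoint2
group2  NAS-Identifier == switch6
group2  NAS-Identifier == switch3
"""
USERS = """\
user1   NT-Password := 35C8397B2320E568467904961A2AF40F
        Fall-Through = Yes
DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes
DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes
DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025
"""
ITEM = re.compile(r"(\S+)\s*(:=|==|=)\s*(\S+)")

def items(text):
    """Split 'Attr op Value, Attr op Value' into (attr, op, value) tuples."""
    return [m.groups() for m in ITEM.finditer(text.replace(",", " "))]

def parse(text):
    """Unindented line = entry name + check items; indented lines = reply items."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace():
            entries[-1]["reply"] += items(line)
        else:
            name, _, rest = line.partition(" ")
            entries.append({"name": name, "check": items(rest), "reply": []})
    return entries

def in_huntgroup(request, group, huntgroups):
    """True if any huntgroups line for this group matches the request."""
    return any(e["name"] == group and
               all(request.get(a) == v for a, _, v in e["check"])
               for e in huntgroups)

def authorize(request, users=USERS, huntgroups=HUNTGROUPS):
    """Walk the users file top to bottom and return the reply attributes."""
    groups, reply = parse(huntgroups), {}
    for e in parse(users):
        if e["name"] not in ("DEFAULT", request.get("User-Name")):
            continue
        # Only '==' check items filter; ':=' ones (NT-Password) set config.
        tests = [(a, v) for a, op, v in e["check"] if op == "=="]
        if not all(in_huntgroup(request, v, groups) if a == "Huntgroup-Name"
                   else request.get(a) == v for a, v in tests):
            continue
        fall_through = False
        for attr, op, value in e["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:
                reply[attr] = value
        if not fall_through:
            break  # without Fall-Through = Yes, matching stops here
    return reply

def vlan_for(user, nas_identifier):
    reply = authorize({"User-Name": user, "NAS-Identifier": nas_identifier})
    return reply.get("Tunnel-Private-Group-ID:1")
```

In this model a NAS that appears in no huntgroup still receives Tunnel-Type and Tunnel-Medium-Type from the first DEFAULT but no Tunnel-Private-Group-ID, which is the case to check for when new access points or switches are added.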




Require NAS dependant radius return attributes

2005-08-16 Thread Ben Thompson
Hi

I have a problem which I want to find out if I can solve using
FreeRADIUS.

I am setting up an 802.1x based network where I want to use RADIUS
assigned VLANs. I have successfully tested this with Cisco wireless
access points and FreeRADIUS 1.0.1 using a users file like this :-

snip

test3999   NT-Password := 35C8397B2320E568467904861A2AF40F
        Tunnel-Private-Group-ID:1 = 3999,
        Fall-Through = Yes

test4025   NT-Password := 35C8397B2320E568467904861A2AF40F
        Tunnel-Private-Group-ID:1 = 4025,
        Fall-Through = Yes

DEFAULT
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

snip

The trouble is I need to assign different VLANs to users depending
on which access point they connect from. What I would like to know is if it
is possible to use Huntgroups to look up the VLAN id based on something
like the IP address of the access point?

Example:
Let's say I have two access points called AP1 and AP2. If a user
connects to AP1, I want the RADIUS server to look up from somewhere what
is the correct VLAN to assign to people using AP1 and return the correct
attributes to suit. If the same user connects to AP2 I want the VLAN id
to be the correct one for AP2 which may be different to AP1.

Any advice would be appreciated,

Ben Thompson

  
