Re: 802.1x Issue

2012-11-30 Thread Hoggins!
I haven't tested it, but I found XSupplicant
(http://open1x.sourceforge.net/), and it seems to enable 802.11x
authentication with PAP, even on e.g. Windows XP Home machines that
don't support 802.11x out of the box.

That's what they say anyway.

On 30/11/2012 17:23, Brekler Custodio wrote:
 Is there any way a Microsoft Notebook can authenticate using MD5 or PAP?
 By default it is only EAP (PEAP) or card/certificate; I need to know if
 there is anything you guys know that makes Windows work with PAP or MD5...
 I'm searching the internet right now to see if I can find something; anyway, I
 leave the question open here to anyone who knows.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Newbie question about rlm_exec usage

2012-11-24 Thread Hoggins!
I don't know if I understand the process correctly : as far as I
understand, an authentication request is handled successively by the
listed modules in the authorize {} section, right ?

So, now that I figured that I have to use PAP as phase2, I can have the
cleartext password. But I don't know how I can provide it to the PAP
module : it complains that no known good password had been found for
the user.

What should my executed program return to say that the user is granted
access ?

On 23/11/2012 21:28, Hoggins! wrote:
 OK, that explains a lot. I guess I need to find a method that lets the
 Cleartext-Password go through. I don't know how to do this, actually, as
 our passwords are now stored hashed.

 Any hint?





Newbie question about rlm_exec usage

2012-11-23 Thread Hoggins!
Hello everyone,

We're facing an issue with rlm_exec, or at least I think our problem
comes from there.

We use FreeRADIUS for a Wifi access point. We use rlm_sql, and our
clients authenticate using 802.1x, with a certificate and a pair of
login/password credentials. Everything works just fine, and we just had
to customize a little bit the SQL queries to match our shared tables.

Now, we would like to use another way of authorizing our users on our
Wifi network. Basically, a script should be called by FreeRADIUS, and
the result of the script would determine whether the user is granted
access or not. To be precise, the script uses a curl call with POST
parameters (over an SSL connection), and the returned result happens to be
the authentication request result. The script works perfectly, exiting
with the correct error code, according to what it should return. Yay !

So we just replaced the line sql in the authorize { } with a curl
line, curl being a module we created, copying the echo module. Alas,
it does not work, and mschap complains about the absence of
Cleartext-Password.

So before posting a lot of debug info and our scripts, does this
procedure seem ok to you ?

Thanks in advance,
Hoggins!






Re: Newbie question about rlm_exec usage

2012-11-23 Thread Hoggins!
OK, that explains a lot. I guess I need to find a method that lets the
Cleartext-Password go through. I don't know how to do this, actually, as
our passwords are now stored hashed.

Any hint?

On 23/11/2012 19:18, Alan Buxey wrote:
 e.g. if using PEAP, the client never sends a password, instead it's
 challenge-response which works because the SQL contains a copy of the
 password so MSCHAP can derive an agreement





Re: Two radius server on same machine

2008-09-05 Thread Hoggins!
Hello.

If I'm right, there's a 2.x.x feature that allows running several virtual
servers on the same machine. So you can configure the same service to
listen on different ports and to behave differently. I believe it is
well documented, though.

Nataniel Klug wrote:
Hello all,

I am trying to find some info about running two freeradius servers
 (on different ports) in the same machine. Can someone help me? I
 couldn't find any info...


Re: MySQL connection over SSL possible?

2008-06-09 Thread Hoggins!

Hello,

I assume that data integrity and secrecy are vital for you, between your
RADIUS server and your MySQL server. Why not create an IPSEC tunnel
between the two? It doesn't require any programming skills, and
it's fully secure if it is well set. It might be any encrypted VPN
system, by the way. IPSEC is just an example.


   Hoggins!

Alan DeKok wrote:

Anders Holm wrote:
  

So, that's a yes .. :)



  Yes.

  

rlm_sql_mysql is the driver, and I'd rather not have my own version running,
but would love to see that rolled in, if possible. My only problem with
creating a patch and sending it in is more that I am not a coder really. I'd be
more likely to create more problems than I'd solve .. ;)



  There are other options.

  Alan DeKok.

Listen port problem

2008-05-15 Thread Hoggins!
 {
   with_ntdomain_hack = no
  }
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
 preprocess {
   huntgroups = /etc/raddb//huntgroups
   hints = /etc/raddb//hints
   with_ascend_hack = no
   ascend_channels_per_line = 23
   with_ntdomain_hack = no
   with_specialix_jetstream_hack = no
   with_cisco_vsa_hack = no
   with_alvarion_vsa_hack = no
 }
Module: Linked to module rlm_realm
Module: Instantiating suffix
 realm suffix {
   format = suffix
   delimiter = @
   ignore_default = no
   ignore_null = no
 }
Module: Linked to module rlm_files
Module: Instantiating files
 files {
   usersfile = /etc/raddb//users
   acctusersfile = /etc/raddb//acct_users
   preproxy_usersfile = /etc/raddb//preproxy_users
   compat = no
 }
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
 acct_unique {
   key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
 }
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating detail
 detail {
   detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
   header = %t
   detailperm = 384
   dirperm = 493
   locking = no
   log_packet_header = no
 }
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
 radutmp {
   filename = /var/log/radius/radutmp
   username = %{User-Name}
   case_sensitive = yes
   check_with_nas = yes
   perm = 384
   callerid = yes
 }
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.accounting_response
 attr_filter attr_filter.accounting_response {
   attrsfile = /etc/raddb//attrs.accounting_response
   key = %{User-Name}
 }
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating attr_filter.access_reject
 attr_filter attr_filter.access_reject {
   attrsfile = /etc/raddb//attrs.access_reject
   key = %{User-Name}
 }
}
}
radiusd:  Opening IP addresses and Ports 
listen {
   type = auth
   ipaddr = *
   port = 0
}
listen {
   type = acct
   ipaddr = *
   port = 0
}
main {
   snmp = no
   smux_password = 
   snmp_write_access = no
}
Listening on authentication address * port 45632
Listening on accounting address * port 36936
Ready to process requests.



I don't really understand why it does that. I checked if there wasn't 
any other program that would have listened on 1812 before radius.


Do you have an idea ?

   Thanks in advance,

  Hoggins!


Re: Listen port problem

2008-05-15 Thread Hoggins!

Thanks, I'm already rebuilding from source, see what I can get.
Specifying the ports in the radiusd.conf doesn't solve the problem. Very 
weird.


Alan DeKok wrote:

Hoggins! wrote:
  

I have a strange problem since I updated my freeradius from 1.x to 2.x,
from a simple rpm update. It binds to random ports !



  Weird.  Either re-build yourself from source, or just specify the
ports in radiusd.conf.

  Alan DeKok.

Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!

Hi,

Exact same problem here... Really thinking about reverting to v1.x

Casartello, Thomas wrote:

I tried hardcoding them in the listen section. Same result.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED].org] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 2:16 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Casartello, Thomas wrote:
  

Compiling from source did NOT solve the problem.



  It looks like Fedora is broken.

  The server code does this:

  if (port == 0) {
      call system function to look up radius port in /etc/services
      if (found) {
          port = port found in /etc/services
      } else {
          port = 1812
      }
  }

  The only way I can see it choosing random ports is if the lookup in
/etc/services returns found, with a random port.

  I suggest hard-coding the port numbers (1812/1813) into the listen
sections.  Maybe also see if 'radius' and 'radacct' are defined in
/etc/services.

  Alan DeKok.
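
Added example (not part of the original thread, and not FreeRADIUS source code): a small C diagnostic for the lookup described in the quoted message above. It reports what the local services database returns for radius and radacct and compares that with 1812/1813. The function names are hypothetical, and getservbyname() is assumed here as the "system function" the message refers to.

```c
#include <stdio.h>
#include <stdint.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Hypothetical helper: convert a services-database entry to a host-order
 * port. s_port is stored in network byte order, so ntohs() is required. */
int port_from_servent(const struct servent *sv, int fallback)
{
    if (sv == NULL)
        return fallback;
    return (int)ntohs((uint16_t)sv->s_port);
}

/* Hypothetical mirror of the logic described in the thread: a configured
 * port of 0 means "look the service up, otherwise use the default". */
int resolve_listen_port(int configured, const char *name,
                        const char *proto, int fallback)
{
    if (configured != 0)
        return configured;
    return port_from_servent(getservbyname(name, proto), fallback);
}

/* Returns 1 if the lookup agrees with the expected port, 0 if the service
 * is not defined (the default would be used), -1 if the lookup returns
 * some other port. */
int check_service(const char *name, const char *proto, int expected)
{
    const struct servent *sv = getservbyname(name, proto);
    if (sv == NULL)
        return 0;
    return port_from_servent(sv, expected) == expected ? 1 : -1;
}

int main(void)
{
    static const struct { const char *name; int expected; } svc[] = {
        { "radius", 1812 }, { "radacct", 1813 },
    };
    for (size_t i = 0; i < sizeof svc / sizeof svc[0]; i++) {
        int rc = check_service(svc[i].name, "udp", svc[i].expected);
        printf("%-8s udp: resolved %d, expected %d (%s)\n", svc[i].name,
               resolve_listen_port(0, svc[i].name, "udp", svc[i].expected),
               svc[i].expected,
               rc == 1 ? "ok" : rc == 0 ? "not in services db" : "MISMATCH");
    }
    return 0;
}
```

A MISMATCH line means the host's lookup itself returns a port other than 1812/1813, which is the case the quoted message singles out.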


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!
I'm running FC9, by the way... maybe that explains this sudden amount of 
same problems, since the FC9 release was on tuesday.


Casartello, Thomas wrote:

I tried hardcoding them in the listen section. Same result.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED].org] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 2:16 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Casartello, Thomas wrote:
  

Compiling from source did NOT solve the problem.



  It looks like Fedora is broken.

  The server code does this:

  if (port == 0) {
      call system function to look up radius port in /etc/services
      if (found) {
          port = port found in /etc/services
      } else {
          port = 1812
      }
  }

  The only way I can see it choosing random ports is if the lookup in
/etc/services returns found, with a random port.

  I suggest hard-coding the port numbers (1812/1813) into the listen
sections.  Maybe also see if 'radius' and 'radacct' are defined in
/etc/services.

  Alan DeKok.


Re: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Hoggins!
Shouldn't the maintainer of the specific FC9 freeradius package be aware 
of this critical issue ?

I guess a newer release is for very soon.

Casartello, Thomas wrote:

Fedora 9 did do a pretty big gcc version jump. Fedora 8 used 4.1.2,
while 9 uses 4.3.0. BTW I tested it in Fedora 8 and it worked fine, so
it's definitely a 9 issue.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED].org] On Behalf Of Alan DeKok
Sent: Thursday, May 15, 2008 4:22 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS 2 not listening on right port

Hoggins! wrote:
  

I'm running FC9, by the way... maybe that explains this sudden amount of
same problems, since the FC9 release was on tuesday.



  Maybe someone running FC9 could try debugging the problem.

  I haven't run a redhat-based system for *years*.

  Since this works on every other system on the planet, it sounds *very*
much like an issue in FC9.

  Alan DeKok.