Ssl help

2007-03-12 Thread Hillary Marek
I am trying to set up a Fedora Core 6 computer as a FreeRadius Server.
It is currently running, and authenticating via MAC address. I also want
to set the same computer up as a CA using openssl. When I run the CA
script, I get the following output:


CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..++
..++
writing new private key to './CAtop/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [US]:
State or Province Name (full name) [**]:
* []:
Organization Name (eg, company) [**]:
Organizational Unit Name (eg, section) [MIS]:
Hillary Marek []:
[EMAIL PROTECTED] []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ./CAtop/private/./cakey.pem:
I am unable to access the ../../CA/newcerts directory
../../CA/newcerts: No such file or directory

It seems to run fine until that last error. Any ideas?
All answers are appreciated.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
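The error in the post comes from a path mismatch: the CA script wrote its files under ./CAtop, but `openssl ca` reads the CA location from the `dir` value in /etc/pki/tls/openssl.cnf, which here resolves to ../../CA relative to the current directory. The helpers below, an added example that is not part of the post or of the CA script, read `dir` from a config file and create the layout `openssl ca` needs there; the openssl.cnf they write is a constructed sample.

```sh
#!/bin/sh
# Added example, not part of the post above. `openssl ca` keeps its files under
# the `dir` value from [ CA_default ] in openssl.cnf (here ../../CA, resolved
# against the current directory), while the CA script wrote under ./CAtop; the
# missing ../../CA/newcerts is that mismatch. These helpers read `dir` from a
# config and create the layout `openssl ca` requires. The openssl.cnf below is
# a constructed sample, not the poster's file.

# Print the `dir` value from the [ CA_default ] section of an openssl.cnf.
ca_dir_from_cnf() {
    awk '
        /^[ \t]*\[/ { in_ca = ($0 ~ /CA_default/) }
        in_ca && /^[ \t]*dir[ \t]*=/ {
            sub(/^[ \t]*dir[ \t]*=[ \t]*/, ""); sub(/[ \t#].*$/, ""); print; exit
        }' "$1"
}

# Create what `openssl ca` expects under the CA directory: newcerts/ for issued
# certificates, private/ (mode 700) for the CA key, an empty index.txt
# database and a starting serial number. Existing files are left alone.
prepare_ca_dir() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" || return 1
    chmod 700 "$1/private"
    [ -f "$1/index.txt" ] || : > "$1/index.txt"
    [ -f "$1/serial" ] || echo 01 > "$1/serial"
}

# Succeed only when the layout is complete.
check_ca_dir() {
    [ -d "$1/newcerts" ] && [ -d "$1/private" ] &&
        [ -f "$1/index.txt" ] && [ -f "$1/serial" ]
}

# Constructed config mirroring the post: a relative `dir`, as in the error.
write_sample_cnf() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca    = CA_default

[ CA_default ]
dir           = ../../CA        # Where everything is kept
new_certs_dir = $dir/newcerts   # default place for new certs
database      = $dir/index.txt  # database index file
serial        = $dir/serial     # the current serial number
EOF
}

# Demo: a relative `dir` resolves against the directory `openssl ca` is run
# from, so the layout must exist two levels above that directory.
demo() {
    work=$(mktemp -d) && mkdir -p "$work/home/build" || return 1
    write_sample_cnf "$work/openssl.cnf"
    cadir=$(ca_dir_from_cnf "$work/openssl.cnf")      # prints ../../CA
    ( cd "$work/home/build" && prepare_ca_dir "$cadir" && check_ca_dir "$cadir" ) || return 1
    echo "dir=$cadir from openssl.cnf now has newcerts at $work/CA/newcerts"
}

demo
```

Either run `openssl ca` from a directory where ../../CA points at the prepared layout, or set `dir` in openssl.cnf to the absolute path the CA script used.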


wep encryption

2007-02-13 Thread Hillary Marek
Hello.  I have a FreeRadius 1.1.4 server set up on Fedora Core 6. Right
now I have it set up to filter MAC addresses and to authenticate against
Active Directory. I am looking to add encryption, but unfortunately many
of my wireless devices are older 802.11b devices that can't handle WPA.
I am also restricted in how much I am allowed to put the end user
through. Is there a way to centralize a WEP key in the server, as I have
26 access points that I would hope not to have to go into individually
to add encryption (I already need to set up 70+ devices)? Because I
can't put any truly strong protection on the network, and I can't take
the WLAN off of the main network, I am trying to add as many layers of
lesser protection as I can. Does anyone have any other ideas for me?
Thanks
 
 
Hillary Marek
Hazen Paper Co.
 
 

Re[2]: FreeRadius+mysql+crypted passwords

2006-07-21 Thread Marek Soha - intrak.sk
Hi.

Thanks for a reply.
Do you have any idea how to configure it with encrypted passwords stored in the
database and with Cisco access point client authentication?
Right now I'm using EAP/PEAP on the Cisco AP to authorize Windows XP clients (PEAP
required).

Thanks for any idea.


Alan, on 21 July 2006 you wrote:
 Marek Soha - intrak.sk [EMAIL PROTECTED] wrote:
 I have configured FreeRadius+EAP/PEAP+mysql in working state...But now, I
 want to have encrypted passwords stored in the mysql database (in that
 table where plaintext passwords are stored now).
 Can you give me advice on how to do that?

   If you store the passwords in encrypted form, then PEAP will stop
 working.

   Alan DeKok.

Best regards

Wishing you a nice day

 ,_,Marek Soha
(O,O)   Student at FEI, Informatics, TU Kosice
(   )   [EMAIL PROTECTED] [EMAIL PROTECTED] 146-284-791





FreeRadius+mysql+crypted passwords

2006-07-20 Thread Marek Soha - intrak.sk
Hi all FreeRadius users.

I have configured FreeRadius+EAP/PEAP+mysql in working state...But now, I
want to have encrypted passwords stored in the mysql database (in that
table where plaintext passwords are stored now).
Can you give me advice on how to do that?


Best regards

Wishing you a nice day

 ,_,Marek Soha
(O,O)   Student at FEI, Informatics, TU Kosice
(   )   [EMAIL PROTECTED] [EMAIL PROTECTED] 146-284-791




Re: Attributes and LDAP

2006-05-24 Thread Marek Gradzki

Alan DeKok wrote:

Marek Gradzki [EMAIL PROTECTED] wrote:
I would like to setup some common attribute values in the 
group profile, which is also stored in
the LDAP server but in the other subtree, and import them to user 
profile during authentication.

Now it does not work.


  See the FAQ for "it doesn't work".

  Honestly, why post the config when the FAQ, README, INSTALL, and
half of the posts on this list tell you to run the server in debugging
mode?

  Alan DeKok.





First of all: I can't run radius in debug mode because it is a working
configuration, so if you have about 1000 active users you can see nothing
or too much (depending on your point of view) in the output from radius
debug mode. It is not a case where you can stop the radius server,
analyze your debug output, make adjustments and go ahead.
Second: finally I found the solution. The problem disappeared when I changed
the order of the lines "ldap" and "files" to "files", "ldap" in the
authorization module definition.

Marek Gradzki


Attributes and LDAP

2006-05-23 Thread Marek Gradzki




Hi.
I am currently using FreeRadius server 1.0.2 on Solaris 8 with LDAP
authentication and MySQL accounting for PPPoE sessions with ADSL technology.
Everything works fine, but some problems appeared lately.
User profiles are stored in some subtree of the LDAP server. Each user has
an attribute radiusGroupName set to test (for example). I would like to set up
some common attribute values in the group profile, which is also stored in
the LDAP server but in another subtree, and import them into the user
profile during authentication.
Now it does not work. Unfortunately I do not have much space to
experiment because it is a working configuration and I really do not have
an idea how to set up this kind of behaviour.
Parts of my config files are below:
huntgroups:
cisco       NAS-IP-Address == 192.168.0.211

clients.conf:
client 192.168.0.211 {
    secret  = cisco
    nastype = cisco
    shortname   = c7200vxr
}


radiusd.conf:

# MODULE CONFIGURATION
modules {
    pap {
        encryption_scheme = crypt
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

$INCLUDE ${confdir}/eap.conf

    mschap {
        authtype = MS-CHAP
    }

    ldap {
        server = "ds1i.ostisp.intra ds2i.ostisp.intra"
        identity = "cn=freeradius,ou=admins,o=radius,dc=ostnet,dc=pl"
        password = radius
        basedn = "ou=users,ou=adsl,o=radius,dc=ostnet,dc=pl"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = userPassword

        # access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap_ext.attrmap
        
        groupname_attribute = radiusGroupName
        groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)"
        groupmembership_attribute = radiusGroupName
        
        ldap_connections_number = 40
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    

    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    detail auth_log {
        detailfile =
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    }

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }

    radutmp {
        filename = ${logdir}/radutmp
#        username = %{User-Name}
        username = %{Stripped-User-Name:-%{User-Name}}
        case_sensitive = no
        check_with_nas = yes        
        perm = 0600
        callerid = "no"
    }


    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

   
    $INCLUDE ${confdir}/sql.conf
}

# Instantiation
instantiate {
    expr
    detail
}

authorize {
    preprocess
    chap
    ldap
    files
}


#  Authentication.
authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type LDAP {
        ldap
    }
    Auth-Type PAP {
        pap
    }
    unix
}


#
#  Pre-accounting.  

ippool corrections

2005-07-08 Thread Marek Gradzki

Hi there!
I have installed and run FreeRadius Server on Solaris 8 (x86 and sparc).
Authorization and authentication work with the LDAP protocol against an OpenLDAP
server. Accounting is processed by an SQL database (PostgreSQL).
I use these radius servers to perform AAA operations in response to
requests sent from a device terminating PPPoE sessions.
I also have to use the radius server feature to dynamically assign IP addresses
to client sessions.
So I have assumed that the rlm_ippool module is right for this task. But
unfortunately all sessions that are terminated in the box working with radius
come to this device by the same port. So I had to rewrite the rlm_ippool module
a little bit to verify used IP addresses not only by NAS device and NAS port but
also by user name.
Unfortunately I have no opportunity to test this rewritten module in other
configurations.
If anyone is interested in testing this module please email me, because I
would like to be sure that this module will work in other configurations (maybe
not everyone's), not only in mine. Anyway I will have to verify my corrections
because rlm_ippool_tools displays some strange information on the screen.

[EMAIL PROTECTED]



CHAP and FreeRadius

2005-06-10 Thread Marek Gradzki

Hi there.
I am a new user of FreeRADIUS.
I would like to know how to set up CHAP authorization from files (at the 
beginning) on FreeRADIUS.

I am currently using FreeRADIUS version 1.02 on Solaris 2.8.

Thanks for help.
Marek Gradzki 



problem with IP 127.0.0.1

2005-04-06 Thread Marek Bartnikowski
Hello,
I have freeradius configured to use a PostgreSQL database.

In sql.conf I have

authorize_check_query = "SELECT id,UserName,Attribute,Value,op, ip FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' and ip='%{NAS-IP-Address}' ORDER BY id"

I have a Motorola WiFi cable modem SBG900.
I try to authenticate username and password with freeradius.
Everything was all right when I didn't use NAS-IP-Address. But I have
to use the IP address from my database, to check if the username can appear
behind that IP.
So, when I look at the PostgreSQL log, I see:

SELECT id,UserName,Attribute,Value,op, ip FROM v_wifi_auth WHERE
Username = 'john'  and ip='10.23.31.101' ORDER BY id ;

and this is ok. user john, has cable modem which IP is 10.23.31.101.

BUT!

in next lines I see query like that:

SELECT id,UserName,Attribute,Value,op, ip FROM v_wifi_auth WHERE
Username = 'john'  and ip='127.0.0.1' ORDER BY id ;
   ^

Of course there is no modem with that address.
The server log says:

 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module preprocess returns ok for request 5
rlm_checkval: Item Name: NAS-IP-Address, Value: 127.0.0.1
rlm_checkval: Could not find attribute named Calling-Station-Id in
check pairs
  modcall[authorize]: module checkval returns notfound for request 5
.

I was looking on Google to solve my problem, but I didn't find an answer.

So, I'm asking for help.
I don't want 127.0.0.1 in my db queries.
Where can I 'disable' asking for IP 127.0.0.1?

please, help.
thanks

-- 
Marek Bartnikowski
All mail clients suck. This one just sucks less.



Re: problem with IP 127.0.0.1

2005-04-06 Thread Marek Bartnikowski

:  SELECT id,UserName,Attribute,Value,op, ip FROM v_wifi_auth WHERE
:  Username = 'john'  and ip='127.0.0.1' ORDER BY id ;
: 
:   Yes.  The NAS-IP-Address is put into the RADIUS packet by the NAS,
: and it can have ANY value.
: 
:  I don't want 127.0.0.1 in my db queries.
:  where can I 'disable' asking for ip 127.0.0.1?
: 
:   You can't.  It's the value of NAS-IP-Address.  If you look at the
: debug log, you will see that the NAS is sending that value to the
: server.
: 
:   The solution is to NOT use NAS-IP-Address, but Client-IP-Address.
: It's the IP address that the packet came from, and it's generated by
: FreeRADIUS, so you know it's correct.

Hello again.
When I changed NAS-IP-Address to Client-IP-Address I still have the
SAME problem. I see the first valid IP address and next 127.0.0.1.
Any suggestions?

thanks.

-- 
Marek Bartnikowski
All mail clients suck. This one just sucks less.



Re: acct_users - Exec-Program not working

2004-11-22 Thread Marek
Hi Thor,
thank you very much for the reply, I will try to be more specific.
I have freeradius 1.01 working on RedHat 9. It is working: accepting 
users, creating detail files from a few Cisco NAS boxes, and START and STOP 
records are inserted into a MySQL database. What I would like to do is to 
update the above records with Alive records. So I was thinking (right?) 
that if I add a definition of the Alive record in acct_users everything 
will work, but it does not. Can you help?

regards
Marek





Re: acct_users - Exec-Program not working

2004-11-20 Thread Marek
Hi,
maybe this is a stupid question but I can't figure it out.
I am trying to get Alive updates for the accounting side of freeradius. 
In my detail files I have Alive records but they are not updating the MySQL 
database. What has to be done to achieve that?
Any pointers or answers would be appreciated.

thank you very much
Marek


Re: Can I use radclient to simulate accounting?

2004-10-13 Thread marek cervenka
 On Wednesday 13 October 2004 08:46, Yyc wrote:
  hi all,
  I have no NAS, but I want to test how to do accounting with freeradius.
 
 echo User-Name = test,Password = secret, Acct-Status-Type == Start | 
 radclient -s localhost acct testing123
 
 echo User-Name = test,Password = secret, Acct-Status-Type == Stop | 
 radclient -s localhost acct testing123

There is an alternative, if someone wants one:
http://developer.berlios.de/projects/radiusclient-ng/

-- 
-
Marek Cervenka
Centrum Vypocetni Techniky
CVT - http://cvt.fpf.slu.cz
FPF SLU OPAVA - http://www.fpf.slu.cz
=



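The quoted Start/Stop one-liners extended to a whole session, including the Interim-Update records that appear as "Alive" in the detail files asked about in the acct_users thread above. This is an added example, not part of either post; it assumes the same localhost server, acct port and testing123 secret as the quoted reply, and the user, session id and counters are constructed values.

```sh
#!/bin/sh
# Added example, not from the thread: radclient reads several packets from one
# input when they are separated by a blank line, so a whole accounting session
# (Start, Interim-Update, Stop) can be replayed without a NAS. Server, port and
# secret (localhost, acct, testing123) follow the quoted radclient one-liners;
# the user, session id and counters are constructed. "Alive" in a detail file
# is the dictionary alias for Acct-Status-Type = Interim-Update.

# acct_record STATUS USER SESSION_ID SECONDS OCTETS
# Print the attribute list for one accounting packet in radclient's input format.
acct_record() {
    status=$1 user=$2 sid=$3 secs=$4 octets=$5
    printf 'User-Name = "%s"\n'        "$user"
    printf 'Acct-Session-Id = "%s"\n'  "$sid"
    printf 'Acct-Status-Type = %s\n'   "$status"
    printf 'NAS-IP-Address = 127.0.0.1\n'
    printf 'NAS-Port = 0\n'
    case $status in
        Interim-Update|Stop)
            printf 'Acct-Session-Time = %s\n'  "$secs"
            printf 'Acct-Input-Octets = %s\n'  "$octets"
            ;;
    esac
    if [ "$status" = Stop ]; then
        printf 'Acct-Terminate-Cause = User-Request\n'
    fi
}

# session_records USER SESSION_ID
# Emit the three records of one session, blank-line separated. The same
# Acct-Session-Id on every record is what an accounting back-end uses to tie
# the later Interim-Update and Stop to the row created by the Start.
session_records() {
    acct_record Start          "$1" "$2" 0   0
    echo
    acct_record Interim-Update "$1" "$2" 300 81920
    echo
    acct_record Stop           "$1" "$2" 600 163840
}

# Count how many packets a session dump contains (one Acct-Status-Type each).
count_records() {
    session_records "$1" "$2" | grep -c '^Acct-Status-Type = '
}

# Send the session to the local server's accounting port. Needs radclient and
# a running radiusd, so it is not called automatically.
send_session() {
    session_records "$1" "$2" | radclient -s localhost acct testing123
}
```

Run `send_session test sess-0001` against a test server and compare the detail file with what lands in the database to see which of the three records the SQL configuration actually handles.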


realm + accounting

2004-10-12 Thread marek cervenka
Hi,

I need to store acct data in two places when sending acct to a realm.

Is this possible, or is there some way to do it like this?

realm serv.com {
   type= radius
   authhost= radius2.serv.com:1645
   accthost= LOCAL, radius2.serv.com:1813
}

thanks

-- 
-
Marek Cervenka
Centrum Vypocetni Techniky
CVT - http://cvt.fpf.slu.cz
FPF SLU OPAVA - http://www.fpf.slu.cz
=


