Cisco confirming Dynamic WEP
OK. I'm having a little problem confirming Dynamic WEP usage on my systems. I'm running FreeRadius 1.0.0-pre2 on Fedora Core 2 with a Cisco AP352. Client card is the Cisco AIR352 on WinXP. Everything works and authenticates as expected. However on the client side the ACU (Aironet Client Utility) reports Encryption as NONE. Likewise the AP reports Encryption as NONE. My output from debugging shows (I think) that dynamic keys are being passed to the client computer. If I go into the ACU Profile Manager and in Network Security and set Network Auth to Host Based EAP and enable Dynamic WEP then everyone reports WEP as being used. Is there a setting in FreeRadius that forces the client to use WEP or is that an interplay between client and AP? If anyone can help and needs more info hit me off-list. Thanks.

Mark C

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Replies on port 1029
Actually in IP the source port is not of any significance EXCEPT that it exist. On servers we *lock* applications to specific ports so that we can find specific services AND utilize a server in several roles (web, e-mail, radius, etc.). Typically on the client side the system starts at port 1029 and rotates upwards with each successive connection using the next available port. It really isn't important what port the client uses just as long as the server responds back to the same client port. Additionally the client computer will skip over ports that are currently in use. Usually the OS decides what port to use.

Mark C.

Paul Hampson wrote: Wha?? No it doesn't. FTP opens a _second_ connection for data, but telnet and HTTP both use the existing TCP connection for data back to the client. And an IP connection is defined by five things: (local address, local port, remote address, remote port, and protocol (TCP)) These things do _not_ change over the life of a connection. Anyway, isn't radius UDP? :-) UDP sockets don't have to care what the remote address and port are, but they still maintain an address and port of their own... And data sent through that socket will come out of that address and port. I expect Alan's right, and there's something in the network translating ports after it leaves FreeRADIUS's socket... local NAT firewall, maybe, that maps the response to an unused port?
Client install application
Does anyone know of an installation application that would simplify installation of EAP/TLS and PEAP Client/Root Certificates? Ideally I'd like to give people a Floppy or CD. Have them run D:\setup.exe and have it be done. Anything out there that works like that or am I just hoping for too much?

Mark C.
Re: Replies on port 1029
There is no typical port used. Unless the application binds the request to a specific port the OS picks the first available port. When doing socket level programming it is best to leave it to the OS to pick a port to send from (client side). The destination is fixed on a specific port so the receiving server application gets the request. The server talks back to the client using its fixed port as the source and the client's chosen port as a destination. The source port typically is NOT the same as the destination. Matched source/destination ports sometimes can cause problems.

Mark C.

Thor Spruyt wrote: This doesn't say anything about which source port that is typically used in case of a radius reply.
Re: Replies on port 1029
Check your /etc/services file. If a port is not specified in the radius config, radius looks to /etc/services for the port. If none is specified there then I guess it takes the first non-privileged port.

Mark C.

Brian Andrus wrote: I have been using freeradius .9.1 for some time now. I have been seeing a problem in that the responses are coming back on port 1029 rather than the 1812 expected. I have not found or seen anything that addresses this. It seems that it is grabbing the first non-privileged port, but I may be wrong. How do I force freeradius to respond on port 1812 for requests? Brian Andrus
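The thread above turns on whether a UDP server answers from the socket it bound to (reply source port 1812) or from a fresh socket the OS autobinds to an ephemeral port (reply source port 1029 or similar, which a client or stateful firewall will not match to its request). This added example is not part of the list posts or of FreeRADIUS; it builds both cases on loopback with a constructed one-packet exchange and returns the source port the client actually sees. Port 0 lets the OS pick a free server port; a real RADIUS server would bind 1812.

```python
import socket

def radius_reply_source_port(reply_from_bound_socket, server_port=0):
    """Constructed demo: send one datagram to a 'RADIUS' server bound to
    server_port and return (server_port, source port of the reply as the
    client sees it). The payloads are placeholders, not real RADIUS packets."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", server_port))          # the 'locked' service port
    bound_port = server.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("127.0.0.1", 0))                     # OS picks the ephemeral port
    client.settimeout(2.0)
    client.sendto(b"Access-Request (constructed)", ("127.0.0.1", bound_port))

    _, client_addr = server.recvfrom(4096)
    if reply_from_bound_socket:
        # Correct: reply through the listening socket, so the source port is
        # the service port the client expects.
        server.sendto(b"Access-Accept (constructed)", client_addr)
    else:
        # Mistake: reply through a new, unbound socket; the OS autobinds it
        # to the next free ephemeral port, which becomes the reply's source.
        scratch = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        scratch.sendto(b"Access-Accept (constructed)", client_addr)
        scratch.close()

    _, reply_addr = client.recvfrom(4096)
    server.close()
    client.close()
    return bound_port, reply_addr[1]

def reply_port_is_expected(server_port, observed_port):
    """The check a client (or a stateful firewall) applies: does the reply come
    from the port the request was sent to?"""
    return server_port == observed_port

if __name__ == "__main__":
    for mode in (True, False):
        port, src = radius_reply_source_port(mode)
        print(f"bound socket reply={mode}: server port {port}, reply came from {src}, "
              f"matches={reply_port_is_expected(port, src)}")
```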
Re: how to set max reauthentication parameter
Ankan,

During Authentication the AP just acts as a go-between for the Radius server and the XSupplicant. It just passes info and waits for the radius server to tell it all is OK (that's an over simplification of the process as I understand it). Since the AP is not a participant in the conversation it's not a matter of how many attempts but rather how long it takes. In Cisco IOS the default time the AP gives the client to authenticate is 30 seconds. If the client does not authenticate in that time interval then the AP dis-associates the client and the association/authentication cycle has to be restarted by the client. That value can be changed to suit your needs. In the WebAdmin interface go to Security | Advanced Security | EAP Authentication and change the EAP Client Timeout. OR from global configuration mode (config t):

interface Dot11Radio0
dot1x client-timeout seconds

Reauthentication happens at regular intervals starting from the time of successful authentication as set by the Radius server OR the AP can force reauthentication at a regular interval of your setting. Note: if you force reauthentication at the AP make sure you use a time interval less than that provided by the radius server. In the WebAdmin interface go to Security | Advanced Security | EAP Authentication and change the EAP Reauthentication Interval. OR from global configuration mode (config t):

interface Dot11Radio0
dot1x reauth-period seconds

There is no way (that I know of) to automatically force reauthentication at a set time (e.g. 9:00am, top of the hour, half-past, etc.). To manually force reauthentication go to the Association menu in WebAdmin and dis-associate the specific client. That restarts the Association/Authentication cycle. If you are running a dynamic key authentication protocol like EAP-TLS or PEAP the radius server *should* serve up new keys with each new authentication.

I hope that answers your question.

Mark C.
[EMAIL PROTECTED] wrote: Hi Mark, Actually I want to know how to set the total number of authentication/reauthentication params inside CISCO 1100 AP. It means, I want to set the maximum number of authentication attempts after which the trusted port in AP will be finally unauthorized. Also how can I force the AP to start reauthentication? It seems to me that I can set reauthentication interval inside AP, but I am not able to force reauthentication at any time (does not depend on interval) inside AP. Regards Ankan
Porting issue.
I had a problem building freeradius-1.0.0-pre2 on RH Fedora Core 2 and was able to figure out a workaround. Basically the build stopped because my system lacked the file com_err.h. So I installed the current RPM for krb5 and still ran into the problem. It appears that the file is located at /usr/include/et when freeradius is looking for the file at /usr/include. As a quick and dirty fix I soft linked the file in the et directory into /usr/include (ln -s /usr/include/et/com_err.h /usr/include/com_err.h) and the build completed successfully. Just thought I'd let everyone know.

Mark C.
Re: Rate limit radius requests
Assuming you are running Linux, you would do rate limiting in the OS. Check this out: http://lartc.org/howto/lartc.qdisc.html

Matthew Schumacher wrote: List, Is there a way to rate limit radius requests in the freeradius server? Whenever the router guy kicks a router full of DSL connections we get a flood of radius accounting messages which overloads the database server causing "There are no DB handles to use!" error messages. While the DB can handle the current load, it can get overrun in certain circumstances. I figure some form of rate limiting causing the radius server to only handle so many requests per second might be the solution to this. Another question I have is what exactly happens when that error message is logged? Does radius retry to insert the accounting record or does it simply drop it? Thanks, schu