RE: VMPS fallback vlan

2012-02-09 Thread McSparin, Joe
I have the following in my users file.  It does a lookup of my vlans
table on the user's mac-address (aka Calling-Station-Id); if it can't find
it then it assumes it is a guest and defaults to vlan 16.

DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = %{%{sql:SELECT radius.vlans.assigned_vlan FROM radius.vlans WHERE radius.vlans.device_mac = '%{Calling-Station-Id}'}:-'16'}


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Walter Gould
Sent: Thursday, February 09, 2012 9:49 AM
To: freeradius-users@lists.freeradius.org
Subject: VMPS fallback vlan

All,

I have FR vmps configured to query postgresql for a mac address and 
return the vlan that is assigned to it.  That is working well.  However,
I would like to configure vmps to return a fallback or guest vlan for 
cases when a mac address is not in the database.

Can anyone give me some suggestions or config examples?

Thanks,
Walter


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-- 
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.





RE: Authenticating Laptop without a Certificate Installed

2012-01-24 Thread McSparin, Joe
The CA cert. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Tuesday, January 24, 2012 3:13 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authenticating Laptop without a Certificate Installed

On 01/24/2012 08:53 PM, McSparin, Joe wrote:
 When I connect a mobile phone or a tablet to my wireless network it
 works fine even though they don't have a certificate installed. I am
 checking the MAC address and putting them into a public vlan if it is
 not found. However, when I connect a windows laptop that does not have
 a certificate installed it doesn't allow it. It won't connect and radius
 says it has an unknown CA. I am using PEAP, which it is my understanding
 would allow you to connect with a user name and password and no
 certificate if you told it not to validate the certificate. It is
 important that people be able to connect even if they don't have a
 certificate and I just control it based on the mac address.

Frankly this email confused me.

WHICH certificate are you talking about?

There is:

  1. A server cert
  2. The CA cert that signs the server cert
  3. Optionally (not usually) a client cert

PEAP normally REQUIRES that #2 be installed on the clients.






[no subject]

2012-01-16 Thread McSparin, Joe
Is there a way to add the removal of delimiters such as - or : to
the rewrite_calling_station_id section?

Thanks,
Joe








RE:

2012-01-16 Thread McSparin, Joe
perfect thanks.
 



From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Arran Cudbard-Bell
Sent: Monday, January 16, 2012 8:39 AM
To: FreeRadius users mailing list
Subject: Re: 



On 16 Jan 2012, at 15:22, McSparin, Joe wrote:


Is there a way to add the removal of delimiters such as - or
: to the rewrite_calling_station_id section?

Course.

Just change

update request {
        # six captured octets, lowercased and joined with dashes
        Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
}

to

update request {
        # same octets, no delimiters at all
        Calling-Station-Id := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
}

-Arran

Thanks, 
Joe 









Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !




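An added example, not code from this thread or from the FreeRADIUS project: the Python below models what the rewrite_calling_station_id policy does, so the stock dashed output and the delimiter-free form Arran suggests can be compared on the same inputs. The regex shape (six hex pairs, each optionally followed by one non-hex separator, matched against the whole string the way the policy's ^...$ anchors do) is my transcription of the policy's pattern, and the MAC strings are constructed samples.

```python
"""Model of the rewrite_calling_station_id policy: normalise a NAS-supplied
MAC to one canonical form, or leave it alone when it is not a MAC at all."""
import re

# Six hex octets, each pair optionally followed by a single non-hex separator.
# This is my transcription of the shape of the policy's regex; fullmatch()
# below plays the role of the ^...$ anchors in unlang, so trailing junk after
# the sixth octet never matches.
_HEX_PAIR = "([0-9A-Fa-f]{2})"
_SEP = "[^0-9A-Fa-f]?"
_MAC_RE = re.compile(_SEP.join([_HEX_PAIR] * 6))


def rewrite_calling_station_id(value, delimiter="-"):
    """Return the normalised MAC, lowercase, joined with `delimiter`
    ("-" is what the stock policy emits; "" gives the delimiter-free form
    suggested in the thread).  Returns None when the value is not a MAC,
    which is the policy's noop branch: the request attribute is left as is."""
    m = _MAC_RE.fullmatch(value)
    if m is None:
        return None
    return delimiter.join(octet.lower() for octet in m.groups())


def normalise_batch(values, delimiter=""):
    """Map each NAS-supplied value to its normalised form (or None)."""
    return {v: rewrite_calling_station_id(v, delimiter) for v in values}


# Constructed sample values, in the forms different NAS types report them.
SAMPLES = (
    "00-1A-2B-3C-4D-5E",              # Windows supplicant / many APs
    "00:1a:2b:3c:4d:5e",              # Linux / hostapd
    "001a.2b3c.4d5e",                 # Cisco dotted form
    "001A2B3C4D5E",                   # already bare, uppercase
    "00-1a-2b-3c-4d-5e' OR 1=1 --",   # not a MAC: must come back as None
)

if __name__ == "__main__":
    for raw, norm in normalise_batch(SAMPLES).items():
        print(f"{raw!r:36} -> {norm!r}")
```

The anchored match is effectively a whitelist: anything that is not exactly a MAC comes back as None, which corresponds to the policy's noop branch leaving the raw NAS-supplied Calling-Station-Id in place. If that attribute is later interpolated into an SQL xlat, as in the VLAN lookups elsewhere on this page, treat a None result as a reason to skip the lookup (or hand out the guest VLAN) rather than query with the unnormalised value.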


Documentation of Setting up dialupadmin

2012-01-11 Thread McSparin, Joe
Does anyone know where some documentation could be found for setting up
dialup admin on FreeBSD?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






RE: Documentation of Setting up dialupadmin

2012-01-11 Thread McSparin, Joe
Ok, I have dialup admin up and running.  It occurs to me though: does it
have the ability to interface with Active Directory, or does it only work
if your users are stored in SQL?
 

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 

 



From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Leander S.
Sent: Wednesday, January 11, 2012 12:35 PM
To: FreeRadius users mailing list
Subject: Re: Documentation of Setting up dialupadmin


Am 11.01.12 18:35, schrieb McSparin, Joe: 

Does anyone know where some documentation could be found for setting
up dialup admin on FreeBSD?

Thanks, 

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 





The programmer(s) AFAIK didn't really write any documentation. I used the
readme file as a guide when I set it up on FreeBSD. I remember that the
entire dialupadmin folder was copied into /usr/dialupadmin/ and then the
htdocs folder was simply linked into /usr/local/www/somewhere via a
symbolic link ( ln -s ... ), plus you need to tell your apache to make
use of *.php3 files as well as of *.php files.
I think that pretty much covers it. The detailed guide is, as I said, in the
README or INSTALL file inside of the dialupadmin folder.

Greetings L

P.S.: dialupadmin also has a php config file where you may want to adjust
the paths of the radius binaries ...







Connecting Windows XP wirelessly with EAP TKIP

2012-01-09 Thread McSparin, Joe
Is there anything special that needs to be done on Windows XP to connect
wirelessly to an access point using FreeRadius?  I was connecting fine
with Windows 7, but now trying to connect Windows XP there is nothing even
triggering the Radius server.  I am running radiusd -X and when I
connect the XP box nothing even happens.  Anyone ever seen this before?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






RE: Connecting Windows XP wirelessly with EAP TKIP

2012-01-09 Thread McSparin, Joe
That particular how-to describes using EAP-TLS.  Can Windows XP use
EAP-PEAP so that I don't have to have a certificate installed on the
client side? 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Monday, January 09, 2012 12:02 PM
To: FreeRadius users mailing list
Subject: Re: Connecting Windows XP wirelessly with EAP TKIP

McSparin, Joe wrote:
 Is there anything special that needs to be done on Windows XP to connect
 wirelessly to an access point using FreeRadius?  I was connecting fine
 with Windows 7, but now trying to connect Windows XP there is nothing even
 triggering the Radius server.  I am running radiusd -X and when I
 connect the XP box nothing even happens.  Anyone ever seen this before?

  Lots.  There are tons of reasons why this doesn't work.  Most are on
the Windows XP side: it is misconfigured.

  See the EAP-TLS howto pointed to from my web page or the wiki.  It has a
step-by-step guide for XP that should work.

  Alan DeKok.






Distributing Certificates

2012-01-06 Thread McSparin, Joe
Now that I have my Radius server configured I need to begin
implementation; I have 600 computers that will be using it.  The question
I am wondering is: do I have to go around and install a certificate on
every one of the computers, and then maintain that every year changing
out the certificate on 600 computers, or is there some way that the
server passes out certificates when the machine logs on?  Or do I have
an incorrect understanding of how to implement 802.1x security?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






RE: Distributing Certificates

2012-01-06 Thread McSparin, Joe
I don't have any particular desire to use certificates; thus far in testing mode 
I have been using PEAP and just ignoring the warning that tells me there is a 
certificate on the server that doesn't match.  I assumed in deployment I would 
have to install certificates so the users wouldn't be confused when they saw 
that message.  I thought that FreeRadius had to have certificates set up even 
if they were just example ones.  radiusd -X runs bootstrap, which creates 
example certificates automatically.  This led me to believe that certificates 
were somehow integral to 802.1x.  Is that not the case?  If so, how can you take 
certificates completely out of the equation?


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org On Behalf Of David Mitton
Sent: Friday, January 06, 2012 12:44 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Distributing Certificates

You can do such things as suggested... but you haven't articulated  
what your goal is and what you will be using the certificates for?
802.1X doesn't require certificates... but you may want to use them  
depending on what you are trying to do.

Dave.


Quoting Danner, Mearl jmdan...@samford.edu:

 If you are using AD and have a CA set up you can create   
 autoenrollment gpo's for domain attached machines. You can issue   
 either user or computer certs. Can also configure the Windows   
 wireless supplicant via gpo.

 Mearl

 From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org On Behalf Of McSparin, Joe
 Sent: Friday, January 06, 2012 10:18 AM
 To: FreeRadius users mailing list
 Subject: Distributing Certificates

 Now that I have my Radius server configured I need to begin   
 implementation; I have 600 computers that will be using it.  The   
 question I am wondering is: do I have to go around and install a   
 certificate on every one of the computers, and then maintain that   
 every year changing out the certificate on 600 computers, or is there  
 some way that the server passes out certificates when the machine   
 logs on?  Or do I have an incorrect understanding of how to   
 implement 802.1x security?
 Joseph R. McSparin
 Network Administrator
 Hill Country Memorial Hospital
 830 990 6638 phone
 830 990 6623 fax
 jmcspa...@hillcountrymemorial.org

 






SQL Statement in users file

2012-01-05 Thread McSparin, Joe
Does this seem like a doable scenario in the users file?  It doesn't
return anything, but I'm not sure if it is a query issue or if those values
are not available in the users file.

DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = %{sql:SELECT 'vlans.assigned_vlan' FROM 'vlans' WHERE 'vlans.device_mac' = '%{Calling-Station-Id}'}

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






RE: SQL Statement in users file

2012-01-05 Thread McSparin, Joe
With renewed confidence that this would work I found that I just needed
to add the database name and remove the single quotes and it worked.  I
am curious about your suggestion to use unlang and post-auth can you
elaborate on that.   


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Phil Mayers
Sent: Thursday, January 05, 2012 10:29 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: SQL Statement in users file

On 05/01/12 15:24, McSparin, Joe wrote:
 Does this seem like a doable scenario in the users file?  It doesn't
 return anything, but I'm not sure if it is a query issue or if those
 values are not available in the users file.

 DEFAULT Auth-Type = ntlm_auth
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-id = %{sql:SELECT 'vlans.assigned_vlan' FROM 'vlans' WHERE 'vlans.device_mac' = '%{Calling-Station-Id}'}

That should work.

What does the debug say?

It is often preferable to use unlang over users file entries in the 
current server versions; there's a bit more flexibility, in particular 
you can run the SQL query once in post-auth, and in debug mode you get a
better idea of what actually matches. e.g.

post-auth {
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = "%{sql:SELECT ...}"
        }
}






RE: SQL Statement in users file

2012-01-05 Thread McSparin, Joe
Does anyone know if there is a way in the users file to set
Tunnel-Private-Group-id = some_default_vlan if the following sql
statement comes back blank?

DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = %{sql:SELECT radius.vlans.assigned_vlan FROM radius.vlans WHERE radius.vlans.device_mac = '%{Calling-Station-Id}'}


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org



RE: SQL Statement in users file

2012-01-05 Thread McSparin, Joe
Cool that worked. Thanks. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Brian Julin
Sent: Thursday, January 05, 2012 12:22 PM
To: FreeRadius users mailing list
Subject: RE: SQL Statement in users file


 

McSparin, Joe wrote:

 Does anyone know if there is a way in the users file to set
 Tunnel-Private-Group-id = some_default_vlan if the
 following sql statement comes back blank?

 DEFAULT Auth-Type = ntlm_auth
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-id = %{sql:SELECT radius.vlans.assigned_vlan FROM radius.vlans WHERE radius.vlans.device_mac = '%{Calling-Station-Id}'}

maybe %{%{sql:SELECT radius.vlans.assigned_vlan FROM radius.vlans WHERE radius.vlans.device_mac = '%{Calling-Station-Id}'}:-some_default_vlan}

?





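An added example, not the thread's users-file entry and not FreeRADIUS code: this Python models the lookup behind %{%{sql:...}:-default} as Brian suggests here and as the VMPS fallback entry at the top of this page uses it. The in-memory table, its rows and the MAC values are constructed stand-ins for radius.vlans, and it assumes device_mac is stored in the lowercase, delimiter-free form that the rewrite_calling_station_id policy can produce.

```python
"""Model of the guest-VLAN fallback behind
   %{%{sql:SELECT assigned_vlan FROM radius.vlans WHERE device_mac = '...'}:-16}
The table below is a constructed in-memory stand-in for radius.vlans."""
import sqlite3

GUEST_VLAN = "16"  # the ":-" default from the users-file entry


def open_vlan_db():
    """Constructed sample rows; device_mac is lowercase and delimiter-free."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vlans (device_mac TEXT PRIMARY KEY, assigned_vlan TEXT)"
    )
    conn.executemany(
        "INSERT INTO vlans (device_mac, assigned_vlan) VALUES (?, ?)",
        [
            ("001a2b3c4d5e", "1001"),  # staff workstation
            ("001a2b3c4d5f", "20"),    # printer VLAN
            ("001a2b3c4d60", None),    # inventoried, VLAN never filled in
        ],
    )
    return conn


def vlan_for_mac(conn, mac, default=GUEST_VLAN):
    """Return the VLAN for `mac`, or `default` when the lookup yields nothing.

    The sql xlat expands to the empty string when no row matches and also
    when the first column of the row is NULL, and %{...:-default} substitutes
    the default for an empty expansion, so both cases fall back here as well.
    This query binds the MAC as a parameter; the xlat instead interpolates
    Calling-Station-Id into the SQL text, which is why normalising the MAC
    before the lookup matters."""
    row = conn.execute(
        "SELECT assigned_vlan FROM vlans WHERE device_mac = ?", (mac,)
    ).fetchone()
    if row is None or row[0] in (None, ""):
        return default
    return str(row[0])


def vlan_reply(conn, mac):
    """The three reply items the users-file entry (or a post-auth update
    reply block) sends back in the Access-Accept."""
    return {
        "Tunnel-Type:0": "VLAN",
        "Tunnel-Medium-Type:0": "IEEE-802",
        "Tunnel-Private-Group-Id:0": vlan_for_mac(conn, mac),
    }


if __name__ == "__main__":
    db = open_vlan_db()
    for mac in ("001a2b3c4d5e", "001a2b3c4d60", "ffeeddccbbaa"):
        print(mac, "->", vlan_reply(db, mac)["Tunnel-Private-Group-Id:0"])
```

Two things the model makes visible that the one-line xlat hides. First, a row whose assigned_vlan is NULL falls back to the guest VLAN exactly like a missing row, because the sql xlat expands to nothing in both cases, so a half-filled inventory silently lands known devices on the guest VLAN. Second, the xlat interpolates Calling-Station-Id into the SQL text (rlm_sql escapes the expansion, so this is not an open injection as configured), whereas the model uses a bound parameter; normalising the MAC to a fixed 12-hex string before the lookup is what keeps the escaping from ever being load-bearing.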


Using FreeRadius to override VLAN Assignment

2012-01-04 Thread McSparin, Joe
I have put the following into my users files

DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = 1001

I have told my access point to Allow RADIUS Override on the VLAN
Assignment, however the VLAN is not getting overridden.  Does the above
entry in my users file not actually send back a VLAN assignment, and if
not, is there somewhere else this is supposed to be done?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org






RE: Using FreeRadius to override VLAN Assignment

2012-01-04 Thread McSparin, Joe
Here is my radiusd -X it looks to me like the Access-Accept is not
returning the vlan with it.

# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 16  
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = jmcsparin
[peap] Got tunneled reply RADIUS code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 16
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
EAP-Message = 0x030a0004
Message-Authenticator = 0x
User-Name = jmcsparin
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.1.1.50 port 35858
EAP-Message =
0x010b002b19001703010020c4f38e69d73c88a387eba5b0923e812f7d609d6c9d329f90
acd78fc19eb2381f
Message-Authenticator = 0x
State = 0x11074b60180c524471e7db294b4fecfb
Sending Access-Accept of id 200 to 10.1.1.50 port 35858
MS-MPPE-Recv-Key =
0x3d7918ad48100976d9f4db012a50f82b6dba74d3777f6bdca2648b0db3eb9650
MS-MPPE-Send-Key =
0xd4fcd3d81bc0e75431a4baa52fff9b7dce70f1cf1025fe2aac060f30f45b35bb
EAP-Message = 0x030b0004
Message-Authenticator = 0x
User-Name = jmcsparin
Finished request 49.

 

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 

 



From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org On Behalf Of Brian Julin
Sent: Wednesday, January 04, 2012 10:49 AM
To: FreeRadius users mailing list
Subject: RE: Using FreeRadius to override VLAN Assignment


The first order of business would be to run freeradius in debug mode, or
launch an eapol_test client against it, and look to see whether the
attribute is being sent.  If you do not know whether the attribute is
being sent, you cannot determine whether it is the AP or the freeradius
server that needs fixing.



From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org On Behalf Of McSparin, Joe
Sent: Wednesday, January 04, 2012 11:00 AM
To: FreeRadius users mailing list
Subject: Using FreeRadius to override VLAN Assignment



I have put the following into my users files 

DEFAULT Auth-Type = ntlm_auth
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-id = 1001

I have told my access point to Allow RADIUS Override on the VLAN
Assignment, however the VLAN is not getting overridden.  Does the above
entry in my users file not actually send back a VLAN assignment, and if
not, is there somewhere else this is supposed to be done?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 










RE: Using FreeRadius to override VLAN Assignment

2012-01-04 Thread McSparin, Joe
If I removed the Auth-Type part would it process it for all requests for 
testing purposes? 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Wednesday, January 04, 2012 12:34 PM
To: FreeRadius users mailing list
Subject: Re: Using FreeRadius to override VLAN Assignment

Hi,

I have put the following into my users files
 
DEFAULT  Auth-Type = ntlm_auth
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-id = 1001

okay - that's a CHECK item - if the Auth-Type = ntlm_auth, followed
by a load of reply items, which look like standard VLAN override
values (e.g. those that Cisco use)

I have told my access point to Allow RADIUS Override on the VLAN
Assignment; however, the VLAN is not getting overridden.  Does the above
entry in my users file not actually send back a VLAN assignment, and if
not, is there somewhere else this is supposed to be done?

this will work if the 'type' is what you think it is... run the server in debug
mode and see what it says... in the output you will see if your 'users' file
entry is doing anything...

we use PERL code to do this work rather than users file - as it can be called 
where and when we want it called, with lots of wrappers/code around to deal with
correct type of user etc

alan


RE: Using FreeRadius to override VLAN Assignment

2012-01-04 Thread McSparin, Joe
WooHoo! That got it.  Thanks. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, January 04, 2012 12:46 PM
To: FreeRadius users mailing list
Subject: Re: Using FreeRadius to override VLAN Assignment

Hi,
Here is my radiusd -X; it looks to me like the Access-Accept is not
returning the vlan with it.

copy_request_to_tunnel = yes

in your eap.conf

alan




Active Directory with Radius Accounting

2012-01-03 Thread McSparin, Joe
I have set up FreeRadius to work with Active Directory for user name
authentication.
My next step is going to be to start authenticating the MAC address as
well.
I have set up my sql database and created the required schema.
I have uncommented the lines in radiusd.conf and sql.conf and
sites-available/default.conf to start doing radius accounting.
My access point is pointing at the radius server for accounting.
Would it be the acme of foolishness on my part to assume that is all I
need to do for my radius server to start logging the information from my
connecting clients?



Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




RE: Active Directory with Radius Accounting

2012-01-03 Thread McSparin, Joe
=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 03, 2012 5:00 PM
To: FreeRadius users mailing list
Subject: Re: Active Directory with Radius Accounting

McSparin, Joe wrote:
 My access point is pointing at the radius server for accounting.
 Would it be the acme of foolishness on my part to assume that is all I
 need to do for my radius server to start logging the information from
my
 connecting clients?

  Is the NAS sending accounting packets?

  As always, see radiusd -X

  Or, raddebug.

  Alan DeKok.


RE: Active Directory with Radius Accounting

2012-01-03 Thread McSparin, Joe
Never mind, I got it: the radutmp wasn't in the var/log directory.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 03, 2012 5:00 PM
To: FreeRadius users mailing list
Subject: Re: Active Directory with Radius Accounting

McSparin, Joe wrote:
 My access point is pointing at the radius server for accounting.
 Would it be the acme of foolishness on my part to assume that is all I
 need to do for my radius server to start logging the information from
my
 connecting clients?

  Is the NAS sending accounting packets?

  As always, see radiusd -X

  Or, raddebug.

  Alan DeKok.

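Both of the threads above end at the same diagnostic step: look at what is actually on the wire. For the VLAN override, the access point only acts if the Access-Accept carries Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-Id together under one tag; for accounting, the first question is whether Accounting-Request packets are arriving at all. The Python below is an added example, not code from the list or from the FreeRADIUS project: it parses a raw RADIUS datagram (RFC 2865 header and attribute TLVs, RFC 2868 tagged tunnel attributes) and reports either the VLAN a reply assigns or the accounting status a request carries. The sample packets at the bottom are constructed inline with zeroed authenticators for offline use; bytes from a real capture on UDP 1812/1813 would be fed in the same way.

```python
import struct

# RADIUS codes and attribute numbers used below (RFC 2865, RFC 2866, RFC 2868).
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_STATUS_TYPE = 1, 31, 40
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_packet(raw):
    """Split one RADIUS datagram into (code, identifier, [(attr_type, value), ...]).
    Length fields are checked so a truncated packet raises instead of being
    misread; the 16-octet authenticator is skipped, not verified."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def tagged_int(value):
    """RFC 2868 tagged integer: one tag octet, then a 3-octet big-endian integer."""
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_str(value):
    """RFC 2868 tagged string: the first octet is a tag only if it is 0x01..0x1F."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_from_reply(raw):
    """VLAN id assigned by an Access-Accept, or None if the packet is not an Accept
    or lacks a complete Tunnel-Type=VLAN / Tunnel-Medium-Type=IEEE-802 /
    Tunnel-Private-Group-Id trio under one tag (a NAS ignores partial sets)."""
    code, _, attrs = parse_packet(raw)
    if code != ACCESS_ACCEPT:
        return None
    per_tag = {}
    for atype, value in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            tag, v = tagged_int(value)
            per_tag.setdefault(tag, {})["type" if atype == ATTR_TUNNEL_TYPE else "medium"] = v
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_str(value)
            per_tag.setdefault(tag, {})["group"] = v
    for t in per_tag.values():
        if t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == TUNNEL_MEDIUM_IEEE_802 and "group" in t:
            return t["group"]
    return None


def accounting_summary(raw):
    """(Acct-Status-Type name, User-Name, Calling-Station-Id) for an
    Accounting-Request; None for any other packet code."""
    code, _, attrs = parse_packet(raw)
    if code != ACCOUNTING_REQUEST:
        return None
    status = user = mac = None
    for atype, value in attrs:
        if atype == ATTR_ACCT_STATUS_TYPE:
            status = ACCT_STATUS_NAMES.get(int.from_bytes(value, "big"), "Unknown")
        elif atype == ATTR_USER_NAME:
            user = value.decode("ascii", "replace")
        elif atype == ATTR_CALLING_STATION_ID:
            mac = value.decode("ascii", "replace")
    return status, user, mac


def build_packet(code, ident, attrs):
    """Assemble a datagram for the constructed samples (authenticator zeroed, so a
    real NAS would reject it; it only exists to exercise the parser offline)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples, not captures from the poster's server.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [
    (ATTR_TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (ATTR_TUNNEL_MEDIUM_TYPE, bytes([1]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"1001"),
])
SAMPLE_ACCEPT_NO_VLAN = build_packet(ACCESS_ACCEPT, 8, [(ATTR_USER_NAME, b"testuser")])
SAMPLE_ACCT_START = build_packet(ACCOUNTING_REQUEST, 9, [
    (ATTR_USER_NAME, b"testuser"),
    (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (ATTR_ACCT_STATUS_TYPE, (1).to_bytes(4, "big")),
])

if __name__ == "__main__":
    print(vlan_from_reply(SAMPLE_ACCEPT))          # 1001
    print(vlan_from_reply(SAMPLE_ACCEPT_NO_VLAN))  # None
    print(accounting_summary(SAMPLE_ACCT_START))   # ('Start', 'testuser', '00-11-22-33-44-55')
```

The parser stops at the attribute layer on purpose: it tells you whether the three VLAN attributes left the server (the question in the first thread) and whether Start/Stop records are reaching the accounting port (the question in the second), which is the same information radiusd -X prints, but usable on a capture taken at the access point side when the debug output and the NAS disagree.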

Error Reading Certificate file

2011-12-30 Thread McSparin, Joe
I get this error when running radiusd -X.  I checked my passwords in
eap.cnf, ca.cnf, server.cnf and client.cnf.

rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
/usr/local/etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/usr/local/etc/raddb/sites-enabled/default[314]: Failed to load module
eap.
/usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing
authenticate section.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




RE: Error Reading Certificate file

2011-12-30 Thread McSparin, Joe
That got it thanks.  I had changed the permission on the files but not
the certs directory. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, December 30, 2011 10:22 AM
To: FreeRadius users mailing list
Subject: Re: Error Reading Certificate file

McSparin, Joe wrote:
 I get this error when running radiusd -X.  I checked my passwords in
 eap.cnf, ca.cnf, server.cnf and client.cnf.
 
 rlm_eap: SSL error error:0200100D:system library:fopen:Permission
denied
 rlm_eap_tls: Error reading certificate file
 /usr/local/etc/raddb/certs/server.pem'

  Well... check the permissions.  You're likely running the server as
radiusd, and the files are readable only by root

  Alan DeKok.

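Alan's diagnosis (the server runs as the radiusd user, the files are readable only by root) and the follow-up (the files were fixed but not the certs directory) are the usual shape of this error: every directory on the path needs the search bit and the file needs the read bit, for whatever uid the daemon drops to. The Python below is an added example, not code from the list or from FreeRADIUS: it applies the classic owner/group/other mode-bit rule for an arbitrary uid and gid set, so you can ask whether the daemon's account could open /usr/local/etc/raddb/certs/server.pem without switching users. The demo builds a throwaway tree under a temp directory and uses a made-up uid 12345 to stand in for the radiusd account; it looks at mode bits only, so a POSIX ACL or MAC framework could still deny what it reports as readable.

```python
import os
import shutil
import stat
import tempfile


def _permits(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix check: owner bits if uid owns the entry, else group bits if
    any of gids matches, else the 'other' bits. uid 0 bypasses mode bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def explain_unreadable(path, uid, gids=(), below=None):
    """Return None if (uid, gids) could open `path` for reading, otherwise a
    string naming the first component that blocks it: each parent directory
    needs the search (x) bit, the file itself the read (r) bit. `below`, when
    given, limits the directory walk to that subtree. Mode bits only: an ACL
    or MAC policy can still deny what this function allows."""
    path = os.path.abspath(path)
    below = os.path.abspath(below) if below else None
    parents, d = [], os.path.dirname(path)
    while True:
        parents.append(d)
        up = os.path.dirname(d)
        if up == d:
            break
        d = up
    for d in reversed(parents):  # from / down to the file's own directory
        if below and d != below and not d.startswith(below + os.sep):
            continue
        if not _permits(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return f"{d}: no search (x) permission for uid {uid}"
    if not _permits(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return f"{path}: no read (r) permission for uid {uid}"
    return None


def demo(daemon_uid=12345):
    """Recreate the thread's situation in a temp tree: certs/ is 0700 while
    server.pem inside it is 0644, so a non-owner uid is blocked at the
    directory, not the file. Returns (verdict_before, verdict_after) where
    'after' follows chmod 755 on certs/. daemon_uid is a made-up uid."""
    root = tempfile.mkdtemp(prefix="raddb-")
    try:
        os.chmod(root, 0o755)
        certs = os.path.join(root, "certs")
        os.mkdir(certs)
        os.chmod(certs, 0o700)  # mkdir honours umask; force the mode we want
        pem = os.path.join(certs, "server.pem")
        with open(pem, "w") as f:
            f.write("constructed placeholder, not a real certificate\n")
        os.chmod(pem, 0o644)
        before = explain_unreadable(pem, daemon_uid, (daemon_uid,), below=root)
        os.chmod(certs, 0o755)
        after = explain_unreadable(pem, daemon_uid, (daemon_uid,), below=root)
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict or "readable")
```

Run against the real path with the uid and groups of the account named by the `user`/`group` settings in radiusd.conf, and leave `below` unset so the walk starts at /; the first component it names is the one to fix, which in the thread was the certs directory rather than the files.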

FreeRadius Installation Errors

2011-12-29 Thread McSparin, Joe
I got my test server up and running nicely with FreeRadius.  Now I have my
production server that I am installing, exact same machine and same
process; however, this time when I install freeradius from
/usr/ports/net/freeradius2 I get the following errors and no
/usr/local/etc/raddb directory is created:

gmake[6]: Leaving directory
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rl
m_ippool'
Making all in rlm_krb5...
/usr/local/bin/gmake -w -C rlm_krb5 all
gmake[6]: Entering directory
`/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rl
m_krb5'
/usr/local/bin/libtool --mode=compile cc  -O2 -pipe -I/usr/local/include
-L/usr/local/lib -fno-strict-aliasing -Wall -D_GNU_SOURCE -pthread
-DNDEBUG -I/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src
-DHEIMDAL_KRB5  -I/usr/local/include -I/usr/include/et -DKRB5_DEPRECATED
-c rlm_krb5.c
libtool: compile:  cc -O2 -pipe -I/usr/local/include -L/usr/local/lib
-fno-strict-aliasing -Wall -D_GNU_SOURCE -pthread -DNDEBUG
-I/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src
-DHEIMDAL_KRB5 -I/usr/local/include -I/usr/include/et -DKRB5_DEPRECATED
-c rlm_krb5.c  -fPIC -DPIC -o .libs/rlm_krb5.o
In file included from /usr/local/include/krb5.h:846,
 from rlm_krb5.c:32:
/usr/local/include/krb5-protos.h:41: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:49: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:402: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:486: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:634: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:843: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:908: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1007: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1281: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1289: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1297: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1305: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1313: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1321: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1329: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1337: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1600: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1608: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1616: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1624: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1632: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1640: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1648: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1656: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1741: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1844: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1854: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1874: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1919: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1952: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1975: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:1983: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2083: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2127: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2142: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2157: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2169: error: expected identifier or '('
before numeric constant
/usr/local/include/krb5-protos.h:2181: error: expected identifier or '('
before numeric constant

RE: FreeRadius Installation Errors

2011-12-29 Thread McSparin, Joe
I am using kerberos5, though, for Active Directory validation.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, December 29, 2011 12:57 PM
To: FreeRadius users mailing list
Subject: Re: FreeRadius Installation Errors

McSparin, Joe wrote:
 I got my test server up and running nicely with FreeRadius.  Now I have
my
 production server that I am installing, exact same machine and same
 process; however, this time when I install freeradius from
 /usr/ports/net/freeradius2 I get the following errors and no
 /usr/local/etc/raddb directory is created:

  Ask the FreeBSD people why their port is broken.

 gmake[6]: Leaving directory

`/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rl
m_ippool'
 
 Making all in rlm_krb5...
 /usr/local/bin/gmake -w -C rlm_krb5 all
 gmake[6]: Entering directory

`/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rl
m_krb5'

  If there's an error, just delete that entire directory.  You're
probably not using Kerberos, so that directory isn't needed.

  Alan DeKok.



RE: GUID based Authentication on FreeRadius

2011-12-28 Thread McSparin, Joe
Well, that answers that then.
My goal is, I have users that will connect wirelessly using their NT
domain username and password on the hospital's wireless devices.
I also, however, have doctors that will bring in their own laptops and
connect.  When they connect with their laptops, though, I do not want them
to have the same privileges as when they connect on the hospital
wireless devices.
If they are connecting with their home laptops, even though they use
their NT domain user name and password, which the radius server will
accept, I want to restrict them to a public vlan.
If they connect using a hospital device then I want it to assign them to
a vlan based on their NT domain user group.  Since this is a hospital I
have to have pretty strict security regulations with users.

Thanks,


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2011 8:25 AM
To: FreeRadius users mailing list
Subject: Re: GUID based Authentication on FreeRadius

McSparin, Joe wrote:
 Anyone know if this is possible?  I have found information on MAC
Based
 Authentication but nothing on GUID.

  What does that mean?

  The GUID isn't sent in a RADIUS packet.  So doing GUID authentication
makes no sense.

  Alan DeKok.


RE: GUID based Authentication on FreeRadius

2011-12-28 Thread McSparin, Joe
rlm_passwd looks like the way to go... Thanks. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: GUID based Authentication on FreeRadius

McSparin, Joe wrote:
 My goal is, I have users that will connect wirelessly using their NT
 domain username and password on the hospital's wireless devices.
 I also, however, have doctors that will bring in their own laptops and
 connect.  When they connect with their laptops, though, I do not want
them
 to have the same privileges as when they connect on the hospital
 wireless devices.

  That should be easy.  You need to put the hospital's devices into a
group (see man rlm_passwd).  Those devices get VLAN X, other devices
get VLAN Y.

  You should be able to use Calling-Station-Id, which is normally the
MAC of the device.

  Alan DeKok.

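Alan's suggestion is a group lookup keyed on Calling-Station-Id: hospital-owned devices listed in one group get the staff VLAN, and everything else falls through to the public VLAN. One practical snag is that different NASes write the MAC in different shapes (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, upper or lower case), so the key has to be canonicalised before the lookup or a device silently lands on the guest VLAN. The Python below is an added example, not code from the list, from rlm_passwd or from FreeRADIUS: it reads a constructed colon-separated device table (mac:group, the general shape rlm_passwd consumes; the exact column layout here is an assumption), normalises the MAC, and returns the group and VLAN to send. The group names and VLAN numbers are illustrative, and the table is constructed, not the poster's inventory.

```python
import re

# Accepted Calling-Station-Id spellings: aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff,
# aabb.ccdd.eeff and aabbccddeeff, in either case.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)

# Illustrative mapping from inventory group to VLAN; not the poster's numbering.
GROUP_VLANS = {"hospital": "1001", "guest": "16"}


def normalize_mac(calling_station_id):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form, or None if the value is not a
    MAC at all (some NASes put an IP address or an empty string in the attribute)."""
    s = (calling_station_id or "").strip().lower()
    if not _MAC_FORMS.match(s):
        return None
    digits = re.sub(r"[-:.]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_device_table(text):
    """Parse 'mac:group' lines (blank lines and '#' comments ignored) into
    {normalized_mac: group}. The MAC may itself contain colons, so the group is
    taken from the last field. Malformed or conflicting lines are collected
    rather than dropped, so a typo in the inventory is reported instead of
    quietly sending that device to the guest VLAN. Returns (table, errors)."""
    table, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac_part, sep, group = line.rpartition(":")
        mac = normalize_mac(mac_part) if sep else None
        if mac is None or not group:
            errors.append(f"line {lineno}: cannot parse {line!r}")
            continue
        if mac in table and table[mac] != group:
            errors.append(f"line {lineno}: {mac} already in group {table[mac]!r}")
            continue
        table[mac] = group
    return table, errors


def assign_vlan(calling_station_id, table, group_vlans, default_group="guest"):
    """Decide the VLAN for one request: known device -> its group's VLAN,
    unknown or unparsable MAC -> the default (public) group's VLAN.
    Returns (group, vlan) so the decision can be logged, not just applied."""
    mac = normalize_mac(calling_station_id)
    group = table.get(mac, default_group) if mac else default_group
    return group, group_vlans[group]


# Constructed inventory in three MAC spellings plus one deliberate typo.
SAMPLE_TABLE = """\
# hospital-owned wireless devices: mac:group
00-11-22-33-44-55:hospital
0011.2233.4466:hospital
AA:BB:CC:DD:EE:FF:hospital
this-is-not-a-mac:hospital
"""

if __name__ == "__main__":
    table, errors = parse_device_table(SAMPLE_TABLE)
    print(errors)                                                   # the typo line
    print(assign_vlan("00:11:22:33:44:55", table, GROUP_VLANS))     # ('hospital', '1001')
    print(assign_vlan("aabb.ccdd.eeff", table, GROUP_VLANS))        # ('hospital', '1001')
    print(assign_vlan("00-11-22-33-44-77", table, GROUP_VLANS))     # ('guest', '16')
    print(assign_vlan("10.1.174.126", table, GROUP_VLANS))          # ('guest', '16')
```

Calling-Station-Id is an inventory hint rather than an authenticator, which is why this lookup sits beside the NT domain credential check instead of replacing it: the credential says who the user is, the device table only says whether the hardware is one the hospital manages, and the fallback to the public VLAN is the safe default when either piece is missing.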

Installing Third Party Certificate on FreeRadius

2011-12-27 Thread McSparin, Joe
I have a certificate called AddTrustExternalCARoot.crt that I would like
to have FreeRadius start using.  I know I need to change the eap.conf to
look at the new cert; however, I was noticing that when the test
certificates are created there is both a server.crt and server.pem.  Is
there a difference, and do I need to do something to create an
AddTrustExternalCARoot.pem file?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




RE: Installing Third Party Certificate on FreeRadius

2011-12-27 Thread McSparin, Joe
I notice that the existing server.pem file contains the locality and
organization name and so forth along with a local key id before it lists
the cert chain.  Is there something I need to do to generate this? 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Jacob Dawson
Sent: Tuesday, December 27, 2011 12:41 PM
To: FreeRadius users mailing list
Subject: Re: Installing Third Party Certificate on FreeRadius

Yup, there's a difference.  You'll want to put the cert chain in the pem
file so that it's available for clients when you present your cert for
the first time.  Just put the cert all by itself in the crt file.

I'm about to go swap them out on our systems, so I'll review to see if
there was anything else odd about it.

Jacob M. Dawson
Network Research Engineer
Virginia Tech

On 27 Dec 2011, at 12:41, McSparin, Joe wrote:

 I have a certificate called AddTrustExternalCARoot.crt that I would
like to have FreeRadius start using.  I know I need to change the
eap.conf to look at the new cert; however, I was noticing that when the
test certificates are created there is both a server.crt and server.pem.
Is there a difference, and do I need to do something to create an
AddTrustExternalCARoot.pem file?
 
 Thanks,
 
 Joseph R. McSparin
 Network Administrator
 Hill Country Memorial Hospital
 830 990 6638 phone
 830 990 6623 fax
 jmcspa...@hillcountrymemorial.org
 
 

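Jacob's answer draws the line the poster was asking about: the .pem handed to eap.conf carries the private key, the server certificate and the issuing chain, while the .crt holds the server certificate alone. The "Bag Attributes", localKeyID and subject lines the poster noticed in front of the blocks are the human-readable preamble OpenSSL writes when it exports from a PKCS#12 bundle; TLS libraries skip anything outside the BEGIN/END lines. The Python below is an added example, not code from the list or from FreeRADIUS, and uses only the standard library: it inventories the PEM blocks in a file, tolerates that preamble, checks each body is valid base64, and reports whether the file matches the expected layout for the server .pem or for the lone .crt. It does not decode the certificates themselves, so it cannot confirm that the chain is in issuer order; the sample files are constructed with placeholder bodies, not real key or certificate material.

```python
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return the labels of the PEM blocks in `text`, in file order. Text outside
    BEGIN/END (such as OpenSSL's 'Bag Attributes' preamble) is ignored; header
    lines inside a block (Proc-Type:, DEK-Info:) are skipped. A mismatched END
    label, an unterminated block or a non-base64 body raises ValueError."""
    labels, current, body = [], None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = _BEGIN.match(line)
        if m and current is None:
            current, body = m.group(1), []
            continue
        m = _END.match(line)
        if m and current is not None:
            if current != m.group(1):
                raise ValueError(f"line {lineno}: END {m.group(1)} after BEGIN {current}")
            try:
                base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"block {current!r}: body is not base64 ({exc})") from None
            labels.append(current)
            current = None
            continue
        if current is not None and line and ":" not in line:
            body.append(line)
    if current is not None:
        raise ValueError(f"unterminated BEGIN {current}")
    return labels


def check_layout(text, role):
    """Compare the blocks found against the expected layout: role 'server-pem'
    wants exactly one private key plus the server certificate and its issuing
    chain; role 'crt' wants one certificate and nothing else.
    Returns a list of problems; an empty list means the layout looks right."""
    labels = pem_blocks(text)
    keys = [l for l in labels if l in KEY_LABELS]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = [f"unexpected block {l}" for l in labels if l not in KEY_LABELS and l != "CERTIFICATE"]
    if role == "server-pem":
        if len(keys) != 1:
            problems.append(f"expected 1 private key, found {len(keys)}")
        if len(certs) < 2:
            problems.append(f"expected server certificate plus chain, found {len(certs)} certificate(s)")
    elif role == "crt":
        if keys:
            problems.append("a .crt must not contain a private key")
        if len(certs) != 1:
            problems.append(f"expected exactly 1 certificate, found {len(certs)}")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems


def _block(label, payload):
    """Wrap placeholder bytes in a syntactically valid PEM block (64-column body)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed files with placeholder bodies; the preamble mimics a PKCS#12 export.
SAMPLE_SERVER_PEM = (
    "Bag Attributes\n    localKeyID: 01 02 03\nKey Attributes: <No Attributes>\n"
    + _block("PRIVATE KEY", b"constructed key placeholder")
    + "Bag Attributes\n    localKeyID: 01 02 03\n"
    + "subject=/CN=radius.example.test\nissuer=/CN=Example Issuing CA\n"
    + _block("CERTIFICATE", b"constructed server certificate")
    + _block("CERTIFICATE", b"constructed intermediate certificate")
)
SAMPLE_CRT = _block("CERTIFICATE", b"constructed server certificate")

if __name__ == "__main__":
    print(pem_blocks(SAMPLE_SERVER_PEM))                 # ['PRIVATE KEY', 'CERTIFICATE', 'CERTIFICATE']
    print(check_layout(SAMPLE_SERVER_PEM, "server-pem"))  # []
    print(check_layout(SAMPLE_CRT, "crt"))                # []
    print(check_layout(SAMPLE_CRT, "server-pem"))         # missing key and chain
```

Point `check_layout` at the files named by `certificate_file` and `private_key_file` in eap.conf once the vendor-issued material has been assembled; a server .pem that lists only one CERTIFICATE block is the common reason supplicants see an untrusted chain even though the CA root they were given is correct.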

GUID based Authentication on FreeRadius

2011-12-27 Thread McSparin, Joe
Anyone know if this is possible?  I have found information on MAC Based
Authentication but nothing on GUID.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




Domain Group Authentication

2011-12-27 Thread McSparin, Joe
I currently have FreeRadius set up to authenticate against Active
Directory and it works great.  I was wondering, though, for everyone out
there using it, if you had any recommendations for this scenario:
I have users that will connect wirelessly using their NT domain username
and password on the hospital's wireless devices.  I also, however, have
doctors that will bring in their own laptops and connect.  When they
connect with their laptops, though, I do not want them to have the same
privileges as when they connect on the hospital wireless devices.  If
they are connecting with their laptops, even though they use their
NT domain user name and password, I want to restrict them to a public
vlan.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




Is it Possible to use FreeRadius without certificates

2011-12-26 Thread McSparin, Joe
I would like to just have freeRadius authenticate against my Active
Directory in Windows using only the user name and password in Active
Directory for authentication.  Is this possible to do?  I don't want to
have to mess with installing certificates on the user machines or the
server.  Is this possible?

Thanks,

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




RE: Error when trying to create certificates

2011-12-23 Thread McSparin, Joe
It's a package add from FreeBSD ports.  I'll try reinstalling it on
another machine and see where it puts it. 

Thanks, 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From:
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freerad
ius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists
.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, December 22, 2011 5:46 PM
To: FreeRadius users mailing list
Subject: Re: Error when trying to create certificates

McSparin, Joe wrote:
 It's not located in the /usr/local/etc/raddb directory where my
install is but I did a search and it is located here
/usr/local/share/examples/freeradius/raddb/certs/xpextensions. 

  Find out who created the package (RPM, DEB, etc.) for your system,
and file a bug.  The default distribution ships the xpextensions file in
the /etc/raddb/certs/ directory for a reason.

  Alan DeKok.


RE: Error when trying to create certificates

2011-12-22 Thread McSparin, Joe
It's not located in the /usr/local/etc/raddb directory where my install is but 
I did a search and it is located here 
/usr/local/share/examples/freeradius/raddb/certs/xpextensions. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial@lists.freeradius.org]
 On Behalf Of Alan Buxey
Sent: Thursday, December 22, 2011 1:18 AM
To: FreeRadius users mailing list
Subject: Re: your mail

Hi,
Keep getting this error message when running make in my /raddb/certs
directory.  I reinstalled openssl but to no avail.  Any thoughts?
 
/usr/bin/openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr 
-key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
 
Using configuration from ./server.cnf
ERROR: loading the config file 'xpextensions'

does the 'xpextensions' file exist in your raddb/certs directory?  does it
have useful permissions?

alan


[no subject]

2011-12-21 Thread McSparin, Joe
Keep getting this error message when running make in my /raddb/certs
directory.  I reinstalled openssl but to no avail.  Any thoughts?

/usr/bin/openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr
-key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out
server.crt -extensions xpserver_ext -extfile xpextensions -config
./server.cnf
Using configuration from ./server.cnf
ERROR: loading the config file 'xpextensions'
1149:error:02001002:system library:fopen:No such file or
directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/b
io/bss_file.c:126:fopen('xpextensions','rb')
1149:error:2006D080:BIO routines:BIO_new_file:no such
file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bs
s_file.c:129:
1149:error:0E078072:configuration file routines:DEF_LOAD:no such
file:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/c
onf_def.c:197:
*** Error code 1

Stop in /usr/local/etc/raddb/certs.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRadius Authentication using Active Directory

2011-12-19 Thread McSparin, Joe
I have followed several tutorials for setting up Active Directory with
FreeRadius.  When I run the ntlm_auth from the command line I get a
success message however when I run the radtest with the username and
password I get an Access-Reject.  I am using FreeRadius 1.8 and I have
included the message I get from radiusd -X.  Any input would be greatly
appreciated.


rad_recv: Access-Request packet from host 10.1.174.126:3421, id=26,
length=49
User-Name = testuser
User-Password = testpassword
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = jmcsparin, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
  modcall[authorize]: module files returns notfound for request 3
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 3
modcall: leaving group authorize (returns ok) for request 3
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
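The trace above already contains the answer: every authorize module returned noop or notfound, pap warned that it had no known-good password, and the server rejected because nothing set Auth-Type. As an added example (not FreeRADIUS code), this small triage helper reads the per-module return codes out of a `radiusd -X` excerpt and states that conclusion; the sample trace is constructed from the lines quoted in the message, slightly abridged.

```python
"""Triage a 'radiusd -X' authorize trace (added example, not part of FreeRADIUS):
collect module return codes and explain an Access-Reject that happens before
the authenticate section ever runs."""
import re

MODCALL_RE = re.compile(
    r"modcall\[(\w+)\]: module (\S+) returns (\w+) for request (\d+)")

# Constructed from the trace quoted in the message above (abridged).
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 10.1.174.126:3421, id=26, length=49
User-Name = testuser
User-Password = testpassword
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
  modcall[authorize]: module suffix returns noop for request 3
  modcall[authorize]: module eap returns noop for request 3
  modcall[authorize]: module files returns notfound for request 3
rlm_pap: WARNING! No known good password found for the user.
  modcall[authorize]: module pap returns noop for request 3
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
"""

def parse_trace(text):
    """Return {section: {module: rc}} plus the two flags that decide the outcome."""
    sections = {}
    for m in MODCALL_RE.finditer(text):
        section, module, rc, _req = m.groups()
        sections.setdefault(section, {})[module] = rc
    return {
        "sections": sections,
        "known_good_password": "No known good password" not in text,
        "auth_type_set": "No authenticate method (Auth-Type)" not in text,
    }

def explain(text):
    """One-line diagnosis for the 'authorize returns ok but rejected' case."""
    info = parse_trace(text)
    if info["auth_type_set"]:
        return "Auth-Type was set; look at the authenticate section instead"
    authz = info["sections"].get("authorize", {})
    lookups = [mod for mod, rc in authz.items() if rc == "notfound"]
    return ("Rejected before authenticate: no module set Auth-Type "
            f"(lookups returning notfound: {', '.join(lookups) or 'none'}; "
            f"known good password: {'yes' if info['known_good_password'] else 'no'}). "
            "A module must find the user and supply a password, or Auth-Type "
            "must be set explicitly (e.g. to the ntlm_auth exec module).")
```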


RE: FreeRadius Authentication using Active Directory

2011-12-19 Thread McSparin, Joe
I have been trying to upgrade to 2.1.x from 1.1.8 however I keep getting 
this error 

In file included from /usr/local/include/krb5.h:846,
 from rlm_krb5.c:32:
/usr/local/include/krb5-protos.h:41: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:49: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:402: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:486: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:634: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:843: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:908: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1007: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1281: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1289: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1297: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1305: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1313: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1321: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1329: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1337: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1600: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1608: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1616: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1624: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1632: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1640: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1648: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1656: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1741: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1844: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1854: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1874: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1919: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1952: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1975: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:1983: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2083: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2127: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2142: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2157: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2169: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2181: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2223: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2229: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2607: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2615: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2622: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:2629: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:3144: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:3178: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:3183: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:3734: error: expected identifier or '(' before 
numeric constant
/usr/local/include/krb5-protos.h:4091: error: expected identifier or '(' before 
numeric constant