TLS: unable to get common name from peer certificate

2012-10-28 Thread Wegener, Norbert
I can authenticate against an ldap server. That server also offers ldaps, which
I would like to use.
When trying an ldaps connection I get:

[ldap]  expand: dc=dom,dc=MYCOMPANY,dc=NET -> dc=dom,dc=MYCOMPANY,dc=NET
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 10.0.2.13:636, authentication 0
[ldap] setting TLS mode to 1
[ldap] bind as a...@dom.mycompany.net/secret to 10.0.2.13:636
TLS: unable to get common name from peer certificate.
[ldap] a...@dom.mycompany.net bind to 10.0.2.13:636 failed: Can't contact LDAP 
server
[ldap] (re)connection attempt failed

Is this a problem of freeradius (I am using 2.1.12) or something with the ldap 
server?



With best regards,


Norbert Wegener

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
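The "unable to get common name from peer certificate" line is libldap's peer-name check, which runs after the chain has verified: it looks for a subjectAltName dNSName entry matching the configured server name and, if none matches, falls back to the subject commonName; the message is that fallback finding no CN at all. The Python below is an added example (not code from the post, from FreeRADIUS or from OpenLDAP) that mirrors this order over the dict shape Python's `ssl.getpeercert()` returns, so the certificate a server actually presents can be fetched and compared with the `server` value in the ldap module. Assumptions: the sample certificate dicts are constructed, wildcards are honoured only as the whole leftmost label, and IP-literal SANs (relevant when the server is configured by address, as 10.0.2.13 is above) are not modelled.

```python
"""Peer-name check mirroring the order libldap uses on an LDAPS connection.

Added example; not code from the post, from FreeRADIUS or from OpenLDAP.
Certificates are handled in the dict shape that ssl.SSLSocket.getpeercert()
returns. Assumed: SAN dNSName entries are tried first, then the subject CN;
a '*' is honoured only as the whole leftmost label; IP-literal SANs are not
modelled.
"""
import socket
import ssl


class PeerNameError(Exception):
    """No SAN matched and the subject carries no commonName at all."""


def _dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive match; '*' only as the entire leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p, n = pattern.split("."), name.split(".")
    if p[0] != "*" or len(p) != len(n) or len(p) < 3:
        return False
    return p[1:] == n[1:]


def san_dns_names(cert: dict) -> list:
    """dNSName entries of subjectAltName ([] when the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_cn(cert: dict):
    """Subject commonName, or None when the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def peer_name_matches(cert: dict, hostname: str) -> bool:
    """True when hostname matches a SAN dNSName or, failing that, the CN.

    Raises PeerNameError (libldap's wording) when no SAN matched and there is
    no CN to fall back to; that is the condition behind the log line in the post.
    """
    if any(_dns_match(name, hostname) for name in san_dns_names(cert)):
        return True
    cn = subject_cn(cert)
    if cn is None:
        raise PeerNameError("unable to get common name from peer certificate")
    return _dns_match(cn, hostname)


def fetch_peer_cert(host: str, port: int = 636, cafile: str = None) -> dict:
    """Fetch the certificate an LDAPS server presents, verifying the chain
    against cafile (or the system store) but leaving the name check to
    peer_name_matches(); network call, not exercised by the tests."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified: verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (same shape as getpeercert()); not real servers.
CERT_WITH_SAN = {
    "subject": ((("organizationName", "MYCOMPANY"),), (("commonName", "ldap.dom.mycompany.net"),)),
    "subjectAltName": (("DNS", "ldap.dom.mycompany.net"), ("DNS", "*.dom.mycompany.net")),
}
CERT_NO_CN = {
    "subject": ((("organizationName", "MYCOMPANY"),),),
    "subjectAltName": (("DNS", "ldap.lab.example"),),
}


def explain(cert: dict, hostname: str) -> str:
    """One-line verdict for comparing with the 'server' value in the ldap module."""
    try:
        ok = peer_name_matches(cert, hostname)
    except PeerNameError as exc:
        return f"{hostname}: {exc}"
    verdict = "matches" if ok else "does not match"
    return f"{hostname}: {verdict} SAN={san_dns_names(cert)} CN={subject_cn(cert)}"


if __name__ == "__main__":
    for host in ("ldap.dom.mycompany.net", "ldap2.dom.mycompany.net", "10.0.2.13"):
        print(explain(CERT_WITH_SAN, host))
    print(explain(CERT_NO_CN, "ldap.dom.mycompany.net"))
```

With a real server, `explain(fetch_peer_cert("ldap.dom.mycompany.net"), "ldap.dom.mycompany.net")` shows which names the certificate carries; if the ldap module is pointed at an address rather than a name, no dNSName can match and the CN fallback decides, which is why a server name that differs from the certificate by a single character is enough to break the bind.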

Please ignore - unable to get common name from peer certificate

2012-10-28 Thread Wegener, Norbert
Please ignore. There was a typo in my config.


With best regards,


Norbert Wegener


distinguish between revoked and expired certificates

2012-09-07 Thread Wegener, Norbert
Is it possible to distinguish between expired and revoked certificates and 
assign a special vlan in the first case while rejecting the user in the second 
one?
As in both cases the certificate is invalid, I suppose the answer is no.

Probably the best way would be to organize the renewal of certificates
appropriately.


With best regards,


Norbert Wegener


crl handling

2012-07-26 Thread Wegener, Norbert
As far as I know freeradius uses openssl to handle crls.
openssl also has an option -use_deltas to enable support for delta CRLs.
Is this option available in freeradius?
According to eap.conf it is  necessary to restart radiusd if a new version of a 
crl is published.
Are there plans to enable reading of a new crl without restarting the server?


Thanks
Norbert Wegener


building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
According to
http://wiki.freeradius.org/Build#Building+Debian+packages
a debian package can be compiled from freeradius sources.
On squeeze it fails. Maybe it has to do with libtool?
Is there a known workaround?

libtool: compile:  gcc -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/radius/freeradius-server-2.1.12/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.1.12\" 
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=1.12 -c 
modules.c  -fPIC -DPIC -o .libs/modules.o
modules.c: In function 'fr_dlopenext':
modules.c:216: error: 'lt_dladvise' undeclared (first use in this function)
modules.c:216: error: (Each undeclared identifier is reported only once
modules.c:216: error: for each function it appears in.)
modules.c:216: error: expected ';' before 'advise'
modules.c:218: warning: implicit declaration of function 'lt_dladvise_init'
modules.c:218: warning: nested extern declaration of 'lt_dladvise_init'
modules.c:218: error: 'advise' undeclared (first use in this function)
modules.c:219: warning: implicit declaration of function 'lt_dladvise_ext'
modules.c:219: warning: nested extern declaration of 'lt_dladvise_ext'
modules.c:220: warning: implicit declaration of function 'lt_dladvise_global'
modules.c:220: warning: nested extern declaration of 'lt_dladvise_global'
modules.c:221: warning: implicit declaration of function 'lt_dlopenadvise'
modules.c:221: warning: nested extern declaration of 'lt_dlopenadvise'
modules.c:224: warning: implicit declaration of function 'lt_dladvise_destroy'
modules.c:224: warning: nested extern declaration of 'lt_dladvise_destroy'
modules.c: In function 'setup_modules':
modules.c:1409: warning: nested extern declaration of 'lt_preloaded_symbols'
make[5]: *** [modules.lo] Error 1
make[5]: Leaving directory `/root/radius/freeradius-server-2.1.12/src/main'
make[4]: *** [main] Error 2
make[4]: Leaving directory `/root/radius/freeradius-server-2.1.12/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/radius/freeradius-server-2.1.12/src'
make[2]: *** [src] Error 2
make[2]: Leaving directory `/root/radius/freeradius-server-2.1.12'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/radius/freeradius-server-2.1.12'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2




With best regards,


Norbert Wegener
Atos IT Solutions and Services
AIS MS NC PSU SDC
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@atos.net


Atos IT Solutions and Services GmbH; Geschäftsführung: Winfried Holz, Christian 
Oecking, Rainer-Christian Koppitz; Vorsitzender des Aufsichtsrats: Charles 
Dehelly; Sitz der Gesellschaft: München, Deutschland; Registergericht: München, 
HRB 184933.


Re: building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
Unfortunately that has not been the solution. 
I grabbed the latest git version, 
verified
--without-rlm_sql_unixodbc \
--with-system-libtool \
--with-system-libltdl
but:

/usr/bin/libtool --mode=compile gcc -I/root/git/freeradius-server 
-I/root/git/freeradius-server/src -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -I/root/git/freeradius-server/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.2.0\" 
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=2.0 
-DWITH_SYSTEM_LTDL -c modules.c
libtool: compile:  gcc -I/root/git/freeradius-server 
-I/root/git/freeradius-server/src -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -I/root/git/freeradius-server/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.2.0\" 
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=2.0 
-DWITH_SYSTEM_LTDL -c modules.c  -fPIC -DPIC -o .libs/modules.o
modules.c: In function 'fr_dlopenext':
modules.c:216: error: 'lt_dladvise' undeclared (first use in this function)
modules.c:216: error: (Each undeclared identifier is reported only once
modules.c:216: error: for each function it appears in.)
modules.c:216: error: expected ';' before 'advise'
modules.c:218: warning: implicit declaration of function 'lt_dladvise_init'
modules.c:218: warning: nested extern declaration of 'lt_dladvise_init'
modules.c:218: error: 'advise' undeclared (first use in this function)
modules.c:219: warning: implicit declaration of function 'lt_dladvise_ext'
modules.c:219: warning: nested extern declaration of 'lt_dladvise_ext'
modules.c:220: warning: implicit declaration of function 'lt_dladvise_global'
modules.c:220: warning: nested extern declaration of 'lt_dladvise_global'
modules.c:221: warning: implicit declaration of function 'lt_dlopenadvise'
modules.c:221: warning: nested extern declaration of 'lt_dlopenadvise'
modules.c:224: warning: implicit declaration of function 'lt_dladvise_destroy'
modules.c:224: warning: nested extern declaration of 'lt_dladvise_destroy'
modules.c: In function 'setup_modules':
modules.c:1409: warning: nested extern declaration of 'lt_preloaded_symbols'
make[5]: *** [modules.lo] Error 1
make[5]: Leaving directory `/root/git/freeradius-server/src/main'
make[4]: *** [main] Error 2
make[4]: Leaving directory `/root/git/freeradius-server/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/git/freeradius-server/src'
make[2]: *** [src] Error 2
make[2]: Leaving directory `/root/git/freeradius-server'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/git/freeradius-server'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2

With best regards,


Norbert Wegener


From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] 
on behalf of Alan DeKok [al...@deployingradius.com]
Sent: Monday, 21 November 2011 13:38
To: FreeRadius users mailing list
Subject: Re: building 2.1.12 Debian package: 'lt_dladvise' undeclared

Wegener, Norbert wrote:
> According to
> http://wiki.freeradius.org/Build#Building+Debian+packages
> a debian package can be compiled from freeradius sources.
> On squeeze it fails. Maybe it has to do with libtool?
> Is there a known workaround?

  Arg... the system has lt_dladvise_init(), but not lt_dladvise().

  What are the configure flags?  You may need:

--with-system-libtool \
--with-system-libltdl

  The latest git version of debian/rules has this change.

  Alan DeKok.





Re: building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
Removing
  --enable-developer \
in debian/rules solved that problem.


With best regards,


Norbert Wegener

2.1.10 crashes on debian/arm

2011-11-20 Thread Wegener, Norbert
radius crashes sometimes on arm architecture.

Version is:
radiusd: FreeRADIUS Version 2.1.10, for host armv5tel-unknown-linux-gnu, built 
on Nov 20 2011 at 17:41:56

From gdb output: Maybe this is the reason? (around line 550)

#1  0x00034428 in radius_do_cmp (request=0x14b9b98, modreturn=<value optimized 
out>, depth=<value optimized out>, ptr=<value optimized out>,
evaluate_it=Cannot access memory at address 0x630
) at evaluate.c:528

The complete gdb output is a bit longer and can be found at:
http://www.wegener-net.de/freeradius/radius-crash-gdb.txt




With best regards,


Norbert Wegener


Re: 2.1.10 crashes on debian/arm

2011-11-20 Thread Wegener, Norbert
Thank you, I will give 2.1.12 a try.

With best regards,


Norbert Wegener


From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] 
on behalf of Alan DeKok [al...@deployingradius.com]
Sent: Sunday, 20 November 2011 21:07
To: FreeRadius users mailing list
Subject: Re: 2.1.10 crashes on debian/arm

Wegener, Norbert wrote:
> radius crashes sometimes on arm architecture.
...
> From gdb output: Maybe this is the reason? (around line 550)
>
> #1  0x00034428 in radius_do_cmp (request=0x14b9b98, modreturn=<value
> optimized out>, depth=<value optimized out>, ptr=<value optimized out>,
> evaluate_it=Cannot access memory at address 0x630
> ) at evaluate.c:528
>
> The complete gdb output is a bit longer and can be found at:
> http://www.wegener-net.de/freeradius/radius-crash-gdb.txt

  If I recall correctly, that's been fixed in 2.1.11 & 2.1.12.

  Alan DeKok.


Re: 2.1.10 crashes on debian/arm

2011-11-20 Thread Wegener, Norbert
Yes, this is around the  configuration in a larger production environment.
In this case here  I wanted to see how much of that load can be put on an 
embedded system.


With best regards,


Norbert Wegener


From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] 
on behalf of Phil Mayers [p.may...@imperial.ac.uk]
Sent: Sunday, 20 November 2011 21:14
To: freeradius-users@lists.freeradius.org
Subject: Re: 2.1.10 crashes on debian/arm

On 11/20/2011 07:53 PM, Wegener, Norbert wrote:

> The complete gdb output is a bit longer and can be found at:

A *bit* longer?!?

Are you deliberately starting 256 threads?


Re: Dynamic Attributes Based on NAS Type !

2011-10-08 Thread Wegener, Norbert
The general idea is to set up a virtual server for each type of NAS and make 
sure that every NAS is loaded into the correct virtual server.

With best regards,


Norbert Wegener

From: freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=atos@lists.freeradius.org] 
on behalf of Suman Dash [sumand...@gmail.com]
Sent: Saturday, 8 October 2011 16:39
To: FreeRadius users mailing list
Subject: Dynamic Attributes Based on NAS Type !

Hi Everyone ... Currently I am planning to integrate freeradius with different 
NAS like Chillispot, Cisco etc. and enable roaming users so that they can log 
in from any of the NAS.

As the reply items are different with different NAS, I am looking for ideas 
how to enable a single user to roam and connect from different NAS.

In my case I think static reply items are not possible per user or per 
group, so my question is what trick can be used to achieve the same.

I have not tried anything as I have no clue on the same, so some highlights on 
the approach will be a good starting point for me.

Cheers
Suman




Re: RadSQLRelay

2010-07-08 Thread Wegener, Norbert
> Thanks Alan, acct relay works fine now using proxy.conf and 
> copy-acct-to-home-server!
> One final question: Is it possible to replicate the Users table (mysql) using 
> FreeRadius2?
> The idea is never having to worry if a new user was properly created on both 
> servers (or deleted on both servers). Easiest way seems to be updating the php 
> script to talk to two databases, but if FreeRadius can compare and update its 
> user tables itself it might be even more reliable.

This is more a database topic. If you configure your two databases as master 
and slave respectively, you only have to feed the master with the data. The 
slave gets it by database means.

Norbert Wegener



Re: Re: mschap/peap question

2010-07-05 Thread Wegener, Norbert
Just for information: it also does not work with the most recent version of 
samba, 3.5.4.
It definitely works with 3.0.30.

Norbert Wegener


To: FreeRadius users mailing list
Subject: Re: Re: mschap/peap question

Wegener, Norbert wrote:
> I installed samba 3.4.8 and it produces the same errors as the previous 
> version.
> Should the only workaround really be downgrading back to samba/winbind 
> 3.0.30.

  Quite possibly.

> as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ?
> It is hard to believe that the only way to use peap/mschap in this context 
> requires such an old version of samba :-(

  I'm impressed with the amount of work that the Samba people have done.
 Integrating with MS is *hard*.

  Alan DeKok.


Re: mschap/peap question

2010-07-03 Thread Wegener, Norbert
I installed samba 3.4.8 and it produces the same errors as the previous 
version.
Should the only workaround really be downgrading back to samba/winbind 3.0.30,
as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ? 
It is hard to believe that the only way to use peap/mschap in this context 
requires such an old version of samba :-(

Norbert Wegener

...

Hi,
> Using the users file it works. So samba can be blamed even in the current 
> version 3.4.7 :-(

I've had several reports that 3.4.8 works - which isn't even the latest version 
(that's 3.5.4!)

3.4.x is old but I personally have no experience of whether any 3.5.x works

alan


mschap/peap question

2010-07-02 Thread Wegener, Norbert
With 2.1.8 and the configuration from
http://deployingradius.com/scripts/eapol_test/peap-mschapv2.conf
I want to test a radius configuration. The linux server running radius is a member
of the AD domain; mschap succeeds but finally the authentication fails.
freeradius sends Challenges to which eapol_test will not respond. 
This should not be the behaviour mentioned in eap.conf regarding windows 
compatibility
as eapol_test says:

...
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
and finally fails.

What is going wrong when freeradius says:
++[mschap] returns ok
MSCHAP Success 
while eapol_test declares:

EAP-MSCHAPV2: Invalid authenticator response in success request ?
The result is the same whether eapol_test and radius run on the same host or 
on different machines.

Below an extract from radius debug and eapol_test output.
The complete logs are at http://tinyurl.com/36wn5lz

...
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for Z1EC-TST with NT-Password
[mschap]  expand: --username=%{mschap:User-Name} -> --username=Z1EC-TST
[mschap]  mschap2: c9
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8dcf3f854091b5b0
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=32025f3e02109f45a23b3468721d538944af5d633f31afe2
Exec-Program output: NT_KEY: F2203599C0AD93B00507898A198A3698 
Exec-Program-Wait: plaintext: NT_KEY: F2203599C0AD93B00507898A198A3698 
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success 
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 
0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
Message-Authenticator = 0x
State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 
0x010b00331a030a002e533d35423746314132333037313436343646314439373138453036333834454238383541454432384246
Message-Authenticator = 0x
State = 0x6aef51466be44b4f70ee0c4182d406d0
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 10 to 127.0.0.1 port 58631
EAP-Message = 
0x010b005b19001703010050de110c863ab2d5e21f07b010fc9adbfcda106b35f8cee8549fde8851ad1ba75da7bd114c1481cf7d9edb8adc3b2e4d8d2b5f7e62ba0fcea0b7e8e7e6e3edf45c2a1847d9195e7a0421a854d5ce12a3cf
Message-Authenticator = 0x
State = 0x3cecf09536e7e9bedf3400a6b087488e
Finished request 10.
Going to the next request
Waking up in 4.5 seconds.


eapol_test :
...
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=10 length=149
   Attribute 79 (EAP-Message) length=93
  Value: 01 0b 00 5b 19 00 17 03 01 00 50 31 9a b2 e5 49 18 04 ab eb 62 5c 
cc 03 11 93 ba e9 60 5d 66 bc 6b fb 67 97 92 75 f3 cd d7 d7 1b 5b ae bc aa 12 
1f c1 a2 a5 41 2a e7 10 11 c1 b9 6f 3d 39 87 04 6e f8 b8 a5 0a a7 9d f8 79 91 
cd 6d 3f 32 e1 2e fc df 43 4b 4c 96 99 fc 14 07 2c
   Attribute 80 (Message-Authenticator) length=18
  Value: b0 cf e3 2a 75 f5 18 48 50 99 4b b4 e3 c8 50 70
   Attribute 24 (State) length=18
  Value: 65 71 c9 7b 6f 7a d0 fc 26 6f 03 8b 5c fc f1 85
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, 
round trip time 0.09 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: 
EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 35 33 
36 46 30 44 42 30 36 42 43 45 36 42 43 37 32 31 34 33 33 37 39 46 39 38 33 35 
46 33 41 31 37 38 41 43 46 44 43 39
EAP-PEAP: received Phase 2: code=1 identifier=11 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: startWhen --> 0
EAPOL test timed out
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

Thanks
Norbert Wegener


With best regards,
Norbert 
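The eapol_test output above shows the whole encapsulation stack of one round trip: a RADIUS Access-Challenge carrying an EAP-Message that is an EAP-Request of type 25 (PEAP), whose payload after the flags byte is a TLS application-data record, which decrypts to a phase-2 EAP payload whose PEAPv0 header has been compressed to just the type byte 0x1a (26, MS-CHAPv2) and an MS-CHAPv2 Success-Request with the "S=..." string. The Python below is an added example (not code from the post, from eapol_test or from FreeRADIUS) that rebuilds that packet from the attribute values printed in the post and walks it down layer by layer; the 16-byte RADIUS Response Authenticator is not printed in the post, so a zero placeholder is used, and the decrypted phase-2 bytes are taken from the "Decrypted Phase 2 EAP" hexdump.

```python
"""Decode the Access-Challenge that eapol_test printed above, down to the
MS-CHAPv2 Success-Request carried inside the PEAP tunnel.

Added example; not code from the post, from eapol_test or from FreeRADIUS.
The attribute values and the decrypted phase-2 bytes are copied from the
eapol_test dump in the post; the 16-byte RADIUS Response Authenticator is not
shown there, so a zero placeholder is used (constructed value).
"""
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR, STATE = 79, 80, 24
EAP_TYPE_PEAP, EAP_TYPE_MSCHAPV2 = 25, 26
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Bytes from the post: EAP-Message (91), Message-Authenticator (16), State (16)
EAP_MESSAGE_VALUE = bytes.fromhex(
    "010b005b19001703010050319ab2e5491804abeb625c"
    "cc031193bae9605d66bc6bfb67979275f3cdd7d71b5baebcaa12"
    "1fc1a2a5412ae71011c1b96f3d3987046ef8b8a50aa79df87991"
    "cd6d3f32e12efcdf434b4c9699fc14072c")
MESSAGE_AUTH_VALUE = bytes.fromhex("b0cfe32a75f5184850994bb4e3c85070")
STATE_VALUE = bytes.fromhex("6571c97b6f7ad0fc266f038b5cfcf185")
# Decrypted phase-2 payload (47 bytes) from the post: what sat inside the TLS record
PHASE2_PLAINTEXT = bytes.fromhex(
    "1a030a002e533d" "35333646304442303642" "43453642433732313433"
    "33373946393833354633" "41313738414346444339")
PLACEHOLDER_AUTHENTICATOR = bytes(16)  # constructed; not in the post


def build_radius_packet(code, ident, authenticator, attrs):
    """Serialise code/id/length + authenticator + TLV attributes (RFC 2865)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(packet):
    """Header and attribute list; rejects length fields that disagree with the data."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attrs": attrs}


def eap_from_attrs(attrs):
    """EAP-Message fragments are concatenated in order (RFC 3579 section 3.1)."""
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)


def parse_eap(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field does not match data")
    out = {"code": code, "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # Request/Response carry a type byte
        out["type"], out["payload"] = data[4], data[5:]
    return out


def parse_peap(payload):
    """PEAP flags byte (L M S R R V V V), optional 4-byte TLS message length, TLS data."""
    flags = payload[0]
    out = {"flags": flags, "length_included": bool(flags & 0x80),
           "more_fragments": bool(flags & 0x40), "start": bool(flags & 0x20),
           "version": flags & 0x07}
    pos = 1
    if out["length_included"]:
        out["tls_message_length"] = struct.unpack("!I", payload[1:5])[0]
        pos = 5
    out["tls_data"] = payload[pos:]
    return out


def parse_tls_record_header(data):
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if 5 + length != len(data):
        raise ValueError("TLS record length does not match data")
    return {"content_type": ctype, "version": (major, minor), "length": length}


def parse_peap_phase2(plain, outer_id):
    """PEAPv0 sends the inner EAP packet without code/id/length; the supplicant
    treats it as a Request with the outer EAP id (hence 'code=1 identifier=11 length=51')."""
    inner = {"code": 1, "id": outer_id, "length": 4 + len(plain), "type": plain[0]}
    if plain[0] == EAP_TYPE_MSCHAPV2:
        opcode, ms_id, ms_len = struct.unpack("!BBH", plain[1:5])
        if ms_len != len(plain) - 1:
            raise ValueError("MS-CHAPv2 length does not match data")
        inner["mschapv2"] = {"opcode": opcode, "name": MSCHAPV2_OPCODES.get(opcode, "?"),
                             "id": ms_id, "length": ms_len,
                             "message": plain[5:1 + ms_len].decode("ascii")}
    return inner


def decode_challenge():
    """Walk the whole stack for the packet in the post and return each layer."""
    packet = build_radius_packet(11, 10, PLACEHOLDER_AUTHENTICATOR,
                                 [(EAP_MESSAGE, EAP_MESSAGE_VALUE),
                                  (MESSAGE_AUTHENTICATOR, MESSAGE_AUTH_VALUE),
                                  (STATE, STATE_VALUE)])
    radius = parse_radius(packet)
    eap = parse_eap(eap_from_attrs(radius["attrs"]))
    peap = parse_peap(eap["payload"])
    record = parse_tls_record_header(peap["tls_data"])
    inner = parse_peap_phase2(PHASE2_PLAINTEXT, eap["id"])
    return {"radius": radius, "eap": eap, "peap": peap, "tls_record": record, "inner": inner}


if __name__ == "__main__":
    for layer, value in decode_challenge().items():
        print(layer, {k: v for k, v in value.items() if k not in ("attrs", "payload", "tls_data")})
```

The numbers the decoder recovers are the ones eapol_test logged: RADIUS length 149 for three attributes, EAP id 11 and length 91, PEAP flags 0x00 with 85 bytes of TLS data (an 80-byte application-data record), and an inner MS-CHAPv2 packet with mschapv2_id 10 and a 46-byte Success-Request whose "S=" string is what the supplicant then checks against its own computation.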

Re: mschap/peap question

2010-07-02 Thread Wegener, Norbert
Using the users file it works. So samba can be blamed even in the current 
version 3.4.7 :-(


With best regards,
Norbert Wegener
Siemens AG
Siemens IT Solutions and Services
SIS GO NW PSU SDC ASINS
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@siemens.com

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; 
Managing Board: Peter Loescher, Chairman, President and Chief Executive 
Officer; Wolfgang Dehen, Heinrich Hiesinger, Joe Kaeser, Barbara Kux, Hermann 
Requardt, Siegfried Russwurm, Peter Y. Solmssen; Registered offices: Berlin and 
Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, 
Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

From: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org] 
on behalf of Alan DeKok [al...@deployingradius.com]
Sent: Friday, 2 July 2010 17:23
To: FreeRadius users mailing list
Subject: Re: mschap/peap question

Wegener, Norbert wrote:
> With 2.1.8 and the configuration from
> http://deployingradius.com/scripts/eapol_test/peap-mschapv2.conf
> I want to test a radius configuration. The linux server running radius is 
> member
> of the AD domain, mschap succeeds but finally the authentication fails.
> freeradius sends Challenges to which eapol_test will not respond.
> This should not be the behaviour mentioned in eap.conf regarding windows 
> compatibility
> as eapol_test says:
>
> ...
> EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
> EAP-MSCHAPV2: Received success
> EAP-MSCHAPV2: Invalid authenticator response in success request
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> and finally fails.

  If you're running Samba... it's a Samba bug.

  Like most of these issues, try it with a test user & password in the
users file.  If it works there, but not when Samba is used: blame Samba.

  See eap.conf in 2.1.8 for pointers to the bug URL.

  Alan DeKok.
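Why the users-file test isolates Samba: eapol_test rejects the Success-Request because the "S=" string in it is not the authenticator response it computes itself from the password (RFC 2759 section 8.7). When ntlm_auth is in use, FreeRADIUS never sees the password; it starts from the NT_KEY value ntlm_auth prints (the MD4 of the NT password hash, the PasswordHashHash of the RFC), and the 8-byte value it hands ntlm_auth as --challenge in the debug above is the ChallengeHash of section 8.2. With a Cleartext-Password or NT-Password from the users file the server derives PasswordHashHash itself, so only the ntlm_auth path depends on Samba returning the right key. The Python below is an added example, not code from the post or from FreeRADIUS, hostapd or Samba, that computes the response both ways against the RFC 2759 section 9.2 test vectors and shows that a wrong NT_KEY produces exactly the mismatch eapol_test reported; the wrong key value is constructed, and the pure-Python MD4 is only a fallback for OpenSSL builds that no longer expose MD4 to hashlib.

```python
"""MS-CHAPv2 authenticator response (RFC 2759 section 8.7) computed both as
the supplicant does it (from the password) and as FreeRADIUS does it when
ntlm_auth is in use (from the NT_KEY that ntlm_auth returns, which is the
MD4 of the NT password hash).

Added example; not code from the post, from FreeRADIUS, hostapd or Samba.
Test vectors are those of RFC 2759 section 9.2. MD4 comes from hashlib where
OpenSSL still provides it, otherwise from the pure-Python routine below.
"""
import hashlib
import hmac
import struct

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def _md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4; used when hashlib has no 'md4' (OpenSSL 3 without the legacy provider)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return _md4_pure(data)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password (RFC 2759 section 8.3)."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash (section 8.2): the 8-byte value FreeRADIUS passes to ntlm_auth as --challenge."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def authenticator_response(pw_hash_hash: bytes, nt_response: bytes, peer_challenge: bytes,
                           auth_challenge: bytes, username: str) -> str:
    """GenerateAuthenticatorResponse (section 8.7) starting from PasswordHashHash."""
    digest = hashlib.sha1(pw_hash_hash + nt_response + MAGIC1).digest()
    challenge = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + challenge + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def client_authenticator_response(password, nt_response, peer_challenge, auth_challenge, username):
    """What eapol_test expects: derived from the password it holds."""
    return authenticator_response(md4(nt_password_hash(password)), nt_response,
                                  peer_challenge, auth_challenge, username)


def server_authenticator_response(nt_key, nt_response, peer_challenge, auth_challenge, username):
    """What FreeRADIUS puts in the Success-Request with ntlm_auth: NT_KEY stands in for PasswordHashHash."""
    return authenticator_response(nt_key, nt_response, peer_challenge, auth_challenge, username)


def client_accepts(password, received, nt_response, peer_challenge, auth_challenge, username) -> bool:
    """The supplicant's check that fails with 'Invalid authenticator response in success request'."""
    expected = client_authenticator_response(password, nt_response, peer_challenge, auth_challenge, username)
    return hmac.compare_digest(expected.encode(), received.encode())


# RFC 2759 section 9.2 test vectors
USERNAME, PASSWORD = "User", "clientPass"
AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
GOOD_NT_KEY = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")  # PasswordHashHash from the RFC
BAD_NT_KEY = bytes(16)  # constructed: stands in for a wrong value returned by ntlm_auth

if __name__ == "__main__":
    args = (NT_RESPONSE, PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    for label, key in (("correct NT_KEY", GOOD_NT_KEY), ("wrong NT_KEY", BAD_NT_KEY)):
        s = server_authenticator_response(key, *args)
        print(label, s, "accepted" if client_accepts(PASSWORD, s, *args) else "rejected")
```

The server side is a pure function of NT_KEY, NT-Response, the two challenges and the user name, so if ntlm_auth returns a wrong key the server still logs "MSCHAP Success" while every supplicant that holds the real password rejects the "S=" value; the users-file test swaps in a known-good PasswordHashHash and removes Samba from that chain.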


Re: Pre-release of Version 2.1.8

2009-12-04 Thread Wegener, Norbert
Building an rpm on Suse10.3 fails with:

Processing files: freeradius-server-dialupadmin-2.1.8-0
Processing files: freeradius-server-devel-2.1.8-0
Processing files: freeradius-server-debuginfo-2.1.8-0
Checking for unpackaged file(s): /usr/lib/rpm/check-files 
/var/tmp/freeradius-server-2.1.8-build
error: Installed (but unpackaged) file(s) found:
   /etc/raddb/sql/ndb/README


RPM build errors:
File listed twice: /usr/sbin/rcfreeradius
File listed twice: /usr/sbin/rcfreeradius-relay
Installed (but unpackaged) file(s) found:
   /etc/raddb/sql/ndb/README

 diff -Nru ../SOURCES/freeradius-server-2.1.8/suse/freeradius.spec 
freeradius-mod.spec
--- ../SOURCES/freeradius-server-2.1.8/suse/freeradius.spec 2009-12-04 
18:56:04.0 +0100
+++ freeradius-mod.spec 2009-12-04 20:20:58.0 +0100
@@ -304,8 +304,6 @@
 /etc/init.d/freeradius-relay
 %config /etc/pam.d/radiusd
 %config /etc/logrotate.d/radiusd
-/usr/sbin/rcfreeradius
-/usr/sbin/rcfreeradius-relay
 %dir %attr(755,radiusd,radiusd) /var/lib/radiusd
 # configs
 %dir %attr(750,-,radiusd) /etc/raddb
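Review bot: deleting the `/usr/sbin/rcfreeradius` and `/usr/sbin/rcfreeradius-relay` lines in this hunk cures the "File listed twice" errors only because the same two paths are still listed by another entry of the spec; check that the surviving entry sits in the same sub-package as the `/etc/init.d/freeradius-relay` line kept above and carries the attributes intended for the rc symlinks, otherwise they silently move to another package or change mode. A one-line comment at the kept entry saying that the rc links are packaged there would stop the next person from adding them back here.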
@@ -333,6 +331,7 @@
 %attr(640,-,radiusd) %config(noreplace) /etc/raddb/users
 %attr(640,-,radiusd) %config(noreplace) /etc/raddb/experimental.conf
 %dir %attr(750,-,radiusd) /etc/raddb/certs
+/etc/raddb/sql/ndb/README
 /etc/raddb/certs/Makefile
 /etc/raddb/certs/README
 /etc/raddb/certs/xpextensions
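Review bot: the added `/etc/raddb/sql/ndb/README` line lands between `%dir %attr(750,-,radiusd) /etc/raddb/certs` and the certs file list, which is the wrong neighbourhood for an sql/ndb file, and unlike the adjacent `%attr(640,-,radiusd) %config(noreplace)` entries it carries no attributes, so it is packaged with default ownership inside a tree that is otherwise restricted to the radiusd group. Suggest moving it next to the entries that already cover the rest of /etc/raddb/sql/ndb (the build reported only the README as unpackaged) and giving it the same `%attr(640,-,radiusd)` treatment, or packaging the ndb directory as a whole so the next file added there does not trigger "Installed (but unpackaged) file(s)" again.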

solves this.



With best regards,
Norbert Wegener
Siemens AG
Siemens IT Solutions and Services
SIS GO NW PSU SDC ASINS
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@siemens.com


From: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org] on 
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Friday, 4 December 2009 18:54
To: FreeRadius users mailing list
Subject: Re: Pre-release of Version 2.1.8

Bjørn Mork wrote:
 Alan DeKok al...@deployingradius.com writes:

   I've put a pre-release of version 2.1.8 on the web site:

 http://git.freeradius.org/pre/

 Hmm, they were both a bit small.  I see 14 and 20 bytes. Something
 probably went wrong with the packaging script?

  Yup.  Let me fix that in a bit...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Failed to add duplicate client problem

2009-08-24 Thread Wegener, Norbert
We have a vpn gateway with different URLs for different user groups. For each 
URL a specific radius server has to be defined. Up to now those different 
radius servers have been installed on different machines. When trying to 
consolidate those servers within different virtual servers on one single 
machine freeradius refuses to start with the "Failed to add duplicate client xx 
to clients list. Maybe there's a duplicate?" message. Yes, there is a 
duplicate and it is on purpose.
Is there a way to circumvent this?


Kind regards
Norbert Wegener
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Failed to add duplicate client problem

2009-08-24 Thread Wegener, Norbert

  If you post your config, my guess is that you have *global* clients,
and then are defining the same client IP twice.

The clients are read from an sql database. As every client has a corresponding 
server attached in that database it could be assumed that every client is local 
to that virtual server.
This obviously is not true.
Having distinct sql*conf files for each server and different nas_query in 
dialup*.conf solves the problem.
Thank you.

  Norbert Wegener

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP errors in 2.1.1

2009-08-06 Thread Wegener, Norbert


-Original Message-
From: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[mailto:freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Thursday, 30 July 2009 15:21
To: FreeRadius users mailing list
Subject: Re: EAP errors in 2.1.1

Wegener, Norbert wrote:
 We are seeing an increasing number of eap error messages:
 
 Error: rlm_eap: No EAP session matching the State variable
..
  The error you're seeing is usually caused by EAP packets coming in 60
seconds apart.  When the EAP session takes too long to process, the
server deletes the context.  See timer_expire in eap.conf.

  Another possible reason for the error is that the NAS is sending EAP
packets from different source IP's.  The EAP sessions are keyed by
(source IP, EAP Id, State).

We noticed at one of the involved windows clients that for an unknown reason 
its system clock changed while the eap session has been started. Might such a 
change of system time also lead to that kind of problem?

Norbert Wegener


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
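The session lookup Alan describes above, as an added model written for this thread (not rlm_eap's own code): sessions are keyed by (source IP, EAP Id, State) and a context idle for longer than timer_expire is deleted, so both a NAS that switches source IP and a packet arriving after the timer produce the "No EAP session matching the State variable" condition. The 60-second default and the class name are assumptions of this model.

```python
from dataclasses import dataclass, field

# Assumed default for timer_expire in eap.conf (seconds).
TIMER_EXPIRE = 60


@dataclass
class EapSessionCache:
    """Model of the per-conversation EAP handler table (hypothetical name)."""
    timer_expire: float = TIMER_EXPIRE
    # (source IP, EAP Id, State) -> server-side timestamp of last activity.
    # Only the server's clock is used; the client's clock is never consulted.
    sessions: dict = field(default_factory=dict)

    def start(self, src_ip, eap_id, state, now):
        """Record a new handler when the server sends its EAP challenge."""
        self.sessions[(src_ip, eap_id, state)] = now

    def lookup(self, src_ip, eap_id, state, now):
        """Return True when the incoming packet matches a live handler.

        A miss corresponds to the "No EAP session matching the State
        variable" error: either the key is unknown (for example the NAS
        sent this round from a different source IP) or the handler sat
        idle longer than timer_expire and was deleted.
        """
        key = (src_ip, eap_id, state)
        last = self.sessions.get(key)
        if last is None:
            return False
        if now - last > self.timer_expire:
            del self.sessions[key]      # context expired: server drops it
            return False
        self.sessions[key] = now        # conversation continues, refresh
        return True


if __name__ == "__main__":
    cache = EapSessionCache()
    cache.start("10.0.0.1", 1, b"state-1", now=0)       # constructed sample
    print(cache.lookup("10.0.0.1", 1, b"state-1", now=30))   # True
    print(cache.lookup("10.0.0.2", 1, b"state-1", now=31))   # False: new src IP
    cache.start("10.0.0.1", 2, b"state-2", now=100)
    print(cache.lookup("10.0.0.1", 2, b"state-2", now=161))  # False: expired
```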


EAP errors in 2.1.1

2009-07-30 Thread Wegener, Norbert
We are seeing an increasing number of eap error messages:

Error: rlm_eap: No EAP session matching the State variable

As mentioned in the Changelog of a later version, an EAP error has been detected 
and fixed in 2.1.4:
Fix EAP-TLS bug.  Patch from Arnaud Ebalard

Is this bug-fix related to the error message above, so that upgrading alone would 
help?

Norbert Wegener



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


chase_referrals and rebind in 2.1.6

2009-07-17 Thread Wegener, Norbert
I am having some problems with an AD and FreeRADIUS. rlm_ldap debug lets me 
assume that there might be a relation to chase_referrals and rebind. 
According to the Changelog there have been changes regarding this in 2.1.6:

Added chase_referrals and rebind configuration to rlm_ldap. This helps with 
Active Directory. See raddb/modules/ldap

Unfortunately I do not find anything about it in that file.


~/freeradius-server-2.1.6$ grep -r -l -i chase_ref *
debian/changelog
doc/ChangeLog
src/modules/rlm_ldap/rlm_ldap.c

Similar result for rebind.

What options might be configured for chase_referrals and rebind?


Norbert Wegener




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Wegener, Norbert
Not only I have to thank Alan for this or that hint and the great software.
Nowadays I find his answers amusing. They sound like a mantra:
Read the documentation, post the debug output, don't change too much in the 
default configuration 

What is wrong with that answer?
And knowing that one might get this kind of answer: Maybe one thinks twice and 
reads a bit more through the docs before posting a question.
In my opinion there are worse things than thinking twice.
I know people that behave exactly this way just for that reason. And they 
solved most of their problems this way.

FreeRADIUS is a project with a comprehensive documentation. Many, if not most, 
of the questions on the list could be answered by reading the wiki and the rest 
of the documentation. Knowing this I personally would find it hard to 
impossible to answer the same questions over and over again.

Thanks Alan.


Norbert Wegener


From: freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org 
[freeradius-users-bounces+norbert.wegener=siemens@lists.freeradius.org] on 
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Thursday, 25 June 2009 08:20
To: daverum...@boothcreek.com; FreeRadius users mailing list
Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate

daverum...@boothcreek.com wrote:
   So funny you say that, I was just talking about that with a co worker. I 
 almost find myself searching for his emails and thinking that poor person who 
 is looking for help.

  Asking people to read the debug log, as suggested in the FAQ, README,
INSTALL, man page, every single howto, and daily on this list?

  For shame.

  It's really quite simple.  It's a choice.  People DON'T read the
documentation.  They DON'T follow instructions.  They DON'T read the
debug log.  But they get incensed when they get told to read it, and
they get incensed when told to follow instructions.

  Happily, there is a solution.  Along with Christopher, you're now the
new cut & paste master.  Please spend a few short hours every day
answering questions on this list by cutting & pasting answers from the
existing documentation.

  Also, you will need to explain to people that they should run the
server in debugging mode.  Feel free to *continue* explaining why this
is necessary after they have gotten angry at you for not immediately
solving their problem.

  Complaining about *my* behavior is not an option until you've
contributed something to the project.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
