RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the 
samAccountName, then use that with ntlm_auth.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Angelica Delgado
Sent: 14 October 2013 21:51
To: FreeRadius users mailing list
Subject: configure freeradius to use UPN instead of samaccountname

We have our freeradius set up to authenticate with Active Directory for EAP.  
Currently, it uses the samaccountname but we want to use UPN instead. We get 
NT_STATUS_NO_SUCH_USER when testing with ntlm through the command line.

ntlm_auth --request-nt-key --domain=test.local --username=tu...@pub.com



Can you please let us know what needs to be configured to support the UPN?



Thanks.







-- 

This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.

Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 

Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.

Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

 







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
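Stefan's two-step answer (look the UPN up, then hand the resulting sAMAccountName to ntlm_auth), as an added example in Python. This is not code from the thread or from the FreeRADIUS project: the directory entries are constructed, the search runs over an in-memory list instead of a real LDAP server, and the domain given to ntlm_auth is assumed to be the account's own domain. What it adds to the advice above is the check a practitioner wants: the UPN arrives from the supplicant as the EAP identity, so it must be escaped (RFC 4515) before it goes into the search filter, and a lookup that returns zero or several entries should refuse rather than guess. In the server itself the same idea is a user filter on userPrincipalName in the ldap module and the returned sAMAccountName substituted into the mschap module's ntlm_auth command line (assumed wiring; verify against your version's module docs).

```python
"""UPN -> sAMAccountName lookup ahead of ntlm_auth (added example).

Not code from the FreeRADIUS project or from this list thread. The
directory below is a constructed stand-in for an LDAP search against AD;
a real deployment would run the same filter through an LDAP client or
rlm_ldap. Names, entries and the default domain are illustrative.
"""
import re

# Constructed sample entries: what the search base would return.
# LDAP attributes are multi-valued, so every value is kept in a list.
DIRECTORY = [
    {"userPrincipalName": ["tuser@pub.com"], "sAMAccountName": ["tuser"]},
    {"userPrincipalName": ["bob@pub.com"], "sAMAccountName": ["bob"]},
    {"userPrincipalName": ["alice@test.local"], "sAMAccountName": ["alice"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value: ( ) * \\ and NUL become \\XX.

    The UPN comes from the supplicant (the EAP identity), so it is
    attacker-controlled; without this a value such as '*@pub.com' turns
    into a wildcard and matches every user in that realm.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def _unescape(segment: str) -> str:
    """Turn \\XX sequences back into literal characters (inverse of above)."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), segment)


def matches(entry: dict, attr: str, pattern: str) -> bool:
    """Evaluate one (attr=pattern) assertion on an entry.

    Mimics AD behaviour: '*' is a wildcard, comparison is case-insensitive,
    and \\XX escapes are literal characters, never wildcards.
    """
    literal_parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = ".*".join(literal_parts)
    return any(re.fullmatch(regex, v, re.IGNORECASE)
               for v in entry.get(attr, []))


def search_by_upn(upn: str, directory=DIRECTORY) -> list:
    """Return the entries whose userPrincipalName equals the (escaped) UPN."""
    pattern = escape_filter_value(upn)
    return [e for e in directory if matches(e, "userPrincipalName", pattern)]


def upn_to_sam(upn: str, directory=DIRECTORY):
    """Map a UPN to its sAMAccountName, or None if unknown or ambiguous."""
    local, sep, realm = upn.partition("@")
    if not (sep and local and realm):
        raise ValueError("identity is not a UPN (expected user@realm)")
    hits = search_by_upn(upn, directory)
    if len(hits) != 1:          # zero or several hits: refuse, never guess
        return None
    return hits[0]["sAMAccountName"][0]


def ntlm_auth_argv(upn: str, domain: str = "test.local", directory=DIRECTORY):
    """Build the ntlm_auth command line from the post, with the looked-up
    sAMAccountName as --username. 'domain' is assumed here to be the
    account's own domain; in a multi-domain forest derive it from the
    entry instead of hard-coding it."""
    sam = upn_to_sam(upn, directory)
    if sam is None:
        return None
    return ["ntlm_auth", "--request-nt-key",
            "--domain=%s" % domain, "--username=%s" % sam]


if __name__ == "__main__":
    print(ntlm_auth_argv("tuser@pub.com"))
    # Unescaped, '*@pub.com' matches two accounts; escaped it matches none.
    print(len([e for e in DIRECTORY
               if matches(e, "userPrincipalName", "*@pub.com")]))
    print(upn_to_sam("*@pub.com"))
```

The refusal on an ambiguous result matters because userPrincipalName is not guaranteed unique across a forest; picking the first hit would let one account authenticate as another.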

RE: clone break freeradius

2013-10-11 Thread stefan.paetow
Did you also change the MAC address for the network adapter in the VMWare 
settings? Otherwise VMWare believes (and possibly your network too) the two 
machines are the same.

After changing the MAC address, reconfigure your network settings on the clone 
and reboot. Delete the trust (computer) account for the original machine from 
Active Directory. Then retry the net join command for both machines.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of trevor obba
Sent: 11 October 2013 00:38
To: freeradius-users@lists.freeradius.org
Subject: clone break freeradius

I configured freeradius version 2.2.0 running on Ubuntu 12.04 to authenticate 
against Active Directory and it was working fine until I decided to clone 
(VMware) the machine.

Once the machine was cloned I changed the IP address and hostname (in /etc/hosts and 
/etc/hostname) and also changed the name in /etc/samba/smb.conf.

Finally I tried to join the clone machine using "net join -U administrator"; 
unfortunately this breaks the original freeradius machine (it no longer 
authenticates to Active Directory) and the clone machine will not join the 
domain either.
I think the clone machine is still referring to the original machine, which breaks 
the original machine; unfortunately I do not know how to fix it.

How do I fix the original machine?
What else do I change on the clone machine so that I can successfully join it 
to the domain without breaking the original machine?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
> authentications (as microsoft call it) - but I'm also looking at
> samba4 - as it has a new option that will balance ntlm_auth against all
> known boxes rather than the first box it latches onto - to spread the
> load.

Samba 4 is lurvely... apparently 100% compatible with existing AD 
installations, although, as always, it's a bit finicky and info is a bit thin 
on the ground (and I've not written up a guide when I set my test environment 
up that uses an S4 server for EAP-MSCHAPv2). But at least it exists on 
RHEL/CentOS as a package.

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
> it can also BE an AD master etc.  anyway, you dont know how tempting it
> was to yum install samba4 on our production system  ;-)

Indeed. That's exactly what I'm using it for. :-)

> I'd certainly like to see some samba3.x versus samba4 benchmarks in
> this sort of context

Yes, versus Windows 2008 R2 or 2012 as well... just for good measure.

:-)

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Version 3.0.0 has been released

2013-10-08 Thread stefan.paetow
> Congratulations!  Thank you again for all of the countless hours you
> spend on improving the best and most flexible RADIUS server.  One
> question though - is there a typo in the V2 upgrade link below?  When I
> click on it I get a 404 error..
>
>> Upgrading instructions are available here:
>>
>> https://github.com/FreeRADIUS/freeradius-server/blob/release_branch_3.0.0/raddb/README.rst

That's because the branch has been renamed. The file you want is: 
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/README.rst

:-)

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: What does FR 2.2.2 fix?

2013-10-04 Thread stefan.paetow
Yep, those are the ones. :-)

Stefan

> Hmm
> like these then?
>
> Fri Oct  4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread.
> Fri Oct  4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
> Fri Oct  4 11:24:14 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
> Fri Oct  4 11:24:17 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
> Fri Oct  4 11:24:44 2013 : Info: WARNING: Child is hung for request 17633 in component core module thread.
> Fri Oct  4 11:24:52 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread.
> Fri Oct  4 11:24:53 2013 : Info: WARNING: Child is hung for request 17634 in component core module thread.
> Fri Oct  4 11:24:55 2013 : Info: WARNING: Child is hung for request 17636 in component core module thread.
>
> Reverted back to 2.2.0 as I never saw these errors with it
>
> Rgs A


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Running RADIUS in permanent debug mode with rotating log

2013-10-03 Thread stefan.paetow
> How can we run radiusd -x > logname such that we have a different
> logname for each day?

Clement, may I suggest a cron job?

At midnight, move the log, kill and restart the radius server with a new log in 
the name? Of course you run the risk of possibly killing any authentication 
attempts that happen at that point in time, but... that's something you need to 
take into account?

Stefan


-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Active Directory Group Membership filtering query

2013-10-01 Thread stefan.paetow
Simon,

Did you enable the 'ldap' entry in the authorize section(s) of your default and 
inner-tunnel servers?

It is commented out by default.

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Simon Grierson
Sent: 01 October 2013 15:08
To: freeradius-users@lists.freeradius.org
Subject: Active Directory Group Membership filtering query

Hi there,

I'm new to freeradius, and am setting it up purely in a test environment before 
deploying live.

We're using Freeradius 2.2.0 and Ubuntu Server 12.04.3 LTS with Active 
Directory and Fortinet Fortigate based APs.

We're trying to achieve the following:
Authentication via Active Directory, but with access granted depending on AD 
Group membership.

EG:  User A Is allowed Wifi access,  as they are in Wifi-Users group
User B is not as they do not have membership of this group.

So we have the Freeradius server up and running, and it can authenticate 
against AD fine, but I can't figure out the group filtering portion of the setup.

The documentation points to configuring the modules/ldap file to point to our 
LDAP server (i.e. our AD server), and to configure the /users file with the 
following lines:


DEFAULT Ldap-Group == "CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,OU=Groups,DC=testres,DC=org"
DEFAULT Auth-Type = Reject


When I run freeradius in debug mode, we get all the usual output but no ldap 
modules mentioned.

It does include modules/ldap but little else.


FYI I have built this 3 times,


1. With 13.04 Ubuntu Server and Freeradius 2.2.0 from source
2. With 12.04 LTS with FR 2.2.1 from source
3. With 12.04 LTS with FR from the Launchpad based package ppa:freeradius/stable, which is 2.2.0

I can authenticate against LDAP and pull down group information using command 
line queries, so I know that LDAP is installed correctly and working in the 
Linux build.

What I can't get is LDAP to work through freeradius.

Am I doing something wrong, is there a better way to do this?

Any help appreciated!



NOTICE AND DISCLAIMER
This e-mail (including any attachments) is intended for the above-named 
person(s). If you are not the intended recipient, notify the sender 
immediately, delete this email from your system and do not disclose or use for 
any purpose.

We may monitor all incoming and outgoing emails in line with current 
legislation. We have taken steps to ensure that this email and attachments are 
free from any virus, but it remains your responsibility to ensure that viruses 
do not adversely affect you.
Cancer Research UK
Registered charity in England and Wales (1089464), Scotland (SC041666) and the 
Isle of Man (1103)
A company limited by guarantee. Registered company in England and Wales 
(4325234) and the Isle of Man (5713F).
Registered Office Address: Angel Building, 407 St John Street, London EC1V 4AD.



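The group gate Simon is after (accept when the user is in the Wi-Fi group, reject otherwise), as an added Python example; it is not FreeRADIUS code and not from the thread. The user and group entries are constructed, the required group DN is the one from his users-file line, and what rlm_ldap's Ldap-Group comparison sees for nested groups is assumed to depend on the group filter configured in the ldap module (check your version's docs). The example shows the two things that usually bite when this is done by hand: AD DNs compare case-insensitively and ignore whitespace around the RDN separators, so a naive string equality rejects valid members, and memberOf only lists direct membership, so a user in a group that is itself a member of the Wi-Fi group is not matched unless the check walks the nesting.

```python
"""AD group gate for Wi-Fi access (added example, not FreeRADIUS code).

Mirrors the users-file idea from the post: accept when the user is in
the required group, otherwise reject. Entries and group DNs below are
constructed; in the server this data comes from rlm_ldap.
"""
import re

# The group DN from the post.
REQUIRED_GROUP = ("CN=sec-eduroam-users,OU=Access,OU=SecurityGroups,"
                  "OU=Groups,DC=testres,DC=org")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing AD DNs: attribute types and values are
    matched case-insensitively and whitespace around the RDN separators is
    not significant. Splits on unescaped commas only (RFC 4514 '\\,')."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)


# Constructed user entries. AD's memberOf lists *direct* groups only.
USERS = {
    "usera": {"memberOf": [
        "cn=Sec-Eduroam-Users, ou=access, ou=securitygroups,ou=groups,dc=testres,dc=org",
        "CN=Staff,OU=Groups,DC=testres,DC=org"]},
    "userb": {"memberOf": ["CN=Staff,OU=Groups,DC=testres,DC=org"]},
    # userc is only in a contractor group, which is itself in the Wi-Fi group
    "userc": {"memberOf": ["CN=Wifi-Contractors,OU=Groups,DC=testres,DC=org"]},
}

# Constructed group entries, keyed by normalized DN, for the nested walk.
GROUPS = {
    normalize_dn("CN=Wifi-Contractors,OU=Groups,DC=testres,DC=org"):
        {"memberOf": [REQUIRED_GROUP]},
    normalize_dn("CN=Staff,OU=Groups,DC=testres,DC=org"): {"memberOf": []},
}


def direct_groups(entry: dict) -> set:
    """Normalized DNs of the groups the entry is a direct member of."""
    return {normalize_dn(g) for g in entry.get("memberOf", [])}


def all_groups(entry: dict, groups: dict, max_depth: int = 10) -> set:
    """Transitive closure over memberOf. Needed because memberOf is not
    transitive in AD; server-side the same result comes from the
    LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941) in the
    filter. max_depth bounds the walk even if memberships form a cycle."""
    seen, frontier = set(), direct_groups(entry)
    for _ in range(max_depth):
        if not frontier:
            break
        seen |= frontier
        frontier = set().union(
            *(direct_groups(groups.get(g, {})) for g in frontier)) - seen
    return seen


def authorize(username: str, nested: bool = True, users=USERS, groups=GROUPS,
              required: str = REQUIRED_GROUP) -> str:
    """Return 'Accept' or 'Reject' the way the users-file pair would."""
    entry = users.get(username)
    if entry is None:
        return "Reject"          # unknown user: same answer, no detail leaked
    member_of = all_groups(entry, groups) if nested else direct_groups(entry)
    return "Accept" if normalize_dn(required) in member_of else "Reject"


if __name__ == "__main__":
    for user in ("usera", "userb", "userc", "nobody"):
        print(user, authorize(user), authorize(user, nested=False))
```

Whether nested membership should count is a policy decision; the point is to decide it explicitly, because the default memberOf comparison silently answers "no" for userc.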

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
In the eap section, the default is md5, set it to ttls

And Roberto, you've emailed the entire FreeRADIUS mailing list.  :-)

Stefan

> -Original Message-
> From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Roberto Carna
> Sent: 25 September 2013 14:27
> To: FreeRadius users mailing list
> Subject: Re: Active Directory authentication question
>
> Dear Stephan, just the last question please... in your guide you say:
>
> In /etc/raddb/eap.conf, change the ttls section as follows:
>
> default_eap_type = mschapv2
> copy_request_to_tunnel = yes
> use_tunneled_reply = no
>
> That's OK... but what do I have to put in the eap section from eap.conf
> file???
>
>
>   eap {
> default_eap_type = ttls
>
> default_eap_type=ttls or =mschapv2 ???
>
> Thanks a lot,
>
> Roberto
 
 
 2013/9/24  stefan.pae...@diamond.ac.uk:
  You need the following items on your Debian system to build
 eapol_test:
 
  libssl-dev, libnl1, libnl-dev
 
  :-)
 
  Stefan
 
  -Original Message-
  From: freeradius-users-
  bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
  [mailto:freeradius-users-
  bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf
  bounces+Of
  Roberto Carna
  Sent: 24 September 2013 15:17
  To: FreeRadius users mailing list
  Subject: Re: Active Directory authentication question
 
  Dear, I'm advancing in the Freeradius + AD authenticationjust a
  short question: when I want to make the eapol_test tool, I get this
  error:
 
  # make eapol_test
  /usr/bin/ld: cannot find -lnl
  collect2: error: ld returned 1 exit status
  make: *** [eapol_test] Error 1
 
  I've followed all the steps to use this tool, but I can't make it.
 
  What can be the problem ???
 
  Thanks
 
 
  2013/9/24  stefan.pae...@diamond.ac.uk:
   Hi Roberto,
  
   You have to install Kerberos, yes. I believe you'll need the krb5-
  user package.
  
   When you install krb5-user, it should install krb5.conf for you,
   but
  I'm not up to date on Debian specifically.
  
   Stefan
  
  
   -Original Message-
   From: Roberto Carna [mailto:robertocarn...@gmail.com]
   Sent: 23 September 2013 19:16
   To: Paetow, Stefan (DLSLtd,RAL,LSCI)
   Subject: Re: Active Directory authentication question
  
   Dear Stepahn, I use Debian 7 for my Freeradius server and there
   I've installed Samba, Winbind and krb5.confnot Kerberos (or
   whatever the package is called).
  
   Do I need to install the Kerberos package, or simply install the
   krb5.conf and then edit it ???
  
   Thanks again.
  
   Roberto
  
   2013/9/23  stefan.pae...@diamond.ac.uk:
Hi Roberto,
   
When in the process do you get that error?
   
Here are my configuration bits. In the [global] section of the
   SMB.CONF file I have:
   
workgroup = DIAMOND
security = ads
realm = DIAMOND.LOCAL (my test domain) password server = IP
  address
   of
my primary domain controller
   
Everything else is left as-is (default). My test domain is
called
   DIAMOND.LOCAL.
   
Stefan
   
   
   
   
   
-Original Message-
From: Roberto Carna [mailto:robertocarn...@gmail.com]
Sent: 23 September 2013 15:58
To: Paetow, Stefan (DLSLtd,RAL,LSCI)
Subject: Re: Active Directory authentication question
   
Dear Stephan, can you send me a complete smb.conf file because
I am
   a
bit lost in the correct configuration ?
   
I'm getting the error:
   
Could not connect to server 10.11.0.64 Connection failed:
NT_STATUS_BAD_NETWORK_NAME
   
   
   
--
This e-mail and any attachments may contain confidential,
  copyright
   and or privileged material, and are for the use of the intended
   addressee only. If you are not the intended addressee or an
   authorised recipient of the addressee please notify us of receipt
   by returning the e-mail and do not use, copy, retain, distribute
   or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the
individual
   and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or
any
   attachments are free from viruses and we cannot accept liability
   for any damage which you may sustain as a result of software
   viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered
in England and Wales with its registered office at Diamond
House,
   Harwell
Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE,
United Kingdom
   
   
   
   
  
   --
   This e-mail and any attachments may contain confidential,
 copyright
  and or privileged material, and are for the use of the intended
  addressee only. If you are not the intended addressee or an
  authorised recipient of the addressee please notify us of receipt

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which 
worked). 

You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional authentication 
method. Since the default_eap_type is set to ttls, your server *prefers* using 
EAP-TTLS with EAP-MSCHAPv2, but it still supports other methods (like EAP-TLS 
and PEAP with EAP-MSCHAPv2). 

Stefan


> -Original Message-
> From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Roberto Carna
> Sent: 25 September 2013 15:44
> To: FreeRadius users mailing list
> Subject: Re: Active Directory authentication question
>
> Dear Stephan: Notebook with Windows 7 + AP + EAP-TTLS + MSCHAPv2 +
> Freeradius + AD is working now !!!
>
> But just a doubt: if I access with my Android device, using EAP-TLS
> (not EAP-TTLS) + MSCHAPv2, I can access the same... why ???
>
> Regards and thanks,
>
> Roberto
 
RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
> But in the EAP-TLS section from eap.conf file, I don't see any
> reference to MSCHAPv2... and remember the NTLM authentication query is
> set up in the MSCHAPv2 module

EAP-TLS does not use MSCHAPv2. It uses certificates. 

I quote Alan DeKok's response to your question on September 18:

>> Dear, I have several Windows 7 clients over WiFi authenticating through
>> EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it
>> works OK.
>
>   EAP-TLS doesn't use MySQL for storing credentials.  Everything is in
> the certificate.
>
>> Because I don't know so much about Windows world, I need to know if I
>> have to use NTLM, LDAP or Kerberos in order to authenticate against
>> the remote AD.
>
>   For MS-CHAP and PEAP, you use ntlm.  You don't have any other choice.
>
>   For EAP-TLS, you don't use AD or MySQL.



-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Active Directory authentication question

2013-09-24 Thread stefan.paetow
You need the following items on your Debian system to build eapol_test:

libssl-dev, libnl1, libnl-dev

:-)

Stefan

> -Original Message-
> From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org On Behalf Of Roberto Carna
> Sent: 24 September 2013 15:17
> To: FreeRadius users mailing list
> Subject: Re: Active Directory authentication question
>
> Dear, I'm advancing in the Freeradius + AD authentication... just a
> short question: when I want to make the eapol_test tool, I get this
> error:
>
> # make eapol_test
> /usr/bin/ld: cannot find -lnl
> collect2: error: ld returned 1 exit status
> make: *** [eapol_test] Error 1
>
> I've followed all the steps to use this tool, but I can't make it.
>
> What can be the problem ???
>
> Thanks
>
>
> 2013/9/24 stefan.pae...@diamond.ac.uk:
>> Hi Roberto,
>>
>> You have to install Kerberos, yes. I believe you'll need the krb5-user package.
>>
>> When you install krb5-user, it should install krb5.conf for you, but I'm not up to date on Debian specifically.
>>
>> Stefan
>>
>>
>> -Original Message-
>> From: Roberto Carna [mailto:robertocarn...@gmail.com]
>> Sent: 23 September 2013 19:16
>> To: Paetow, Stefan (DLSLtd,RAL,LSCI)
>> Subject: Re: Active Directory authentication question
>>
>> Dear Stephan, I use Debian 7 for my Freeradius server and there I've
>> installed Samba, Winbind and krb5.conf... not Kerberos (or whatever
>> the package is called).
>>
>> Do I need to install the Kerberos package, or simply install the
>> krb5.conf and then edit it ???
>>
>> Thanks again.
>>
>> Roberto
>>
>> 2013/9/23 stefan.pae...@diamond.ac.uk:
>>> Hi Roberto,
>>>
>>> When in the process do you get that error?
>>>
>>> Here are my configuration bits. In the [global] section of the SMB.CONF file I have:
>>>
>>> workgroup = DIAMOND
>>> security = ads
>>> realm = DIAMOND.LOCAL (my test domain)
>>> password server = IP address of my primary domain controller
>>>
>>> Everything else is left as-is (default). My test domain is called DIAMOND.LOCAL.
>>>
>>> Stefan
>>>
>>>
>>> -Original Message-
>>> From: Roberto Carna [mailto:robertocarn...@gmail.com]
>>> Sent: 23 September 2013 15:58
>>> To: Paetow, Stefan (DLSLtd,RAL,LSCI)
>>> Subject: Re: Active Directory authentication question
>>>
>>> Dear Stephan, can you send me a complete smb.conf file because I am a
>>> bit lost in the correct configuration ?
>>>
>>> I'm getting the error:
>>>
>>> Could not connect to server 10.11.0.64 Connection failed:
>>> NT_STATUS_BAD_NETWORK_NAME
  
  
  
   --
   This e-mail and any attachments may contain confidential,
 copyright
  and or privileged material, and are for the use of the intended
  addressee only. If you are not the intended addressee or an
  authorised recipient of the addressee please notify us of receipt by
  returning the e-mail and do not use, copy, retain, distribute or
  disclose the information in or attached to the e-mail.
   Any opinions expressed within this e-mail are those of the
   individual
  and not necessarily of Diamond Light Source Ltd.
   Diamond Light Source Ltd. cannot guarantee that this e-mail or any
  attachments are free from viruses and we cannot accept liability for
  any damage which you may sustain as a result of software viruses
  which may be transmitted in or with the message.
   Diamond Light Source Limited (company no. 4375679). Registered in
   England and Wales with its registered office at Diamond House,
  Harwell
   Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE,
   United Kingdom
  
  
  
  
 
 
 
 
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


RE: Active Directory authentication question

2013-09-19 Thread stefan.paetow
 What I mean is that EAP-TLS is easier to me than AD authentication at
 this point, because I've just put it to work...and if I want to use AD
 auth I have to take EAP-TLS out and start again with NTLM / AD
 authentication... is it OK???

Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 
authentication. What you can do in eap.conf is specify which EAP type you want 
to use by default. If you prefer EAP-TLS, you can specify default_eap_type = 
tls. But if the client does not support that and asks for EAP-TTLS or PEAP 
instead, then, if your server is configured correctly, it can support those 
additional types too. 

For NTLM authentication, what you *do* need is to add your FreeRADIUS machine 
to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need 
to install Samba on your Linux box and configure it to talk to the Windows 2012 
domain controller (via Kerberos).

You may want to read this page, which describes how we've made authentication 
against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2) 
and EAP-TTLS with EAP-MSCHAPv2:

http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source

We don't use PEAP and don't have any test clients that support PEAP, but 
EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes 
and is widely supported by Windows clients).

You can use rad_eap_test (there is information about this on the link above, 
including how to build the binary) to specify which EAP method you want to use 
and then which inner authentication to use (where applicable). So you can leave 
your existing setup (I assume default_eap_type is 'tls') alone and still test 
your NTLM authentication. 

Folks, feel free to correct... but that's what worked here.

Stefan




RE: free radius setup

2013-09-11 Thread stefan.paetow
 The alternative is getting your users to install something like
 SecureW2 (which I believe requires a license now), and using EAP-TTLS-
 PAP which submits the users password in plaintext, or I believe more
 recent flavours of Windows support EAP-TTLS too.

If I remember correctly, when using EAP-TTLS-PAP, the top-level 
default_eap_type should be ttls, and then the default_eap_type in the TTLS 
section should be gtc (which uses PAP by default). 

AFAIK (and please correct me if I'm wrong), you cannot set the TTLS 
default_eap_type setting to PAP.

Regards

Stefan




RE: free radius setup

2013-09-11 Thread stefan.paetow
 That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just
 PAP. So default_eap_type is irrelevant.

 You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel
 - by populating a cleartext or hashed password and calling the pap
 module in the authorize/authenticate section, or other more specialised
 configs.

Phil, 

Your email made me look at this configuration again. Turns out that setting 
set_auth_type in the ldap module to no, leaving copy_request_to_tunnel unset 
(i.e. set to the default no), and allowing LDAP authentication only in the 
inner tunnel made things work the same way as what it had been with gtc set. 

Thanks for that! Another thing to add to the cook book. :-)

Stefan
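The layout that this message and Stefan's 2013-09-19 reply in "Active Directory authentication question" describe (EAP-TLS as the default type, TTLS/PEAP still accepted and handed to inner-tunnel, ldap with set_auth_type = no so that pap handles TTLS/PAP, and mschap calling Samba's ntlm_auth for MSCHAPv2), written out as an added FreeRADIUS 2.x example. This is not Stefan's configuration or the project's shipped defaults; the LDAP server, base DN, certificate paths and AD domain name are placeholders.

```conf
# eap.conf: EAP-TLS stays the default, but a client that asks for TTLS or
# PEAP instead is still served; both tunnel into the inner-tunnel server.
eap {
	default_eap_type = tls

	tls {
		certdir = ${confdir}/certs
		private_key_file = ${certdir}/server.pem     # placeholder paths
		certificate_file = ${certdir}/server.pem
		CA_file = ${certdir}/ca.pem
	}

	ttls {
		# Only matters when the client runs an inner EAP method (EAP-MSCHAPv2).
		# EAP-TTLS/PAP carries plain PAP inside the tunnel, so this setting
		# plays no part in it, as the message above points out.
		default_eap_type = mschapv2
		# Left at its default (no): the inner request is built only from the
		# attributes the client sent inside the tunnel.
		copy_request_to_tunnel = no
		virtual_server = "inner-tunnel"
	}

	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}

# modules/ldap: do not force Auth-Type := LDAP from the ldap module; let the
# pap module pick up PAP requests once ldap has fetched the user's password.
ldap {
	server = "ldap.example.org"                    # placeholder
	basedn = "dc=example,dc=org"                   # placeholder
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	set_auth_type = no
}

# modules/mschap: MS-CHAPv2 responses are verified by Samba's ntlm_auth, which
# only works once this host has been joined to the AD domain.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/inner-tunnel: LDAP is consulted here only, for the identity the
# client presented inside the TLS tunnel, never in the outer (anonymous) request.
server inner-tunnel {
	authorize {
		mschap
		ldap
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
}
```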



RE: [ANN] Version 3.0.0-rc1

2013-09-06 Thread stefan.paetow
I shall try a RHEL6/CentOS6 compatible build tomorrow or Monday.

Shouldn't be a problem. John D, I'll update my tag, you guys will probably do 
the same.

Regards

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] on 
behalf of Arran Cudbard-Bell [a.cudba...@freeradius.org]
Sent: Friday, September 06, 2013 4:55 PM
To: FreeRadius users mailing list
Subject: [ANN] Version 3.0.0-rc1

We are in feature freeze for 3.0. The configuration format and behaviour for 
3.0 will be stable between now and the final release (as it was with 
release_3_0_0_rc0).

If you are planning on deploying 3.0 and have an existing 2.x.x configuration 
you were planning to migrate when the 3.0 is released, now would be a good time 
to try that, and to report any issues or problematic behavior changes you 
notice.

To provide a single point to test against, the release_3_0_0_rc1 tag has been 
created.

Behaviour changes since release_3_0_0_rc0:
* Fixed many more compiler warnings.
* LDAP schemas to load dynamic clients from LDAP
* the control socket is now marked stable
* Added RFC 6929 dictionary, along with a few others
* Clean up proxy ID allocation / re-allocation
* pairbasicfree() has been replaced by talloc_free()
* Added %{debug_attr:LIST} to print out all attributes in LIST
* The PAP module can now configurably *not* normalize passwords
* Remove support for %{#}, and add %{strlen:} expansion

Bug fixes:
* Corrected more documentation to match the new behavior and config
* Corrected many minor typos and spelling mistakes in documentation
  and config files
* If the installation directory exists, don't re-install files
* add crlDistributionPoints to certificates for Windows phones.
* Use documentation IP addresses everywhere (192.0.2/24)
* Build fixes for clang related to the -rdynamic flag
* Allow update sections to update outer.reply
* Re-write module handler to work, the code is significantly cleaner,
and priority overrides work correctly in all cases, #404, #424
* CUI SQL fixes, #412
* Don't die in RB tree re-allocation of proxy ID
* Do a second pass over pre-compiled conditions, #421, #423
* Add delete order to rbtree, #416
  Also used by the proxy ID re-allocation code
* Fixed TCP socket close handlers to be simpler and more robust
* Allow ${..} expansion in `strings`
* moved EAP destructors to talloc, which wasn't done in -rc0
* Fix LDAP group comparisons, and other pair comparisons
* NULL terminate strings copied between VALUE_PAIRs correctly
* Fix !* when used with non-string attributes
* Fix `` exec in update sections
* Load libpython within rlm_python to ensure all required symbols are available
* Don't SEGV printing IPv6 Interface ID
* Don't SEGV evaluating dates in rlm_expiration
* Fix ./configure --with-shared-libs=no
* Fix crashes related to opaque request data and regular expressions
* Fix heimdal krb5 build

The tarball is available here:
https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc1.tar.gz

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread stefan.paetow
 Agreed on the support contract thing. If something is apparently
 unsupported when it's broken, just run the supported version on a
 test system, reproduce the problem, and go from there. If you know the
 problem is to do with the newer features, forget the paid support and
 ask here like you just did.
 
 If the support is worth anything, of course, then I'm sure they'll be
 delighted to build later packages for you that include the patch. :-)

RedHat does follow this list, so perhaps it is worth contacting them to point 
out that this patch would really be appreciated, even if it ends up in an EPEL 
package (which should still be acceptable).

That said, I commiserate with the original poster that yes, when the policy is 
that you're only allowed to use vendor packages, you're limited in what you can 
and cannot do. 

Regards

Stefan




RE: how to limit the repeating ldap lookups

2013-08-28 Thread stefan.paetow
Yes, Alan B had some comments about that IIRC... 

I think Apple these days expect administrators to use the Apple iPhone 
Configuration Utility to create a network profile and import that into your 
802.1X settings. 

Bizarre, but there you are.

Stefan

 -Original Message-
 Fine, yes, also TLS. But in the wonderful world of Microsoft
 supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner?
 
 and wow did they get rid of the 802.1X profile configuration GUI
 interface in OSX 10.8? That sucks.



RE: rlm_python

2013-08-21 Thread stefan.paetow
  12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was
 
 Well... as Alan says, upgrade. Particularly if you know.

There is no 'out of the box' version for upgrade on Ubuntu 12 at this point 
short of having to compile it ourselves, that is (situation is similar to 
CentOS 6 where the last release is 2.1.12). But that's a discussion best had 
with the Ubuntu folks.

 However - embedding python is a pain in the arse. Various versions have
 issues with the module.so not linking to libpython.so, and not pulling
 in all the symbols it should. See:
 
 http://bugs.python.org/issue4434
 
 ...and try not to despair at the (ahem) confusion of the python dev,
 and the various mouth-breathers who suggest static linking :o(
 
 Try ldd blah/_ldap.so and see if it links to libpython.so. If not,
 that's your problem, and there isn't much you can do about it because
 python is broken on your system.

I shall check that again (when I bring the box up for that magical third try). 
But if it's not, that again is probably an Ubuntu-specific issue, and we'll 
probably raise it with the Python-LDAP folks.

 The OP in the bug above seems to think it's fixed for him in Python
 2.5, but TBH I suspect distro-specific build-time options, rather than
 any change to the python runtime.

Indeed. In the meanwhile I've decided to work around it by using ldap.attrmap 
with a load of Tmp-String-* entries and hoping to feed those into a standard 
(non-C-linked) Python module for assembly into a compliant XML string. :-)

Thanks for the heads-up. 

Stefan





RE: rlm_python

2013-08-21 Thread stefan.paetow
 Building your own packages on Debian/Ubuntu is trivial. There's really
 no excuse not to run the latest code.

Matthew, I agree with you, but not when the policy is to only use what is 
published on vendor (i.e. Ubuntu) repositories.

But, like I say, that's not a discussion appropriate for the list, but rather 
one to be held with Ubuntu :-)

Stefan




rlm_python

2013-08-20 Thread stefan.paetow
Hello all,

I'm currently attempting to use rlm_python to query LDAP (with python-ldap) and 
then return an XML string in a VSA (SAML-AAA-Assertion). However, when I try to 
load it, I get the dreaded undefined symbol: PyExc_SystemError error. This is 
on Ubuntu 12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was built on 
the local machine for the newest version (although the existing version in the 
Ubuntu repository has the same problem).

Freeradius_samlldap exists in the correct path for Python eggs, and this is the 
PYTHONPATH (when I print it with Python):

/usr/local/lib/python2.7/dist-packages/pysaml2-0.4.2-py2.7.egg,/usr/local/lib/python2.7/dist-packages/repoze.who-1.0.18-py2.7.egg,/usr/local/lib/python2.7/dist-packages/zope.interface-4.0.5-py2.7-linux-x86_64.egg,/usr/local/lib/python2.7/dist-packages/Paste-1.7.5.1-py2.7.egg,/usr/local/lib/python2.7/dist-packages/httplib2-0.8-py2.7.egg,/usr/local/lib/python2.7/dist-packages/decorator-3.4.0-py2.7.egg,/usr/local/lib/python2.7/dist-packages/freeradius_samlldap-0.0.1-py2.7.egg,/usr/local/lib/python2.7/dist-packages/python_ldap-2.4.13-py2.7-linux-x86_64.egg,/etc/freeradius/modules,/usr/local/lib/python2.7/dist-packages,/usr/lib/python2.7,/usr/lib/python2.7/plat-linux2,/usr/lib/python2.7/lib-tk,/usr/lib/python2.7/lib-old,/usr/lib/python2.7/lib-dynload,/usr/lib/python2.7/dist-packages,/usr/lib/pymodules/python2.7

From what I understand, using ldd -r will list several unresolved imports, but 
that is supposedly correct? Or is that horribly wrong?

The usual debug log is below:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 
at 17:58:57
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/saml
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/umbrella_ldap
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/pam
including configuration file 

RE: Realm attribute population

2013-07-25 Thread stefan.paetow
Alan, 

https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that 
after v2.1.9, %{Realm} would contain DEFAULT, not whatever the realm 
extracted from User-Name was, when used in logging... Hence my question. 

Of course, if this is no longer an issue, then I'll happily amend our 
instructions to leave the DEFAULT realm as-is. Also, when I wrote DEFAULT {}, 
it was a shortening (for the sake of brevity) of: 

realm DEFAULT { 
   authhost = blah
   etc etc etc
}

I was just trying to save some lines and extraneous text here. 

Stefan


 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 Alan DeKok
 Sent: 25 July 2013 01:47
 To: FreeRadius users mailing list
 Subject: Re: Realm attribute population
 
 stefan.pae...@diamond.ac.uk wrote:
  After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with
 the below in proxy.conf to ensure that the Realm attribute was
 correctly populated:
 
   Huh?  That's wrong.  The DEFAULT realm works just fine.
 
   And it's not DEFAULT {}.  See raddb/proxy.conf for details.
 
   Alan DeKok.



Realm attribute population

2013-07-24 Thread stefan.paetow
Hi,

After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with the below 
in proxy.conf to ensure that the Realm attribute was correctly populated:

realm ~.+$ {
authhost = host to deal with other realms
:
:
}

Is that still necessary for FR 3.0? I'm just updating some of our internal 
documentation here and wanted to make sure that I don't add extraneous stuff 
when it's not necessary.

:-)

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE






RE: [ANN] Version 3.0.0-rc0

2013-07-23 Thread stefan.paetow
Thanks, John. 

I'll use that SPEC as base for CentOS 6.x packages :-)

Regards

Stefan

 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 John Dennis
 Sent: 23 July 2013 00:42
 To: FreeRadius users mailing list
 Subject: Re: [ANN] Version 3.0.0-rc0
 
 FYI I've packaged this for Fedora and built it for rawhide (rawhide is
 current development which spawns the next Fedora release).
 
 You can download the rawhide packages and/or the SRPM from the Koji
 build:
 
 http://koji.fedoraproject.org/koji/buildinfo?buildID=436791
 
 You probably will not be able to simply install the rawhide packages on
 a current Fedora release due to dependencies/conflicts (not something
 I've tried). But you can always rebuild the SRPM using rpmbuild.
 
 The first Fedora release 3.0 will appear in will be F20 because we
 don't introduce major new versions of packages in existing releases
 (especially if they are not configuration compatible). FWIW the F19
 train just pulled away from the station so unfortunately it's too late
 for F19.
 
 HTH,
 
 John
 
 
 --
 John



RE: certificate expiration proble

2013-07-19 Thread stefan.paetow
Have you opened the certificates you believe to be the latest in something else 
(like Windows perhaps) and checked that the expiry dates of these certificates 
is correct?

And have you checked that your server's time is correct too?

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Muhammad Nadeem
Sent: 19 July 2013 11:24
To: FreeRadius users mailing list
Subject: Re: certificate expiration proble

thanks for your reply, but as I said certificates are ok. Please see this log

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan limited/OU=Network Operations/CN=wi-tribe Pakistan Certification Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

thanks

On Fri, Jul 19, 2013 at 2:58 PM, a.l.m.bu...@lboro.ac.uk wrote:
Hi,

 I am trying to configure eap with some customized certificates, I have
 configured eap.config correctly.
 But I am getting the error of certificate expired. Although I have the
 latest certificates.

certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert, whatever you're using, e.g.

openssl x509 -in server.pem -noout -text

alan



--
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
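As an added illustration of the two checks in this thread (Stefan's: confirm the expiry dates and the server clock; Alan's: read the certificate with openssl), here is a small checker. It is not code from the thread or from FreeRADIUS. It runs `openssl x509 -noout -dates` (the -dates variant of the command Alan gives) and compares notBefore/notAfter with the server's clock, so that a genuinely expired certificate and a wrong clock are reported differently. The openssl output embedded in it is constructed. One side observation on the quoted log, as an inference rather than something the thread states: the subject and issuer printed just before the verify error are identical, which is what a self-signed CA certificate looks like, so the certificate being rejected at that depth would be the CA certificate rather than the client's.

```python
"""Certificate validity check: expired certificate vs. wrong server clock.

Added example, not code from the thread or from FreeRADIUS. Reads the
notBefore/notAfter dates with openssl and compares them with the clock.
"""
from __future__ import annotations

import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -dates` output (no real cert).
SAMPLE_DATES = """notBefore=Jul  9 08:00:00 2012 GMT
notAfter=Jul  9 08:00:00 2013 GMT
"""


def parse_openssl_date(text: str) -> datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form openssl prints.

    openssl pads single-digit days with a space ('Jul  9'), so the text
    is split on whitespace and re-joined before strptime sees it.
    """
    fields = text.split()
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError(f"unexpected openssl date: {text!r}")
    naive = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(output: str) -> tuple[datetime, datetime]:
    """Extract (notBefore, notAfter) from the two lines openssl prints."""
    found = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = parse_openssl_date(value)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output did not contain both validity dates")
    return found["notBefore"], found["notAfter"]


def read_cert_validity(pem_path: str) -> tuple[datetime, datetime]:
    """Run openssl on a PEM file (-dates instead of -text, easier to parse)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-dates"],
        check=True, capture_output=True, text=True,
    )
    return parse_dates_output(proc.stdout)


def classify(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """'valid', 'expired' or 'not-yet-valid' relative to the given clock."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "valid"


def explain(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """One-line verdict; a 'not yet valid' window usually means the clock
    is behind, since the certificate was issued in the server's future."""
    state = classify(not_before, not_after, now)
    if state == "not-yet-valid":
        ahead = not_before - now
        return (f"not yet valid: notBefore is {ahead.days} day(s) ahead of the "
                "server clock; check the server's time before anything else")
    if state == "expired":
        behind = now - not_after
        return f"expired {behind.days} day(s) ago according to the server clock"
    left = not_after - now
    return f"valid, {left.days} day(s) left"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        nb, na = read_cert_validity(sys.argv[1])
    else:
        nb, na = parse_dates_output(SAMPLE_DATES)
    print(explain(nb, na, datetime.now(timezone.utc)))
```

Run it with a PEM path as the first argument; without one it evaluates the constructed sample. A "not yet valid" verdict nearly always points at the clock rather than the certificate, which is why it is reported separately from "expired".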



-- 

This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.

Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 

Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.

Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

 







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: [ANN] Version 3.0.0-rc0

2013-07-17 Thread stefan.paetow
Sorry John, 

But you do have a tools package. It's called freeradius-utils. :-)

I'd guess radattr probably fits nicely into that.

Stefan



From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] on 
behalf of John Dennis [jden...@redhat.com]
Sent: Wednesday, July 17, 2013 5:47 PM
To: FreeRadius users mailing list
Cc: Alan DeKok
Subject: Re: [ANN] Version 3.0.0-rc0

On 07/17/2013 12:26 PM, Alan DeKok wrote:
 John Dennis wrote:
 The following are installed in either /bin or /usr/sbin but there are no
 corresponding man pages. Every command installed needs to have a man page.

 dhcpclient
 radattr

   Hmm... those two probably shouldn't be installed.  They're really only
 for testing.  Can the spec file just ignore them?

Sure, it's no problem for the spec file to ignore them, but I'm wondering: if
they are valuable for testing, won't others find them useful too? If so,
shouldn't we keep them and add a man page?

Right now we don't have a tools subpackage; this is common for other large
packages. A tools subpackage contains useful commands for admins and
developers which are not necessary for running the basic package. Perhaps
3.0 is a good time to introduce a tools package and move some of this stuff
into tools, making it an optional install. This would also bring freeradius
in line with other packages. Comments?

John



RE: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread stefan.paetow
Considering that LDS will still be running Active Directory, give your 
reception login(s) the permission to administer the Guest-Network OU (i.e. 
add/delete/edit users), and continue to use the NTLM authentication you use 
with the primary AD.

Active Directory uses MS-CHAPv2, so using the mschap and ntlm modules as per 
standard FreeRADIUS wiki articles on AD authentication should be sufficient to 
be able to authenticate the users in your LDS.

:-)

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of limacher david
Sent: 16 July 2013 07:03
To: freeradius-users@lists.freeradius.org
Subject: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

Hello

I'm looking for a solution to build a FreeRadius server which can 
authenticate primarily against an AD and, as a second method, against AD LDS 
(Lightweight Directory from Windows).
For our WLAN we want employees to be able to use their AD login in the 
Guest-Network (I have already implemented that with ntlm_auth and it works), 
and guests to be able to use the same network with a login stored in an AD 
LDS (LDAP) which can be edited by our reception. I would prefer not to store 
the passwords for the guests as cleartext. Is this possible?
How could I realize that with FreeRadius?

Thanks in advance
Dave




RE: [ANN] Version 3.0.0-rc0

2013-07-11 Thread stefan.paetow
  Did you mean https://github.com/FreeRADIUS/freeradius-
 server/archive/release_3_0_0_rc0.tar.gz ?

I'm afraid I'm getting a build error (from fresh):

HEADER src/include/features.h
HEADER src/include/missing.h
HEADER src/include/tls.h
CC jlibtool.c
CC src/lib/dict.c
CC src/lib/filters.c
CC src/lib/hash.c
CC src/lib/hmac.c
CC src/lib/hmacsha1.c
CC src/lib/isaac.c
CC src/lib/log.c
CC src/lib/misc.c
CC src/lib/missing.c
CC src/lib/md4.c
CC src/lib/md5.c
CC src/lib/print.c
CC src/lib/radius.c
CC src/lib/rbtree.c
CC src/lib/sha1.c
CC src/lib/snprintf.c
CC src/lib/strlcat.c
CC src/lib/strlcpy.c
CC src/lib/token.c
CC src/lib/udpfromto.c
CC src/lib/valuepair.c
CC src/lib/fifo.c
CC src/lib/packet.c
CC src/lib/event.c
CC src/lib/getaddrinfo.c
CC src/lib/heap.c
CC src/lib/tcp.c
CC src/lib/base64.c
/usr/bin/ld: cannot find -lregex
collect2: ld returned 1 exit status
make: *** [build/lib/local/libfreeradius-radius.la] Error 1

This is my configure statement:

configure \
 --libdir=%{_libdir}/freeradius \
 --with-system-libtool \
 --with-system-libltdl \
 --disable-ltdl-install \
 --with-udpfromto \
 --with-gnu-ld \
 --with-threads \
 --with-thread-pool \
 --with-docdir=%{docdir} \
 --with-rlm-sql_postgresql-include-dir=/usr/include/pgsql \
 --with-rlm-sql-postgresql-lib-dir=%{_libdir} \
 --with-rlm-sql_mysql-include-dir=/usr/include/mysql \
 --with-mysql-lib-dir=%{_libdir}/mysql \
 --with-unixodbc-lib-dir=%{_libdir} \
 --with-rlm-dbm-lib-dir=%{_libdir} \
 --with-rlm-krb5-include-dir=/usr/kerberos/include \
 --with-modules=rlm_wimax \
 --without-rlm_yubikey \
 --without-rlm_eap_ikev2 \
 --without-rlm_eap_tnc \
 --without-rlm_eap_pwd \
 --without-rlm_sql_iodbc \
 --without-rlm_sql_firebird \
 --without-rlm_sql_db2 \
 --without-rlm_sql_oracle





RE: [ANN] Version 3.0.0-rc0

2013-07-11 Thread stefan.paetow
Hi Arran, thanks, that's built now. 

All, CentOS-compatible RPMs, SRPM and .tar.bz2 are at:

https://www.dropbox.com/sh/sbqyy7gvzrd3egt/rCKE7aMnku/FreeRADIUS

Regards

Stefan

 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 Arran Cudbard-Bell
 Sent: 11 July 2013 16:12
 To: FreeRadius users mailing list
 Subject: Re: [ANN] Version 3.0.0-rc0
 
 
 On 11 Jul 2013, at 16:01, Olivier Beytrison oliv...@heliosnet.org
 wrote:
 
  On 11.07.2013 16:44, stefan.pae...@diamond.ac.uk wrote:
  Did you mean https://github.com/FreeRADIUS/freeradius-
  server/archive/release_3_0_0_rc0.tar.gz ?
 
  I'm afraid I'm getting a build error (from fresh):
  [snip]
  /usr/bin/ld: cannot find -lregex
  collect2: ld returned 1 exit status
  make: *** [build/lib/local/libfreeradius-radius.la] Error 1
 
  Got exactly the same right now on a system which was running fine
 till now.
 
 *sigh*
 
 It's required for mingw; I'm surprised it wasn't picked up by the build
 system.
 
 I've pushed a fix and updated the tag.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development
 Team
 



RE: Building RPMS from main branch 3.x relase

2013-06-25 Thread stefan.paetow
Hi Divyesh,

I'm working on some of this to give Project Moonshot RPMs that are CentOS 6.x 
compatible. The files you will need between FR 2.x and FR 3.0 are:

freeradius.spec
freeradius-cert-config.patch
freeradius-exclude-config-file.patch
freeradius-logrotate
freeradius-dhcp_sqlippool.patch
freeradius-pam-conf
freeradius-radiusd-init
freeradius-tmpfiles.conf

The first three have had to be changed from their FR 2.2.x versions because of 
file line changes (and some anchoring functions have moved/disappeared). I'll 
make those files available on Dropbox soon for others to pick up.

:-)

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Divyesh Raithatha
Sent: 21 June 2013 20:19
To: FreeRadius users mailing list
Subject: Building RPMS from main branch 3.x relase

Hello,

Has anyone successfully built RPM's from the main branch 3.x?

I am trying to build one but keep on running into errors, similar to the ones 
I saw with the version 2.x.x branch (regarding version numbers, patches, 
library file names) until the changes were pushed by Fajar on May 9th.

redhat: package all modules in freeradius RPM
  ed336742a6 (fajarnugraha, May 09, 2013)

redhat: only keep the last changelog from original spec file
  5240ada0f2 (fajarnugraha, May 09, 2013)

redhat: package everything in freeradius rpm
  bcae31b171 (fajarnugraha, May 09, 2013)

redhat: removed obsolete patches
  bc38b7d591 (fajarnugraha, May 09, 2013)

redhat: README was renamed to README.rst
  766fd283ca (fajarnugraha, May 09, 2013)

redhat: refresh freeradius-cert-config.patch
  69d798819b (fajarnugraha, May 09, 2013)

redhat: add make to BuildRequires list
  50d0bf530b (fajarnugraha, May 09, 2013)

redhat: bump version in specfile to 2.2.1
  561e929be6 (fajarnugraha, May 09, 2013)

Thanks




RE: Log auth message

2013-06-21 Thread stefan.paetow
  Answer is simple, I don't know how :) (I don't have the proper skills)
 
 http://beej.us/guide/bggdb/

Thanks for that Arran, 

It'll come in handy for Moonshot testing here. 

:-)

Stefan




Freeradius 3.0 build process different from 2.0?

2013-06-14 Thread stefan.paetow
Hi,

I have more of a development question for Arran/Alan D about the build process 
for FR 3.0... has it changed significantly compared to v2.2.0?

The reason I ask is that I would like to get started on a 3.0 build spec for 
CentOS (since the last version for CentOS 6.4 is v2.1.12, and 2.2.0 is 
officially only on Fedora 17). I have 'fudged' a build spec for v2.2.0 on 
CentOS 6 (John D, I can share it with you, if you prefer), so with Project 
Moonshot, I'd like to get going with a proper package for FR 3.0.

With Regards

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE






RE: module-failure-message in exec module

2013-06-07 Thread stefan.paetow
Andy, 

You may want to try and set it in inner-tunnel's post-auth section:

    if (Module-Failure-Message) {
        update outer.reply {
            Module-Failure-Message := "%{Module-Failure-Message}"
        }
    }

That way the response is copied to the outer reply.

With Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:47
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

Ok, so the other questions stand, but an update to say the problem is that the 
variable is not coming back to the default VS from the inner tunnel, which I 
didn't at first spot. I had this problem recently and couldn't work it out: 
how do we copy control attributes from the inner tunnel to the outer in PEAP, 
or is it not possible?
Thanks
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:15
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

Hi,
  Ok so I've played about and can get a decent failure reply from a script 
based solution. 
Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would like to 
get a response when a failure occurs from them, but it seems that 
Failure-Response-Message from the mschap isn't filled out. I've done a test 
like :
authenticate {
    ...
    Auth-Type MS-CHAP {
        mschap
        if (ok) {
            # nothing to add on success
        }
        else {
            if (Module-Failure-Message) {
                update reply {
                    Reply-Message += "Failed NTLM auth"
                }
            }
            reject
        }
    }
}
But the section never gets parsed - it goes straight to Post_auth reject based 
on the mschap module itself returning code 1. So I put this in the post_auth 
reject section :
    if (Module-Failure-Message) {
        update reply {
            Reply-Message := "%{Module-Failure-Message}"
        }
    }
But Module-Failure-Message is empty;

++? if (Module-Failure-Message)
? Evaluating (Module-Failure-Message) - FALSE
++? if (Module-Failure-Message) - FALSE

Am I doing something wrong?
I also wondered if I could do something like use the mschap module with a 
custom script, returning NT_KEY or a failure string, but then I've no way to 
return the failure string because I assume the mschap module doesn't let you 
populate variables based on the output like exec does - there's no way of 
specifying output or input pairs for example.
I could ditch the mschap module completely, but then am not sure how I would 
get all the mschap variables into a script and translate the NT_KEY back. It 
seems a bit OTT just to get a failure response written to the linelog/sql.
Any ideas?
Thanks
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Phil Mayers
Sent: 06 June 2013 17:48
To: freeradius-users@lists.freeradius.org
Subject: Re: module-failure-message in exec module

On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
 Questions are - does the exec module return to the 
 Module-Failure-Message variable or another I can use, and why doesn't

No, sorry. mschap does when it does the internal exec, but the exec 
module does not. You might be able to emulate this by wrapping your script and 
echoing the VPs on stdout.

 it process the subsection of the auth-type section on failure?


That's the default return codes - see doc/configurable_failover{,.rst}


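An added example of the approach Phil describes (wrap the real check in a script and echo value pairs on stdout); it is not code from the thread or from FreeRADIUS. It assumes the wrapper is invoked by rlm_exec with `output_pairs` set (so that lines of the form `Attribute = "value"` on stdout become reply attributes) and with `wait = yes` so the exit status (0 = ok, 1 = reject) is honoured. The command it wraps is taken from its own arguments, so the exec module's `program` line decides what is run (ntlm_auth in this thread's case). The attribute name Reply-Message and the "Failed NTLM auth:" prefix are choices made for this example.

```python
"""Exec-module wrapper that reports why authentication failed.

Added example, not code from the thread or from FreeRADIUS. Runs the real
check given on its command line, and on failure prints attribute pairs on
stdout for rlm_exec to pick up (output_pairs), exiting 1 for reject.
"""
from __future__ import annotations

import subprocess
import sys


def quote_value(value: str) -> str:
    """Quote a value for an 'Attribute = "..."' line.

    The text comes from another program's output, so it must not be able
    to close the quotes early and have the remainder parsed as further
    attribute pairs: backslashes and double quotes are escaped, and line
    breaks are flattened so the value stays on one line.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    escaped = escaped.replace("\r", " ").replace("\n", " ")
    return f'"{escaped}"'


def format_pairs(pairs: list[tuple[str, str]]) -> str:
    """Render attribute pairs one per line, the form rlm_exec parses."""
    return "\n".join(f"{name} = {quote_value(value)}" for name, value in pairs)


def summarize_failure(stdout: str, returncode: int) -> str:
    """Reduce the wrapped program's output to one short line.

    ntlm_auth prints a line such as 'NT_STATUS_WRONG_PASSWORD: ...' when it
    fails; the first non-empty line is kept and truncated so a chatty helper
    cannot produce an oversized RADIUS attribute (the wire limit is 253 bytes).
    """
    for line in stdout.splitlines():
        line = line.strip()
        if line:
            return line[:200]
    return f"authentication helper failed with exit status {returncode}"


def run_wrapped_check(argv: list[str]) -> tuple[int, str]:
    """Run the real check; return (exit status for rlm_exec, stdout text)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode == 0:
        return 0, ""  # ok: nothing to add to the reply
    reason = summarize_failure(proc.stdout, proc.returncode)
    return 1, format_pairs([("Reply-Message", f"Failed NTLM auth: {reason}")])


if __name__ == "__main__":
    # Assumed exec-module configuration (example, not from the thread):
    #   program = "/usr/local/bin/auth_wrapper.py /usr/bin/ntlm_auth ..."
    #   wait = yes
    #   output_pairs = reply
    if len(sys.argv) < 2:
        sys.exit("usage: auth_wrapper.py COMMAND [ARGS...]")
    status, pairs = run_wrapped_check(sys.argv[1:])
    if pairs:
        print(pairs)
    sys.exit(status)
```

The quoting is the part worth copying: the failure text is output from another program, and a value containing an unescaped double quote would otherwise terminate the attribute early and let the rest of the line be parsed as further pairs.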


Quick question about $ variables

2013-05-28 Thread stefan.paetow
Hi all,

I've been looking at using ${...} variables wherever I can and so far it's been 
relatively successful. The only place where I am stuck is using some 
comparisons, e.g.

if ("%{Attribute}" == "${variable}") {
  ...
}

The Attribute portion expands, the $-variable part does not (although it is in 
double-quotes as per the unlang documentation). Quoting the literal value of 
the variable works.

Am I correct in saying that this is not supported? Just asking so I know how 
far I can push this :-)

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE






RE: Quick question about $ variables

2013-05-28 Thread stefan.paetow
Thank you very much for the quick answer, Alan. 

:-)

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 28 May 2013 17:15
To: FreeRadius users mailing list
Subject: Re: Quick question about $ variables

stefan.pae...@diamond.ac.uk wrote:
 Hi all,
 
 I've been looking at using ${...} variables wherever I can and so far it's 
 been relatively successful. The only place where I am stuck is using some 
 comparisons, e.g.
 
 if ("%{Attribute}" == "${variable}") {

  That's wrong.  Use:

if (Attribute == ${variable}) {

- Attributes can be referenced just by their name.  There's no need to wrap 
them in %{...}.  That is only for other strings.

- wrapping the ${variable} in "..." means it will *not* get expanded when the 
configuration file loads.

 The Attribute portion expands, the $-variable part does not (although it is 
 in double-quotes as per the unlang documentation). Quoting the literal value 
 of the variable works.
 
 Am I correct in saying that this is not supported? Just asking so I 
 know how far I can push this :-)

  ${variable} is not supported, and will not be supported.

  Alan DeKok.


RE: Limit ADSL speed using radius?

2013-05-21 Thread stefan.paetow
Hi Tom, 

For starters, you will find this link useful for a 'Telkom' dictionary that 
gets rid of the Vendor-1431-Attr-1 bits. 

http://sourceforge.net/apps/trac/hotcakes/wiki/YfiTechTelkom

(Alan D, perhaps it could be added to the FR distribution if the hotcakes 
people let you?)

Many of the X-Ascend-* AVPs are in the dictionary.ascend.illegal dictionary, 
but you may find the Ascend-Dsl-Downstream-Limit, Ascend-Dsl-Rate-Mode and 
Ascend-Dsl-Upstream-Limit AVPs very useful (they are not in your data, but 
they are declared in the dictionary.ascend dictionary).

With Regards

Stefan






-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Cooper, Tom
Sent: 21 May 2013 11:34
To: FreeRadius users mailing list
Subject: Re: Limit ADSL speed using radius?

Here is what is in my logs. Your help is greatly appreciated. I also used the 
Configuration-Token attribute, but to no avail.

Thanks and regards.

Packets)4(Stripped-User-Name)fnbc1024(NAS-Port)1881079990(Acct-Delay-Time)0(destinationQueue)/queue/radiusCollectorQueue
May 21 12:09:44 pp-radius-01 clamd[13406]: SelfCheck: Database status OK.
May 21 12:13:32 pp-radius-01 info: 2013-05-21 12:13:32 
(NAS-Port-Type)Virtual(X-Ascend-Connect-Progress)LAN-Session-Up(Acct-Session-Id)7/0/0/31.182_4A6BD20F(Proxy-State)0x
3438(Service-Type)Framed-User(Acct-Unique-Session-Id)5c481685abb41f1f(X-Ascend-Session-Svr-Key)8BA5D87B(Acct-Authentic)RADIUS(Acct-Status-Type)Start(Connect-Info)AutoShape
dVC(Realm)pp.fnbconnect.co.za(NAS-IP-Address)196.43.27.25(NAS-Port-Id)7/0/0/31.182(Vendor-1431-Attr-1)0x44534c(SQL-User-Name)fnbc...@pp.fnbconnect.co.za(Calling-Station-Id
)0114921873(Framed-Protocol)PPP(User-Name)fnbc...@pp.fnbconnect.co.za(Framed-IP-Address)41.183.11.140(Class)0x495858(Stripped-User-Name)fnbc384(NAS-Port)1881079990(Acct-De
lay-Time)0(destinationQueue)/queue/radiusCollectorQueue
May 21 12:13:51 pp-radius-01 info: 2013-05-21 12:13:51
(NAS-Port-Type)Virtual(Acct-Unique-Session-Id)5f0a29916ac76901(X-Ascend-Disconnect-Cause)PPP-Rcv-Terminate-Req(Acct-
Status-Type)Stop(Connect-Info)AutoShapedVC(Acct-Output-Packets)24(Realm)pp.fnbconnect.co.za(NAS-IP-Address)196.43.27.25(X-Ascend-Pre-Input-Octets)89(Acct-Output-Octets)789
9(Vendor-1431-Attr-1)0x44534c(Acct-Terminate-Cause)User-Request(Acct-Session-Time)19(User-Name)fnbc...@pp.fnbconnect.co.za(Class)0x495858(Framed-IP-Address)41.183.11.140(A
cct-Input-Packets)20(Acct-Input-Octets)3262(Acct-Session-Id)7/0/0/31.182_4A6BD20F(X-Ascend-Connect-Progress)LAN-Session-Up(X-Ascend-Data-Rate)384000(Service-Type)Framed-Us
er(Proxy-State)0x323036(X-Ascend-PreSession-Time)2(X-Ascend-Session-Svr-Key)8BA5D87B(Acct-Authentic)RADIUS(NAS-Port-Id)7/0/0/31.182(X-Ascend-Xmit-Rate)384000(SQL-User-Name
)fnbc...@pp.fnbconnect.co.za(X-Ascend-Pre-Output-Octets)73(Calling-Station-Id)0114921873(Framed-Protocol)PPP(X-Ascend-Pre-Output-Packets)5(X-Ascend-Pre-Input-Packets)4(Stripped-User-Name)fnbc384(NAS-Port)1881079990(Acct-Delay-Time)0(destinationQueue)/queue/radiusCollectorQueue
May 21 12:14:31 pp-radius-01 info: 2013-05-21 12:14:31 
(NAS-Port-Type)Virtual(X-Ascend-Connect-Progress)LAN-Session-Up(Acct-Session-Id)7/0/0/31.182_4A6BD89F(Proxy-State)0x323431(Service-Type)Framed-User(Acct-Unique-Session-Id)02a1009d8fa9d220(X-Ascend-Session-Svr-Key)E6470475(Acct-Authentic)RADIUS(Acct-Status-Type)Start(Connect-Info)AutoShapedVC(Realm)pp.fnbconnect.co.za(NAS-IP-Address)196.43.27.25(NAS-Port-Id)7/0/0/31.182(Vendor-1431-Attr-1)0x44534c(SQL-User-Name)fnbc...@pp.fnbconnect.co.za(Calling-Station-Id)0114921873(Framed-Protocol)PPP(User-Name)fnbc...@pp.fnbconnect.co.za(Framed-IP-Address)41.183.11.3(Class)0x495858(Stripped-User-Name)fnbc512(NAS-Port)1881079990(Acct-Delay-Time)0(destinationQueue)/queue/radiusCollectorQueue
May 21 12:19:44 pp-radius-01 clamd[13406]: SelfCheck: Database status OK.
May 21 12:21:18 pp-radius-01 info: 2013-05-21 12:21:17 
(NAS-Port-Type)Virtual(Acct-Unique-Session-Id)ecbf13a6d7ba302d(X-Ascend-Disconnect-Cause)PPP-Rcv-Terminate-Req(Acct-Status-Type)Stop(Connect-Info)AutoShapedVC(Acct-Output-Packets)1760(Realm)pp.fnbconnect.co.za(NAS-IP-Address)196.43.27.25(X-Ascend-Pre-Input-Octets)89(Acct-Output-Octets)2166971(Vendor-1431-Attr-1)0x44534c(Acct-Terminate-Cause)User-Request(Acct-Session-Time)399(User-Name)fnbc...@pp.fnbconnect.co.za(Class)0x495858(Framed-IP-Address)41.183.11.3(Acct-Input-Packets)1221(Acct-Input-Octets)415600(Acct-Session-Id)7/0/0/31.182_4A6BD89F(X-Ascend-Connect-Progress)LAN-Session-Up(X-Ascend-Data-Rate)384000(Service-Type)Framed-User(Proxy-State)0x323334(X-Ascend-PreSession-Time)2(X-Ascend-Session-Svr-Key)E6470475(Acct-Authentic)RADIUS(NAS-Port-Id)7/0/0/31.182(X-Ascend-Xmit-Rate)384000(SQL-User-Name)fnbc...@pp.fnbconnect.co.za(X-Ascend-Pre-Output-Octets)73(Calling-Station-Id)0114921873(Framed-Protocol)PPP(X-Ascend-Pre-Output-Packets)5(X-Ascend-Pre-Input

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can 
configure all supported options in there.

Regards

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Robert
Sent: 20 May 2013 09:03
To: freeradius-users@lists.freeradius.org
Subject: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods:

- EAP PEAP/TLS
- EAP PEAP/EAP-TLS

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert



-- 

This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.

Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 

Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.

Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom

 







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. 

According to this conversation: 
http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html
 - FR does support PEAP-EAP-TLS :-)

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: 20 May 2013 10:49
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you
> can configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if you can 
do PEAP with EAP-TLS as an inner.

The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there are 
any caveats.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Limit ADSL speed using radius?

2013-05-20 Thread stefan.paetow
Hi Tom,

Would it be useful to ask Telkom SA and Broadband Infraco for the models of the 
NASes they use and possibly their dictionaries? Although from what I understand 
from a GLUG post, that information is... well... difficult to get hold of (even 
when you're a big fish like Internet Solutions), so you may have some fun ahead 
at FR. I did see that Telkom intends to deploy (or has already deployed) Huawei 
equipment for UWB, so you might want to start with Huawei and the big names for 
NAS devices (Cisco for starters).

Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Cooper, Tom
Sent: 20 May 2013 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: Limit ADSL speed using radius?

We are in South Africa and using the local telco company's NAS'es. They have a 
mixture of them. Problem is that we have in excess of 450 000 users.



On 20/05/2013 13:57, Jonathan Bastin wrote:
> What routers are you using for this.
>
> Regards,
>
> Jonathan Bastin
>
>
> - Reply message -
> From: Cooper, Tom tcoo...@fnb.co.za
> To: freeradius-users@lists.freeradius.org
> Subject: Limit ADSL speed using radius?
> Date: Mon, May 20, 2013 12:50
>
> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working. I have been surfing
> the freeradius wiki for days now but no luck. I am using
> freeradius2-2.1.12-3.el5.
>
> Regards,
> To read FirstRand Bank's Disclaimer for this email click on the
> following address or copy into your Internet browser:
> https://www.fnb.co.za/disclaimer.html
>
> If you are unable to access the Disclaimer, send a blank e-mail to
> firstrandbankdisclai...@fnb.co.za and we will send you a copy of the
> Disclaimer.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> --
> This email (including any attachments) is intended only for the
> recipient(s) named above. It may contain confidential or privileged
> information and should not be read, copied or otherwise used by any
> other person. If you are not the named recipient please contact the
> sender and delete the email from your system. The author's incumbent
> expressions, views and thoughts are their own and not necessarily
> representative of those of the Peer Point Internet Ltd or associated
> companies.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Unlang clarification

2013-05-20 Thread stefan.paetow
The real username in an EAP conversation is inside the encrypted EAP packets, 
i.e. inside an EAP-TLS tunnel. The one in plain-text is a throw-away one (often 
just @realm or anonymous@realm).

I can only surmise that the update reply in this case wants to ensure that no 
User-Name attribute exists in the reply (which is fair enough, the reply 
shouldn't need to ship a username around in plain-text).

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of David Peterson
Sent: 20 May 2013 15:30
To: FreeRadius users mailing list
Subject: RE: Unlang clarification

Hmmm...strange.  Actually that code was in the post-auth reject sections and 
this is in the post-auth section:

update reply {
    User-Name !* 0x00   # removes the User-Name from the Access-Accept
}

Any thoughts as to why they would add these?

David

-Original Message-
From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org
[mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, May 20, 2013 9:59 AM
To: FreeRadius users mailing list
Subject: Re: Unlang clarification


On 20 May 2013, at 09:34, David Peterson dav...@wirelessconnections.net
wrote:

> I am fighting a buggy NAS and was told to add to the
> /sites-enabled/default file in the post-auth section this code:
>
>    EAP-Message = 0x04040004
>    User-Name !* 0x00
>    Message-Authenticator = %{Message-Authenticator}
>
> Can someone clarify what this would actually do to the EAP response?

You mean:

update reply {
EAP-Message = 0x04040004
...
}

You'd be forcing the server to send an EAP-Failure message, with a static and 
probably incorrect ID. Removing any instances of User-Name from the reply, and 
setting an invalid value for the message authenticator which would be 
overwritten anyway.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

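What a static EAP-Message = 0x04040004 actually puts on the wire, as an added example (this is not code from the thread or from FreeRADIUS): a small decoder for the EAP header of RFC 3748 and the flags octet used by the TLS-based methods (RFC 5216, RFC 5281). The values 0x04040004 and the EAP-TTLS Start request 0x010100061520 are taken from this page; the Identity response 0x0200000801626f62 (user "bob", identifier 0) is constructed for the demonstration.

```python
"""Minimal EAP-Message decoder (RFC 3748 header, plus the flags octet of
EAP-TLS/TTLS/PEAP).

Added example, not code from the thread or from FreeRADIUS.  It shows what
the static "EAP-Message = 0x04040004" encodes and why a hard-coded
Identifier is "probably incorrect".
"""
from dataclasses import dataclass
from typing import Dict, Optional

EAP_CODES: Dict[int, str] = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES: Dict[int, str] = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_BASED_TYPES = (13, 21, 25)


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[str] = None              # absent on Success/Failure
    identity: Optional[str] = None              # only for Response/Identity
    tls_flags: Optional[Dict[str, int]] = None  # only for TLS-based types
    tls_payload: bytes = b""


def decode_eap(hexstr: str) -> EapPacket:
    """Parse one EAP packet given as the 0x... string FreeRADIUS prints."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 octets")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        # RFC 3748 s4.1: Length covers the whole packet; a mismatch means a
        # truncated or padded value that must not be trusted.
        raise ValueError(f"EAP Length {length} does not match {len(data)} octets present")
    pkt = EapPacket(EAP_CODES.get(code, f"unknown({code})"), ident, length)
    if code in (3, 4):
        return pkt                              # Success/Failure: header only
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    type_num = data[4]
    pkt.eap_type = EAP_TYPES.get(type_num, f"unknown({type_num})")
    if type_num == 1:
        pkt.identity = data[5:].decode("utf-8", errors="replace")
    elif type_num in TLS_BASED_TYPES:
        flags = data[5]
        pkt.tls_flags = {
            "length_included": (flags >> 7) & 1,
            "more_fragments": (flags >> 6) & 1,
            "start": (flags >> 5) & 1,
            "version": flags & 0x07,            # meaningful for TTLS/PEAP only
        }
        pkt.tls_payload = data[6:]
    return pkt


def failure_acknowledges(response_hex: str, failure_hex: str) -> bool:
    """RFC 3748 s4.2: a Success/Failure carries the Identifier of the Response
    it answers.  A fixed 0x04040004 therefore only ever matches identifier 4."""
    resp, fail = decode_eap(response_hex), decode_eap(failure_hex)
    return fail.code == "Failure" and resp.code == "Response" and fail.identifier == resp.identifier


if __name__ == "__main__":
    print(decode_eap("0x04040004"))
    print(decode_eap("0x010100061520"))
    # Constructed Identity response; only its identifier 0 is compared.
    print(failure_acknowledges("0x0200000801626f62", "0x04040004"))
```

decode_eap("0x04040004") yields Code Failure, Identifier 4, Length 4 and no Type, which is the EAP-Failure Arran describes; failure_acknowledges() shows that the hard-coded identifier only matches a Response whose identifier happens to be 4, so a peer following RFC 3748 will not take it as the answer to any other Response.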


RE: Bug in CUI generation? Is this a known issue?

2013-05-14 Thread stefan.paetow
Thank you, Alan. :-)

Stefan

-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 13 May 2013 17:28
To: FreeRadius users mailing list
Subject: Re: Bug in CUI generation? Is this a known issue?

Matthew Newton wrote:
> Bug. src/main/xlat.c:1077 has:
>
>    if (isdigit(l[1])) break;
>
> which stops looking for a module_name (e.g. md5) if the first
> character after the : is a digit.

  Yeah... that's hard to fix in 2.x.  The code is rich in material plants like. 
 (If you get my drift)

> Fixed in 3.0 (see 4fd62ce9 22 August 2012).

  And with test cases now!

  See src/tests/xlat.c

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
I'm playing around with CUI generation with FreeRADIUS 2.2.0 and discovered 
something odd.

In policy.conf I've set cui_require_operator_name = 1 and cui_hash_key = 
4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a. As you can see it's a 32-character 
string and it looks like a hash.

In radiusd -X output I get this:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.126.155 port 1814, id=17, 
length=113
User-Name = st...@diamond.ac.uk
User-Password = testing
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x80a453196d15a8e68ba13642ba725b24
Proxy-State = 0x30
Operator-Name = 1camford.ac.uk
Chargeable-User-Identity = 
Proxy-State = 0x313630
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++? if (!(User-Name =~ /@/))
?? Evaluating (User-Name =~ /@/) -> TRUE
? Converting !TRUE -> FALSE
++? if (!(User-Name =~ /@/)) -> FALSE
++? if (User-Name =~ /@$/)
? Evaluating (User-Name =~ /@$/) -> FALSE
++? if (User-Name =~ /@$/) -> FALSE
++? if (User-Name =~ /@.+?@/)
? Evaluating (User-Name =~ /@.+?@/) -> FALSE
++? if (User-Name =~ /@.+?@/) -> FALSE
++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/)
? Evaluating (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
++? if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
++? if (User-Name =~ /@[\\.-]/)
? Evaluating (User-Name =~ /@[\\.-]/) -> FALSE
++? if (User-Name =~ /@[\\.-]/) -> FALSE
++? if (User-Name =~ /@.+?[\\.-]$/)
? Evaluating (User-Name =~ /@.+?[\\.-]$/) -> FALSE
++? if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
++? if (User-Name =~ /@[^\\.]+$/)
? Evaluating (User-Name =~ /@[^\\.]+$/) -> FALSE
++? if (User-Name =~ /@[^\\.]+$/) -> FALSE
++? if (User-Name =~ /@.+?\\.\\./)
? Evaluating (User-Name =~ /@.+?\\.\\./) -> FALSE
++? if (User-Name =~ /@.+?\\.\\./) -> FALSE
++? if (User-Name =~ /@myabc\\.com$/i)
? Evaluating (User-Name =~ /@myabc\\.com$/i) -> FALSE
++? if (User-Name =~ /@myabc\\.com$/i) -> FALSE
++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i)
? Evaluating (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
++? if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i)
? Evaluating (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
++? if (User-Name =~ /@\\.?ac\\.uk$/i)
? Evaluating (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
++? if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
++? if (User-Name =~ /@.+?\\.ax\\.uk$/i)
? Evaluating (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
++? if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm diamond.ac.uk for User-Name = st...@diamond.ac.uk
[suffix] Found realm diamond.ac.uk
[suffix] Adding Stripped-User-Name = steve
[suffix] Adding Realm = diamond.ac.uk
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password testing
[pap] Using clear text password testing
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++- entering policy cui_postauth {...}
+++? if (FreeRadius-Proxied-To == 127.0.0.1)
(Attribute FreeRadius-Proxied-To was not found)
? Evaluating (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE
+++? if (FreeRadius-Proxied-To == 127.0.0.1) -> FALSE
+++- entering else else {...}
? if (!(%{control:Proxy-To-Realm}) && Chargeable-User-Identity && 
!(reply:Chargeable-User-Identity) && (Operator-Name || 
!(${policy.cui_require_operator_name})) )
expand: %{control:Proxy-To-Realm} -> 
?? Evaluating (%{control:Proxy-To-Realm}) -> FALSE
? Converting !FALSE -> TRUE
? Evaluating (Chargeable-User-Identity ) -> TRUE
?? Evaluating (reply:Chargeable-User-Identity) -> FALSE
? Converting !FALSE -> TRUE
?? Evaluating (Operator-Name ) -> TRUE
??? Skipping 

RE: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
Hi Alan, 

No, the operator name was 'correct' for our purposes. This is not a live 
system, we were using 'camford.ac.uk' as the 'visited site' on our test 
network. In the real world, it would be the correct operator name. :-)

So, if I were to download v2.2.1, would a 32-character hex-string in 
cui_hash_key work or would it still cause the expand: portion to give me an 
empty value?

Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: 10 May 2013 11:00
To: FreeRadius users mailing list
Subject: Re: Bug in CUI generation? Is this a known issue?

Hi,

> rad_recv: Access-Request packet from host 192.168.126.155 port 1814,
> id=17, length=113
> User-Name = st...@diamond.ac.uk
> User-Password = testing
> NAS-IP-Address = 127.0.0.1
> NAS-Port = 0
> Message-Authenticator = 0x80a453196d15a8e68ba13642ba725b24
> Proxy-State = 0x30
> Operator-Name = 1camford.ac.uk

this is wrong. please update your config so that you are setting the correct 
Operator-Name
- you seem to have copied some example document verbatim

CUI policy has been updated quite a bit - the 3.x has more updates...check the 
latest 2.2.1 code to see what policy looks like.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
Thank you :-)

Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Matthew Newton
Sent: 10 May 2013 12:13
To: FreeRadius users mailing list
Subject: Re: Bug in CUI generation? Is this a known issue?

Hi,

On Fri, May 10, 2013 at 09:49:14AM +, stefan.pae...@diamond.ac.uk wrote:
> As you can see, the expand: bit shows an empty value. Then I changed
> my cui_hash_key to 01234567890abcdef01234567890abcdef
> and it did the same. However, when I set cui_hash_key to a hex string
> that was not 32 characters in length (abcdef as an example), or a
> non-hex string of any length, it works ok. So I'm guessing here that
> if the cui_hash_key happens to be a string that is a potentially
> valid MD5 hash, the md5 operator in the CUI generation statement does
> nothing or barfs.

Bug. src/main/xlat.c:1077 has:

    if (isdigit(l[1])) break;

which stops looking for a module_name (e.g. md5) if the first character after 
the : is a digit.

Fixed in 3.0 (see 4fd62ce9 22 August 2012).

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services, I.T. Services, University of 
Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

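To make Matthew's diagnosis concrete, here is an added example (not FreeRADIUS code) of a cut-down xlat expander in which the 2.2.0 digit check can be switched on and off. The attribute values, the md5 "module" and the CUI template are constructed assumptions standing in for the real policy.conf; the Operator-Name 1camford.ac.uk and the two hash keys are the ones from this thread.

```python
"""A cut-down model of the 2.x xlat expander, reproducing the empty
Chargeable-User-Identity seen in this thread.

Added example, not FreeRADIUS code.  Only the behaviour Matthew Newton
diagnosed is modelled: when the character after ':' in %{name:arg} is a
digit, the 2.2.0 parser stopped looking for a module name (it assumed a
tagged attribute such as %{Attr:1}), so %{md5:4c29...} expanded to nothing.
"""
import hashlib
from typing import Callable, Dict

# Constructed request attributes (the User-Name is made up; the
# Operator-Name is the one from the debug output above).
ATTRS: Dict[str, str] = {
    "User-Name": "alice@example.ac.uk",
    "Operator-Name": "1camford.ac.uk",
}

# Constructed xlat "modules": name -> function of the expanded argument.
MODULES: Dict[str, Callable[[str], str]] = {
    "md5": lambda s: hashlib.md5(s.encode()).hexdigest(),
}


def _closing_brace(s: str, start: int) -> int:
    """Index of the '}' matching the '{' at s[start], honouring nesting."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unterminated %{ in xlat string")


def expand(template: str, attrs: Dict[str, str],
           modules: Dict[str, Callable[[str], str]], digit_bug: bool = False) -> str:
    """Expand every %{...} in template; digit_bug=True reproduces 2.2.0."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _closing_brace(template, i + 1)
            out.append(_expand_ref(template[i + 2:j], attrs, modules, digit_bug))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_ref(body: str, attrs: Dict[str, str],
                modules: Dict[str, Callable[[str], str]], digit_bug: bool) -> str:
    colon = body.find(":")
    if colon > 0:
        next_char = body[colon + 1:colon + 2]
        # The 2.2.0 check "if (isdigit(l[1])) break;": a digit after the colon
        # ends the module-name search, so "md5:4c29..." never reaches md5.
        looks_like_tag = digit_bug and next_char.isdigit()
        if not looks_like_tag and body[:colon] in modules:
            return modules[body[:colon]](expand(body[colon + 1:], attrs, modules, digit_bug))
    # Otherwise an attribute reference; any ":tag" suffix is ignored here.
    return attrs.get(body.split(":", 1)[0], "")


def cui(hash_key: str, attrs: Dict[str, str], digit_bug: bool = False) -> str:
    """CUI as a keyed MD5 over user and operator.  The template is a simplified
    stand-in for policy.conf after ${policy.cui_hash_key} has been substituted."""
    template = "%{md5:" + hash_key + "%{User-Name}%{Operator-Name}}"
    return expand(template, attrs, MODULES, digit_bug)


def reference_cui(hash_key: str, attrs: Dict[str, str]) -> str:
    """What the expansion should produce when the parser is not buggy."""
    material = hash_key + attrs["User-Name"] + attrs["Operator-Name"]
    return hashlib.md5(material.encode()).hexdigest()


if __name__ == "__main__":
    for key in ("abcdef", "4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a"):
        print(key, "->", repr(cui(key, ATTRS, digit_bug=True)))
```

With digit_bug=True the two keys from the thread that begin with a digit expand to an empty string while abcdef works, which matches the observations above: the trigger is the digit directly after the colon, not whether the key looks like an MD5 hash.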


RE: rlm_ippool vs rlm_sqlippool

2013-04-30 Thread stefan.paetow
Here's an entry from the archives where Alan (sort-of) suggests using 
rlm_sqlippool to fix the same problem you're having:

http://lists.cistron.nl/pipermail/freeradius-users/2009-July/039544.html

SQL does appear to have better performance.

With Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of George Chelidze
Sent: 30 April 2013 10:57
To: FreeRadius users mailing list
Subject: rlm_ippool vs rlm_sqlippool

Greetings,

We use rlm_ippool for pool management. Each pool is configured with 16K 
addresses. About 10K are used in the peak time (per pool).

I believe we have almost reached our IO capacity, because heavy IO operations 
like gzipping a 300M file cause freeradius to throw errors like:

Error: Discarding duplicate request from client C port 65038 - ID: 109 due to 
unfinished request 34797335
Error: Discarding duplicate request from client C port 65035 - ID: 98 due to 
unfinished request 34797336

and a bit later:

Error: WARNING: Unresponsive child for request 34797366, in component post-auth 
module ippool-A
Error: WARNING: Unresponsive child for request 34797382, in component post-auth 
module ippool-A

Will it make any sense to switch to rlm_sqlippool? Will it be less IO sensitive?

I know it's worth a try, however any additional information would be helpful.

Thank you in advance,

--
George Chelidze

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Hi, 

We're trying to put together an EAP-TTLS authentication solution with another 
open-source authentication server (Jasig CAS). We've found that only the first 
authentication process succeeds, but everything else after fails. In order for 
us to pinpoint whether this is a problem in the CAS software or the JRadius 
implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm 
with the Radius experts on the list that I have some things right.

As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 
(session resumption) more in particular, the EAP-TTLS session should only be 
resumed if the client was successfully authenticated with the server. So am I 
correct in saying that if an EAP-TTLS session was established and a username 
and password were passed through the tunnel that were not successfully 
authenticated (i.e. the password was incorrect), the session cannot be resumed 
and should start again, i.e. a new tunnel session should be negotiated and the 
authentication request retried?

What we've seen is that the radiusd -X output shows a full EAP-TTLS session 
negotiation the first time, but then only a resumption (or at least that's what 
FreeRADIUS assumes, based on the debug output) of the session to continue. 
FreeRADIUS then sees the EAP handler fail. 

Should that session (i.e. 'request 7 ID 9') have been renegotiated and 
restarted because the user-password combination of 'bob' and 'test' is invalid? 

-- begin of debug output --

Ready to process requests.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=2, 
length=53
User-Name = bob
EAP-Message = 0x020801626f62
Message-Authenticator = 0xeec2f0280b8274f92fc902a15122729c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = bob, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.23.6.33 port 49802
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=3, 
length=135
User-Name = bob
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
EAP-Message = 
0x020100481500160301003d01390301517e66cc1774b02aba3b0067774c719d9a7c24c36fb94a5d97f862a59f866bd3120039003800330032001600130035002f000a0100
Message-Authenticator = 0x93d337adcf53e180ece72e8e881f3022
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = bob, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls]  TLS 1.0 Handshake [length 003d], ClientHello  
[ttls] TLS_accept: SSLv3 read client hello A
[ttls]  TLS 1.0 Handshake [length 002a], ServerHello  
[ttls] TLS_accept: SSLv3 write server hello A
[ttls]  TLS 1.0 Handshake [length 085e], Certificate  
[ttls] TLS_accept: SSLv3 write certificate A
[ttls]  TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls]  TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.23.6.33 port 49802
EAP-Message = 

RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Alan, 

The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. 
rejecting the user). This has not been in doubt at all.

However, when you go to the bottom of the output, where the request for user 
'steve' (who is a valid user, and for whom a correct password was supplied) is 
sent, the request fails. The session for 'steve' is partial and stops 
prematurely, which leads me to believe that the EAP-TTLS client (the JRadius 
EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP 
session, negotiate a fresh tunnel, and then attempt to authenticate the valid 
user 'steve' with the given password.

Based on the debug output, it appears that the client simply re-uses the 
existing tunnel, which, according to the RFC and your confirmation, is not 
correct. So thanks for confirming that part of the theory. :-)

To prove that, I've just had a bit more of a play-around with the Java webapp, 
and when we restart it between authentication requests, the correct process is 
followed, i.e. establish an EAP session, negotiate a tunnel, attempt 
authentication, and every session is complete. I'll have a word with David over 
at Coova about the bean in question.

Regards

Stefan



-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 29 April 2013 14:08
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.pae...@diamond.ac.uk wrote:
> We're trying to put together an EAP-TTLS authentication solution with another 
> open-source authentication server (Jasig CAS). We've found that only the 
> first authentication process succeeds, but everything else after fails. In 
> order for us to pinpoint whether this is a problem in the CAS software or the 
> JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to 
> confirm with the Radius experts on the list that I have some things right.

  Well, TTLS session resumption works with wpa_supplicant, Windows, Macs, etc.

> As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 
> (session resumption) more in particular, the EAP-TTLS session should only be 
> resumed if the client was successfully authenticated with the server. So am I 
> correct in saying that if an EAP-TTLS session was established and a username 
> and password were passed through the tunnel that were not successfully 
> authenticated (i.e. the password was incorrect), the session cannot be 
> resumed and should start again, i.e. a new tunnel session should be 
> negotiated and the authentication request retried?

  Yes.

> What we've seen is that the radiusd -X output shows a full EAP-TTLS session 
> negotiation the first time, but then only a resumption (or at least that's 
> what FreeRADIUS assumes, based on the debug output) of the session to 
> continue. FreeRADIUS then sees the EAP handler fail. 

  It sees more than that.  There's no point in reading only *one* message out 
of many.  The reason the other debug messages exist is because they're *useful*.

> Should that session (i.e. 'request 7 ID 9') have been renegotiated and 
> restarted because the user-password combination of 'bob' and 'test' is 
> invalid? 

  The debug log *doesn't* show session resumption.  If it did, it would have 
text about session resumption.

> -- begin of debug output --

  Which shows that the inner-tunnel configuration is incapable of 
authenticating a user bob with password test.

  This has nothing to do with session resumption.  Your inner-tunnel 
configuration is wrong.  You haven't configured a known good password for the 
user.

  So how is the server supposed to check that bob/test is a valid 
user/password?

  Alan DeKok.


RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Thanks again for the confirmation, Alan. 

:-)

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 29 April 2013 15:35
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.pae...@diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 
> 'steve' (who is a valid user, and for whom a correct password was supplied) 
> is sent, the request fails. The session for 'steve' is partial and stops 
> prematurely, which leads me to believe that the EAP-TTLS client (the JRadius 
> EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the 
> EAP session, negotiate a fresh tunnel, and then attempt to authenticate the 
> valid user 'steve' with the given password.

  Except it's not a request for steve:

User-Name = steve
EAP-Message = 0x020801626f62

  The EAP-Message says that the EAP Identity is for user bob.

  The EAP client you're using is broken.  Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses 
> the existing tunnel, which, according to the RFC and your 
> confirmation, is not correct. So thanks for confirming that part of 
> the theory. :-)

  Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java 
> webapp, and when we restart it between authentication requests, the correct 
> process is followed, i.e. establish an EAP session, negotiate a tunnel, 
> attempt authentication, and every session is complete. I'll have a word with 
> David over at Coova about the bean in question.

  Sounds like a plan.

  Alan DeKok.
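To make the check Alan did by eye repeatable, here is an added example (mine, not code from the thread, from JRadius or from FreeRADIUS) that decodes EAP-Message values in the 0x... form radiusd -X prints and compares the EAP Identity with the outer User-Name. The well-formed Identity packet for "bob" is constructed; the six-byte value as quoted above is treated as malformed because its length field does not match the bytes present, rather than guessed at.

```python
# Added example, not code from the thread or from FreeRADIUS: decode the
# EAP-Message values radiusd -X prints and flag an EAP Identity that names
# a different user than the outer User-Name, the mismatch Alan spotted.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 21: "TTLS"}
TTLS_START_FLAG = 0x20  # S bit of the EAP-TTLS flags octet (RFC 5281)


def decode_eap(hexstr):
    """Parse one EAP packet given as the 0x... hex string from the debug log."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes, got %d" % len(raw))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # refuse to guess at a truncated or mis-copied value
        raise ValueError("length field %d but %d bytes present" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        etype = raw[4]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:  # Identity: the type-data is the NAI itself
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
        elif etype == 21 and length >= 6:  # TTLS: flags octet, then TLS data
            pkt["start"] = bool(raw[5] & TTLS_START_FLAG)
    return pkt


def check_identity(user_name, eap_message):
    """Return 'ok', 'mismatch:<identity>', 'not-identity' or 'malformed:<why>'."""
    try:
        pkt = decode_eap(eap_message)
    except ValueError as exc:
        return "malformed:%s" % exc
    if pkt.get("type") != "Identity":
        return "not-identity"  # a TTLS continuation packet carries no identity
    if pkt["identity"] == user_name:
        return "ok"
    return "mismatch:%s" % pkt["identity"]


if __name__ == "__main__":
    # 0x010100061520 is copied from the debug output above (TTLS Start request).
    print(decode_eap("0x010100061520"))
    # Constructed, well-formed EAP Response/Identity for "bob" (code 2, id 8).
    print(check_identity("steve", "0x0208000801626f62"))  # mismatch:bob
    # The six-byte value as quoted in the thread has no usable length field.
    print(check_identity("steve", "0x020801626f62"))  # malformed:...
```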