Re: question about freeradius
> Hi, I am just wondering if I can use freeradius for hotspot and dial up accounts on same box or does it have to be separate box for hotspot and dial up accounts?

That would depend on how you configured it and had each function isolated when not needing the same resources etc. We use ours for 802.1X federated access, local 802.1X, captive portal, router/switch admin login, VLAN allocations via VMPS, VPN login etc - each function is undertaken by separate virtual server definitions in sites-enabled (with different policies applied) and separate module calls when different requirements for authentications are needed.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about EAP-TTLS session resumption
stefan.pae...@diamond.ac.uk wrote:
> We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS software or the JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm with the Radius experts on the list that I have some things right.

Well, TTLS session resumption works with wpa_supplicant, Windows, Macs, etc.

> As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 (session resumption) more in particular, the EAP-TTLS session should only be resumed if the client was successfully authenticated with the server. So am I correct in saying that if an EAP-TTLS session was established and a username and password were passed through the tunnel that were not successfully authenticated (i.e. the password was incorrect), the session cannot be resumed and should start again, i.e. a new tunnel session should be negotiated and the authentication request retried?

Yes.

> What we've seen is that the radiusd -X output shows a full EAP-TTLS session negotiation the first time, but then only a resumption (or at least that's what FreeRADIUS assumes, based on the debug output) of the session to continue. FreeRADIUS then sees the EAP handler fail.

It sees more than that. There's no point in reading only *one* message out of many. The reason the other debug messages exist is because they're *useful*.

> Should that session (i.e. 'request 7 ID 9') have been renegotiated and restarted because the user-password combination of 'bob' and 'test' is invalid?

The debug log *doesn't* show session resumption. If it did, it would have text about session resumption.

> -- begin of debug output --

Which shows that the inner-tunnel configuration is incapable of authenticating a user bob with password test.

This has nothing to do with session resumption. Your inner-tunnel configuration is wrong. You haven't configured a known good password for the user. So how is the server supposed to check that bob/test is a valid user/password?

Alan DeKok.
RE: Question about EAP-TTLS session resumption
Alan,

The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. rejecting the user). This has not been in doubt at all. However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password. Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete.

I'll have a word with David over at Coova about the bean in question.

Regards

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 29 April 2013 14:08
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

-- 
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
Re: Question about EAP-TTLS session resumption
stefan.pae...@diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user 'steve' (who is a valid user, and for whom a correct password was supplied) is sent, the request fails. The session for 'steve' is partial and stops prematurely, which leads me to believe that the EAP-TTLS client (the JRadius EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP session, negotiate a fresh tunnel, and then attempt to authenticate the valid user 'steve' with the given password.

Except it's not a request for steve:

User-Name = steve
EAP-Message = 0x020801626f62

The EAP-Message says that the EAP Identity is for user bob.

The EAP client you're using is broken. Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses the existing tunnel, which, according to the RFC and your confirmation, is not correct. So thanks for confirming that part of the theory. :-)

Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java webapp, and when we restart it between authentication requests, the correct process is followed, i.e. establish an EAP session, negotiate a tunnel, attempt authentication, and every session is complete. I'll have a word with David over at Coova about the bean in question.

Sounds like a plan.

Alan DeKok.
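Alan's diagnosis comes from reading the EAP-Message bytes by hand: after the EAP header, type 0x01 is Identity and the data decodes to "bob", so the EAP Identity and the outer User-Name disagree. The script below is an added example (not from this thread and not FreeRADIUS code) that does the same decode programmatically and reports whether the two names agree. The sample frame is constructed in full RFC 3748 framing, i.e. code 2 (Response), identifier 8, a two-byte length field, type 1 (Identity) and the data "bob"; all function names are mine. One caveat for anyone turning this into a check: in EAP-TTLS the outer identity is often deliberately anonymised, so a mismatch is something to inspect in the debug output, not an automatic reject.

```python
"""Decode a RADIUS EAP-Message attribute (RFC 3748 framing) and compare the
EAP Identity it carries with the outer RADIUS User-Name.

Added example; not from the thread or from FreeRADIUS.  The sample frame is
constructed: code=2 (Response), id=8, length=8, type=1 (Identity), "bob".
"""

SAMPLE_EAP_MESSAGE = "0x0208000801626f62"   # constructed sample frame
SAMPLE_USER_NAME = "steve"                  # outer User-Name, as in the post

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eap_message(hexstr):
    """Return a dict for the EAP packet; raise ValueError if it is malformed."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs Code, Identifier and Length (4 bytes)")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # The Length field must cover the whole packet; anything else is a
        # truncated or mis-assembled attribute and must not be trusted.
        raise ValueError(f"Length field says {length}, attribute holds {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response must carry a Type byte")
        pkt["type"] = raw[4]
        pkt["data"] = raw[5:]
    return pkt


def is_well_formed(hexstr):
    """True if parse_eap_message() accepts the frame, False otherwise."""
    try:
        parse_eap_message(hexstr)
        return True
    except ValueError:
        return False


def eap_identity(pkt):
    """Identity string of an EAP-Response/Identity, or None for other packets."""
    if pkt["code"] == "Response" and pkt.get("type") == EAP_TYPE_IDENTITY:
        # RFC 3748 5.1: the Identity is UTF-8 and may be followed by a NUL
        # and free-form text; only the part before the NUL is the identity.
        return pkt["data"].split(b"\x00", 1)[0].decode("utf-8", "replace")
    return None


def identity_matches_user_name(user_name, eap_hex):
    """True when the EAP Identity equals the outer User-Name exactly."""
    ident = eap_identity(parse_eap_message(eap_hex))
    return ident is not None and ident == user_name


if __name__ == "__main__":
    pkt = parse_eap_message(SAMPLE_EAP_MESSAGE)
    print(pkt, "identity =", eap_identity(pkt))
    print("User-Name matches EAP Identity:",
          identity_matches_user_name(SAMPLE_USER_NAME, SAMPLE_EAP_MESSAGE))
```

The length check matters more than it looks: EAP-Message may be split across several RADIUS attributes, and the decoder has to see the concatenated whole before the Length field can be trusted.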
RE: Question about EAP-TTLS session resumption
Thanks again for the confirmation, Alan. :-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 29 April 2013 15:35
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption
Re: Question about EAP-TTLS session resumption
> The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. rejecting the user). This has not been in doubt at all.

Instantiate a new EAPTTLSAuthenticator() for each authentication session and you should be fine. The Authenticator class is there to maintain a context through a single authentication session, generally.
Re: question about freeradius
On Apr 28, 2013 10:13 p.m., Tim Reichhart t...@nwohiobb.com wrote:
> Hey Guys I am just wondering if I can use freeradius for hotspot and dial up accounts on same box or does it have to be separate box for hotspot and dial up accounts? Tim

In same box, with virtual servers.
Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote:
> Telling students how to install an internal CA root isn't going to work, it already didn't work for teachers in the past ...

Yes. That is a problem.

> But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices.

That would work.

> I just hope I'm not telling complete bullshit... ;-)

Nope.

> Thank you Alan for your time to answer!

It's what I do.

Alan DeKok.
Re: Question about differences between possibilities of authentication
Bas Penris wrote:
> Everything is working as it should so no worries there, but I'm curious about something. I configured the proxies and the local realm. When I did a radtest like this:
>
> radtest che...@localdomain.nl password 127.0.0.1 1 secret
>
> I would get an Access-Accept. That's the easy part. The debug output would show that first a bind and then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, let's try it on my mobile phone because a test account I got from an academic institution in the UK worked so local authentication should work as well! I entered the credentials but now comes the difference. Using a Wifi device made the LDAP search fail because it tried to authenticate the u...@domain.nl instead of stripping the suffix.

Don't test from a mobile device until you've done complete EAP testing yourself. You'll get a LOT more useful information. See my web page: http://deployingradius.com

> I've been staring at the config files to see if I got the LDAP-filter defined two times somewhere but that doesn't seem to be the case. Now, this wasn't a really big problem because users can be pretty stupid and we decided to let them authenticate using their email address instead of their username@domain which would lead to too much confusion for them.

It's usually best to use the full email address. It simplifies a lot of issues.

> The LDAP filter was:
>
> filter = (uid=%{Stripped-User-Name:-%{User-Name}})
>
> Is now:
>
> filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))
>
> The proxy.conf lines right before it's defaulted to eduroam:
>
> realm ettyhillesumlyceum.nl {
> }

So.. you're posting tiny pieces of the config. But not the debug output as suggested in the FAQ, README, man page, web pages, and daily on this list?

> Does anyone have an idea why radtest would behave differently from an 802.1x login?

Because it's doing different searches. See the debug output for more information. It's all in there. Really.

That's why we tell people to read it, and to post it here.

Alan DeKok.
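The two filters in the post hinge on one xlat idiom: `%{Stripped-User-Name:-%{User-Name}}` expands to Stripped-User-Name when a realm module has set it and falls back to the full User-Name otherwise, so the same filter searches for different things depending on what ran before rlm_ldap. The script below is an added example (not FreeRADIUS code) that models that expansion for both filters, with and without the realm having been stripped, and RFC 4515-escapes every value it substitutes, which is the property any filter built from a request attribute needs. The realm name is the one from the post's proxy.conf; the user names, the `build_request` helper and the simplified suffix handling are constructed for the example and stand in for the real suffix module.

```python
"""Model the xlat expansion behind the rlm_ldap filters in the post and the
RFC 4515 escaping any filter built from a request attribute needs.

Added example; not FreeRADIUS code.  The realm name comes from the post's
proxy.conf; user names are constructed.  strip_suffix() is a simplified
stand-in for the suffix module: only a known local realm is stripped.
"""

import re

LOCAL_REALMS = {"ettyhillesumlyceum.nl"}   # realm block from the post's proxy.conf

OLD_FILTER = "(uid=%{Stripped-User-Name:-%{User-Name}})"
NEW_FILTER = "(|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))"

# %{Attr} or %{Attr:-%{Other}}; group 2 is the fallback attribute, if any
XLAT = re.compile(r"%\{([\w-]+)(?::-%\{([\w-]+)\})?\}")


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def strip_suffix(user_name):
    """Return (Stripped-User-Name, Realm) when the suffix is a local realm,
    else (None, None) so the request keeps only its original User-Name."""
    if "@" not in user_name:
        return None, None
    name, realm = user_name.rsplit("@", 1)
    if realm.lower() in LOCAL_REALMS:
        return name, realm
    return None, None


def build_request(user_name, realm_module_ran=True):
    """Constructed request attribute list.  realm_module_ran=False models a
    processing path in which nothing set Stripped-User-Name before rlm_ldap."""
    attrs = {"User-Name": user_name}
    if realm_module_ran:
        stripped, realm = strip_suffix(user_name)
        if stripped is not None:
            attrs["Stripped-User-Name"] = stripped
            attrs["Realm"] = realm
    return attrs


def expand_filter(template, attrs):
    """Expand %{Attr} and %{Attr:-%{Other}} references, escaping each value."""
    def repl(match):
        primary, fallback = match.group(1), match.group(2)
        value = attrs.get(primary, "")
        if not value and fallback:           # the ":-" operator: use the fallback
            value = attrs.get(fallback, "")  # when the primary is absent or empty
        return ldap_escape(value)
    return XLAT.sub(repl, template)


if __name__ == "__main__":
    user = "user1@ettyhillesumlyceum.nl"    # constructed
    for ran in (True, False):
        req = build_request(user, realm_module_ran=ran)
        print("realm module ran:", ran)
        print("  old:", expand_filter(OLD_FILTER, req))
        print("  new:", expand_filter(NEW_FILTER, req))
```

Run as-is, the output shows why the new filter "works" on both paths: the `mail=` branch matches the full address whether or not the suffix was stripped, which is exactly why the debug output, not the filter text, tells you which search each path actually performed.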
Betr.: Re: Question about differences between possibilities of authentication
Hi Alan,

The reason I didn't post the debugs and config files was because I thought there might be an easy explanation which one of you would be able to spoon up without any trouble. Especially because nothing is broken and everything works as it's supposed to.

I'll get back with a debug log and the config after the weekend.

Regards,

Bas

Alan DeKok al...@deployingradius.com 12-04-13 15:52
Re: Betr.: Re: Question about differences between possibilities of authentication
Bas Penris wrote:
> The reason I didn't post the debugs and config files was because I thought there might be an easy explanation which one of you would be able to spoon up without any trouble.

We need certain information to answer questions. One piece of which is the debug output. That's why we ask for it DAILY on this list. There is NO excuse for not posting it when you're trying to debug a problem.

> Especially because nothing is broken and everything works as it's supposed to.

So you said it didn't do what you wanted, but that it works?

> I'll get back with a debug log and the config after the weekend.

Did I ask for the configuration? No. I asked for the debug output. That's what I want. I don't want copies of your configuration. If I had wanted copies of the configuration, I would have asked for them.

Please follow instructions. A MAJOR reason why people have trouble is that they refuse to follow instructions.

Alan DeKok.
Re: Question on certificates before deep dive into EAP-TLS
Mathieu Simon wrote:
> Usually I've seen examples for EAP-TLS setups that used a server-side certificate issued from the same CA as the one it should allow EAP-TLS clients who present their certificate to FR.

Yes.

> Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client?

Yes. It contains a list of valid CAs.

> The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA)

While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea.

> while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't being trusted by devices outside of control of IT department).

That works. The client will need *both* CAs.

But why be this complicated? Just use one CA, which is for both EAP-TLS and PEAP. It can issue client certs to some machines, and *not* issue client certs to others. You don't need one CA per EAP method.

Alan DeKok.
Re: Question on certificates before deep dive into EAP-TLS
Hi

On 11.04.2013 20:08, Alan DeKok wrote:

snip!

>> The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA)
>
> While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea.

Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the certificate (and its trust chain) by the trusted CA. CA_file would only contain the internal CA, such that only those signed by the one internal CA IT has control over would be accepted by FR. (oh and I'd want to have a regularly up-to-date revocation list...)

snip!

> You don't need one CA per EAP method.

Sure, I am only looking for the server-side certificate (certificate_file) being signed by a CA that most devices trust - since most of the users are going to use PEAP-MSCHAPv2 with devices not under direct control of IT. Telling students how to install an internal CA root isn't going to work, it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- 
Mathieu
Re: Question about interaction Between Vmware View 5.1 and smsotp
Hello Stéphane,

Can you please send a screenshot of your View Radius Configuration, your full configuration and the full debugging output which includes an authentication request from pap_challenge_request.pl and from View.

Cheers,

Thomas
Re: Question about interaction Between Vmware View 5.1 and smsotp
Hello Stéphane,

> It works. Thank you. Yes, the radiusd process listens on multiple ports and I was wrong when I put the value 1812 on VMware View.

For the list: the problem was that View was configured to port 1812 which does not do SMSOTP with my configuration, so we reconfigured it to port 11812 and it worked.

> A little question, is this the normal workflow = Client View asks for user/pass AD = asks for OTP = asks again for user/pass AD?

If I remember correctly you either should put the username as: domain\username or usern...@full.realm.de, then it should ask only once. But the last time I configured it with View is one year ago.

Cheers,

Thomas
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
b...@indoakses-online.com wrote:
> I found same problem of old topic posted back in Feb-2012
> For ref : http://lists.freeradius.org/pipermail/freeradius-users/2012-February/058868.html
> ...
> Look like The device didn't send :
> ...
> If so, How to fix it ?

Fix the device. You can't fix it by poking FreeRADIUS.

Alan DeKok.
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
>> ...
>> Look like The device didn't send :
>> ...
>> If so, How to fix it ?
>
> Fix the device. You can't fix it by poking FreeRADIUS.
>
> Alan DeKok.

Dear Alan

What I want to know is: is it common for a device telling AAA that it uses EAP-SIM but it doesn't send RAND, SRES, and KC? I'm asking this because Gnubie (back in 2012) and me (now) found the same case. If it is common, I think it'll be great if FreeRadius can adjust to this. But if it is uncommon, I think I'll need to find a new device.

Sincerely
-bino-
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
b...@indoakses-online.com wrote:
> What I want to know is: is it common for a device telling AAA that it uses EAP-SIM but it doesn't send RAND, SRES, and KC?

Read RFC 4186. Those fields are required for EAP-SIM to work.

> If it is common, I think it'll be great if FreeRadius can adjust to this. But if it is uncommon, I think I'll need to find a new device.

Some device manufacturers don't bother reading the specifications. You should ask for your money back. Or, throw the devices in the garbage.

If they don't bother to test their device against existing implementations, they might as well be writing code and shipping it as soon as it compiles. They're incompetent, and uncaring.

Alan DeKok.
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
> Read RFC 4186. Those fields are required for EAP-SIM to work.
>
>> If it is common, I think it'll be great if FreeRadius can adjust to this. But if it is uncommon, I think I'll need to find a new device.
>
> Some device manufacturers don't bother reading the specifications. You should ask for your money back. Or, throw the devices in the garbage.

Dear Alan and All

My apologies. I think all the needed data is there. I just need to use some kind of SIM reader and software like AGSM to find all the data and put it in my user db.

Just for ref:
++ Page/slide #23 of http://agsm.sourceforge.net/talk/EAP-SIM.ppt
And the screenshot at http://agsm.sourceforge.net/screenshots/agsm-3gpp-aka.png

I really appreciate your help

Sincerely
-bino-
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
b...@indoakses-online.com wrote:
> My apologies. I think all the needed data is there.

The EAP-SIM code disagrees with you. And since you haven't bothered to read the specifications, or the code, or run the server in debugging mode as suggested in the FAQ, web pages, man page, and daily on this list... you're not thinking correctly.

> I really appreciate your help

No, you don't. I've explained, and you've told me I'm wrong. This isn't being appreciative. This is being argumentative.

You're so smart that you know more about EAP-SIM than the code, the specifications, and the people on this list. You don't need any help to solve this problem, as you already know all of the answers.

You're wasting everyone's time by being rude. Stop it.

Alan DeKok.
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
Dear Alan and All

I'm really sorry

> b...@indoakses-online.com wrote:
>> My apologies. I think all the needed data is there.
>
> The EAP-SIM code disagrees with you. And since you haven't bothered to read the specifications, or the code, or run the server in debugging mode as suggested in the FAQ, web pages, man page, and daily on this list... you're not thinking correctly.

Maybe I have to replace 'I think' with 'I guess'. Yes, I read that RFC before I posted the question. I also ran the server in debug mode as suggested. I just didn't post my debug to the list since it's (more or less) the same as the one posted by gnubie.

>> I really appreciate your help
>
> No, you don't. I've explained, and you've told me I'm wrong. This isn't being appreciative. This is being argumentative.
>
> You're so smart that you know more about EAP-SIM than the code, the specifications, and the people on this list. You don't need any help to solve this problem, as you already know all of the answers.
>
> You're wasting everyone's time by being rude. Stop it.

I don't know what and how to say. I read the specification but I don't understand it, that's why I came to this list .. wishing to get more knowledge. While waiting for a response from the list, I keep reading and hunting for more docs.

And Sir, could you please help me to evaluate my manner by pointing out my rudeness? I really need it. It's ok for me if you do it in public, but if you think it'll ruin the list I'll be more than happy if you send me a private email.

Sincerely
-bino-
Re: Question : EAP-SIM without RANDs, SRESs, KCs ?
You seem to have a problem understanding me. I will try one last time to explain. If you keep arguing, you will be unsubscribed, and banned from the list.

FreeRADIUS says that data is missing from EAP-SIM. It needs that data to do EAP-SIM. If you don't understand that, then you don't understand anything. If you think the data is really there, you're wrong.

You're being rude by asking a question, and then arguing with the answer. You're not a RADIUS expert. You're not an EAP-SIM expert. Yet you refuse to believe the messages from FreeRADIUS, and you refuse to believe the answers I've given you.

You're obsessed with believing messages from shitty software that doesn't work. You're refusing to believe messages from the world's best RADIUS server. You're refusing to believe answers from one of the world experts in RADIUS. You're respecting the author of crappy software more than you're respecting me. That's rude, annoying, and ignorant. Stop it.

And don't email me privately. I've already given you my answers, and they won't change in private email.

And stop arguing. It will only get you banned. I've had it with people who ask questions and argue about the answers. If you're so damned smart, go fix the problem yourself.

Alan DeKok.
Re: Question on attributes
On 17/01/13 11:29, Tiago wrote:
> Hello everyone, I'm struggling with something that should be simple to fix. I have a rp-pppoe NAS server here that correctly understands a few attributes (radreply) that come from freeradius 1.x (w/mysql database). Example: Download (for download rates) attribute
>
> Simple real example, from pppoe server:
>
> # cat /var/run/radattr.ppp479
> Framed-Compression Van-Jacobson-TCP-IP
> Framed-Protocol PPP
> Framed-MTU 1500
> Download 12000
> Upload 3072

Download and Upload aren't standard attributes. Where are these defined in dictionary files?

> Sending Access-Accept of id 192 to NASPPPOE01 port 48956
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
> Cliente = \000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
> Framed-MTU = 1500
> WISPr-Bandwidth-Max-Down = 256000
> WISPr-Bandwidth-Max-Up = 256000
> Finished request 0.
> Going to the next request
>
> What am I missing? It seems like the attributes are not being sent to the NAS, but I could be wrong

Correct.

Check the attributes are actually defined in a dictionary on the 2.x installation; check raddb/dictionary on the 1.x installation, see if they were defined as custom VSAs or similar.
Re: Question on attributes
Hello Phil,

Thanks for your answer. I have these:

ATTRIBUTE Download 78 integer
ATTRIBUTE Upload 79 integer

On /etc/freeradius/dictionary file that is being included as debug showed.

including dictionary file /etc/freeradius/dictionary

on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?

2013/1/17 Phil Mayers p.may...@imperial.ac.uk:
Re: Question on attributes
Tiago wrote:
> I have these:
>
>     ATTRIBUTE Download 78 integer
>     ATTRIBUTE Upload   79 integer
>
> in the /etc/freeradius/dictionary file that is being included, as the debug showed.

They are wrong. Delete them.

>     including dictionary file /etc/freeradius/dictionary
>
> on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?

The documentation describes how the dictionaries work. If you're editing the dictionary file, then READ IT. It contains DOCUMENTATION describing how to add new attributes.

I honestly don't know why I write *any* documentation. It seems that the bulk of problems on this list are people who fanatically avoid all existing documentation.

Alan DeKok.
Re: Question on attributes
Alan,

Sorry, I did that. But I think I didn't understand it correctly, maybe due to English not being my first language. From the man page I have:

    The names have no meaning outside of the RADIUS server itself, and are never exchanged between server and clients. That is, editing the dictionaries will have NO EFFECT on anything other than the server that is reading those files. Adding new attributes to the dictionaries will have NO EFFECT on RADIUS clients, and will not make RADIUS clients magically understand those attributes. The dictionaries are solely for local administrator convenience, and are specific to each version of FreeRADIUS.

May I ask you for a bit of patience helping me on this? So, can I conclude that adding attributes to the dictionary file will not make freeradius send those to the NAS? But are they necessary to create SQL pairs and so get them from the SQL radreply?

Yet, in the dictionary file I have:

    # If you want to add entries to the dictionary file,
    # which are NOT going to be placed in a RADIUS packet,
    # add them here.  The numbers you pick should be between
    # 3000 and 4000.

So I didn't understand that: entries with 3000-4000 numbers aren't placed in the RADIUS packet, so can I conclude that the others are? But the man page says that attributes are never exchanged. So I'm a bit confused here.

What do I need to do for the radius server to send the attributes that are collected from my mysql database (radreply attributes)?

Thanks again.
Re: Question on attributes
Tiago wrote:
> From the man page I have:

Please don't quote the documentation here. I've read it.

> May I ask you for a bit of patience helping me on this? So, can I conclude that adding attributes to the dictionary file will not make freeradius send those to the NAS?

That is what the documentation says.

> But are they necessary to create SQL pairs and so get them from the SQL radreply?

I'm not sure what you mean by that.

> So I didn't understand that: entries with 3000-4000 numbers aren't placed in the RADIUS packet, so can I conclude that the others are?

No.

> But the man page says that attributes are never exchanged. So I'm a bit confused here.

It says the NAMES are never exchanged. NAMES. Not ATTRIBUTES.

> What do I need to do for the radius server to send the attributes that are collected from my mysql database (radreply attributes)?

Use attributes that are *supposed* to go into a RADIUS packet. It has nothing to do with MySQL. The attributes can come from anywhere.

You can't simply invent attribute numbers. They are assigned via a controlled process. The numbers you used, 78 and 79, are *already* assigned to different attributes.

You need to read the documentation for the PPPoE server to see which attributes it understands. There's also a dictionary.roaringpenguin file distributed with FreeRADIUS. It defines attributes for the RP PPPoE server, for upload and download rate limiting. Use that.

Alan DeKok.
Re: Question on attributes
Alan,

Thanks. Can I add an attribute to dictionary.roaringpenguin besides the ones listed there? I'm asking that to avoid breaking my production environment. I saw this there (dictionary.roaringpenguin):

    # Downstream speed limit in kb/s
    ATTRIBUTE RP-Downstream-Speed-Limit 2 integer

Can I add at the end?

    ATTRIBUTE Download 6 integer

Do I need to make any attribute number change on my pppoe/nas server for it to understand the new one defined here? I'm asking that because the old freeradius/pppoe are working using those attribute numbers, which are already defined by other attributes, as you stated.

Thanks.
Re: Question on attributes
On 17/01/13 12:42, Tiago wrote:
> Hello Phil,
>
> Thanks for your answer. I have these:
>
>     ATTRIBUTE Download 78 integer
>     ATTRIBUTE Upload   79 integer
>
> in the /etc/freeradius/dictionary file that is being included, as the debug showed:
>
>     including dictionary file /etc/freeradius/dictionary
>
> on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?

These attributes are already allocated; you've stolen them from the main attribute space, and are probably having problems with dictionary precedence - IIRC there were changes in this area in FR2.

The correct thing to do is either use a valid, allocated attribute, or assign your own from a valid, allocated enterprise number that you own.

What is processing these attributes? Since you are using rp-pppoe, I suspect you are using an ip-up script and processing them in shell script? In that case, find an allocated attribute with similar purpose, and use that. Use grep to search the dictionaries.
Re: Question on attributes
Tiago wrote:
> Alan,

Please also learn to edit the messages to this list. There is NO need to quote the entire message again.

> Thanks. Can I add an attribute to dictionary.roaringpenguin besides the ones listed there? I'm asking that to avoid breaking my production environment.

Are you in charge of Roaring Penguin?

> I saw this there (dictionary.roaringpenguin):
>
>     # Downstream speed limit in kb/s
>     ATTRIBUTE RP-Downstream-Speed-Limit 2 integer
>
> Can I add at the end?
>
>     ATTRIBUTE Download 6 integer

Why? And where did you get the number 6 from? Did you just invent it?

In case it was not clear before: DO NOT EDIT THE DICTIONARIES. DO NOT INVENT NUMBERS. YOU DO NOT CONTROL VENDOR DICTIONARIES. DO NOT EDIT THEM.

Is that clearer?

> Do I need to make any attribute number change on my pppoe/nas server for it to understand the new one defined here?

You have absolutely no idea how RADIUS works. As a result, you have NO BUSINESS editing the dictionaries.

> I'm asking that because the old freeradius/pppoe are working using those attribute numbers, which are already defined by other attributes, as you stated.

How about reading the Roaring Penguin documentation to see which attributes it needs?

You are obsessed with editing the dictionaries. DON'T DO THAT. Instead, read the documentation. It's not hard.

Alan DeKok.
Re: Question on attributes
2013/1/17 Phil Mayers p.may...@imperial.ac.uk:
> On 17/01/13 12:42, Tiago wrote:
>> Hello Phil,
>>
>> Thanks for your answer. I have these:
>>
>>     ATTRIBUTE Download 78 integer
>>     ATTRIBUTE Upload   79 integer
>>
>> in the /etc/freeradius/dictionary file that is being included, as the debug showed:
>>
>>     including dictionary file /etc/freeradius/dictionary
>>
>> on freeradius v2. Maybe I need to create a separate dictionary file and have an include on this file? What am I doing wrong?
>
> These attributes are already allocated; you've stolen them from the main attribute space, and are probably having problems with dictionary precedence - IIRC there were changes in this area in FR2.

Thanks for the clarification.

> The correct thing to do is either use a valid, allocated attribute, or assign your own from a valid, allocated enterprise number that you own.

Any suggestion/tip on how I can migrate from v1 to v2, considering that I have a few invalid attributes in production today (Download/Upload for example) that were implemented using the numbers I already mentioned here, so that I don't need to mess with 11,000 customers' radreply attributes (which are configured with Download/Upload values) without a naming change? Maybe it will not be the best thing to do, but as a next step.

> What is processing these attributes? Since you are using rp-pppoe, I suspect you are using an ip-up script and processing them in shell script? In that case, find an allocated attribute with similar purpose, and use that. Use grep to search the dictionaries.

Yes, that's correct, it's being processed in ip-up.
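The thread's dictionary rules, applied by a checker; this is an added example, not code from the FreeRADIUS project or from anyone on the list. It parses ATTRIBUTE lines of a site-local fragment and reports standard-space numbers that are already taken (78 and 79 are Configuration-Token and EAP-Message in RFC 2869), numbers outside the 3000-4000 internal-only range that the raddb/dictionary comment reserves, and duplicates under a VENDOR block; the dictionary excerpts and the enterprise number are constructed placeholders.

```python
"""Added example (not from the FreeRADIUS project or the list posters):
check a site-local dictionary fragment against the allocation rules the
thread lays out. Standard-space numbers 1-255 are IANA-assigned and must
not be reused; server-internal attributes belong in 3000-4000; anything
else goes under a VENDOR block for an enterprise number you actually own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the stock dictionary (real RFC assignments).
BASE_DICTIONARY = """\
ATTRIBUTE  User-Name             1   string
ATTRIBUTE  Framed-Protocol       7   integer
ATTRIBUTE  Framed-MTU           12   integer
ATTRIBUTE  Framed-Compression   13   integer
ATTRIBUTE  Configuration-Token  78   string
ATTRIBUTE  EAP-Message          79   string
"""

# Constructed site-local fragment: the thread's mistake, one valid
# internal attribute and one valid VSA. The PEN is a placeholder.
LOCAL_DICTIONARY = """\
ATTRIBUTE  Download        78    integer   # wrong: reuses an IANA number
ATTRIBUTE  Upload          79    integer   # wrong: reuses an IANA number
ATTRIBUTE  Site-Local-Tag  3001  integer   # fine: internal-only range
VENDOR       Example-Corp  65535           # placeholder PEN, not a real one
BEGIN-VENDOR Example-Corp
ATTRIBUTE  Example-Down-Rate  1  integer   # fine: your own VSA space
END-VENDOR   Example-Corp
"""

ATTR_RE = re.compile(r"^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)", re.I)
BEGIN_RE = re.compile(r"^\s*BEGIN-VENDOR\s+(\S+)", re.I)
END_RE = re.compile(r"^\s*END-VENDOR\b", re.I)
INTERNAL_RANGE = range(3000, 4001)   # from the raddb/dictionary comment


@dataclass(frozen=True)
class Attr:
    name: str
    number: int
    type: str
    vendor: Optional[str]   # None means the standard (IETF) attribute space


def parse_dictionary(text: str) -> List[Attr]:
    """Parse ATTRIBUTE lines, tracking BEGIN-VENDOR/END-VENDOR scope."""
    attrs: List[Attr] = []
    vendor: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        if not line.strip():
            continue
        m = BEGIN_RE.match(line)
        if m:
            vendor = m.group(1)
            continue
        if END_RE.match(line):
            vendor = None
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs.append(Attr(m.group(1), int(m.group(2)), m.group(3), vendor))
    return attrs


def check_local(base_text: str, local_text: str) -> List[Tuple[str, str]]:
    """Return (attribute name, problem) for every questionable local entry."""
    taken = {(a.vendor, a.number): a.name for a in parse_dictionary(base_text)}
    problems: List[Tuple[str, str]] = []
    for a in parse_dictionary(local_text):
        key = (a.vendor, a.number)
        if a.vendor is None and a.number <= 255:
            # Standard RADIUS space: assigned by IANA, never invented locally.
            owner = taken.get(key)
            problems.append((a.name, f"{a.number} collides with {owner}" if owner
                             else f"{a.number} is IANA-assigned space, not yours"))
        elif a.vendor is None and a.number not in INTERNAL_RANGE:
            problems.append((a.name, f"{a.number} is outside the internal 3000-4000 range"))
        elif key in taken:
            problems.append((a.name, f"duplicates {taken[key]}"))
    return problems


if __name__ == "__main__":
    for name, why in check_local(BASE_DICTIONARY, LOCAL_DICTIONARY):
        print(f"{name}: {why}")
```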
Re: Question about the behavior of sql.conf
On 12/27/2012 06:20 AM, Fajar A. Nugraha wrote:
> On Thu, Dec 27, 2012 at 1:00 PM, ichiro tanaka i_tan...@hotmail.co.jp wrote:
>> I made a set of 'safe-characters' connection configs in sql.conf. However, the safe-characters being used in the connection are the last ones (B). (When I use A, B will be used in this case.) Do you know the reason for this?
>
> Short version: known problem, hard to fix.
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg72933.html

Actually - not any more! Fixed in HEAD/3.0. We re-worked the xlat stuff to pass context arguments to xlat functions. So, safe-characters is now per-instance. I need to add SQL driver-based escaping next.
Re: Question about the behavior of sql.conf
On 12/27/2012 06:00 AM, ichiro tanaka wrote:
> Hello,
>
> I'm using freeradius 2.1.12. I'm trying to set up sql.conf. But there is one question. I made a set of 'safe-characters' connection configs in sql.conf. However, the safe-characters being used in the connection are the last ones (B). (When I use A, B will be used in this case.) Do you know the reason for this?

This is a limitation of 2.x. It is fixed in the master branch, which will become 3.0.
Re: Question about the behavior of sql.conf
On Thu, Dec 27, 2012 at 1:00 PM, ichiro tanaka i_tan...@hotmail.co.jp wrote:
> I made a set of 'safe-characters' connection configs in sql.conf. However, the safe-characters being used in the connection are the last ones (B). (When I use A, B will be used in this case.) Do you know the reason for this?

Short version: known problem, hard to fix.
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg72933.html

-- Fajar
Re: Question setting up Virtual Servers with unique clients / users files.
Zach Simpson wrote:
> What I'm having issues with is creating users file rules for each group of devices. I have a few rules in the users file that look like this:
>
>     DEFAULT Ldap-Group == "Switch Admins"
>             Reply-Message = "Welcome Switch Admin!"
>
>     DEFAULT Ldap-Group == "Router Admins"
>             Reply-Message = "Welcome Router Admin!"
>
> But the issue is that if a user is a member of both groups, it stops at the first match.

You can use Fall-Through to have it continue processing the file. See the rest of the comments / examples in the users file, and man users.

> Is there a way to specify a specific users file for each entry in the clients file? I'm thinking that to do this I will need to set up a virtual server for each client group, but I'm not finding much in the way of sample configurations that let me specify the users file as well.

In the latest version of the server, see raddb/modules/files.

Alan DeKok.
Re: Question setting up Virtual Servers with unique clients / users files.
On 31.08.2012 19:22, Zach Simpson wrote:
> What I'm having issues with is creating users file rules for each group of devices. I have a few rules in the users file that look like this:
>
>     DEFAULT Ldap-Group == "Switch Admins"
>             Reply-Message = "Welcome Switch Admin!"
>
>     DEFAULT Ldap-Group == "Router Admins"
>             Reply-Message = "Welcome Router Admin!"
>
> But the issue is that if a user is a member of both groups, it stops at the first match.

Your problem as well as the solution is described at the top of the users file:

    # A special user named DEFAULT matches on all usernames.
    # You can have several DEFAULT entries. All entries are processed
    # in the order they appear in this file. The first entry that
    # matches the login-request will stop processing unless you use
    # the Fall-Through variable.

You therefore should use the following:

    DEFAULT Ldap-Group == "Switch Admins"
            Reply-Message = "Welcome Switch Admin!",
            Fall-Through = Yes

    DEFAULT Ldap-Group == "Router Admins"
            Reply-Message = "Welcome Router Admin!",
            Fall-Through = Yes

Cheers,
Klaus
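A small model of the users file walk described above, written as an added example (not code from the FreeRADIUS project or from anyone in the thread). It shows why the second Ldap-Group rule is never reached without Fall-Through = Yes, and goes one step further than the thread by modelling the reply-item operators from users(5): "=" adds only if the attribute is not already in the reply, "+=" always adds, ":=" replaces. Entries, group membership and the username are constructed.

```python
"""Added example (not from the FreeRADIUS project or the list posters):
a model of how the users file walks its entries, with Fall-Through and
the users(5) reply-item operators.
"""
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]                       # (attribute, operator, value)
Entry = Tuple[str, Dict[str, str], List[Item]]    # (name, check items, reply items)
Reply = List[Tuple[str, str]]                     # ordered (attribute, value) pairs


def apply_reply_item(reply: Reply, attr: str, op: str, value: str) -> None:
    """Apply one reply item with users(5) operator semantics."""
    present = any(a == attr for a, _ in reply)
    if op == "=":
        if not present:                    # add only if not already present
            reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))        # always add
    elif op == ":=":                       # replace any existing instance
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    else:
        raise ValueError(f"unsupported reply operator {op!r}")


def users_file_lookup(entries: List[Entry], username: str, groups: List[str]) -> Reply:
    """Walk entries in file order; stop at the first match unless it sets Fall-Through = Yes."""
    reply: Reply = []
    for name, check, items in entries:
        if name != "DEFAULT" and name != username:
            continue                       # DEFAULT matches every username
        group = check.get("Ldap-Group")
        if group is not None and group not in groups:
            continue                       # Ldap-Group == X did not match
        fall_through = False
        for attr, op, value in items:
            if attr == "Fall-Through":     # control item, never sent to the NAS
                fall_through = value.lower() == "yes"
                continue
            apply_reply_item(reply, attr, op, value)
        if not fall_through:
            break
    return reply


# Constructed entries. ORIGINAL is the poster's two rules as written.
ORIGINAL: List[Entry] = [
    ("DEFAULT", {"Ldap-Group": "Switch Admins"},
     [("Reply-Message", "=", "Welcome Switch Admin!")]),
    ("DEFAULT", {"Ldap-Group": "Router Admins"},
     [("Reply-Message", "=", "Welcome Router Admin!")]),
]

# Fall-Through lets the second rule run, but with "=" its Reply-Message
# is dropped because one is already in the reply.
FALL_THROUGH_EQUALS: List[Entry] = [
    ("DEFAULT", {"Ldap-Group": "Switch Admins"},
     [("Reply-Message", "=", "Welcome Switch Admin!"), ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", {"Ldap-Group": "Router Admins"},
     [("Reply-Message", "=", "Welcome Router Admin!"), ("Fall-Through", "=", "Yes")]),
]

# "+=" keeps both messages in the reply.
FALL_THROUGH_APPEND: List[Entry] = [
    ("DEFAULT", {"Ldap-Group": "Switch Admins"},
     [("Reply-Message", "+=", "Welcome Switch Admin!"), ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", {"Ldap-Group": "Router Admins"},
     [("Reply-Message", "+=", "Welcome Router Admin!"), ("Fall-Through", "=", "Yes")]),
]

BOTH_GROUPS = ["Switch Admins", "Router Admins"]   # constructed membership

if __name__ == "__main__":
    for label, entries in [("original", ORIGINAL),
                           ("fall-through with =", FALL_THROUGH_EQUALS),
                           ("fall-through with +=", FALL_THROUGH_APPEND)]:
        print(label, users_file_lookup(entries, "admin1", BOTH_GROUPS))
```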
Re: Question setting up Virtual Servers with unique clients / users files.
On 31.08.2012 20:35, Klaus Klein wrote:
> ... long text ...

Oops, too late. Next time I'll try to type faster. ;-)

Klaus
Re: Question about SQLcounter and reject sessions
Thanks Fajar!!
Re: Question about SQLcounter and reject sessions
On Wed, Aug 8, 2012 at 8:34 PM, Andres Gomez Ruiz andres.go...@urbalink.co wrote:
> I have some users whose sessions I need to reject at midnight; because of that I'm using the dailycounter...

IIRC that's not what dailycounter is for.

> but I need the user to be unable to log in again (the user is valid only 1 day). At the moment the user can log in again the next day. How can I invalidate the user after midnight?

One way to do that was mentioned in the past. Try reading the archives: http://freeradius.1045715.n5.nabble.com/Unix-TimeStamp-Based-Login-td5708187.html . In particular, look at Phil's post.

-- Fajar
Re: Question on Cisco-AVPair = device-traffic-class=voice
On Sat, Jun 23, 2012 at 08:35:31AM +0800, John wrote:
> With this solution, both an IP phone and any other device will be marked as 'voice', right?

Yes.

> Can we distinguish whether it is a 'voice' device? Then add Cisco-AVPair = "device-traffic-class=voice"; otherwise, don't add this attribute.

I hit exactly this issue this week. It depends on what your NAS sends in the request. Annoyingly it seems that Cisco doesn't send anything useful apart from the MAC address in Calling-Station-Id (that I can find), or the username or certificate checks if you're using 802.1X rather than MAB. (In my case, at this stage, I'm less concerned about the security and would more like logging and an easy way to block a MAC address, so if the switch sent device class details, or even PoE state, from LLDP or CDP, it would be much more useful, but I haven't yet found a way to get it to do that.)

So you either look it up in a database, or check the MAC prefix. Something like

    if (Calling-Station-Id =~ /^001122/) {
        update reply {
            ...
        }
    }

As I said before - man unlang.

Cisco specifically say in their documentation that you can't check the MAC address prefix if you're using Cisco phones, though, as unlike some other more useful manufacturers they use many different prefixes for their phones. That pushes you to have to use a database of some kind if you use their system (which thankfully we don't).

Cheers,
Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Question on Cisco-AVPair = device-traffic-class=voice
On Sat, Jun 23, 2012 at 06:24:40AM +0800, John wrote:
> Is there a way that freeradius can tell it is a VOICE device? Like the ACS server: Cisco-AVPair = "device-traffic-class=voice".

man unlang

    update reply {
        cisco-avpair := "device-traffic-class=voice"
    }

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Question on Cisco-AVPair = device-traffic-class=voice
Thanks, Matthew.

With this solution, both an IP phone and any other device will be marked as 'voice', right? Can we distinguish whether it is a 'voice' device? Then add Cisco-AVPair = "device-traffic-class=voice"; otherwise, don't add this attribute.

Hangjun
Re: Question: which 3rd party CA for EAP
Hi,

> We are trying to set up EAP for different mobile devices. We don't need certificates for each user; we want to authorize against the RADIUS server with username and password only. With self-signed certificates it's working if the mobile device installs the root CA certificate. We tried several 3rd party certificates: StartSSL, United SSL, GoDaddy, test certificates from Thawte. Apple and Windows clients are claiming that the certificate is not trusted. Has anybody a working solution with 3rd party certificates and can tell us which certificate could be used and what needs to be configured in eap.conf?

You should be aware that the trusted status of a CA is completely independent in browsers vs. for EAP. Browsers have a (large|too large) set of CAs which they consider trusted. EAP supplicants typically trust NO CA unless explicitly configured to. In the Windows case, the supplicant will trust the 3rd party certs just fine as soon as you open the EAP properties and check the box of that CA.

So, very often you will require extra manual/scripted configuration whether you use a self-signed CA or not; merely the actual import of the certificate file can be omitted if the CA is shipped. I.e. you don't gain a lot, and spend more money when using a trusted CA, so in the vast majority of cases, it is the wiser way to use a self-signed CA.

Greetings,

Stefan Winter

> Kind Regards
> Uwe

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
Re: Question on logging EAP/PEAP authentication rejections
> It's a section, just like any other section. This is documented in man unlang. You put modules or unlang rules there. This is documented in man unlang.

Thanks!! That is exactly what I needed. I did not know to look in that man page. Awesome!

>> If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph, please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused by the replies I received. Oh well.
>
> The documentation assumes some amount of independent thought. *This* is the cause of most of the contention on this list. Some people want to be spoon-fed every possible piece of information. They get testy when that doesn't happen. I get frustrated when people don't bother reading the documentation I wrote. I give direct opinions when they express how bad the documentation is... that they haven't read.

I'm sorry I upset you. I could have worded the last part better. FreeRADIUS is so full of great features that sometimes the doc is not where you expect it, which is why I needed help finding where this was documented. I did figure it out without it in the end anyway. The man unlang advice was exactly what I needed and the doc is very clear.

Thanks.

> Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Well, I eventually found and switched to using linelog to log access rejects, since I can define my own variables that are logged. Oddly enough FreeRADIUS was showing a packet-type of Access-Request for EAP authentication failures. Since I was calling linelog only from the post_auth_reject spot, I just changed the Access-Request= definition to:

    Access-Request = "Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"

and the filename= line to be:

    ${logdir}/authrejectlog-%Y%m%d.log

(yep, I could make a subsection of linelog with those changes but chose not to). So I am now logging username rejects as well as the SSID they are trying to connect to.

I'm not sure why people kept telling me to read the spot above the Post-Auth-Type Reject section. Here is a paste of the text above that section.

    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #
    #  Add the ldap module name (or instance) if you have set
    #  'edir_account_policy_check = yes' in the ldap module configuration
    #

This section was of no help as to why usernames were not getting logged in the detail logs for rejections. From my emails I believe I conveyed that I was reading documentation and doing the best I could on my own without being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner j...@remc1.org wrote:
> Alan. Thanks for the reply. In one of my previous emails I did put reply_log in the post auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post auth reject spot in my default file under sites-enabled and I do have stuff in that section as it clues me to. I must be missing something, though, obviously.
>
> Thanks
> -josh
>
> Sent from my iPhone
>
> On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> Ok, I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>>
>> ...to remind you what Alan said:
>>
>>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>>
>> in the post-auth section
>>
>>     Post-Auth-Type REJECT {
>>         attr_filter.access_reject
>>     }
>>
>> put things in that bit
>>
>> alan
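Once rejects are written in the linelog format shown above ("Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"), the file is easy to mine for repeated failures. The parser and summariser below are an added example, not code from the FreeRADIUS project or from the poster; the log lines are constructed, an empty User-Name is kept as a distinct bucket (the thread's original symptom), and the per-user threshold is an assumption.

```python
"""Added example (not from the FreeRADIUS project or the list posters):
parse reject lines written by the linelog format from the thread and
summarise them per user and per SSID, flagging accounts with repeated
rejects. Sample lines are constructed; the threshold is an assumption.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, Tuple

# Matches "Rejected access: <User-Name> SSID: <NAS-Port-Id>". The user
# group is lazy so an SSID containing spaces still parses.
LINE_RE = re.compile(r"^Rejected access: (?P<user>.*?) SSID: (?P<ssid>.*)$")

# Constructed sample of authrejectlog-YYYYMMDD.log (not real data). The
# sixth line has an empty User-Name, as %{User-Name} expands when the
# reply carries no User-Name at all.
SAMPLE_LOG = """\
Rejected access: alice SSID: corp-wifi
Rejected access: bob SSID: corp-wifi
Rejected access: bob SSID: corp-wifi
Rejected access: bob SSID: guest
Rejected access: bob SSID: corp-wifi
Rejected access:  SSID: corp-wifi
garbage line that should be ignored
Rejected access: carol SSID: corp-wifi
"""

MISSING_USER = "<missing>"


def parse_reject_log(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, ssid) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user = m.group("user").strip() or MISSING_USER
        yield user, m.group("ssid").strip()


def summarise(text: str, threshold: int = 3) -> Dict[str, object]:
    """Count rejects per user and per SSID; flag users at or above threshold."""
    per_user: Counter = Counter()
    per_ssid: Counter = Counter()
    ssids_by_user = defaultdict(set)
    for user, ssid in parse_reject_log(text):
        per_user[user] += 1
        per_ssid[ssid] += 1
        ssids_by_user[user].add(ssid)
    flagged = sorted(u for u, n in per_user.items() if n >= threshold)
    return {
        "per_user": dict(per_user),
        "per_ssid": dict(per_ssid),
        "flagged": flagged,
        "ssids_by_user": {u: sorted(s) for u, s in ssids_by_user.items()},
        # rejects with no User-Name mean the outer reply lacks the inner
        # identity, i.e. the thread's original problem is still present
        "missing_user_count": per_user.get(MISSING_USER, 0),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```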
Re: Question on logging EAP/PEAP authentication rejections
Hi,

> being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

...or it could be that we've been running FreeRADIUS for a long, long time and the method we said works for us, but you've decided on some other path. Back in the 0.x days you'd have been SOOL, in the 1.x days it would have been code changes... in the 2.x days there are a few ways you can do it. You were told the best way of doing it - but you chose another valid way. Shrug.

alan
Re: Question on logging EAP/PEAP authentication rejections
Ok. I did follow this advice:

snip
>> Ok, I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in the post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
snip

What advice didn't I follow? That's all the advice I was given. Put stuff in there (Post-Auth-Type REJECT), which I did do. First I tried reply_log (which didn't log the username), so after much trial I modified linelog. I couldn't find documentation, even with searching online, about what to put in there. I pretty much guessed in the end.

If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph, please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused by the replies I received. Oh well.

Thanks
-Josh
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in the post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }

*This* is the cause of contention on the list. You've ignored the comment just above that... which documents how the Post-Auth-Type Reject section works.

> What advice didn't I follow? That's all the advice I was given.

The advice assumes that you have an open mind.

> Put stuff in there (Post-Auth-Type REJECT), which I did do. First I tried reply_log (which didn't log the username)

It logs the replies. It will log User-Name if it's in the reply.

> so after much trial I modified linelog. I couldn't find documentation, even with searching online, about what to put in there. I pretty much guessed in the end.

It's a section, just like any other section. This is documented in man unlang. You put modules or unlang rules there. This is documented in man unlang.

> If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph, please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused by the replies I received. Oh well.

The documentation assumes some amount of independent thought. It doesn't describe all possible configurations. It can't. Instead, it describes how the system works. It describes how *you* can use the tools at your disposal to solve any problem.

*This* is the cause of most of the contention on this list. Some people want to be spoon-fed every possible piece of information. They get testy when that doesn't happen. I get frustrated when people don't bother reading the documentation I wrote. I give direct opinions when they express how bad the documentation is... that they haven't read.

Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> I'm not sure why people kept telling me to read the spot above the Post-Auth-Type Reject section.

Because it describes how the Post-Auth-Type Reject section works. Note: no text saying it magically doesn't log User-Names.

> Here is a paste of the text above that section.

Because we haven't seen it before, right?

> This section was of no help as to why usernames were not getting logged in the detail logs for rejections. From my emails I believe I conveyed that I was reading documentation and doing the best I could on my own without being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions.

No... they're annoyed at people who ask questions that are answered in the documentation.

> That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

Are you really implying I haven't spent 12 years writing free software and helping people? If that is what you're implying, I have nothing polite to say to you. If that's not what you're implying, then you're admitting that the question is rude and inflammatory.

Honestly, why are so many people insistent on pissing off the people who help them for free? You're getting free software, free support, and free bug fixes. Yet that isn't good enough. We have to spend MORE time because the answers we give aren't good enough for you.

Why not just unsubscribe? If you insist on denigrating me, I'll just do it for you.

Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Ok, I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the reply_log section of ./modules/detail.log (I also enabled "copy tunneled reply to the outer tunnel" in eap.conf). In the logged rejections I'm not getting the User-Name though. I tried disabling the attr_filter.access_reject line in ./sites-enabled/default to see if the attributes were getting filtered, but that didn't do anything, as I expected. I know that Access-Reject logs are only supposed to have certain info (per the attr_filter.access_reject doc). Is there a way to modify the reply_log to include the User-Name in the rejection, or should I be using something other than reply_log?

Thanks!

-Josh

On Fri, Mar 16, 2012 at 4:58 PM, Alan DeKok al...@deployingradius.com wrote:
> Josh Hiner wrote:
>> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too.
>
> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Along with enabling use_tunneled_reply=yes etc., I am also updating the outer tunnel with the inner tunnel username like this, in ./sites-enabled/inner-tunnel:

    update outer.reply {
        User-Name = %{request:User-Name}
    }

Watching the radius debug I can even see attr_filter.access_reject expand User-Name, because it uses it as its key. I do have SQL reject logging working fine in other radius server setups. I read the short doc here: http://freeradius.org/radiusd/doc/Post-Auth-Type and have searched via Google. I'm sorry, I just cannot figure this one out. I even see attr_filter. I cannot get FreeRADIUS to log the username in EAP/PEAP login rejects.

Thanks again.

-Josh

On Fri, Mar 16, 2012 at 4:55 PM, Josh Hiner j...@remc1.org wrote:
> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too. I have:
>
>     use_tunneled_reply = yes
>     copy_request_to_tunnel = yes
>
> in eap.conf (need that to do group checking in the users file), but this does not seem to affect the issue of no rejected logins being logged. Searched this email list as well as online. Sorry to bother. Any info would be great. I appreciate your time. Thanks!!!
>
> -Josh
Re: Question on logging EAP/PEAP authentication rejections
Hi,

> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the

...to remind you what Alan said: Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.

in post-auth section

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

put things in that bit

alan
Re: Question on logging EAP/PEAP authentication rejections
Alan. Thanks for the reply. In one of my previous emails I did put reply_log in the post-auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post-auth reject spot in my default file under sites-enabled, and I do have stuff in that section as it clues me to. I must be missing something though, obviously.

Thanks

-josh

Sent from my iPhone

On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said: Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
>
> alan
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> Hello. I'm running freeradius 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too.

Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.

Alan DeKok.
Re: Question about certs and Microsoft
Scott McLane Gardner wrote:
> But I use a certificate authority, so later on in the documentation, it says:
>
>     If you have an existing certificate authority, and wish to create a
>     certificate signing request for the server certificate, edit server.cnf
>     as above, and type the following command.
>
>         $ make server.csr
>
>     You will have to ensure that the certificate contains the XP extensions
>     needed by Microsoft clients. The default configuration includes the XP
>     extensions.
>
> How do I go about ensuring this? Do I have to request them to be added from the CA?

The default configuration does this. You shouldn't need to do anything.

Alan DeKok.
Re: Question about certs and Microsoft
Excellent, thank you.

> The default configuration does this. You shouldn't need to do anything.
Re: Question about WARNING in rlm_sql_mysql
On Tue, Jan 31, 2012 at 4:31 PM, Krzysztof Grobelak kgrobe...@airspeed.ie wrote:
> Hello all,
>
> Can somebody shed some light on what the 'You probably need to lower min' means. I just installed fresh freeradius from git. All my settings are the same as in the last version but apart from the radiusd -X not working

Which part is not working?

> (but the radiusd -lxx -l stdout is) radius.log displays this warning about lowering the number of sql connections. Can anybody give some advice??

git blame and git show to the rescue :)

    $ git show a966a18e
    commit a966a18e757bff638bbf725d6f9150b5026fe07d
    Author: Alan T. DeKok al...@freeradius.org
    Date:   Sun Nov 6 11:02:44 2011 +0100

        Print WARNING if we fall below min connections

        We want to close idle sessions, sessions with max lifetime or max uses.
        BUT we want to enforce min.  The code will currently close a connection,
        notice num < min, and spawn a new one.  We warn the user that this is
        happening, so that they can fix their configuration.

-- Fajar
Re: Question about WARNING in rlm_sql_mysql
Krzysztof Grobelak wrote:
> Can somebody shed some light on what the 'You probably need to lower min' means.

See raddb/modules/sql in the latest git repository. The values and functionality are documented there.

> I just installed fresh freeradius from git. All my settings are the same as in the last version but apart from the radiusd -X not working (but the radiusd -lxx -l stdout is) radius.log displays this warning about lowering the number of sql connections. Can anybody give some advice??

Try lowering the minimum number of connections?

Alan DeKok.
Re: Question about WARNING in rlm_sql_mysql
Krzysztof Grobelak wrote:
> I did lower it, as it recommends, but I did not have to do it in previous versions and I wanted to understand what has changed in the new release.

Read raddb/mods-available/sql

Really. You managed to edit that file. This means you saw the comments in that file describing what changed.

> And thanks for the handy git commands Fajar. The radiusd -X command does not start the debug. It advises to use the radiusd -lxx -l stdout command to start it. I thought that freeradius is compiled with threads usage by default.

Yes, it is. But debug mode is single threaded. And if you want to use radsec, you MUST use threaded mode for debugging. The message describes what to do.

If you don't use radsec, then delete raddb/sites-enabled/tls

Alan DeKok.
Re: Question at certificates
Andreas Rudat wrote:
> I'm a little bit confused. I configured radius with a self-signed cert, peap+mschap, so if I try to connect with an android or apple device I get the question whether I want to accept the server cert, that's ok, but with windows or linux I get the error that there is no cert, but it still works. Why don't these clients download the cert? I can manually add them sure, but why is that so different?

That's how they work. Ask Microsoft why they designed their system that way. We have no idea.

Alan DeKok.
Re: Question regarding multivalued attributes in control list.
No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct, or perl.

Plus the way you're doing policies is weird. Why don't you just use the policy module (policy.conf)? It'd be way more memory efficient if you're using the same policy multiple times, and you gain the ability to overload module calls...

-Arran

On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
> Hello,
>
> I've been trying for two weeks to do some multi-valued attribute checking on my radius infrastructure. I've been looking at checkval, using the users file and such, but with no luck.
>
> I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local authentication is made against a Novell eDirectory ldap server. I'm fetching a multi-valued attribute from the ldap into the control list, and based on its content, I set the correct Airespace-Interface-Name value. At the beginning I was using unlang to match the value, and it works perfectly since 90% of the people only have one attribute. But some people have multiple attributes.
>
> So far, that's what I've been using. In the virtual server, at the end of authorize {}:
>
>     if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>         $INCLUDE ${confdir}/secure-hefr.policy
>     }
>
> secure-hefr.policy content:
>
>     if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>         update reply {
>             Airespace-Interface-Name := wifi_eia-etu
>         }
>     }
>     elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>         update reply {
>             Airespace-Interface-Name := wifi_eia-col
>         }
>     }
>     elsif { }
>     [ ... ]
>
> Some debug from a user who is multi-valued:
>
> server eduroam-inner-tunnel-peap { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap +- entering group authorize {...} ++[mschap] returns noop [suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch [suffix] Found realm hefr.ch [suffix] Adding Realm = hefr.ch [suffix] Authentication realm is LOCAL.
++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] expand: %t - Fri Sep 2 15:45:08 2011 ++[auth_log] returns ok [linelog] expand: %{Packet-Type} - Access-Request [linelog] expand: %{%{Packet-Type}:-format} - Access-Request [linelog] expand: /var/log/freeradius/linelog - /var/log/freeradius/linelog [linelog] expand: Requested access: %{User-Name} - Requested access: didier.perr...@hefr.ch ++[linelog] returns ok ++? if (User-Name =~ /(.*)@.*hefr.ch$/) ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...} expand: %{1} - didier.perroud +++[request] returns ok ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok ++[files] returns noop [ldap] performing user authorization for didier.perroud [ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud) [ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud) [ldap] Added the eDirectory password *** in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-HEFR-EIFR-TICO-TLCO-$-RSM [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RACA-TICO-MSEI-MTIC-$-RCA [ldap] looking for reply items in directory... 
[ldap] hessoRoleMemberKey - Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d [ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341 [ldap] hessoRoleMemberKey - Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341 [ldap] user didier.perroud authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...} +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) ? Evaluating (control:HESSO-MEMBER-KEY =~
Re: Question regarding multivalued attributes in control list.
Thanks Arran for those answers,

> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct, or perl.

hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or I'll simply fall back to rlm_perl. But not on a Friday evening, it will wait till Monday!

> Plus the way you're doing policies is weird. Why don't you just use the policy module (policy.conf)? It'd be way more memory efficient if you're using the same policy multiple times, and you gain the ability to overload module calls...

You're right, I'll move this into the policy file, didn't think about it.

Regards,

Olivier B.

> -Arran
>
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
>> Hello, I'm trying since two week to do some multi-valued attribute checking on my radius infrastructure. I've been looking to checkval, using the users file and such but with no luck. I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local authentication is made against an Novell eDirectory ldap server. I'm fetching a multi-valued attribute from the ldap into the control list, and based on its content, I set the correct Airespace-Interface-Name value. At the beginning I was using unlang to match the value, and it works perfectly since 90% of the people only have one attribute. But some people have multiple attributes. So far, that's what I've been using : In virtual server, at the end of authorize {} if (NAS-IP-Address =~ /160\.98\.156\..*/) { $INCLUDE ${confdir}/secure-hefr.policy } secure-hefr.policy content : if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) { update reply { Airespace-Interface-Name := wifi_eia-etu } } elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) { update reply { Airespace-Interface-Name := wifi_eia-col } } elsif { } [ ...
] Some debug from a user who is multi-valued : server eduroam-inner-tunnel-peap { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap +- entering group authorize {...} ++[mschap] returns noop [suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch [suffix] Found realm hefr.ch [suffix] Adding Realm = hefr.ch [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] expand: %t - Fri Sep 2 15:45:08 2011 ++[auth_log] returns ok [linelog] expand: %{Packet-Type} - Access-Request [linelog] expand: %{%{Packet-Type}:-format} - Access-Request [linelog] expand: /var/log/freeradius/linelog - /var/log/freeradius/linelog [linelog] expand: Requested access: %{User-Name} - Requested access: didier.perr...@hefr.ch ++[linelog] returns ok ++? if (User-Name =~ /(.*)@.*hefr.ch$/) ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++? 
if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...} expand: %{1} - didier.perroud +++[request] returns ok ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok ++[files] returns noop [ldap] performing user authorization for didier.perroud [ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud) [ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud) [ldap] Added the eDirectory password *** in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-HEFR-EIFR-TICO-TLCO-$-RSM [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RACA-TICO-MSEI-MTIC-$-RCA [ldap] looking for reply items in directory... [ldap] hessoRoleMemberKey - Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d [ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341 [ldap] hessoRoleMemberKey - Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341 [ldap] user didier.perroud authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) ?
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:
> Thanks Arran for those answers,
>
>> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct, or perl.
>
> hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or I'll simply fall back to rlm_perl. But not on a Friday evening, it will wait till Monday!

Tentative yes :) It'll only get truly production ready if people test it and report the bugs. But yes, it's good enough to build configs on, and good enough to test.

If you do a git-clone then you can establish basic version control with something like:

    #!/bin/bash
    cd /usr/local/src/freeradius
    git pull
    make clean
    hash=`git log -n 1 --pretty=format:%h`
    ./configure --prefix=/usr/local/freeradius-$hash --enable-developer
    make
    make install
    rm /usr/local/freeradius
    ln -s /usr/local/freeradius-$hash /usr/local/freeradius

Once you find a commit that does all you want, stick with it until there's an official 3.x release and then upgrade. For certain fixes you'll be able to use git cherry-pick to pull in individual commits.

-Arran

> -Arran
>
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
>> Hello, I'm trying since two week to do some multi-valued attribute checking on my radius infrastructure. I've been looking to checkval, using the users file and such but with no luck. I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local authentication is made against an Novell eDirectory ldap server. I'm fetching a multi-valued attribute from the ldap into the control list, and based on its content, I set the correct Airespace-Interface-Name value. At the beginning I was using unlang to match the value, and it works perfectly since 90% of the people only have one attribute. But some people have multiple attributes.
So far, that's what I've been using : In virtual server, at the end of authorize {} if (NAS-IP-Address =~ /160\.98\.156\..*/) { $INCLUDE ${confdir}/secure-hefr.policy } secure-hefr.policy content : if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) { update reply { Airespace-Interface-Name := wifi_eia-etu } } elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) { update reply { Airespace-Interface-Name := wifi_eia-col } } elsif { } [ ... ] Some debug from a user who is multi-valued : server eduroam-inner-tunnel-peap { # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap +- entering group authorize {...} ++[mschap] returns noop [suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch [suffix] Found realm hefr.ch [suffix] Adding Realm = hefr.ch [suffix] Authentication realm is LOCAL. ++[suffix] returns ok ++[control] returns ok [eap] EAP packet type response id 11 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902 [auth_log] expand: %t - Fri Sep 2 15:45:08 2011 ++[auth_log] returns ok [linelog] expand: %{Packet-Type} - Access-Request [linelog] expand: %{%{Packet-Type}:-format} - Access-Request [linelog] expand: /var/log/freeradius/linelog - /var/log/freeradius/linelog [linelog] expand: Requested access: %{User-Name} - Requested access: didier.perr...@hefr.ch ++[linelog] returns ok ++? if (User-Name =~ /(.*)@.*hefr.ch$/) ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++? 
if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...} expand: %{1} - didier.perroud +++[request] returns ok ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok ++[files] returns noop [ldap] performing user authorization for didier.perroud [ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud) [ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud) [ldap] Added the eDirectory password *** in check items as Cleartext-Password [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-HEFR-EIFR-TICO-TLCO-$-RSM [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RACA-TICO-MSEI-MTIC-$-RCA [ldap] looking for reply items in directory... [ldap] hessoRoleMemberKey - Class =
Re: Question regarding multivalued attributes in control list.
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct, or perl.

Last time I checked[1] it seemed trivial to backport to 2.1.x.

Cheers

[1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

--
Alexander Clouter
.sigmonster says: An algorithm must be seen to be believed. -- D. E. Knuth
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 23:16, Alexander Clouter wrote:
> Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct, or perl.
>
> Last time I checked[1] it seemed trivial to backport to 2.1.x.
>
> Cheers

Shhh, we need more guinea pigs, I mean users...

Arran Cudbard-Bell a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
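An added example for this thread of what Arran's "foreach" suggestion looks like in practice; it is not Olivier's configuration and not anything Arran posted. It is FreeRADIUS 3.x unlang, written as a named policy as Arran recommends. The role patterns and interface names are the ones from Olivier's mail; the policy name hefr_interface_from_roles, the file name and the fall-back interface wifi_quarantine are assumptions.

```unlang
# raddb/policy.d/hefr  -- files in policy.d are pulled into the policy { }
# block by radiusd.conf, so the file holds bare policy definitions.
# Added example, FreeRADIUS 3.x syntax. The multi-valued attribute
# control:HESSO-MEMBER-KEY is walked value by value instead of regex-matching
# whatever instance the old if/elsif happened to see first.

hefr_interface_from_roles {
	#  One iteration per value; the current value is in Foreach-Variable-0.
	#  The order of the checks decides precedence between roles, and
	#  "break" stops at the first hit so a later, lower-priority value
	#  cannot overwrite the interface already chosen.
	foreach &control:HESSO-MEMBER-KEY {
		if ("%{Foreach-Variable-0}" =~ /^RORG-MASO.*RCA$/) {
			update reply {
				&Airespace-Interface-Name := "wifi_eia-etu"
			}
			break
		}
		elsif ("%{Foreach-Variable-0}" =~ /^RORG-HEFR-EIFR.*RSM$/) {
			update reply {
				&Airespace-Interface-Name := "wifi_eia-col"
			}
			break
		}
	}

	#  Fail closed: a user none of whose roles matched lands on a
	#  restricted interface (assumed name) rather than on whatever the
	#  controller uses when the attribute is missing.
	if (!&reply:Airespace-Interface-Name) {
		update reply {
			&Airespace-Interface-Name := "wifi_quarantine"
		}
	}
}

# raddb/sites-enabled/eduroam-inner-tunnel-peap, end of the authorize {}
# section: the policy is called by name, which replaces the $INCLUDE.
#
#	if (&NAS-IP-Address =~ /^160\.98\.156\./) {
#		hefr_interface_from_roles
#	}
```

Because the policy is referenced by name, one compiled copy is shared by every server section that calls it, which is the memory point Arran makes; the "break" and the fail-closed default are the two behaviours the original if/elsif chain could not express.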
Re: Question about Access-Challenge
On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi udptele...@gmail.com wrote:
> Hello,
>
> I've got Mobile OTP to work with FreeRadius. I'd like to take this one step further and turn this into a two-phase process. The objective is to first take the PIN, authenticate that, and then communicate to the NAS with a challenge to receive the OTP from the user. I think this can be done via an Access-Challenge reply to the NAS. My question is how do I get FreeNAS to send an Access-Challenge once it has verified the PIN is correct? If anyone can kindly give me some hints or point me in the right direction.

IMHO the simplest way would be just to concatenate them together. e.g. if:

- your pin is 4 digits
- your OTP is 12 digits
- you use PAP

then you can ask your users to put the 4-digit pin followed by the 12-digit OTP, so the password will be 16 digits. And since you use PAP, you get the User-Password attribute in the request, which can easily be split using unlang/regex into two components, which you can then verify.

-- Fajar
Re: Question about Access-Challenge
Yes, it works this way. But the requirements are for a two-phase authentication.

Sent from my iPhone

On Jul 8, 2011, at 2:11 AM, Fajar A. Nugraha l...@fajar.net wrote:
> On Fri, Jul 8, 2011 at 10:14 AM, Jamshid Abedi udptele...@gmail.com wrote:
>> Hello,
>>
>> I've got Mobile OTP to work with FreeRadius. I'd like to take this one step further and turn this into a two-phase process. The objective is to first take the PIN, authenticate that, and then communicate to the NAS with a challenge to receive the OTP from the user. I think this can be done via an Access-Challenge reply to the NAS. My question is how do I get FreeNAS to send an Access-Challenge once it has verified the PIN is correct? If anyone can kindly give me some hints or point me in the right direction.
>
> IMHO the simplest way would be just to concatenate them together. e.g. if:
>
> - your pin is 4 digits
> - your OTP is 12 digits
> - you use PAP
>
> then you can ask your users to put the 4-digit pin followed by the 12-digit OTP, so the password will be 16 digits. And since you use PAP, you get the User-Password attribute in the request, which can easily be split using unlang/regex into two components, which you can then verify.
>
> -- Fajar
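Since Jamshid needs the two-phase flow rather than the concatenation Fajar suggests, here is an added example of how the Access-Challenge round trip is expressed in FreeRADIUS 3.x unlang. It is not configuration from either poster. Assumptions: an earlier module (ldap is used below) loads the user's PIN into control:Cleartext-Password, a module instance named motp_verify checks User-Password against the user's OTP seed, and CHANGE-ME-secret stands for a server-side secret; control:Response-Packet-Type and the State attribute are stock.

```unlang
# raddb/sites-available/otp-two-phase (added example, FreeRADIUS 3.x syntax;
# the listen section is omitted). Round trip 1 carries the PIN in
# User-Password and is answered with Access-Challenge; round trip 2 carries
# the OTP plus the State the NAS must echo back.
server otp_two_phase {
	authorize {
		ldap		# assumed: puts the PIN into &control:Cleartext-Password
		if (!&State) {
			#  No State attribute: first round trip, password field is the PIN.
			update control {
				&Auth-Type := Pin-Phase
			}
		}
		else {
			#  The NAS echoed a State: second round trip, password is the OTP.
			update control {
				&Auth-Type := Otp-Phase
			}
		}
	}

	authenticate {
		Auth-Type Pin-Phase {
			#  pap compares User-Password with control:Cleartext-Password and
			#  returns reject on mismatch, which ends this section, so the
			#  challenge below is only built after a correct PIN.
			pap
			update reply {
				#  The State is opaque to the NAS. Deriving it from the user
				#  name with a keyed HMAC lets phase 2 verify that this server
				#  issued it, without keeping per-session state.
				&State := "%{hmacsha1:%{User-Name} CHANGE-ME-secret}"
				&Reply-Message := "Enter your one-time password"
			}
			update control {
				#  Turn the would-be Access-Accept into an Access-Challenge.
				&Response-Packet-Type := Access-Challenge
			}
		}

		Auth-Type Otp-Phase {
			#  Refuse any State we did not issue; otherwise a client could skip
			#  the PIN phase by sending an arbitrary State with its first packet.
			if (&State != "%{hmacsha1:%{User-Name} CHANGE-ME-secret}") {
				reject
			}
			motp_verify	# assumed module: validates User-Password as the OTP
		}
	}
}
```

The check in Otp-Phase is the part that makes the two phases actually sequential: RADIUS is stateless, so the only evidence that the PIN was verified is the State value itself. As written, the State is the same for every login of a given user; folding a coarse timestamp into the HMAC input and accepting the current and previous window is the natural next step if replay of a captured State is a concern in your deployment.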
Re: question re inner tunnel / virtual server
Michael Arndt wrote:
> I try to get a better grip on understanding the virtual server for the inner EAP tunnel.

The TLS-based EAP methods involve setting up a TLS tunnel between the client PC and the RADIUS server. Processing of the TLS tunnel is done by the default virtual server. Just the same as CHAP, PAP, EAP-MD5, etc.

Once the TLS tunnel is set up, authentication data is sent inside of the tunnel. The server treats this data just as if it was another authentication request, *but* processes it through the inner-tunnel virtual server. This allows the inner-tunnel policies to be different from the ones for the default virtual server. The policies *should* be different because it's a different kind of authentication: inside of a TLS tunnel.

> - The eap module can map tunneled requests to a virtual server (inner tunnel)

That's vague to the point of being meaningless. What's "map"?

> - It knows where to communicate by freeradius reading the virtual servers configs in sites-enabled

I have no idea what that means.

> - So the Port configured for the inner tunnel virtual server (statement valid only for this inner tunnel VS) is only relevant wrt external for testing purposes in order to test correct freeradius config wrt EAP

That sounds right.

> - freeradius handles the communication to the inner tunnel with the above mentioned mapping of the eap module. So in productive use there is no need to reference the Port for the inner tunnel (except when proxying or using the test for EAP to check for a valid config)

No. Proxying has nothing to do with the "listen" section in the inner-tunnel.

> - the main goal of the inner tunnel virtual server is to allow completely independent policies for outer / inner tunneled sessions.

Yes.

When trying to understand things, keep the descriptions concrete, and fact-based. Saying requests can "map" to something is vague.

Alan DeKok.
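To make Alan's description concrete, here is an added example of the two halves he describes: the eap module hands the tunnelled request to the inner-tunnel virtual server, and that server carries policy that makes no sense for the outer request. It is not from Michael's or Alan's mail. FreeRADIUS 2.x syntax; the section, module and list names are stock, while the realm-consistency rule and the loopback-only listen section are this example's choices.

```unlang
# raddb/eap.conf (added example, FreeRADIUS 2.x syntax)
eap {
	default_eap_type = peap
	tls {
		#  ... certificate settings as generated by raddb/certs ...
	}
	ttls {
		default_eap_type = mschapv2
		#  Once the TLS tunnel is up, the data inside it is processed as a
		#  fresh request through the sections of this virtual server.
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}

# raddb/sites-enabled/inner-tunnel
server inner-tunnel {
	#  The listen section exists only so the inner policy can be exercised
	#  with radtest from the box itself. It is bound to loopback on purpose:
	#  this server sees the credentials the TLS tunnel protects, so it must
	#  not be reachable from the network. Production EAP traffic never uses
	#  this port; the eap module calls the server internally.
	listen {
		ipaddr = 127.0.0.1
		port = 18120
		type = auth
	}

	authorize {
		suffix
		#  Inner-only policy: when the outer (possibly anonymous) identity
		#  named a realm, the identity inside the tunnel must use the same
		#  realm. The outer server has no "inner" identity to compare, which
		#  is exactly why the two virtual servers carry different rules.
		if (outer.request:Realm && (Realm != "%{outer.request:Realm}")) {
			reject
		}
		mschap
		eap {
			ok = return
		}
		ldap
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		#  EAP-MSCHAPv2 / EAP-GTC inside PEAP terminate here.
		eap
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}
```

A request arriving on port 18120 has no outer request, so the realm rule simply does not fire for radtest, while for tunnelled requests it stops a client from presenting one realm to the roaming infrastructure and another to the home server.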
Re: Question about authentication
matteo wrote:
> Hello list, suppose I want to authenticate a device capable of using PEAP with EAP-MS-CHAP v2 or EAP-GTC, and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2, and I have user passwords stored in LDAP (linux) with the crypt scheme and freeradius server 2.1.9. Is there any mechanism to successfully authenticate the client?

No. It's impossible.

http://deployingradius.com/documents/protocols/compatibility.html

Alan DeKok.
Re: Question regarding nested WiMAX TLV formatting
Adrien Demarez wrote:
> I wish to deploy FreeRadius on a WiMAX setup, ...

Lots of people do this, I'm not sure why. :(

>     INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES
>     (1, 'Gold', 'WiMAX-Packet-Flow-Descriptor-v2', ':=', '??'),
>     (2, 'Gold', 'WiMAX-PFDv2-Packet-Data-Flow-Id', ':=', '1') # inside the first one

Now. You just specify WiMAX-PFDv2-Packet-Data-Flow-Id, and the server will Do The Right Thing. The server *knows* that it's a TLV, and will pack the attributes appropriately.

Alan DeKok.
Re: Question on Radius logs
--On Tuesday, February 01, 2011 08:41:54 -0800 Brett Littrell blittr...@musd.org wrote:
> Hi All,
>
> Real quick and I am sure easy question here. I read through the unlang man page, really helped in getting a clue. One thing I was wondering though, is there a way to output text to the log based on a condition? What I mean is something like "if x != y then printf("x did not equal y")". This would be for debugging and log review. Currently we use Cisco ACS, which with all its limitations the one thing that is great about it is its pass/fail logs. Our techs use them all the time to diagnose problems. If I could inject text strings into the logs when certain issues occur it would make it a lot easier to figure out scripts as well as make common issues easier for techs to troubleshoot. From what I can tell in the unlang man page it did not mention this, perhaps I missed it though.

Hi Brett,

It sounds like the linelog module may do what you need, in conjunction with unlang for the conditionals: https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog

Regards,
James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
Re: Question on Radius logs
Hi James,

That looks perfect for the tech logs, thanks. The debugging side was a little different: I was thinking about inputting text strings in the middle of unlang scripts. Usually when I write, say, a C program I will pop in a lot of printf's with variables so I know what a variable is in a program; well, used to anyway, debuggers make that too easy now to waste time on it. For freeradius I was not sure if there was similar functionality. I am guessing there is not; I was kind of thinking it may be a stretch to add something like that in a config file.

Thanks for the linelog module, that will really help a lot!!

Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE

On Tuesday, February 01, 2011 at 9:02 AM, in message 57DE4B8C2C2D9555B06A9046@valium, James J J Hooper jjj.hoo...@bristol.ac.uk wrote:
> --On Tuesday, February 01, 2011 08:41:54 -0800 Brett Littrell blittr...@musd.org wrote:
>> Hi All,
>>
>> Real quick and I am sure easy question here. I read through the unlang man page, really helped in getting a clue. One thing I was wondering though, is there a way to output text to the log based on a condition? What I mean is something like "if x != y then printf("x did not equal y")". This would be for debugging and log review. Currently we use Cisco ACS, which with all its limitations the one thing that is great about it is its pass/fail logs. Our techs use them all the time to diagnose problems. If I could inject text strings into the logs when certain issues occur it would make it a lot easier to figure out scripts as well as make common issues easier for techs to troubleshoot. From what I can tell in the unlang man page it did not mention this, perhaps I missed it though.
>
> Hi Brett,
>
> It sounds like the linelog module may do what you need, in conjunction with unlang for the conditionals: https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog
>
> Regards,
> James
>
> --
> James J J Hooper
> Network Specialist
> Information Services
> University of Bristol
> http://www.wireless.bristol.ac.uk
Re: Question on Radius logs
Hi,

As James says... unlang with the linelog module.. if you want to do more, then that's easy too - just use the PERL module and use unlang with a call to a logging PERL module - the world is your oyster at that stage regarding what you can do - with your printf's etc :-)

alan
Re: Question on Radius logs
Thanks Alan, Did not think about calling the perl module, that should work very well... thanks

Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE

On Tuesday, February 01, 2011 at 10:15 AM, in message 20110201181525.ga9...@lboro.ac.uk, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> as James says...unlang with linelog module.. if you want to do more, then that's easy too - just use PERL module and use unlang with a call to a logging PERL module
Re: Question on Radius logs
> The debugging side was a little different, I was thinking about inputting text strings in the middle of unlang scripts

If you run radiusd -X you will see the output of expansions, so you can do

    if ("DEBUG: I am looking at %{foo} and %{bar}") {
    }

and you'll see the text in the log. Experimentation suggests that the closing brace can't be on the same line as the opening brace though.

Actually, there is a %{debug:} expansion, but it just sets the debug level to the (integer) argument, and doesn't actually send a debug message.

Setting the Reply-Message attribute can be useful for debugging too.

HTH,
Brian.
Re: Question on Radius logs
Brett Littrell wrote:
> For freeradius I was not sure if there was similar functionality. I am guessing there is not, I was kind of thinking it may be a stretch to add something like that in a config file.

See radmin, and raddebug. They can print full debugging logs for a particular user, while the server is running in daemon mode. *Much* more useful than printf.

Alan DeKok.
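James's linelog pointer, Brian's radiusd -X trick and the pass/fail log Brett asked for, put together as an added example in FreeRADIUS 2.1.x configuration syntax (editor's example, not from the list posts or the FreeRADIUS distribution). The instance name techlog, the log path, the message formats and the wireless-only condition are assumptions.

```unlang
#  raddb/modules/linelog (added example): one linelog instance, several
#  messages.  "reference" is expanded per request and selects the entry
#  of "messages" to write, falling back to "default".
linelog techlog {
	filename = ${logdir}/techlog.log
	permissions = 0600

	reference = "messages.%{%{reply:Packet-Type}:-default}"

	messages {
		default       = "%t %{Packet-Type} user=%{User-Name} nas=%{NAS-IP-Address}"
		Access-Accept = "%t PASS user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port} vlan=%{reply:Tunnel-Private-Group-Id}"
		#  Module-Failure-Message carries the failing module's reason
		#  (bad password, backend down, ...).  Never expand
		#  %{User-Password} into a log line.
		Access-Reject = "%t FAIL user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port} reason=%{Module-Failure-Message}"
	}
}

#  raddb/sites-available/default (excerpt): unlang supplies the conditionals.
authorize {
	#  Brian's trick: radiusd -X prints the expanded condition, so this
	#  behaves like a debug printf.  Keep the closing brace on its own line.
	if ("DEBUG: User-Name=%{User-Name} Called-Station-Id=%{Called-Station-Id}") {
		noop
	}
	...
}

post-auth {
	#  Write a tech-log line only for wireless 802.1X logins (assumption
	#  for the example); other accepts are left to the normal logging.
	if (EAP-Message && (NAS-Port-Type == Wireless-802.11)) {
		techlog
	}

	#  Rejects never reach the main post-auth list, only this sub-section,
	#  so the FAIL line has to be written from here.
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		techlog
	}
}
```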
Re: Question on Virtual Servers and inner-tunnel
On 01/25/2011 11:18 PM, Brett Littrell wrote:
> [...] with inner-tunnel requests. So my question is whether naming the server inner-tunnel causes it to exclusively handle inner-tunnel requests, in other words is inner-tunnel a hard coded name that has to be used for handling inner-tunnel requests?

No. It is set in eap.conf; see the virtual_server option under the peap and ttls stanzas.

You can also override (per-request) to use a different virtual server in the outer tunnel e.g. /etc/raddb/sites-available/default:

    authorize {
        ...
        if (EAP-Message) {
            if (...some lookup...) {
                update control {
                    # this directs the inner tunnel from this EAP
                    # session to the named virtual server
                    Virtual-Server := somedifferentthing
                }
            }
        }
        ...
    }

Something that might not be obvious also - the virtual server name actually comes from the:

    server NAME {
        authorize {
            ..
        }
    }

...NAME option on the server{} block. By convention and to avoid confusion the filename in /etc/raddb/sites-{available,enabled} is the same, but it doesn't need to be (and in fact doesn't need to be in a separate file).
OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]
Gary Gatten ggat...@waddell.com wrote:
> And I don't have control over what our half dozen email processors do to my email after I send it.

You live in a country that prevents you using any other SMTP server other than the one allocated to you? Unable to get a freebie email address (Gborg) that comes with SMTP submission? Unable to run your own SMTP server and/or buy your own domain. That's a terrible place to live, let me know so I know never to visit.

If that's not the case, learn to use a n...@waddell.com email address though you undoubtedly have.

Cheers

--
Alexander Clouter
.sigmonster says: Everything ends badly. Otherwise it wouldn't end.
Re: OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]
Hmmm, build/use a different email system? Genius! Why didn't I think of that

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Wed Jan 26 02:56:23 2011
Subject: OT: email fail [was Re: Question on Virtual Servers and inner-tunnel]

> You live in a country that prevents you using any other SMTP server other than the one allocated to you? [...]
Re: Question on Virtual Servers and inner-tunnel
Brett Littrell wrote:
> Hope this is not too stupid of a question but I have been checking out the inner-tunnel virtual server under sites-enabled. I read up a little on virtual servers and it looks like the inner-tunnel virtual server is just a regular old virtual server

Yes.

> yet in the comments it says it specifically handles inner tunnel requests.

So? Some families have two cars. One for each of two adults.

> I went through the default config for the inner-tunnel and did not see any commands that were un-commented that seemed to specify that the server exclusively dealt with inner-tunnel requests.

It's *designed* to work with inner-tunnel requests. But see the file in version 2.1.10: you can use it as a normal server for testing.

> So my question is whether naming the server inner-tunnel causes it to exclusively handle inner-tunnel requests, in other words is inner-tunnel a hard coded name that has to be used for handling inner-tunnel requests?

See eap.conf. Look for inner-tunnel

Alan DeKok.
Re: Question on Virtual Servers and inner-tunnel
Hi All,

You guys really explained it well, appreciate it. I really wanted to know to try and get an idea of how this works and figure out the best way to set this up and clarifying that really helped. And yes I did get Gary joking and I do not mind a little elbow in the ribs joking, just as long as he does not mind pay backs in other email..HeHe:) I do appreciate Alex popping in on my behalf as well, it is nice to see someone out there helping out the new guys.

Anyway, I think I have enough info to do some damage, hopefully I won't spam the list with too many more questions:)

FYI: You guys are great, and I think I speak for everyone new to freeradius that we appreciate your help.

PS: What is up with Gary's email? or is it my threaded view? Gary's email keeps popping up as a new email and not as a threaded response?

Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE
Re: Question on Virtual Servers and inner-tunnel
Brett Littrell blittr...@musd.org wrote:
> PS: What is up with Gary's email? or is it my threaded view? Gary's email keeps popping up as a new email and not as a threaded response?

I guess corporate policy is to use a broken email client as well as an SMTP server that adds a 'legally-holds-no-water' disclaimer. The last mail client I saw doing this was Novell Groupwise <shudder/>

In case you did not know, if you look at the headers for the other emails here, you will see a 'References' line, that is what makes threading work...it's also the tell-tale sign when folk hit 'Reply' rather than 'Compose' when they want to post a *new* thread to the mailing list.

Now if you fix your email client for text/plain only... :)

</email-nazi>

--
Alexander Clouter
.sigmonster says: Serving coffee on aircraft causes turbulence.
Re: Question on Virtual Servers and inner-tunnel
Must have been a really old version of GW, I use GW here and it seems to thread fine but we are on the latest version.

Thanks again..

Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE

On Wednesday, January 26, 2011 at 8:48 AM, in message vrv518-hm1@chipmunk.wormnet.eu, Alexander Clouter a...@digriz.org.uk wrote:

> I guess corporate policy is to use a broken email client as well as an SMTP server that adds a 'legally-holds-no-water' disclaimer. The last mail client I saw doing this was Novell Groupwise <shudder/>
Re: Question on Virtual Servers and inner-tunnel
That's a stupid question for someone with so many certs! ;) jus givn ya $hit.

AFAIK it's not hard coded. In a config file somewhere is probably something like: if request type is 'x' then server inner-tunnel. It's been some time since I looked at the conf files so I can't say for sure which one and where.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Tue Jan 25 17:18:57 2011
Subject: Question on Virtual Servers and inner-tunnel

> Hi All,
>
> Hope this is not too stupid of a question but I have been checking out the inner-tunnel virtual server under sites-enabled. I read up a little on virtual servers and it looks like the inner-tunnel virtual server is just a regular old virtual server yet in the comments it says it specifically handles inner tunnel requests. I went through the default config for the inner-tunnel and did not see any commands that were un-commented that seemed to specify that the server exclusively dealt with inner-tunnel requests.
>
> So my question is whether naming the server inner-tunnel causes it to exclusively handle inner-tunnel requests, in other words is inner-tunnel a hard coded name that has to be used for handling inner-tunnel requests?
>
> Brett Littrell
> Network Manager MUSD
> CISSP, CCSP, CCVP, MCNE
Re: Question on Virtual Servers and inner-tunnel
You could define new ones, change the existing one, both, etc. Generally speaking the default config just works unless you're doing something interesting. I can't say how/what you should do without knowing more about it. And then I prolly still can't, but others could.

Since you're so self motivated, perhaps you could draft curriculum and tests for an FR cert?

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: 'freeradius-users@lists.freeradius.org'
Sent: Tue Jan 25 17:50:53 2011
Subject: Re: Question on Virtual Servers and inner-tunnel

> So I guess the follow up question is then, if I want to create multiple virtual servers, I am going to have to find this config file if I want those servers to deal with the inner-tunnel requests or are you supposed to just define another server in the inner-tunnel file if you want a second virtual server that deals with inner-tunnel requests?
>
> That was a lot of certs? I have a lot more, those are just the most recent HeHe... I would attempt a cert in freeradius so I can pick it up faster but I never heard of a class for it much less a certification or training materials...
>
> Thanks for the fast response.
>
> Brett Littrell
> Network Manager MUSD
> CISSP, CCSP, CCVP, MCNE
>
> On Tuesday, January 25, 2011 at 3:40 PM, in message 13923_1295998812_4d3f5f5c_13923_216_1_d9b37353831173459fdaa836d3b43499ae519...@wadpmbxv0.waddell.com, Gary Gatten ggat...@waddell.com wrote:
>
> > That's a stupid question for someone with so many certs! ;) jus givn ya $hit. [...]
RE: Question on Virtual Servers and inner-tunnel
The inner tunnel virtual server can be specified in the eap configuration. By default it is the inner tunnel virtual server. :) See the ttls/peap/etc sections of eap.conf

Ben

From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org On Behalf Of Brett Littrell
Sent: Tuesday, January 25, 2011 5:51 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Question on Virtual Servers and inner-tunnel

> So I guess the follow up question is then, if I want to create multiple virtual servers, I am going to have to find this config file if I want those servers to deal with the inner-tunnel requests or are you supposed to just define another server in the inner-tunnel file if you want a second virtual server that deals with inner-tunnel requests? [...]
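The three answers in this thread (the virtual_server option in eap.conf that Alan and Ben point to, Phil's per-request Virtual-Server override, and the point that server NAME {} rather than the file name defines a virtual server) shown together as an added example in FreeRADIUS 2.1.x syntax; this is editor's example configuration, not the project's stock files. The second inner server inner-tunnel-staff, its policy and the NAS address 192.0.2.10 are assumptions.

```unlang
#  raddb/eap.conf (excerpt): each tunnelled method names the virtual
#  server that handles its inner request.  "inner-tunnel" is only the
#  default value, not a hard-coded name.
eap {
	default_eap_type = peap
	...
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}

#  raddb/sites-available/inner-tunnel-staff (added example).  The name
#  comes from "server NAME"; the file name is convention only.  Policy
#  difference from the stock inner-tunnel: no cleartext inner method.
server inner-tunnel-staff {
	authorize {
		#  TTLS/PAP carries User-Password inside the tunnel; refuse it
		#  here before any backend is consulted.
		if (User-Password) {
			reject
		}
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
	}

	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}

	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}

#  raddb/sites-available/default (outer server, excerpt): Phil's
#  per-request override.  Key it on the NAS, not on the outer User-Name:
#  the outer identity is chosen by the client before anything has been
#  authenticated, so it must not select which inner policy applies.
#  authorize runs for every packet of the EAP conversation, so the
#  condition has to hold for all of them.
authorize {
	preprocess
	...
	if (EAP-Message && (NAS-IP-Address == 192.0.2.10)) {   # assumed staff NAS
		update control {
			Virtual-Server := "inner-tunnel-staff"
		}
	}
	eap {
		ok = return
	}
	...
}
```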
Re: Question on Virtual Servers and inner-tunnel
Gary Gatten ggat...@waddell.com wrote:
> [-- multipart/alternative, encoding 7bit, 1 lines --]
> [-- text/plain, encoding base64, charset: utf-8, 38 lines --]
>
> That's a stupid question for someone with so many certs! ;) jus givn ya $hit.
>
> [snipped]
>
> This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.
>
> [-- text/html, encoding base64, charset: utf-8, 48 lines --]

[-- text/plain, encoding 7bit, charset: us-ascii, 2 lines --]

...says the guy sending HTML emails with a retarded 'disclaimer' attached to all outbound email. Before you pick on someone, please learn how to use your email client, it otherwise leaves you looking like a puppy curling one out on the carpet.

Cheers

--
Alexander Clouter
.sigmonster says: Beam me up, Scotty! It ate my phaser!
Re: Question on Virtual Servers and inner-tunnel
Did you read the part where I said I was just giving him $hit? OP did, and he got it. And I don't have control over what our half dozen email processors do to my email after I send it. But, just for you I'll see what I can do.

Thanks.

- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Wed Jan 26 00:49:27 2011
Subject: Re: Question on Virtual Servers and inner-tunnel

> ...says the guy sending HTML emails with a retarded 'disclaimer' attached to all outbound email. Before you pick on someone, please learn how to use your email client, it otherwise leaves you looking like a puppy curling one out on the carpet.
Re: Question about NAS-Port attribute when using freeradiusclient
Ali Majdzadeh wrote:
> Hello All
> I am using freeradiusclient in combination with PPP in order to setup RADIUS authentication for PPTP users. Actually, I managed to authenticate users using RADIUS but I noticed that the NAS-Port attribute which is sent to RADIUS server is always 0. Is this normal? Is there any way to generate proper values for NAS-Port? Is this attribute set by radiusclient or is it extracted from somewhere else? (PPP, maybe?)

It's set by the code in PPP that calls radiusclient. If you want it changed, go fix PPP.

Alan DeKok.
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Thanks a lot.

Warm Regards
Ali Majdzadeh Kohbanani

2010/10/8 Alan DeKok al...@deployingradius.com
> It's set by the code in PPP that calls radiusclient. If you want it changed, go fix PPP.
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Sorry for this extra post, but, what about the Interim-Update attribute? Is there any way to instruct the PPTP VPN connection to send interim accounting packets to the RADIUS server?

Warm Regards
Ali Majdzadeh Kohbanani
Re: Question about NAS-Port attribute when using freeradiusclient
Alan,
Sorry for this third post, I managed to instruct the PPTP VPN server (NAS) to send Interim-Update packets by adding the following line to /etc/radiusclient/dictionary:

    ATTRIBUTE   Acct-Interim-Interval   85   integer

Of course, I had set the Acct-Interim-Interval attribute to 60 for the specific test user in the users file of the RADIUS server. Is this OK? Why is the above definition not added to freeradiusclient's dictionary?

Warm Regards
Ali Majdzadeh Kohbanani
Re: Question about rlm-unix authentication
James S. Smith wrote:
> I'm trying to get FreeRadius to authenticate against the local server's usernames and passwords. I have a fresh installation and I've confirmed that authentication is working with a test entry in the /etc/raddb/users file. I've also tested authentication from another system and it works too. I then try to authenticate against a unix account I have on the system (testrad). It comes back as Access-Reject, which seems to suggest it tried to look for the user account and felt it wasn't there and in the radiusd -X the unix module reports notfound. I've confirmed I can log in via Unix with this account, so it definitely works. I also made a test program that makes the same calls as rlm_unix and it was able to successfully lookup the user account.

Well.. if the user isn't found in /etc/passwd, then it isn't found. There aren't too many reasons why a passwd lookup won't work. What about file/user permissions?

Alan DeKok.
Re: Question about sending VLAN attributes to Access Points
On Tue, Sep 21, 2010 at 12:41:08PM +0100, Alan Buxey wrote:
> Hi,
>
> > is it possible to send attributes based on the used SSID?
>
> yes. as that can be gained from RADIUS attributes sent to the RADIUS server. where you do them, and how you do them - ie unlang, users, SQL huntgroups etc etc is down to you

What I needed:

    DEFAULT Auth-Type = ntlm_auth
            Exec-Program-Wait = "/usr/local/sbin/radius-vlan-attribute.pl %{User-Name} %{Called-Station-Id}"

Now I am able to ask various Active Directory servers by using Net::LDAPS. This enables me to put the following parameters into relation:

- DOMAIN
- username
- SSID

And it makes me more flexible when I have to deal with complex Active Directory forest structures. The script returns something like

    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 1234

or nothing at all.

So long,
Aiko

--
:wq ✉
Re: Question about sending VLAN attributes to Access Points
Aiko Barz a...@chroot.de wrote:
> Now I am able to ask various Active Directory servers by using Net::LDAPS. This enables me to put the following parameters into relation:
>
> - DOMAIN
> - username
> - SSID
>
> And it makes me more flexible when I have to deal with complex Active Directory forest structures. The script returns something like Tunnel-Type = 13, Tunnel-Medium-Type = 6, Tunnel-Private-Group-ID = 1234 or nothing at all.

You could do that, or do like the rest of us do and use rlm_ldap with some unlang...

Cheers

--
Alexander Clouter
.sigmonster says: You will probably marry after a very brief courtship.
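The unlang route Alan and Alexander point to, applied to the SSID part of Aiko's lookup, as an added example in FreeRADIUS 2.1.x syntax (editor's example, neither Aiko's script nor project configuration): the SSID is cut out of Called-Station-Id with a regex and mapped to the same VLAN attributes Aiko's script returns. The SSID names and VLAN numbers are constructed; the DOMAIN/username part of Aiko's lookup would still come from rlm_ldap.

```unlang
#  raddb/sites-available/default, post-auth section (added example).
#  Wireless NASes send Called-Station-Id as "<AP-MAC>:<SSID>" (RFC 3580,
#  section 3.20); the regex captures the SSID as %{2} and the switch
#  maps it to a VLAN.  SSID names and VLAN ids are constructed.
post-auth {
	if (Called-Station-Id && ("%{Called-Station-Id}" =~ /^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}:(.+)$/i)) {
		switch "%{2}" {
			case "staff-wlan" {
				update reply {
					Tunnel-Type := VLAN
					Tunnel-Medium-Type := IEEE-802
					Tunnel-Private-Group-Id := "1234"
				}
			}
			case "guest-wlan" {
				update reply {
					Tunnel-Type := VLAN
					Tunnel-Medium-Type := IEEE-802
					Tunnel-Private-Group-Id := "2000"
				}
			}
			case {
				#  An SSID with no policy gets no access rather than an
				#  untagged port: a reject returned from post-auth turns
				#  the Access-Accept into an Access-Reject.
				reject
			}
		}
	}
	...
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

A wired NAS sends no SSID, so the regex does not match and the block is skipped; the VLAN for such ports has to come from another rule.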
Re: Question on proxy setting
柴崎 昌一 wrote:
> We want to re-send Accounting-Request again by using the Proxy server. Because our NAS doesn't send Accounting-Request again. We want to set it to Synchronous=no. Can I make it to Synchronous=no?

No. See raddb/sites-available/robust-proxy-accounting

Alan DeKok.
Re: Question about configurable module fail-over
Ana Gallardo wrote:
> I want to return an error code if my FreeRADIUS can't contact the backend. Here is my authorize section:
>
>     authorize {
>         . . .
>         switch %{Realm} {
>             ...
>         }
>         if (fail) {

That won't work, unfortunately. The return codes of *modules* can be over-written. The return code of a switch statement cannot be.

This issue is largely due to the fact that the configuration files have had functionality piled on top of old code. We want to be backwards compatible, so breaking existing systems isn't an option. But this limits the capabilities of the new functions.

In short: re-write the rules so that you don't use switch.

Alan DeKok.
Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> So I want to make all the rest of the devices be authenticated. It will be even better if I can assign them to a specific VLAN. I was reading ./sites-available/default and I found that (Auth-Type := Accept) forcibly accepts the user. Where do I put it? I tried:
>
>     post-auth {
>         Post-Auth-Type REJECT {
>             # attr_filter.access_reject
>             Auth-Type := Accept
>         }
>     }

It's too late to over-ride the reject at that point. And I doubt that this will prevent the icon from appearing on their desktop.

The icon means that the *PC* believes it wasn't authenticated. The config above tells the *NAS* to allow them in, but does not convince the *PC* that it has been authenticated.

There is no substitute for running the authentication protocol correctly.

Alan DeKok.
RE: Question: How do I forcibly accept all rest requests??
Alan,

Thank you for the quick reply! However, if you can fool the NAS into believing that the device is authenticated, will the switch also send an EAP Success message to the laptop to fool it as well? If the laptop is configured to use PEAP and to validate the certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the server (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed reply, can it be configured to simply send a success back anyway? If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

I apologize if I got any EAP/RADIUS theory totally wrong...

The company I work for serves hotels. They want their staff to be put in the right VLAN for admin management purposes while guests are put in the guest VLAN. Now my setup is pissing some guests off because they don't like to see "failed" on their laptops. It's kind of important... I would really appreciate it if you can come up with a solution for it... Thank you!

Guest-tek,
Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
Re: Question: How do I forcibly accept all rest requests??
Difan Zhao wrote:
> However, if you can fool the NAS into believing that the device is authenticated, will the switch also send an EAP Success message to the laptop to fool it as well?

No. Even if it does, the laptop will ignore it.

There is no substitute for running the authentication protocol correctly.

> If the laptop is configured to use PEAP and to validate the certificate, then you are right, there is nothing we can do. If the laptop is configured not to validate the certificate, then when the server (freeradiusd) sends a challenge in the TLS tunnel and receives a hashed reply, can it be configured to simply send a success back anyway?

That's not the way PEAP works. So no, it's impossible.

> If the laptop is configured to use MD5, then I think it's even easier to make this happen...?

It's still impossible.

> I apologize if I got any EAP/RADIUS theory totally wrong...
>
> The company I work for serves hotels. They want their staff to be put in the right VLAN for admin management purposes while guests are put in the guest VLAN. Now my setup is pissing some guests off because they don't like to see "failed" on their laptops. It's kind of important... I would really appreciate it if you can come up with a solution for it...

*shrug* That's the way networks work. And you expect me to come up with a solution (for free) that you're charging for?

Alan DeKok.