Re: sql auth problems with 2.0.0-pre

2007-04-28 Thread Alexander Serkin
Hi,
got cvs tree today.
The read_groups configuration check is not included in rlm_sql.c for 
some reason.
Adding:

 { "read_groups", PW_TYPE_BOOLEAN,
   offsetof(SQL_CONFIG,read_groups), NULL, "yes" },

into
static const CONF_PARSER module_config[] = {
..
} helped a lot.

Now my config from 1.1.6 is almost working. Thanks a lot.

-- 
Sincerely Yours,
Alexander
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-28 Thread Phil Mayers
I haven't been following your (quite extensive) queries, so apologies if 
I've missed something fundamental.

I honestly don't know why this is proving so difficult. I've just tested 
this against our own 2k3 AD service, and although I'm pretty familiar 
with FR it took under 5 minutes. Try following the instructions below. 
These were tested with FreeRadius 1.1.4

1. First, create or locate an existing account which FreeRadius can bind 
and do its searches as. Record the following variables:

SEARCHDN=the DN of the account
SEARCHPW=the password
BASEDN=the DN below which all your accounts live in AD
ADHOST=hostname of the AD controller you'll search against

For example, these might be:

SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
SEARCHPW=blahblah
BASEDN=OU=My Site,DC=mysite,DC=com

2. Next, take the default radiusd.conf

3. Find the start of the modules section:

modules {
  ...

Delete this line and all the following lines

4. Insert the following config:

modules {
   ldap {
      server = $ADHOST
      identity = $SEARCHDN
      password = $SEARCHPW

      basedn = $BASEDN
      filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

      dictionary_mapping = ${raddbdir}/ldap.attrmap

      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
   }

   preprocess {
      huntgroups = ${confdir}/huntgroups
      hints = ${confdir}/hints

      with_ascend_hack = no
      ascend_channels_per_line = 23

      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
   }

   detail {
      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
      detailperm = 0644
   }
}

instantiate {
}

authorize {
   preprocess
   ldap
}

authenticate {
   Auth-Type LDAP {
      ldap
   }
}

preacct {
   preprocess
}

accounting {
   detail
}

session {
}

post-auth {
}

pre-proxy {
}

post-proxy {
}

5. Start the server with -X

6. Run radtest to send a checking PAP request

It should work.

The above config is the ABSOLUTE BARE MINIMUM server config which will 
check PAP requests ONLY against an AD LDAP server. I do NOT recommend 
you go into service with this config. Try to look at it, understand how 
it's doing what it's doing, *then* start again with the default 
FreeRadius config and make the absolute minimum changes to get back to 
that point.
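The filter line in that ldap block is where the user-supplied name enters the directory query. As an added example (not FreeRADIUS code and not from the post), here is a Python model of how that line should be built: it applies the `%{Stripped-User-Name:-%{User-Name}}` fallback (use the name left after realm stripping, else the raw User-Name) and escapes the substituted value per RFC 4515, so a User-Name carrying filter metacharacters cannot alter the search. The request dictionaries are constructed sample input; the script does its own escaping rather than relying on the module.

```python
"""Model of rlm_ldap's filter expansion with RFC 4515 value escaping.

Added example, not FreeRADIUS code. Request dictionaries below are constructed.
"""

# RFC 4515 section 3: characters that must be escaped inside a filter value
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it can only ever be matched, never parsed as filter syntax."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def pick_user_name(request: dict) -> str:
    """Model of %{Stripped-User-Name:-%{User-Name}}: prefer the stripped name,
    fall back to User-Name. Neither present means the request cannot be looked up."""
    if request.get("Stripped-User-Name"):
        return request["Stripped-User-Name"]
    if request.get("User-Name"):
        return request["User-Name"]
    raise ValueError("request carries neither Stripped-User-Name nor User-Name")


def build_filter(request: dict, attr: str = "sAMAccountName") -> str:
    """Return the search filter exactly as it should reach the directory."""
    return "(%s=%s)" % (attr, ldap_filter_escape(pick_user_name(request)))


if __name__ == "__main__":
    # Constructed requests: plain, realm-stripped, and one with metacharacters
    for req in ({"User-Name": "alice"},
                {"User-Name": "alice@mysite.com", "Stripped-User-Name": "alice"},
                {"User-Name": "*)(objectClass=*"}):
        print(build_filter(req))
```

The third request shows the point of the escaping: the metacharacters survive only as `\2a`, `\28` and `\29` sequences inside a single equality match, so the search still asks for one literal account name.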


Re: 1.1.6: PAP and MySQL-stored NT-Password don't work

2007-04-28 Thread Phil Mayers
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
 radcheck   WHERE Username = 'swinter'   ORDER BY id'

 radius_xlat:  'SELECT 
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
   
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'swinter' AND 
 usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

What do these two SQL queries return if you run them in the CLI SQL client?


Re: SQL for return attributes only?

2007-04-28 Thread Phil Mayers
Hugh Messenger wrote:
 ObDisclaimer: I have googled my best google, and read all the docs I can 
 find, so please be gentle if this is a dumb question.

 Is it possible with freeradius to use SQL to retrieve certain return 
 attributes (in this case rate limiting values for PPPOE sessions), 
 whilst still handling authentication through PAM?


Yes.

However, in the current code there must be *something* that matches in 
the radcheck or radgroupcheck table for the user/group, else the 
radreply/radgroupreply table won't be used.

Maybe easiest to put this in radcheck:

insert into radcheck (username,attribute,op,value) values (
  'theuser',
  'Pam-Auth',
  ':=',
  'thepamservice'
)

...then put your per-user attributes in radreply.

Alternatively you could define a local attribute in the dictionary:

Attribute   My-Fake-Item   3000   string

...and set that. There are probably cleaner ways to do it using SQL 
groups and/or the search on not found / default profile stuff, but I 
must admit to not grokking that part of the 1.1 SQL code.
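Both SQL threads above come down to what the authorize queries return for a given user: the "PAP and MySQL-stored NT-Password" thread shows the radcheck and radgroupcheck queries with the username already substituted, and this answer states the rule that reply rows are only used when a check row matched. As an added example (not FreeRADIUS code; the schema is the 1.1-era table layout as named in the thread, and the rule is modelled from this answer rather than taken from rlm_sql's source), here is a Python script that builds those tables in an in-memory SQLite database, runs the thread's queries with the username bound as a parameter instead of pasted into the SQL, and applies the rule. The `Pam-Auth` row is the one from the answer; the other rows, the `Session-Timeout` reply attribute standing in for the rate-limit attributes, and the `grpuser`/`nocheck` users are constructed.

```python
"""radcheck/radgroupcheck/radreply lookup as described in the thread.

Added example, not FreeRADIUS code. Tables follow the 1.1 schema named in the
thread; sample rows other than the Pam-Auth one are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# The two queries quoted in the thread, with the literal username replaced by a bound parameter
CHECK_SQL = ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
             "WHERE UserName = ? ORDER BY id")
GROUPCHECK_SQL = ("SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, "
                  "radgroupcheck.Value, radgroupcheck.op FROM radgroupcheck, usergroup "
                  "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
                  "ORDER BY radgroupcheck.id")
# Reply-side queries in the same shape
REPLY_SQL = "SELECT Attribute, op, Value FROM radreply WHERE UserName = ? ORDER BY id"
GROUPREPLY_SQL = ("SELECT radgroupreply.Attribute, radgroupreply.op, radgroupreply.Value "
                  "FROM radgroupreply, usergroup WHERE usergroup.UserName = ? "
                  "AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id")


def open_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ins = "INSERT INTO %s (%s, Attribute, op, Value) VALUES (?, ?, ?, ?)"
    # Row from the answer: authenticate 'theuser' through PAM service 'thepamservice'
    conn.execute(ins % ("radcheck", "UserName"), ("theuser", "Pam-Auth", ":=", "thepamservice"))
    # Constructed per-user reply attribute for that user
    conn.execute(ins % ("radreply", "UserName"), ("theuser", "Session-Timeout", ":=", "3600"))
    # Constructed: a user whose only match is via a group
    conn.execute("INSERT INTO usergroup VALUES (?, ?)", ("grpuser", "pppoe"))
    conn.execute(ins % ("radgroupcheck", "GroupName"), ("pppoe", "Pam-Auth", ":=", "thepamservice"))
    conn.execute(ins % ("radgroupreply", "GroupName"), ("pppoe", "Session-Timeout", ":=", "7200"))
    # Constructed: reply rows but no check row at all, the case the answer warns about
    conn.execute(ins % ("radreply", "UserName"), ("nocheck", "Session-Timeout", ":=", "60"))
    conn.commit()
    return conn


def authorize(conn: sqlite3.Connection, username: str):
    """Return (check_items, reply_items) for a user.

    Reply tables are only consulted when at least one radcheck or radgroupcheck
    row matched, the rule the answer gives for the 1.1 code.
    """
    rows = conn.execute(CHECK_SQL, (username,)).fetchall()
    rows += conn.execute(GROUPCHECK_SQL, (username,)).fetchall()
    check_items = [(attr, op, value) for (_id, _name, attr, value, op) in rows]
    if not check_items:
        return [], []
    replies = conn.execute(REPLY_SQL, (username,)).fetchall()
    replies += conn.execute(GROUPREPLY_SQL, (username,)).fetchall()
    return check_items, [tuple(r) for r in replies]


if __name__ == "__main__":
    db = open_sample_db()
    for user in ("theuser", "grpuser", "nocheck", "swinter"):
        print(user, authorize(db, user))
```

Running it shows `nocheck` getting no reply attributes despite its radreply row, and `swinter` (the user in the other thread) getting nothing at all, which is the result to expect if the queries run in the CLI client return no rows.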


Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)

2007-04-28 Thread Marc Charbonneau
This incorrect password issue was solved once the proper server
certificate was used by FreeRADIUS' EAP.conf file.
 
Thanks for all your help!
Marc
 
Solution to get correct cert to work with Windows XP SP2 supplicant:

1) From Linux box:
openssl genrsa -des3 -out server1.key 2048
You will be prompted for a password; this server1.key and the password
assigned are used in the eap.conf file.
openssl req -new -key server1.key -out server1.csr
 
2) Get server1.csr to a Windows workstation that will reach the
Microsoft 2003 CA.  Easiest way might be to use FTP.
The URL to our CA is:  http://10.10.10.10/certsrv 

3) On Web access to CA:
- click Request a Certificate
- click Advanced certificate request
- click Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file, or submit a renewal request by using a base-64-encoded
PKCS #7 file.
- click Browse for a file to insert. and browse to ohisles1.csr
then click READ button.
- select Web Server for certificate template and click Submit
- keep DER encoded selected then click Download certificate, save
file as server1.cer

4) Get this file server1.cer back to Linux server with FTP
 
5) Issue OpenSSL command
openssl x509 -inform DER -in ohisles1.cer -out ohisles1.pem
- update eap.conf to point to this server certificate.

6) Use same OPENSSL command on the CER file of the root certificate
from the Microsoft CA to convert it to PEM format.  Use this root
certificate, we named it root.pem and point to it in the eap.conf

7) Start FreeRADIUS with:
radiusd -X

8) Windows XP supplicant should work fine.


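Step 5 assumes the file the CA handed back is a DER certificate, which is true when "DER encoded" was left selected in step 3. The same web enrollment page can also return the certificate Base-64 encoded (already PEM) or as a PKCS #7 bundle, and `openssl x509 -inform DER` fails on both. As an added example (not from the post, and not an OpenSSL replacement), here is a Python function that inspects the downloaded bytes, checks the DER length against the file size to catch a truncated transfer, converts a DER certificate to PEM the way `openssl x509 -inform DER -out` does, passes PEM through, and refuses a PKCS #7 bundle with a pointer to the right tool. The two DER samples are constructed: a minimal two-level SEQUENCE with the outer shape of a certificate, and a PKCS #7 ContentInfo header; neither is a real certificate.

```python
"""Sniff a certificate download (DER / PEM / PKCS#7) and convert DER to PEM.

Added example, not from the post. Sample blobs are constructed, not real certificates.
"""
import base64
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the first
# element inside a PKCS#7 ContentInfo
_PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def _der_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or indefinite DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify(data: bytes) -> str:
    """Return 'pem', 'der-certificate' or 'der-pkcs7'; raise for anything else."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if not data or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE and not PEM")
    length, body = _der_length(data, 1)
    if body + length != len(data):
        raise ValueError("DER length %d does not match file size %d (truncated download?)"
                         % (body + length, len(data)))
    if data[body:body + len(_PKCS7_SIGNED_DATA_OID)] == _PKCS7_SIGNED_DATA_OID:
        return "der-pkcs7"
    if data[body] == 0x30:          # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der-certificate"
    raise ValueError("unrecognised DER structure")


def der_to_pem(data: bytes) -> str:
    """PEM text for a DER or PEM certificate; refuse PKCS#7 with advice."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der-pkcs7":
        raise ValueError("PKCS#7 bundle: extract with 'openssl pkcs7 -print_certs' instead")
    b64 = base64.b64encode(data).decode("ascii")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(b64, 64), PEM_END]) + "\n"


# Constructed samples (not real certificates)
SAMPLE_CERT_DER = bytes.fromhex("30053003020101")            # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_PKCS7_DER = bytes.fromhex("300d06092a864886f70d010702a000")
SAMPLE_TRUNCATED = SAMPLE_CERT_DER[:-1]

if __name__ == "__main__":
    print(der_to_pem(SAMPLE_CERT_DER))
    for blob in (SAMPLE_PKCS7_DER, SAMPLE_TRUNCATED):
        try:
            der_to_pem(blob)
        except ValueError as err:
            print("refused:", err)
```

Used on a real `server1.cer`, read the file in binary mode and write the returned string to `server1.pem`; the result is byte-for-byte what `openssl x509 -inform DER -in server1.cer -out server1.pem` produces for the certificate body.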

cert Trust settings on MAC client

2007-04-28 Thread Eshun Benjamin
Anyone has an idea of getting rid of

The server certificate is not trusted because there are no explicit trust
settings

on Mac OS X 10.4.9 without selecting "always trust this certificate"?
 
 
==

Benjamin K. Eshun

- Original message
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 27 April 2007, 17:47:46
Subject: Re: Performance with Freeradius-1.1.4

nikitha george wrote:
 I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting
 from Access-Request till Access-Accept it takes more than 250ms to
 complete. Is it the normal performance of freeradius-1.1.4 or anything
 suspicious in this regard?

  It depends on your CPU speed, etc.  But it's not out of line.  Almost
all of that time is spent in OpenSSL, doing cryptography.

 When i  try to send many Request
 simultaneously then there is no response from the server for the latest
 requests as the server is busy processing first request.
 Only the first request gets response after 250ms.

  Are you sure you're not running the server in single threaded mode?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog







  

FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate

2007-04-28 Thread Remy de Ruysscher
Hi,

I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked
wonderfully for me in the past. 

I saw in the changelog something about terminating the SSL session in EAP on
errors. 

What can I do to fix this error?

Regards,

Remy.

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=256
        User-Name = [EMAIL PROTECTED]
        NAS-IP-Address = 10.0.1.250
        Called-Station-Id = 0012176fb399
        Calling-Station-Id = 0013022105d3
        NAS-Identifier = 0012176fb399
        NAS-Port = 55
        Framed-MTU = 1400
        State = 0x99e6bf386c1693ffe99cc51011c78c22
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0201006e0d800064160301005f015b030146338b7df93bc3ecee992b73b782861f
b83b032ad4e5d0e367a50e96a5f4d07e3400390038003500160013000a00330032002f00
6600050004006500640063006200610060001500120009001400110008000600030100
        Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  '/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radacct/10.0.1.250/auth-detail-20070428
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm unix-asp.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: No such realm unix-asp.com
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 02ca], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 00a9], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 10.0.1.250 port 3072
        EAP-Message =
0x010203d60d8003cc160301004a0246030146338b7ad2b5446adeec2e4c5dbeebbf
060ca75333f41f2cd07136ceb4f1e16020c03cc6c37f378e3a121feb1d2b2ff0720a72311530
9f56d0f8db9efb1334024f00350016030102ca0b0002c60002c30002c0308202bc30820225a0
0302010202020122300d06092a864886f70d0101050500308196310b3009060355040613024e
4c3110300e06035504081307557472656368743110300e060355040713075574726563687431
153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f
7274311530130603550403130c756e69782d6173702e636f6d31
        EAP-Message =
0x23302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30
1e170d3037303432383137343331325a170d3038303432373137343331325a308196310b3009
060355040613024e4c3110300e06035504081307557472656368743110300e06035504071307
5574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e06035504
0b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d3123302106
092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30819f300d06
092a864886f70d010101050003818d0030818902818100c4d9ff
        EAP-Message =
0x25696b959b20ce440ea32876f9083badb184a2a86c2269205ca4442c6c386546face2e2ec0
5b6a0af3d11094e0fe389198023ee39fafb456de6832483e99c29231034840334c91ccafeb80
f7bd019f3493977c03b7e8ed7824395ec401a2f5eb1540db144670038cc6ca8308c982ac3038
1da8228a479740e4049ef8870203010001a317301530130603551d25040c300a06082b060105
05070301300d06092a864886f70d010105050003818100741dcc0890f8e7cb9651648a76005c
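The debug output above already decodes the EAP-TLS exchange for you (`EAP packet type response id 1 length 110`, `Length Included`, `TLS 1.0 Handshake [length 005f], ClientHello`), but all of that is derivable from the raw `EAP-Message` attribute, which is useful when you only have a packet capture or a detail file rather than a `-X` session. As an added example (not FreeRADIUS code and not from the post), here is a Python decoder for the EAP header, the EAP-TLS flags and length field, and the TLS record and handshake headers inside, plus the alert level and description when the record is an alert, which is what the subject line's `TLS 1.0 Alert [length 0002], fatal bad_certificate` is made of. The two packets it decodes are constructed to mirror the ones in the log (a Response id 1 carrying a ClientHello with the L flag set, and a fatal bad_certificate alert), not the page's own bytes; when one RADIUS packet carries several `EAP-Message` attributes, as the Access-Challenge above does, concatenate their values before decoding.

```python
"""Decode an EAP-TLS EAP-Message down to TLS record / handshake / alert headers.

Added example, not FreeRADIUS code. Sample packets are constructed.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def from_debug_hex(lines) -> bytes:
    """Join the wrapped '0x...' continuation lines radiusd -X prints for one attribute."""
    text = "".join(line.strip() for line in lines)
    return bytes.fromhex(text[2:] if text.startswith("0x") else text)


def decode_tls_records(data: bytes) -> list:
    """Walk TLS records (RFC 2246 section 6.2) and name what each one carries."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, ctype),
               "version": TLS_VERSIONS.get((major, minor), "%d.%d" % (major, minor)),
               "length": rlen,
               "complete": len(frag) == rlen}   # False when EAP fragmentation cut it
        if ctype == 22 and frag:
            rec["handshake"] = HANDSHAKE_TYPES.get(frag[0], frag[0])
        elif ctype == 21 and len(frag) == 2:
            rec["alert"] = "%s %s" % (ALERT_LEVELS.get(frag[0], frag[0]),
                                      ALERT_DESCS.get(frag[1], frag[1]))
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap_message(raw: bytes) -> dict:
    """EAP header (RFC 3748) followed by the EAP-TLS type/flags/length (RFC 5216)."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length %d != %d bytes supplied" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:                     # Success / Failure carry no type byte
        return out
    out["type"] = raw[4]
    if raw[4] != EAP_TYPE_TLS:
        return out
    flags = raw[5]
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                    # L set: 4-byte total TLS message length follows
        out["tls_length"] = struct.unpack("!I", raw[6:10])[0]
        pos = 10
    out["records"] = decode_tls_records(raw[pos:])
    return out


def build_eap_tls(code: int, ident: int, tls_payload: bytes, flags: int = 0x80) -> bytes:
    """Constructed-packet builder used for the samples below."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & 0x80:
        body += struct.pack("!I", len(tls_payload))
    body += tls_payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed ClientHello: version 3.1, zero random, no session id, one suite, null compression
_HELLO_BODY = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x35" + b"\x01\x00"
_HANDSHAKE = b"\x01" + len(_HELLO_BODY).to_bytes(3, "big") + _HELLO_BODY
_RECORD = b"\x16\x03\x01" + struct.pack("!H", len(_HANDSHAKE)) + _HANDSHAKE
SAMPLE_CLIENT_HELLO = build_eap_tls(2, 1, _RECORD)
# Constructed fatal bad_certificate alert, no L flag
SAMPLE_ALERT = build_eap_tls(2, 3, b"\x15\x03\x01\x00\x02\x02\x2a", flags=0)

if __name__ == "__main__":
    for pkt in (SAMPLE_CLIENT_HELLO, SAMPLE_ALERT):
        print(decode_eap_message(pkt))
```

For a real capture, pass the `0x...` lines of every `EAP-Message` attribute in one packet to `from_debug_hex` together; a record reported with `complete: False` simply means the rest of it arrives in the next EAP fragment (M flag set), not that the packet is corrupt.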

Re: FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate

2007-04-28 Thread David Wood
Hi Remy and everyone,

In message [EMAIL PROTECTED], Remy de 
Ruysscher [EMAIL PROTECTED] writes
I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always
worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system 
uses EAP-TLS - and it works fine, so it is probably something with your 
setup. I'm assuming you're using the port - though you didn't say so 
specifically.


I use the OpenSSL port - and suggest you do too, as the version of 
OpenSSL in the base system is rather old. If you've got the OpenSSL port 
installed, the FreeRADIUS port will notice and make use of it 
automatically. The package, meanwhile, uses the base OpenSSL. If you 
install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for 
FreeRADIUS to use it.

If you have portupgrade installed, and want to switch to using the 
OpenSSL port, try:

portupgrade -N security/openssl
portupgrade -f net/freeradius
/usr/local/etc/rc.d/radius start


I suggest you also rebuild any other ports that use OpenSSL if you've 
installed the OpenSSL port for the first time. Use portupgrade -f or 
similar.


Of course, it could be that your server certificate is actually bad. Do 
the results of:

openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

openssl x509 -in cert-srv.pem -noout -text

look OK?


You may need to adjust the filenames according to your environment - I'm 
presuming that you're in your raddb certificates folder.

If you have the OpenSSL port installed, I suggest you explicitly use 
/usr/local/bin/openssl instead of openssl in the commands above.


The handling of raddb upgrading has changed significantly from version 
1.1.4 of the port to 1.1.6. It's just possible that your certificates 
have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted 
accordingly if you have a non-standard ${PREFIX}), but I can't think 
why, as the script is fairly careful in checking before overwriting 
anything in raddb.

That said, the new behaviour on uninstallation is to check any files in 
raddb against the distribution, and delete unmodified files. On 
installation, it copies the distribution files to raddb unless there's 
already a file of the same name. It's possible that your upgrade to 
1.1.6 has created mixed versions (new uncustomised files and your 
customisations based on a rather older version of FreeRADIUS) - and 
that's introduced a problem, though I feel this is unlikely.


My favourite is either there's something wrong with your server 
certificate, or it's a problem with the base system OpenSSL that you can 
cure by moving to the OpenSSL port.

I'd be interested to know how you get on, particularly if the problem 
turns out to be something different.



If you want a tarball of the 1.1.4 port, email me - I can pull out the 
last version of 1.1.4 from my local Subversion repository before I 
upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4 
timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 
January 2007, and a rewrap of 1.1.4_1 on 23 January 2007.

The 15 January - 18 January transition merely disabled rlm_sql_firebird 
(otherwise the port failed to build with experimental modules disabled). 
The 18 January - 23 January 2007 update contained a bunch of fixes, 
including the first version of the revised raddb handling (the very 
first time that the port touched files other than those suffixed .sample 
in raddb).


http://www.freshports.org/net/freeradius/ will walk you through the 
changes in more detail, though my local Subversion repository is more 
finely grained. There were two further changes before I upgraded to 
1.1.5 - support for the freeradius-mysql slave port, and a change to the 
current version of raddb handling.

However, I hope we can get the 1.1.6 port working on your machine, and I 
don't have to unravel the many changes made from the last version of 
1.1.4_1 through 1.1.5 to 1.1.6.



Best wishes,





David
-- 
David Wood
[EMAIL PROTECTED]