Re: sql auth problems with 2.0.0-pre
Hi, got cvs tree today. The read_groups configuration check is not included in rlm_sql.c for some reason. Adding:

  { "read_groups", PW_TYPE_BOOLEAN, offsetof(SQL_CONFIG, read_groups), NULL, "yes" },

into

  static const CONF_PARSER module_config[] = { .. }

helped a lot. Now my config from 1.1.6 is almost working. Thanks a lot.

-- Sincerely Yours, Alexander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius Auth via LDAP against Active Directory Server 2003
I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes.

Try following the instructions below. These were tested with FreeRadius 1.1.4.

1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:

  SEARCHDN=the DN of the account
  SEARCHPW=the password
  BASEDN=the DN below which all your accounts live in AD
  ADHOST=hostname of the AD controller you'll search against

For example, these might be:

  SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
  SEARCHPW=blahblah
  BASEDN=OU=My Site,DC=mysite,DC=com

2. Next, take the default radiusd.conf

3. Find the start of the modules section:

  modules {
  ...

Delete this line and all the following lines.

4. Insert the following config:

  modules {
    ldap {
      server = $ADHOST
      identity = $SEARCHDN
      password = $SEARCHPW
      basedn = $BASEDN
      filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
    }
    preprocess {
      huntgroups = ${confdir}/huntgroups
      hints = ${confdir}/hints
      with_ascend_hack = no
      ascend_channels_per_line = 23
      with_ntdomain_hack = no
      with_specialix_jetstream_hack = no
      with_cisco_vsa_hack = no
    }
    detail {
      detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
      detailperm = 0644
    }
  }
  instantiate {
  }
  authorize {
    preprocess
    ldap
  }
  authenticate {
    Auth-Type LDAP {
      ldap
    }
  }
  preacct {
    preprocess
  }
  accounting {
    detail
  }
  session {
  }
  post-auth {
  }
  pre-proxy {
  }
  post-proxy {
  }

5. Start the server with -X

6. Run radtest to send a checking PAP request

It should work. The above config is the ABSOLUTE BARE MINIMUM server config which will check PAP requests ONLY against an AD LDAP server.

I do NOT recommend you go into service with this config. Try to look at it, understand how it's doing what it's doing, *then* start again with the default FreeRadius config and make the absolute minimum changes to get back to that point.
Re: 1.1.6: PAP and MySQL-stored NT-Password don't work
  radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'swinter' ORDER BY id'
  radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'swinter' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'

What do these two SQL queries return if you run them in the CLI SQL client?
Re: SQL for return attributes only?
Hugh Messenger wrote:
> ObDisclaimer: I have googled my best google, and read all the docs I can find, so please be gentle if this is a dumb question.
>
> Is it possible with freeradius to use SQL to retrieve certain return attributes (in this case rate limiting values for PPPOE sessions), whilst still handling authentication through PAM?

Yes. However, in the current code there must be *something* that matches in the radcheck or radgroupcheck table for the user/group, else the radreply/radgroupreply table won't be used.

Maybe easiest to put this in radcheck:

  insert into radcheck (username,attribute,op,value) values ('theuser', 'Pam-Auth', ':=', 'thepamservice');

...then put your per-user attributes in radreply.

Alternatively you could define a local attribute in the dictionary:

  ATTRIBUTE My-Fake-Item 3000 string

...and set that.

There are probably cleaner ways to do it using SQL groups and/or the search on not found / default profile stuff, but I must admit to not grokking that part of the 1.1 SQL code.
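An added example, not code from either list post, that reproduces in sqlite3 the rlm_sql 1.1 behaviour described above: the reply table is only consulted when the radcheck or radgroupcheck lookup returns a row. The two check queries are the ones quoted in the "1.1.6: PAP and MySQL-stored NT-Password" thread; the reply query shape, the table columns, the My-Rate-Limit attribute name and all sample rows are constructed assumptions.

```python
import sqlite3

# Minimal FreeRADIUS 1.1-style schema; column names follow the queries quoted on the list.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup     (UserName TEXT, GroupName TEXT);
"""

# Constructed sample rows: 'theuser' carries the Pam-Auth check item suggested in the post,
# 'nocheck' has reply items only, 'grpuser' is matched through a group check item.
# 'My-Rate-Limit' is a placeholder attribute name, not a real dictionary entry.
SAMPLE = """
INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('theuser', 'Pam-Auth', ':=', 'thepamservice');
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('theuser', 'My-Rate-Limit', '=', '512k/2M');
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES ('nocheck', 'My-Rate-Limit', '=', '512k/2M');
INSERT INTO usergroup (UserName, GroupName) VALUES ('grpuser', 'pppoe');
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value) VALUES ('pppoe', 'Pam-Auth', ':=', 'thepamservice');
"""

# The two check queries exactly as radius_xlat printed them, with the user name parameterised.
CHECK_SQL = "SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE UserName = ? ORDER BY id"
GROUPCHECK_SQL = ("SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, "
                  "radgroupcheck.Value, radgroupcheck.op FROM radgroupcheck, usergroup "
                  "WHERE usergroup.UserName = ? AND usergroup.GroupName = radgroupcheck.GroupName "
                  "ORDER BY radgroupcheck.id")
# Assumed shape of the reply query; the posts only quote the check queries.
REPLY_SQL = "SELECT id, UserName, Attribute, Value, op FROM radreply WHERE UserName = ? ORDER BY id"


def open_db():
    """In-memory database loaded with the schema and the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def authorize(conn, user):
    """Return (found, reply_items), gating the reply lookup on a check-item match as rlm_sql 1.1 does."""
    check_rows = conn.execute(CHECK_SQL, (user,)).fetchall()
    group_rows = conn.execute(GROUPCHECK_SQL, (user,)).fetchall()
    if not check_rows and not group_rows:
        return False, []  # notfound: radreply is never consulted for this user
    reply = [(attr, op, val) for _id, _user, attr, val, op in conn.execute(REPLY_SQL, (user,))]
    return True, reply
```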
Re: Win XP with 802.1x PEAP (EAP-MSCHAP V2)
This incorrect password issue was solved once the proper server certificate was used by FreeRADIUS' eap.conf file. Thanks for all your help!

Marc

Solution to get correct cert to work with Windows XP SP2 supplicant:

1) From Linux box:

  openssl genrsa -des3 -out server1.key 2048

You will be prompted for password; this server1.key and the password assigned are used in eap.conf file.

  openssl req -new -key server1.key -out server1.csr

2) Get server1.csr to a Windows workstation that will reach the Microsoft 2003 CA. Easiest way might be to use FTP. The URL to our CA is: http://10.10.10.10/certsrv

3) On Web access to CA:
  - click Request a Certificate
  - click Advanced certificate request
  - click "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
  - click Browse for a file to insert, browse to ohisles1.csr, then click READ button.
  - select Web Server for certificate template and click Submit
  - keep DER encoded selected, then click Download certificate, save file as server1.cer

4) Get this file server1.cer back to Linux server with FTP

5) Issue OpenSSL command

  openssl x509 -inform DER -in ohisles1.cer -out ohisles1.pem

and update eap.conf to point to this server certificate.

6) Use same OpenSSL command on the CER file of the root certificate from the Microsoft CA to convert it to PEM format. Use this root certificate, we named it root.pem, and point to it in the eap.conf

7) Start FreeRADIUS with: radiusd -X

8) Windows XP supplicant should work fine.
cert Trust settings on MAC client
Does anyone have an idea of getting rid of "The server certificate is not trusted because there are no explicit trust settings" on MAC OSX 10.4.9 without selecting "always trust this certificate"?

== Benjamin K. Eshun

----- Original message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 27 April 2007, 17:47:46
Subject: Re: Performance with Freeradius-1.1.4

nikitha george wrote:
> I am using freeradius-1.1.4 with PEAP-MSCHAPV2. Each session starting from Access-Request till Access-Accept takes more than 250ms to complete. Is it the normal performance of freeradius-1.1.4 or anything suspicious in this regard?

It depends on your CPU speed, etc. But it's not out of line. Almost all of that time is spent in OpenSSL, doing cryptography.

> When I try to send many Requests simultaneously then there is no response from the server for the latest requests as the server is busy processing the first request. Only the first request gets a response after 250ms.

Are you sure you're not running the server in single threaded mode?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate
Hi,

I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked wonderfully for me in the past. I saw in the changelog something about terminating the SSL session in EAP on errors. What can I do to fix this error?

Regards, Remy.

  --- Walking the entire request list ---
  Waking up in 6 seconds...
  rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=256
          User-Name = [EMAIL PROTECTED]
          NAS-IP-Address = 10.0.1.250
          Called-Station-Id = 0012176fb399
          Calling-Station-Id = 0013022105d3
          NAS-Identifier = 0012176fb399
          NAS-Port = 55
          Framed-MTU = 1400
          State = 0x99e6bf386c1693ffe99cc51011c78c22
          NAS-Port-Type = Wireless-802.11
          EAP-Message = 0x0201006e0d800064160301005f015b030146338b7df93bc3ecee992b73b782861fb83b032ad4e5d0e367a50e96a5f4d07e3400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
          Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 1
    modcall[authorize]: module preprocess returns ok for request 1
  radius_xlat: '/var/log/radacct/10.0.1.250/auth-detail-20070428'
  rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.1.250/auth-detail-20070428
    modcall[authorize]: module auth_log returns ok for request 1
    modcall[authorize]: module chap returns noop for request 1
    modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: Looking up realm unix-asp.com for User-Name = [EMAIL PROTECTED]
    rlm_realm: No such realm unix-asp.com
    modcall[authorize]: module suffix returns noop for request 1
    rlm_eap: EAP packet type response id 1 length 110
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 1
      users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 1
  modcall: leaving group authorize (returns updated) for request 1
    rad_check_password: Found Auth-Type EAP
  auth: type EAP
    Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 1
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/tls
    rlm_eap: processing type tls
    rlm_eap_tls: Authenticate
    rlm_eap_tls: processing TLS
    rlm_eap_tls: Length Included
    eaptls_verify returned 11
      (other): before/accept initialization
      TLS_accept: before/accept initialization
    rlm_eap_tls: TLS 1.0 Handshake [length 005f], ClientHello
      TLS_accept: SSLv3 read client hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
      TLS_accept: SSLv3 write server hello A
    rlm_eap_tls: TLS 1.0 Handshake [length 02ca], Certificate
      TLS_accept: SSLv3 write certificate A
    rlm_eap_tls: TLS 1.0 Handshake [length 00a9], CertificateRequest
      TLS_accept: SSLv3 write certificate request A
      TLS_accept: SSLv3 flush data
      TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
    eaptls_process returned 13
    modcall[authenticate]: module eap returns handled for request 1
  modcall: leaving group authenticate (returns handled) for request 1
  Sending Access-Challenge of id 1 to 10.0.1.250 port 3072
Re: FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate
Hi Remy and everyone,

In message [EMAIL PROTECTED], Remy de Ruysscher [EMAIL PROTECTED] writes:

> I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system uses EAP-TLS - and it works fine, so it is probably something with your setup. I'm assuming you're using the port - though you didn't say so specifically.

I use the OpenSSL port - and suggest you do too, as the version of OpenSSL in the base system is rather old. If you've got the OpenSSL port installed, the FreeRADIUS port will notice and make use of it automatically. The package, meanwhile, uses the base OpenSSL. If you install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for FreeRADIUS to use it.

If you have portupgrade installed, and want to switch to using the OpenSSL port, try:

  portupgrade -N security/openssl
  portupgrade -f net/freeradius
  /usr/local/etc/rc.d/radius start

I suggest you also rebuild any other ports that use OpenSSL if you've installed the OpenSSL port for the first time. Use portupgrade -f or similar.

Of course, it could be that your server certificate is actually bad. Do the results of:

  openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

  openssl x509 -in cert-srv.pem -noout -text

look OK? You may need to adjust the filenames according to your environment - I'm presuming that you're in your raddb certificates folder. If you have the OpenSSL port installed, I suggest you explicitly use /usr/local/bin/openssl instead of openssl in the commands above.

The handling of raddb upgrading has changed significantly from version 1.1.4 of the port to 1.1.6. It's just possible that your certificates have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted accordingly if you have a non-standard ${PREFIX}), but I can't think why, as the script is fairly careful in checking before overwriting anything in raddb.

That said, the new behaviour on uninstallation is to check any files in raddb against the distribution, and delete unmodified files. On installation, it copies the distribution files to raddb unless there's already a file of the same name. It's possible that your upgrade to 1.1.6 has created mixed versions (new uncustomised files and your customisations based on a rather older version of FreeRADIUS) - and that's introduced a problem, though I feel this is unlikely.

My favourite is either there's something wrong with your server certificate, or it's a problem with the base system OpenSSL that you can cure by moving to the OpenSSL port. I'd be interested to know how you get on, particularly if the problem turns out to be something different.

If you want a tarball of the 1.1.4 port, email me - I can pull out the last version of 1.1.4 from my local Subversion repository before I upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4 timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 January 2007, and a rewrap of 1.1.4_1 on 23 January 2007. The 15 January - 18 January transition merely disabled rlm_sql_firebird (otherwise the port failed to build with experimental modules disabled). The 18 January - 23 January 2007 update contained a bunch of fixes, including the first version of the revised raddb handling (the very first time that the port touched files other than those suffixed .sample in raddb). http://www.freshports.org/net/freeradius/ will walk you through the changes in more detail, though my local Subversion repository is more finely grained. There were two further changes before I upgraded to 1.1.5 - support for the freeradius-mysql slave port, and a change to the current version of raddb handling.

However, I hope we can get the 1.1.6 port working on your machine, and I don't have to unravel the many changes made from the last version of 1.1.4_1 through 1.1.5 to 1.1.6.

Best wishes,

David
--
David Wood [EMAIL PROTECTED]
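An added example, not Marc's or David's code, that runs the certificate procedure from the "Win XP with 802.1x PEAP" post end to end and then applies David's two verification commands, using a locally generated self-signed CA in place of the Microsoft 2003 CA. It assumes the openssl binary is on PATH; all file and subject names are constructed, and the server key is left unencrypted so no passphrase prompt is needed (the post used -des3).

```python
import ssl
import subprocess
import tempfile
from pathlib import Path


def openssl(*args):
    # Run one openssl subcommand; raise on failure so a broken step is not masked.
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def make_ca(workdir, name):
    # Self-signed CA standing in for the Microsoft CA of the post (constructed locally).
    key, pem = workdir / f"{name}.key", workdir / f"{name}.pem"
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-keyout", str(key), "-out", str(pem), "-subj", f"/CN={name}")
    return key, pem


def chain_ok(cert_pem, ca_pem):
    # David's first check: does the server certificate verify against this CA file?
    r = subprocess.run(["openssl", "verify", "-CAfile", str(ca_pem), str(cert_pem)],
                       capture_output=True, text=True)
    return r.returncode == 0 and r.stdout.strip().endswith(": OK")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        wd = Path(tmp)
        ca_key, root_pem = make_ca(wd, "root")        # the CA that signs server1
        _, other_pem = make_ca(wd, "other-root")      # an unrelated CA for the negative check
        # Step 1 of the post: server key and CSR.
        key, csr = wd / "server1.key", wd / "server1.csr"
        openssl("genrsa", "-out", str(key), "2048")
        openssl("req", "-new", "-key", str(key), "-out", str(csr), "-subj", "/CN=radius.example.com")
        # The CA signs the CSR and hands back DER, like the "DER encoded" download in step 3.
        der = wd / "server1.cer"
        openssl("x509", "-req", "-in", str(csr), "-CA", str(root_pem), "-CAkey", str(ca_key),
                "-CAcreateserial", "-days", "365", "-outform", "DER", "-out", str(der))
        # Step 5: DER -> PEM, the form eap.conf expects.
        pem = wd / "server1.pem"
        openssl("x509", "-inform", "DER", "-in", str(der), "-out", str(pem))
        text = openssl("x509", "-in", str(pem), "-noout", "-text")  # David's second check
        return {
            "verify_ok": chain_ok(pem, root_pem),
            "wrong_ca_ok": chain_ok(pem, other_pem),  # trust store mismatch, i.e. a bad certificate
            "subject_ok": "radius.example.com" in text,
            "pem_roundtrip": ssl.PEM_cert_to_DER_cert(pem.read_text()) == der.read_bytes(),
        }
```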