Re: Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto
Hi,

> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Configuring_The_.2Fetc.2Fraddb.2Fradiusd.conf_File
> Another howto that instructs you to set DEFAULT Auth-Type := LDAP which is wrong.

In the past it worked - and it still does if you REALLY know what's going on and have no care for the server capabilities - and even edited the source code. There is no need to set it. Questioning this won't change the fact.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Add a secondary ldap server to radiusd.conf
On 23 Apr 2007 at 18:00, Jacob Jarick wrote:
> Hubert would you mind showing me how you map the ldap password to the radius password. I've tried
>
>     checkItem userPassword User-Password
>
> but the radius debug logs complain that it needs User-Password still :|
>
> On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:
>> Hello, how can I add a secondary ldap server to radiusd.conf for failover?

Jacob, we authenticate freeradius requests against Novell eDirectory with ldap.

    password_attribute = nspmPassword

Regards,
Boert
Re: FR + ADS 2003 + ntlm_auth
Hi,

> good docs, link it or shutup).

I will now no longer be replying to you.

alan
Re: FR + ADS 2003 + ntlm_auth (including config files)
Jacob Jarick wrote:
> I have gone back to ntlm_auth for the time being instead of ldap due to the incredibly frustrating lack of good documentation (if there are good docs, link it or shutup).

A large part of the problem is that you seem to be making random changes, and following various bits of various documentation. The way to get it to work is this:

1. Start with the default configuration. ALWAYS start with the default configuration.
2. Make one small change.
3. Test it.
4. If it works, go back to step 2 and make another change.
5. If it doesn't work, try again.

Also, keep backups of everything. If something works, make a copy. Also, in step 4, repeat all of the tests that worked earlier.

> None of the howtos/tutorials I have followed end in success, it's always some ldap error of some kind.

Then fix the LDAP errors before trying to debug FreeRADIUS. If FreeRADIUS can't connect to the LDAP server, then your setup won't work.

> At least 1/2 the FR + LDAP howtos say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is incorrect.

It's wrong. It's not needed. You can believe the random people on the net who don't understand FreeRADIUS, or you can believe the people here, who do understand it.

> I followed Alan's Active Directory Integration tutorial and everything is set up as the guide says, but eap fails with this message:
>
>     rlm_eap: Handler failed in EAP/peap
>     rlm_eap: Failed in EAP select
>     modcall[authenticate]: module eap returns invalid for request 7
>     modcall: leaving group authenticate (returns invalid) for request 7
>     auth: Failed to validate the user.

You are NOT reading the whole debug output. That's part of the reason you're finding this so difficult. The real cause of the authentication failure, AND THE SUGGESTED FIX, are in the debugging output:

    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

What part of that is not clear?

It also looks like you did NOT follow my guide, which says to run ntlm_auth from the command line first.

> On another note I'd like to volunteer to help update some of the documentation out there on FR, some is horribly out of date and makes for a very frustrating introduction for people.

It's almost as frustrating to write documentation and then have it ignored. When the documentation says 10 times "read the debugging output", it really, truly, honestly, means that you should read it. Looking at the last few lines that say "authentication failed" is useless. The rest of the output contains the information as to WHY it failed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
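As an added example (not part of Alan's reply and not FreeRADIUS code), the Python below applies the advice above to a `radiusd -X` excerpt: it tracks `modcall: entering group` / `leaving group` pairs, collects the `rlm_*` messages and `Exec-Program` lines inside each group that did not return ok, and reports the external program's own output and exit code instead of the closing `auth: Failed to validate the user` line. The sample log is constructed from the lines quoted in this thread, wrapped in `entering group authenticate` lines that the quoted excerpt omits; the regular expressions assume the 1.x debug-output formats visible here and nothing else.

```python
"""Root-cause extraction from `radiusd -X` debug output (added example; not
FreeRADIUS code). Assumes the 1.x log line formats quoted in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines quoted in this thread, wrapped in the
# `entering group authenticate` lines the quoted excerpt left out.
SAMPLE_DEBUG_LOG = """\
modcall: entering group authenticate for request 6
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
modcall: leaving group authenticate (returns reject) for request 6
modcall: entering group authenticate for request 7
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
"""

RE_ENTER = re.compile(r"^modcall: entering group (\S+) for request (\d+)$")
RE_LEAVE = re.compile(r"^modcall: leaving group (\S+) \(returns (\w+)\) for request (\d+)$")
RE_MODRET = re.compile(r"^modcall\[\w+\]: module (\S+) returns (\w+) for request (\d+)$")
RE_EXEC_CMD = re.compile(r"^Exec-Program: (?!returned:)(.+)$")
RE_EXEC_OUT = re.compile(r"^Exec-Program(?:-Wait: plaintext| output): (.+)$")
RE_EXEC_RET = re.compile(r"^Exec-Program: returned: (\d+)$")
RE_MODMSG = re.compile(r"^(rlm_\w+): (.+)$")
OK_RESULTS = {"ok", "updated", "noop", "handled"}   # module return codes that are not failures


@dataclass
class Finding:
    request: str
    group: str
    result: str = ""                      # what the group returned (reject, invalid, fail, ...)
    module: Optional[str] = None
    command: Optional[str] = None         # external program run via Exec-Program, if any
    external_output: Optional[str] = None
    exit_code: Optional[int] = None
    messages: List[str] = field(default_factory=list)

    def root_cause(self) -> str:
        """The external program's own message carries the suggested fix; prefer it."""
        if self.external_output:
            return self.external_output
        for msg in self.messages:
            if "fail" in msg.lower():
                return msg
        return f"group {self.group} returned {self.result}"


def extract_failures(log_text: str) -> List[Finding]:
    """Walk the debug output and return one Finding per innermost failing group."""
    findings: List[Finding] = []
    stack: List[Finding] = []             # nested entering/leaving group pairs
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_ENTER.match(line)):
            stack.append(Finding(request=m.group(2), group=m.group(1)))
            continue
        if not stack:                     # e.g. the closing "auth: Failed ..." summary line
            continue
        cur = stack[-1]
        if (m := RE_LEAVE.match(line)):
            cur.result = m.group(2)
            stack.pop()
            # Outer groups that only relay an inner failure carry no evidence of their own.
            if cur.result not in OK_RESULTS and (cur.messages or cur.command):
                findings.append(cur)
        elif (m := RE_EXEC_RET.match(line)):
            cur.exit_code = int(m.group(1))
        elif (m := RE_EXEC_CMD.match(line)):
            cur.command = m.group(1)
        elif (m := RE_EXEC_OUT.match(line)):
            cur.external_output = m.group(1)
        elif (m := RE_MODRET.match(line)):
            cur.module = m.group(1)
        elif (m := RE_MODMSG.match(line)):
            cur.messages.append(f"{m.group(1)}: {m.group(2)}")
    return findings


def report(log_text: str) -> List[str]:
    """One line per failing group, leading with why it failed rather than that it failed."""
    lines = []
    for f in extract_failures(log_text):
        head = f"request {f.request}: group {f.group} returned {f.result}"
        if f.module:
            head += f" via module {f.module}"
        if f.exit_code is not None:
            head += f"; external program exited {f.exit_code}"
        lines.append(f"{head}: {f.root_cause()}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG_LOG)))
```

Run against a real `radiusd -X` capture the report puts the `winbindd_privileged` permission message first for request 6, which is exactly the line the final `auth: Failed to validate the user` summary hides; request 7 only has the `rlm_eap` lines to offer, which is the reader's cue that the interesting evidence is further up in that request.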
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> So the big question is, what Auth-Type do I use?

You have been told that you should not set it. That means "You should not set it". It does not mean "use another value".

> If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.

You're confused because you're not believing the messages on this list. LDAP is not an authentication server. When you say "authenticate against LDAP", you are talking nonsense. Other people have FreeRADIUS authenticating against Active Directory. They have done so by carefully following the guides.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Add a secondary ldap server to radiusd.conf
Sigh, I should just tell my employers to buy Novell eDirectory, it does look very nice.

On 4/24/07, Hubert Kupper [EMAIL PROTECTED] wrote:
> On 23 Apr 2007 at 18:00, Jacob Jarick wrote:
>> Hubert would you mind showing me how you map the ldap password to the radius password. I've tried
>>
>>     checkItem userPassword User-Password
>>
>> but the radius debug logs complain that it needs User-Password still :|
>>
>> On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:
>>> Hello, how can I add a secondary ldap server to radiusd.conf for failover?
>
> Jacob, we authenticate freeradius requests against Novell eDirectory with ldap.
>
>     password_attribute = nspmPassword
>
> Regards,
> Boert
Re: FR + ADS 2003 + ntlm_auth
Sorry to offend, but I have been seeing a lot of docs warn you of this etc., but seeing as there are so many conflicting documents, seeing the generic reply when I have read / googled high and low is quite frustrating.

On 4/24/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
>> good docs, link it or shutup).
>
> I will now no longer be replying to you.
>
> alan
Re: NAS not accepting the Access-Accept?
Matt Ashfield wrote:
> Hi, I have a network switch that I'm trying to configure to allow Console port authentication via RADIUS. In the documentation of the switch it says:
>
>     To provide each user with appropriate levels of access to the switch, set the following username attributes on your RADIUS server:
>     - R/W access -- Set the Service-Type field value to Administrative
>     - Read-Only -- set the Service-Type field value to NAS-Prompt
>
> So, in my users file, I have defined a user:
>
>     testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User

Which matches if there's a request for administrative user. You also have to acknowledge that request in the response, otherwise the NAS will not let the administrator in:

    testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
            Service-Type := Administrative-User

> However, when I run a packet capture, I see that no Radius attributes are being passed back to the NAS device. Shouldn't I be seeing the Administrative-User attribute?

If you don't tell the server to send it back, no.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PEAP/EAP-TLS with client and server certificate
Marcelo Augusto Rodrigues Pimentel wrote:
> I'm trying to configure freeradius with PEAP + EAP-TLS, but I'm making some confusion configuring the radiusd.conf (sections authorize and authentication) and eap.conf. Has someone implemented this configuration?

Yes. Many people.

> In the eap.conf file the default eap type is TLS or PEAP?

If you're doing PEAP, then it should be "peap".

> What do I have to configure in the authorize and authentication sections?

For basic peap, not much. Just configure eap.conf.

> *FreeRADIUS Version 1.0.1*

Why not run 1.1.6, which has many more bug fixes and features?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + ADS 2003 + ntlm_auth
Jacob Jarick wrote:
> Sorry to offend, but I have been seeing a lot of docs warn you of this etc., but seeing as there are so many conflicting documents, seeing the generic reply when I have read / googled high and low is quite frustrating.

The authors of the program you're using have told you what works and what doesn't. You have a hard time believing them, because of some random web page that isn't associated with the project. Is that really what you're saying?

If your boss tells you to come in to work at 9am, do you show up at noon, claiming confusion, because the 10 year old newspaper boy down the street said you could show up at noon?

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, I try to understand. I can only get answers from you guys when available, so yes I do go off and try random howtos (literally anything I can find) in the hopes I learn a bit more. But yes, I am now 100% clear on not setting Auth-Type. Thanks again Alan.

On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> So the big question is, what Auth-Type do I use?
>
> You have been told that you should not set it. That means "You should not set it". It does not mean "use another value".
>
>> If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.
>
> You're confused because you're not believing the messages on this list. LDAP is not an authentication server. When you say "authenticate against LDAP", you are talking nonsense. Other people have FreeRADIUS authenticating against Active Directory. They have done so by carefully following the guides.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FR + ADS 2003 + ntlm_auth
radiusd -X -f: http://pastebin.ca/455497

Alan, I have been trying to do my groundwork / homework is all, i.e. research before asking. It's simply a case of taking whatever support is available and not always being aware who the devs are. When nothing you have tried works, try something you haven't. It's rare to be told "don't google, ask". Anyway, I apologize for getting testy. I should have said "if there is a doc I should be reading, paste the link", rather than have me google, find the incorrect one, then be told the howto/document is incorrect.

Now regarding your document Alan, page 12 of 20:

    Make sure that the following lines are uncommented and that the value is the same as indicated here
    authtype = MS-CHAP

Is this the line in question?

    # An example configuration for using /etc/smbpasswd.
    #
    #passwd etc_smbpasswd {
    #	filename = /etc/smbpasswd
    #	format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
    #	authtype = MS-CHAP
    #	hashsize = 100
    #	ignorenislike = no
    #	allowmultiplekeys = no
    #}

I ask because it is not under the "# Microsoft CHAP authentication" section at all.

I have checked through the tutorial again; all my config files were in order but ntlm_auth was failing for some reason, a reboot later and all was well again. Here is the output of my testing ntlm_auth, so you know I have the samba side working.

    [EMAIL PROTECTED] ~]# net join -U Administrator
    Administrator's password:
    Using short domain name -- TFXSCHOOL
    Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
    [EMAIL PROTECTED] ~]# wbinfo -a jacob%pass
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user jacob%pass with plaintext password
    challenge/response password authentication succeeded
    [EMAIL PROTECTED] ~]# ntlm_auth --request-nt-key --domain=tfxschool --username=jacob
    password:
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]#

So that's samba checking passwords fine.

I went through the whole log this time (sorry, bad habit of scrolling up for the last error then working on that one first):

    modcall: entering group MS-CHAP for request 6
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password

^ Does that mean it did not get sent the password, or simply that it didn't find User-Password so it's using the found NT-Password?

And just below that (me feels silly) I see:

    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 6
    modcall: leaving group MS-CHAP (returns reject) for request 6

Looking at resolving that issue right now.

On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> Sorry to offend, but I have been seeing a lot of docs warn you of this etc., but seeing as there are so many conflicting documents, seeing the generic reply when I have read / googled high and low is quite frustrating.
>
> The authors of the program you're using have told you what works and what doesn't. You have a hard time believing them, because of some random web page that isn't associated with the project. Is that really what you're saying?
>
> If your boss tells you to come in to work at 9am, do you show up at noon, claiming confusion, because the 10 year old newspaper boy down the street said you could show up at noon?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
How to add OTP validation to FreeRadius
Hi all,

I have to find a solution that integrates the use of OTP (One Time Password) as a second-factor authentication, in addition to the first-factor authentication (which is generally username and password), into an existing authentication system. This solution should be integrated easily into the existing authentication system regardless of the protocol used for authentication (Radius, Kerberos, Http, EAP, etc.) and regardless of the OS.

My questions are:

1- What are the possibilities and the facilities offered by FreeRadius?
2- I thought about two solutions:
   a- Developing a plug-in that could be integrated into the existing authentication system. This plug-in will interact with the OTP server for OTP validation.
   b- Installing a radius server in front of the existing IT system. This server will be configured in a way that it will redirect first-factor authentication requests (example: username/password) to the existing authentication system and the OTP second-factor authentication to the hosted OTP services server, and give access to the user only when these 2 factors are valid.

I have no idea about Radius. And these are general ideas and I want someone to tell me if these solutions are possible and how to proceed. What is best or better to do? Is there any other solution?

Waiting for your response. Thanks in advance.
Re: FR + ADS 2003 + ntlm_auth
For anyone else who might have the same problem, it was resolved by the following cmd:

    chgrp radiusd /var/cache/samba/winbindd_privileged/

original article: http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_10.htm

Thanks to google and Alan for tipping me off. Yes I am about to backup everything :P before resuming ldap.

On 4/24/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> radiusd -X -f: http://pastebin.ca/455497
>
> Alan, I have been trying to do my groundwork / homework is all, i.e. research before asking. It's simply a case of taking whatever support is available and not always being aware who the devs are. When nothing you have tried works, try something you haven't. It's rare to be told "don't google, ask". Anyway, I apologize for getting testy. I should have said "if there is a doc I should be reading, paste the link", rather than have me google, find the incorrect one, then be told the howto/document is incorrect.
>
> Now regarding your document Alan, page 12 of 20:
>
>     Make sure that the following lines are uncommented and that the value is the same as indicated here
>     authtype = MS-CHAP
>
> Is this the line in question?
>
>     # An example configuration for using /etc/smbpasswd.
>     #
>     #passwd etc_smbpasswd {
>     #	filename = /etc/smbpasswd
>     #	format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
>     #	authtype = MS-CHAP
>     #	hashsize = 100
>     #	ignorenislike = no
>     #	allowmultiplekeys = no
>     #}
>
> I ask because it is not under the "# Microsoft CHAP authentication" section at all.
>
> I have checked through the tutorial again; all my config files were in order but ntlm_auth was failing for some reason, a reboot later and all was well again. Here is the output of my testing ntlm_auth, so you know I have the samba side working.
>
>     [EMAIL PROTECTED] ~]# net join -U Administrator
>     Administrator's password:
>     Using short domain name -- TFXSCHOOL
>     Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
>     [EMAIL PROTECTED] ~]# wbinfo -a jacob%pass
>     plaintext password authentication failed
>     error code was NT_STATUS_NO_SUCH_USER (0xc064)
>     error messsage was: No such user
>     Could not authenticate user jacob%pass with plaintext password
>     challenge/response password authentication succeeded
>     [EMAIL PROTECTED] ~]# ntlm_auth --request-nt-key --domain=tfxschool --username=jacob
>     password:
>     NT_STATUS_OK: Success (0x0)
>     [EMAIL PROTECTED] ~]#
>
> So that's samba checking passwords fine.
>
> I went through the whole log this time (sorry, bad habit of scrolling up for the last error then working on that one first):
>
>     modcall: entering group MS-CHAP for request 6
>     rlm_mschap: No User-Password configured. Cannot create LM-Password.
>     rlm_mschap: No User-Password configured. Cannot create NT-Password.
>     rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
>
> ^ Does that mean it did not get sent the password, or simply that it didn't find User-Password so it's using the found NT-Password?
>
> And just below that (me feels silly) I see:
>
>     Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
>     Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>     Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
>     Exec-Program: returned: 1
>     rlm_mschap: External script failed.
>     rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>     modcall[authenticate]: module mschap returns reject for request 6
>     modcall: leaving group MS-CHAP (returns reject) for request 6
>
> Looking at resolving that issue right now.
>
> On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:
>> Jacob Jarick wrote:
>>> Sorry to offend, but I have been seeing a lot of docs warn you of this etc., but seeing as there are so many conflicting documents, seeing the generic reply when I have read / googled high and low is quite frustrating.
>>
>> The authors of the program you're using have told you what works and what doesn't. You have a hard time believing them, because of some random web page that isn't associated with the project. Is that really what you're saying?
>>
>> If your boss tells you to come in to work at 9am, do you show up at noon, claiming confusion, because the 10 year old newspaper boy down the street said you could show up at noon?
>>
>> Alan DeKok.
>> --
>> http://deployingradius.com - The web site of the book
>> http://deployingradius.com/blog/ - The blog
Re: NAS not accepting the Access-Accept?
>     testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
>             Service-Type := Administrative-User

Hmm, not all NAS will request Service-Type 6 (Administrative-User); all ours request Service-Type 7 (NAS-Prompt-User), but still respect the access level sent back in the reply... To make matters even more interesting, ours support user elevation via the command line, in which case it will send a request with Service-Type 6... So for your final implementation, it's best to support both and then decide on an access level on a per-user basis.
EAP-TLS: getting updated CRLs via cron for use with check_crl = yes option for EAP-TLS client-authN
Hi, here is a pointer to a useful script I use to fetch updated CRLs for client-certificate issuing CAs from their http CDPs via cron:

    http://dist.eugridpma.info/distribution/util/fetch-crl/

Just add a restart for the radiusd to make it aware of new CRLs.

--
Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
EAP MD5 with Accounting
Hi All,

I was wondering, if I were to perform authentication using EAP MD5, does it accommodate for Accounting in FreeRADIUS?

Many Thanks.
Re: EAP MD5 with Accounting
Hi,

> Hi All, I was wondering if I were to perform authentication using EAP MD5, does it accommodate for Accounting in FreeRADIUS?

Accounting is something that your NAS does. If the NAS does accounting and can account for such sessions then it'll just work(tm).

alan
Re: Autotools related problems in freeradius 1.1.6
On Mon, Apr 23, 2007 at 04:39:22PM +0200, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
>> If I do ./configure --prefix=/opt/freeradius the build scripts presume that --enable-developer is true.
>
> That may be an issue only in 1.1.6. You should be able to change it by doing --disable-developer.

This is exactly what I did. The reason I mention it is because I think the default should be sane in future releases of freeradius (that is, developer options switched off by default).

>> This has the effect that -DNDEBUG is not defined in CFLAGS during compilation, among other things, so the rad_assert() function can abort freeradius operation in production environments.
>
> Which is not necessarily a bad thing. Yes, it's bad for your RADIUS server to go down. It's arguably worse for the RADIUS server to keep running, and doing... something... after it notices that internal sanity checks have failed.

I disagree with you on this one Alan. I discovered all these issues I mention the hard way, after our radius server stopped running at random times (after a failure in rad_assert() in request_list.c around the section

    ...
    static int refresh_request(REQUEST *request, void *data)
    ...
    	/*
    	 *	If the request is marked as a delayed reject, AND it's
    	 *	time to send the reject, then do so now.
    	 */
    	if (request->finished &&
    	    ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) != 0)) {
    		rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
    ...

). In production environments the server should be able to at least report the errors it encounters and continue operations. Service availability is the most important. In our case, after I recompiled freeradius with the -DNDEBUG option set, we noticed no further noticeable problems in our radius service.

I believe that by default, --enable-developer should be false unless explicitly set during configure.

>> Let me know if you need anything else to trace the issue.
>
> It's just a couple of lines of shell scripting in configure.in.
As far as I can tell, the following minor patch should take care of the issue of having developer flags switched off be default: --- configure.in.orig Tue Apr 24 12:02:13 2007 +++ configure.inTue Apr 24 12:02:40 2007 @@ -278,11 +278,11 @@ AC_ARG_ENABLE(developer, [ --enable-developer Enables features of interest to developers.], [ case $enableval in -no) - developer=no +yes) + developer=yes ;; *) - developer=yes + developer=no esac ] ) Moreover, in a Solaris 9 environment --enable-developer or --disable-developer seem to be ignored and someone should define CFLAGS explicitly in the configure command to define -NDEBUG macro. I didn't manage to undestand however why in a Solaris environment, --disable-developer seems to be ignored. Even if I set --disable-developer in configure, the -DNDEBUG macro is not passed in compilation options. Find attached (a gzipped) BUILD log in my environment. Thanks, Kostas Zorbadelos Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html BUILD.solaris-disable-developer.log.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
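Review bot: the swapped `yes)` / `*)` branches live inside AC_ARG_ENABLE's action-if-given, so they only run when `--enable-developer` or `--disable-developer` is actually on the command line; by itself the hunk does not decide what a bare `./configure --prefix=...` does. No action-if-not-given argument is visible in the hunk, so the place where `developer` gets its value when the option is absent should be checked and set to `developer=no` as well, otherwise the default this patch means to change stays as it was. Two smaller points: the help string still reads `--enable-developer Enables features of interest to developers.` and should name the option and behaviour that go with the new default, and nothing in this hunk touches where `-DNDEBUG` is added to CFLAGS, so it cannot account for the Solaris case described after it where `--disable-developer` is ignored; that needs a separate look at the CFLAGS logic.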
Re: Autotools related problems in freeradius 1.1.6
Kostas Zorbadelos wrote:
> This is exactly what I did. The reason I mention it is because I think the default should be sane in future releases of freeradius (that is, developer options switched off by default).

That's the intent, yes.

> I disagree with you on this one Alan. I discovered all these issues I mention the hard way, after our radius server stopped running at random times (after a failure in rad_assert() in request_list.c around the section ...
> In production environments the server should be able to at least report the errors it encounters and continue operations. Service availability is the most important.

My point was that it should continue doing *what*? The assertions are there to catch catastrophic failures in the code. If the assertion trips, it's doing so because the error is non-recoverable. If you disable the assertions, the server may look like it's still running. But there's no guarantee that it will do anything useful. It may crash randomly later, for reasons that are difficult to track down. The only *safe* thing to do is to revert to a known working state, i.e. restart from scratch.

> As far as I can tell, the following minor patch should take care of the issue of having developer flags switched off by default:

OK, thanks.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Postgres query error

From time to time I am getting this kind of error (after, for example, serving 2-3k requests), and after that freeradius just hangs and takes 90% of CPU. I am using freeradius 1.1.6 with threads. I tried to make it happen again and log it, but I could not find such data that causes the error. Maybe you have an idea what is causing that error, and moreover why freeradius hangs.

    Tue Apr 24 13:22:40 2007 : Error: rlm_sql_postgresql: PostgreSQL Query failed Error: ERROR: invalid message format

--
Dariusz Dwornikowski [EMAIL PROTECTED]
RE: NAS not accepting the Access-Accept?
Ok thanks! I am definitely seeing the NAS request Administrative-User in the Access-Request packet. I guess I wasn't returning it! Thanks for your help.

Matt

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: April 24, 2007 3:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: NAS not accepting the Access-Accept?

> Matt Ashfield wrote:
>> Hi, I have a network switch that I'm trying to configure to allow Console port authentication via RADIUS. In the documentation of the switch it says:
>>
>>     To provide each user with appropriate levels of access to the switch, set the following username attributes on your RADIUS server:
>>     - R/W access -- Set the Service-Type field value to Administrative
>>     - Read-Only -- set the Service-Type field value to NAS-Prompt
>>
>> So, in my users file, I have defined a user:
>>
>>     testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
>
> Which matches if there's a request for administrative user. You also have to acknowledge that request in the response, otherwise the NAS will not let the administrator in:
>
>     testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User
>             Service-Type := Administrative-User
>
>> However, when I run a packet capture, I see that no Radius attributes are being passed back to the NAS device. Shouldn't I be seeing the Administrative-User attribute?
>
> If you don't tell the server to send it back, no.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Autotools related problems in freeradius 1.1.6
On Tue, Apr 24, 2007 at 01:12:26PM +0200, Alan DeKok wrote:
> Kostas Zorbadelos wrote:
>> I disagree with you on this one Alan. I discovered all these issues I mention the hard way, after our radius server stopped running at random times (after a failure in rad_assert() in request_list.c around the section ...
>> In production environments the server should be able to at least report the errors it encounters and continue operations. Service availability is the most important.
>
> My point was that it should continue doing *what*? The assertions are there to catch catastrophic failures in the code. If the assertion trips, it's doing so because the error is non-recoverable. If you disable the assertions, the server may look like it's still running. But there's no guarantee that it will do anything useful. It may crash randomly later, for reasons that are difficult to track down. The only *safe* thing to do is to revert to a known working state, i.e. restart from scratch.

In the code snippet I sent, from what I can tell, nothing catastrophic happens. The code checks to see if it is time to send a delayed reject back to the client and asserts that there is no child thread that works on that request. Anyway, if the developer flags are switched off rad_assert() does nothing. This is the way it is defined:

    #ifdef NDEBUG
    #define rad_assert(expr) ((void) (0))
    #else
    #define rad_assert(expr) \
    	((void) ((expr) ? 0 : \
    		 rad_assert_fail (__FILE__, __LINE__)))
    #endif

So if someone compiles freeradius without developer flags he actually de-activates all assertions :)

>> As far as I can tell, the following minor patch should take care of the issue of having developer flags switched off by default:
>
> OK, thanks.

There is the Solaris issue however. I will try to track it down and send a patch for this too if I can.

Kostas Zorbadelos

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: override ldap reply attribute
[EMAIL PROTECTED] wrote:
> Here is the full debug-log.
> Airespace-Interface-Name value in ldap: 310
> value in users-file: 777
> as you can see, it doesn't override :-(
>
> users-file line 54, which matches:
>
>     DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777

Airespace-Interface-Name is a reply item while you are setting it as a check item. Correct way:

    DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99
            Airespace-Interface-Name := 777

> radiusd.conf authorize section:
>
>     authorize {
>         preprocess
>         eap
>         ldap_wlan
>         files
>     }
>
> as you can see, it's wlan-authentication with EAP on SSID:Test99
> don't know what else I can try :-(
> thanks in advance for your help!

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: override ldap reply attribute
Kostas Kalevras wrote:
> [EMAIL PROTECTED] wrote:
> > Here is the full debug-log.
> > Airespace-Interface-Name value in ldap: 310
> > value in users-file: 777
> > as you can see, it doesn't override :-(
> >
> > users-file line 54, which matches:
> >
> >     DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777
>
> Airespace-Interface-Name is a reply item while you are setting it as a check item. Correct way:
>
>     DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99
>             Airespace-Interface-Name := 777

IT WORKS! thanks a LOT :-)
Huntgroups/preprocess issue 1.1.6
If this is already a known issue, forgive me - I did not find anything in the archives or bug database that appeared relevant.

I'm trying to upgrade from FreeRADIUS 1.1.2 to 1.1.6 - building from source on Debian Linux (sarge). The build goes without a hitch, but when running the new version and using the existing configuration files I get the following (relevant output from 'radiusd -X'):

    ...
    Module: Loaded preprocess
     preprocess: huntgroups = /s/freeradius-1.1/etc/raddb/huntgroups
     preprocess: hints = /s/freeradius-1.1/etc/raddb/hints
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
     preprocess: with_alvarion_vsa_hack = no
    /s/freeradius-1.1/etc/raddb/huntgroups[30]: Parse error (check) for entry snt-console: Unknown value 1-22 for attribute NAS-Port
    rlm_preprocess: Error reading /s/freeradius-1.1/etc/raddb/huntgroups
    radiusd.conf[249]: preprocess: Module instantiation failed.
    radiusd.conf[341] Unknown module preprocess.
    radiusd.conf[340] Failed to parse authorize section.

The section in the huntgroups file it is choking on is this:

    snt-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1-22

If I comment that line out, it also chokes on this entry with a slightly different error ("= expected"):

    nci-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1,25-32

So - did the syntax for huntgroups change or is this a real bug? This config works fine with 1.1.2 - I have not tried any of the versions between 1.1.2 and 1.1.6 to narrow down the issue. I can send the full debug output if needed but I didn't want to clobber the list unnecessarily.

Thanks,
Craig
RES: Re: PEAP/EAP-TLS with client and server certificate
> > I'm trying to configure freeradius with PEAP + EAP-TLS, but I'm making some confusion to configure the radiusd.conf (sections authorize and authentication) and eap.conf. Has someone implemented this configuration?
>
> Yes. Many people.
>
> > In the eap.conf file the default eap type is TLS or PEAP?
>
> If you're doing PEAP, then it should be peap.
>
> > What do I have to configure in the authorize and authentication sections?
>
> For basic peap, not much. Just configure eap.conf.

OK. But I'm trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients with EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication is not. So in the peap section in the eap.conf, what do I have to configure for default eap type? Is it tls? If I configure tls, do I have to create a tls section in the peap section, or is the tls section of the eap.conf enough? I've attached my eap.conf file.

Thanks!!

eap.conf:

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types

        # EAP-TLS
        tls {
            private_key_password = x
            private_key_file = ${raddbdir}/certs/freeradius_key.pem
            certificate_file = ${raddbdir}/certs/freeradius_cert.pem
            CA_file = ${raddbdir}/certs/demoCA/cacert.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            fragment_size = 1024
            include_length = yes
        }

        peap {
            default_eap_type = tls
        }

        #tls {
        #    private_key_password = x
        #    private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #    certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #    dh_file = ${raddbdir}/certs/dh
        #    random_file = ${raddbdir}/certs/random
        #    fragment_size = 1024
        #    include_length = yes
        #}

        #mschapv2 {
        #}
    }

> > *FreeRADIUS Version 1.0.1*
>
> Why not run 1.1.6, which has many more bug fixes and features?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Huntgroups/preprocess issue 1.1.6
> The build goes without a hitch, but when running the new version and using the existing configuration files I get the following (relevant output from 'radiusd -X'):

The problem IMHO is in using the existing configuration: I had similar issues until I ported mine to the new configuration files, half an hour of work.
Re: Huntgroups/preprocess issue 1.1.6
inverse wrote:
> > The build goes without a hitch, but when running the new version and using the existing configuration files I get the following (relevant output from 'radiusd -X'):
>
> The problem IMHO is in using the existing configuration: I had similar issues until I ported mine to the new configuration files, half an hour of work.

That is sort of the question - what is there to port? I don't see any documentation saying the format of the huntgroups file changed from 1.1.2 to 1.1.6. I can understand having to port config files when making a major version leap (e.g. 0.9.3 -> 1.1.x), but for a minor version change?

--Craig
radius accounting problem on Wintendo
Hi.

Freeradius on wintendo seems to have a problem with accounting. It sends the accounting data as hex values.

    Bay-Networks-Attr-196 = 0x73686f77206c6f672066696c65207461696c
    Bay-Networks-Attr-196 = 0x65786974

The strange thing is that this works on Linux and Sun. And the dictionary.bay doesn't contain Attr-196, neither on Linux nor on Windows.

Any clue?
Re: Potgres query error
I am getting more of that... What is happening? The thread pool is big enough, also the pg connection pool.

    Tue Apr 24 15:30:13 2007 : Error: rlm_sql_postgresql: PostgreSQL Query failed Error:
    Tue Apr 24 15:30:13 2007 : Auth: Login OK: [CMD chemx001 0126850030 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:13 2007 : Auth: Login OK: [CMD lloyd001 00442082067000 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:13 2007 : Error: Discarding duplicate request from client openser:33770 - ID: 182 due to unfinished request 525
    Tue Apr 24 15:30:14 2007 : Error: Discarding duplicate request from client openser:33771 - ID: 183 due to unfinished request 526
    Tue Apr 24 15:30:14 2007 : Auth: Login OK: [CMD andrzejr001 0612810807 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:14 2007 : Error: Discarding duplicate request from client openser:33772 - ID: 184 due to unfinished request 527
    Tue Apr 24 15:30:14 2007 : Auth: Login OK: [CMD promesa012 0413445101 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:14 2007 : Auth: Login OK: [CMD poligrafiap002 0618221153 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:14 2007 : Auth: Login OK: [CMD komptom001 0426373848 [EMAIL PROTECTED]/no User-Password attribute] (from client openser port 0)
    Tue Apr 24 15:30:14 2007 : Error: Discarding duplicate request from client openser:33776 - ID: 187 due to unfinished request 530

On 2007-04-24, at 13:34, Dariusz Dwornikowski wrote:
> From time to time I am getting this kind of error (after for example serving 2-3k requests), and after that freeradius just hangs and takes 90% of CPU. I am using freeradius 1.1.6 with threads. I tried to make it happen again and log it but I could not meet such data that causes the error.
>
> Maybe you have an idea what is happening with that error, and moreover why freeradius hangs.
>
>     Tue Apr 24 13:22:40 2007 : Error: rlm_sql_postgresql: PostgreSQL Query failed Error: ERROR: invalid message format
>
> --
> Dariusz Dwornikowski [EMAIL PROTECTED]

--
Dariusz Dwornikowski [EMAIL PROTECTED]
rlm_eap_tls: SSL_read failed in a system call
Hello all,

I saw there was a bit of talk in 2006 over this issue, but I wasn't able to track down a definitive solution. We're running FreeRADIUS 1.1.5 with EAP/TTLS (openSSL 0.9.8d) on Solaris 10. The server will come up and process clients for a few days, but every now and then it begins denying all auth-requests with the following error:

    Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.notice] Login incorrect (rlm_ldap: User not found): [anonymous] (from client VillanovaWireless port 5191 cli 000b.7d22.b3a9)
    Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] TLS Alert write:fatal:bad record mac
    Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] TLS_accept:error in SSLv3 read certificate verify A
    Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] rlm_eap: SSL error error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
    Apr 24 09:56:12 as2.villanova.edu radiusd[1033]: [ID 702911 daemon.error] rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

A restart makes the server happy and it goes back to properly auth'ing clients... As of the moment I'm compiling FreeRADIUS 1.1.6 and hoping for some improvement, but does anyone have any additional advice or experience with this issue? ...or better yet, does anyone know the fix?

Thanks for your time!
..Sean.
Re: Huntgroups/preprocess issue 1.1.6
Craig Huckabee wrote:
> That is sort of the question - what is there to port? I don't see any documentation saying the format of the huntgroups file changed from 1.1.2 to 1.1.6.

It didn't, but the parser got more careful. It used to accept (and ignore) things that the server didn't support. It now complains about them.

> I can understand having to port config files when making a major version leap (e.g. 0.9.3 -> 1.1.x), but for a minor version change?

Your previous configuration didn't do what you expected. It's not porting, it's bug fixing, because the error messages just got better.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
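Both the "override ldap reply attribute" thread and this huntgroups thread come down to how the users/huntgroups "files" format is parsed: a reply item such as Airespace-Interface-Name does not belong on the check line, NAS-Port is an integer attribute so "1-22" is an unknown value, and "1,25-32" splits at the comma into a second item with no operator (the "= expected" error). The lint below is an added example, not FreeRADIUS code; the reply-only and integer attribute sets are assumptions chosen to cover the cases in the two threads.

```python
"""Lint check/reply items in FreeRADIUS 'users' / 'huntgroups' style files.

Added example, not FreeRADIUS code. Entries start in column 0 with a name
followed by comma-separated check items; indented continuation lines hold
reply items.
"""
import re
from typing import List, Tuple

# Operators valid on the check line vs. on reply lines (users(5) format).
CHECK_OPS = {"==", ":=", "=~", "!~", "!=", ">", ">=", "<", "<=", "=*", "!*"}
REPLY_OPS = {"=", ":=", "+="}

# Assumed for this example: attributes only meaningful as reply items, and
# attributes whose dictionary type is integer (named values are allowed).
REPLY_ONLY = {"Airespace-Interface-Name", "Reply-Message"}
INTEGER_ATTRS = {"NAS-Port", "Service-Type", "Framed-Protocol"}

ITEM_RE = re.compile(
    r"^([\w-]+)\s*(==|:=|\+=|=~|!~|!=|>=|<=|=\*|!\*|>|<|=)\s*(.*?)\s*$")
INT_VALUE_RE = re.compile(r"\d+|[A-Za-z][\w-]*")


def split_items(s: str) -> List[str]:
    """Split 'a == 1, b := 2' on commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def lint_item(item: str, on_check_line: bool) -> List[str]:
    """Problems with one 'Attribute op value' item; empty list if it is fine."""
    m = ITEM_RE.match(item)
    if not m:
        # What radiusd reports as '= expected': a token with no operator.
        return [f"'{item}': operator expected"]
    attr, op, value = m.groups()
    value = value.strip('"')
    problems = []
    if on_check_line:
        if op not in CHECK_OPS:
            problems.append(f"'{attr}': '{op}' is not a check operator")
        if attr in REPLY_ONLY:
            problems.append(f"'{attr}' is a reply item but is on the check line")
    elif op not in REPLY_OPS:
        problems.append(f"'{attr}': '{op}' is not a reply operator")
    if attr in INTEGER_ATTRS and not INT_VALUE_RE.fullmatch(value):
        problems.append(f"Unknown value {value} for attribute {attr}")
    return problems


def lint(text: str) -> List[Tuple[int, str]]:
    """Lint a whole file; returns (line number, message) pairs in file order."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                   # reply items of the current entry
            items, on_check = split_items(raw), False
        else:                                 # entry name, then check items
            parts = raw.split(None, 1)
            items = split_items(parts[1]) if len(parts) > 1 else []
            on_check = True
        for item in items:
            for msg in lint_item(item, on_check):
                found.append((lineno, msg))
    return found


# Constructed sample: the wrong and right users entries from the thread, then
# the two huntgroups lines that 1.1.6 rejects ('aaa.bbb.ccc.ddd' is the
# placeholder the poster used).
SAMPLE = """\
DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99, Airespace-Interface-Name := 777
DEFAULT Called-Station-Id == 00-1A-30-2E-C9-60:Test99
        Airespace-Interface-Name := 777
snt-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1-22
nci-console NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 1,25-32
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```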
Re: RES: Re: PEAP/EAP-TLS with client and server certificate
Marcelo Augusto Rodrigues Pimentel wrote:
> OK. But I'm trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients with EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication is not.

What second part of EAP-TLS? The server supports authenticating via client certificates, and nothing else.

> So in the peap section in the eap.conf, what do I have to configure for default eap type? Is it tls?

No. You can leave it alone. It's fine.

> If I configure tls, do I have to create a tls section in the peap section, or is the tls section of the eap.conf enough? I've attached my eap.conf file.

If you want to use just TLS, you don't need the PEAP section. If you want to use PEAP, you need the TLS section. The comments in the eap.conf file explain this.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: radius accounting problem on Wintendo
Peder Bach wrote:
> Freeradius on wintendo seems to have a problem with accounting. It sends the accounting data as hex values.

No. It's *printing* them as hex, because it doesn't know what they are.

>     Bay-Networks-Attr-196 = 0x73686f77206c6f672066696c65207461696c
>     Bay-Networks-Attr-196 = 0x65786974
>
> The strange thing is that this works on Linux and Sun. And the dictionary.bay doesn't contain Attr-196, neither on Linux nor on Windows.

See? It doesn't know what attribute 196 is.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
libradius error
Hi,

I'm having a small problem with radwho/libradius. When I give a 'radwho' command, I receive the following error:

    radwho: error while loading shared libraries: libradius-1.1.6.so: cannot open shared object file: No such file or directory

I've installed FreeRadius following the guidelines for Debian from the wiki, including mysql support. FreeRadius itself works fine, as does access to the mysql base. The mentioned libradius file is in /usr/lib/freeradius, and the radius.conf file has the following entry (it's the pre-installed entry, I didn't change it):

    libdir = /usr/lib/freeradius

So freeradius should find the library file. I'm running FreeRadius version 1.1.6, in a fresh Debian Etch install. Any ideas?

Thank you very much,

Marcos Roberto Greiner

The -x output from freeradius is the following (although, as I said, FreeRadius itself works fine).

    Starting - reading configuration files ...
    Using deprecated naslist file. Support for this will go away soon.
    Module: Loaded exec
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    Module: Instantiated mschap (mschap)
    Module: Loaded eap
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    rlm_eap: Loaded and initialized type gtc
    rlm_eap: Loaded and initialized type mschapv2
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    Module: Instantiated realm (suffix)
    Module: Loaded files
    Module: Instantiated files (files)
    Module: Loaded SQL
    rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
    rlm_sql (sql): starting 0
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
    rlm_sql_mysql: Starting connect to MySQL server for #0
    rlm_sql (sql): Connected new DB handle, #0
    rlm_sql (sql): starting 1
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
    rlm_sql_mysql: Starting connect to MySQL server for #1
    rlm_sql (sql): Connected new DB handle, #1
    rlm_sql (sql): starting 2
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
    rlm_sql_mysql: Starting connect to MySQL server for #2
    rlm_sql (sql): Connected new DB handle, #2
    rlm_sql (sql): starting 3
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
    rlm_sql_mysql: Starting connect to MySQL server for #3
    rlm_sql (sql): Connected new DB handle, #3
    rlm_sql (sql): starting 4
    rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
    rlm_sql_mysql: Starting connect to MySQL server for #4
    rlm_sql (sql): Connected new DB handle, #4
    rlm_sql (sql): - generate_sql_clients
    rlm_sql (sql): Query: SELECT * FROM nas
    rlm_sql (sql): Reserving sql socket id: 4
    rlm_sql (sql): Read entry nasname=localhost,shortname=local,secret=foobar
    rlm_sql (sql): Adding client 127.0.0.1 (local) to clients list
    rlm_sql (sql): Read entry nasname=a.b.c.d,shortname=xxx,secret=s3mf!o/
    rlm_sql (sql): Adding client a.b.c.d (xxx) to clients list
    rlm_sql (sql): Read entry
    [Cut: more entries from the nas table in mysql]
    rlm_sql (sql): Released sql socket id: 4
    Module: Instantiated sql (sql)
    Module: Loaded Acct-Unique-Session-Id
    Module: Instantiated acct_unique (acct_unique)
    Module: Loaded detail
    Module: Instantiated detail (detail)
    Module: Loaded System
    Module: Instantiated unix (unix)
    Module: Loaded radutmp
    Module: Instantiated radutmp (radutmp)
    Initializing the thread pool...
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.

--
Marcos Roberto Greiner

Optimists think we live in the best of all possible worlds.
Pessimists fear that this is true.
Murphy
RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate
Marcelo Augusto Rodrigues Pimentel wrote:
> > OK. But I'm trying to use peap to make an encrypted tunnel validating the server certificate and then I want to authenticate the clients with EAP-TLS using client/server certificate. The TLS tunnel is working fine, but the second part of EAP-TLS authentication is not.
>
> What second part of EAP-TLS? The server supports authenticating via client certificates, and nothing else.

I said two parts, because those parts of my configuration use TLS:

The first part is making the encrypted tunnel using PEAP -- only validates the server certificate to create the tunnel.

The second part is the authentication inside the tunnel with EAP-TLS -- mutual validation of client and server certificate.

This configuration is like George Ou said below:

    ... PEAP-EAP-TLS is an improved version of the original EAP-TLS protocol that goes further to encrypt client digital certificate information. Both PEAP-EAP-TLS and EAP-TLS have the same server and client side digital certificate requirements. ...

Reference: Wireless LAN security guide -- Level 3: Medium to large Enterprise WLAN security
http://www.lanarchitect.net/Articles/Wireless/SecurityRating/

Thanks!

> > So in the peap section in the eap.conf, what do I have to configure for default eap type? Is it tls?
>
> No. You can leave it alone. It's fine.
>
> > If I configure tls, do I have to create a tls section in the peap section, or is the tls section of the eap.conf enough? I've attached my eap.conf file.
>
> If you want to use just TLS, you don't need the PEAP section. If you want to use PEAP, you need the TLS section. The comments in the eap.conf file explain this.
More on double free or corruption errors
I strongly suspect it's a Fedora problem, not a Freeradius problem. (Or else I made a boo-boo configuring the OS.)

Alan DeKok replied to matthew zeier:
> Let me be clear: I cannot reproduce this problem here. No one else has seen the same problem.

May or may not be relevant, but I've got two supposedly identical Fedora 6 machines; one gets a similar error, the other doesn't! Both upgraded with yum to current level, followed by manual install and configure of Freeradius 1.1.5 - I cut and pasted the commands from one machine to the other and I FTPed the files including ones I modified. (And the one it works on is the SECOND one I installed, so it's not a failure to copy correctly!)

I think there must be some difference in my /usr/local/lib/libltdl.so.3.1.4 - they are slightly different sizes. I have no idea why, I used the same commands to install both systems. I will compare them.

Just in case it means anything to anyone I attach the command output, but as I said my guess is it's a Fedora problem.

    [EMAIL PROTECTED] raddb]# radiusd -v
    radiusd: FreeRADIUS Version 1.1.5, for host i686-pc-linux-gnu, built on Mar 9 2007 at 13:16:16
    Copyright (C) 2000-2006 The FreeRADIUS server project.
    [EMAIL PROTECTED] raddb]# radiusd -X
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
     main: prefix = /usr/local
     main: localstatedir = /usr/local/var
     main: logdir = /usr/local/var/log/radius
     main: libdir = /usr/local/lib
     main: radacctdir = /usr/local/var/log/radius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /usr/local/var/log/radius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
     main: user = (null)
     main: group = (null)
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/local/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
    *** glibc detected *** radiusd: double free or corruption (fasttop): 0x81029498 ***
    === Backtrace: ===
    /lib/libc.so.6[0x24b09d]
    /lib/libc.so.6(cfree+0x90)[0x24e6f0]
    /usr/local/lib/libltdl.so.3[0x14151b]
    /usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x141eae]
    radiusd(find_module_instance+0x317)[0x8000cbb7]
    radiusd(setup_modules+0x1d8)[0x8000d168]
    radiusd(main+0x45c)[0x8001079c]
    /lib/libc.so.6(__libc_start_main+0xdc)[0x1faf2c]
    radiusd[0x80004771]
Re: Potgres query error
On Tue 24 Apr 2007, Dariusz Dwornikowski wrote:
> I am getting more of that... What is happening? The thread pool is big enough, also the pg connection pool.

This is probably because your backend is getting too slow to keep up. Check that your indexes are correct, and that you have autovacuum enabled. Alternatively there could be a memory leak or something else nasty. Please check your memory stats...

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Potgres query error
On 2007-04-24, at 21:55, Peter Nixon wrote:
> On Tue 24 Apr 2007, Dariusz Dwornikowski wrote:
> > I am getting more of that... What is happening? The thread pool is big enough, also the pg connection pool.
>
> This is probably because your backend is getting too slow to keep up. Check that your indexes are correct, and that you have autovacuum enabled. Alternatively there could be a memory leak or something else nasty. Please check your memory stats...

Nope. It is not the database, it works very fast. There are indexes.

> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

--
Dariusz Dwornikowski [EMAIL PROTECTED]
User /etc/shadow for Authentication
How do I setup users tester-a to use /etc/shadow for authentication? Currently I have

    tester-a Auth-Type := Local, User-Password == superuser
            cisco-avpair = shell:priv-lvl=15,
            Service-Type = Administrative-User

Norman
Re: User /etc/shadow for Authentication
Norman Zhang wrote:
> How do I setup users tester-a to use /etc/shadow for authentication? Currently I have
>
>     tester-a Auth-Type := Local, User-Password == superuser
>             cisco-avpair = shell:priv-lvl=15,
>             Service-Type = Administrative-User

I would start by reading radiusd.conf. Look for every instance of the word shadow and read those comments. Then setup the unix module properly. Make sure the user/group that radiusd runs as can read /etc/shadow.

Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).

Make sure you have the unix module referenced in the *authorize* section at the bottom of the conf file.

Oh, and obviously you'll want to remove (or at least change) that entry in the users file.

Run the server in debug mode (radiusd -X) and test. I've never tried to use /etc/shadow myself, but the comments in the config file should get you 90% there.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
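As an added example (not FreeRADIUS code) of the PAP versus CHAP point above: with PAP the server recovers the cleartext from the User-Password attribute (RFC 2865 section 5.2) and can hash it for comparison, while a CHAP response is MD5(ident || secret || challenge) per RFC 1994 and can only be recomputed from the cleartext, so a crypt-style hash cannot verify it. crypt(3) is replaced by a salted SHA-256 stand-in (an assumption made for portability), and the shared secret, authenticator, salt and challenge are constructed values.

```python
"""PAP vs CHAP against a hashed (/etc/shadow-style) password store.

Added example, not FreeRADIUS code. crypt(3) is replaced by a salted SHA-256
stand-in so the example runs anywhere; the principle is identical.
"""
import hashlib
import hmac


def shadow_hash(password: str, salt: bytes) -> str:
    """Stand-in for a crypt(3) hash: '$demo$<salt hex>$<sha256 hex>'."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"$demo${salt.hex()}${digest}"


def check_shadow(stored: str, cleartext: str) -> bool:
    """All a hashed store allows: hash the offered cleartext and compare."""
    _, _, salt_hex, digest = stored.split("$")
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + cleartext.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RFC 2865 s5.2: pad to 16-octet blocks and XOR each block
    with MD5(shared secret || previous block), the Request Authenticator first."""
    pad = -len(password) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encoded[i:i + 16], block))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def verify_pap(stored: str, user_password: bytes, secret: bytes, authenticator: bytes) -> bool:
    """PAP works: the server recovers the cleartext, so a crypt-style hash suffices."""
    cleartext = decode_user_password(user_password, secret, authenticator)
    return check_shadow(stored, cleartext.decode(errors="replace"))


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(known_password: bytes, chap_password: bytes, challenge: bytes) -> bool:
    """CHAP-Password is ident(1) || response(16); recomputing it needs the cleartext."""
    ident, response = chap_password[0], chap_password[1:]
    return hmac.compare_digest(chap_response(ident, known_password, challenge), response)


def verify_chap_from_shadow(stored: str, chap_password: bytes, challenge: bytes) -> bool:
    """CHAP fails: the only secret the server holds is the hash string, and
    MD5(id || hash || challenge) is never what the client computed."""
    return verify_chap(stored.encode(), chap_password, challenge)


# Constructed sample material (shared secret, authenticator, salt, challenge).
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
STORED = shadow_hash("superuser", bytes.fromhex("0123456789abcdef"))
CHALLENGE = b"\xa5" * 16


def demo() -> dict:
    """The four cases the compatibility table predicts for a crypt-style store."""
    pap_good = encode_user_password(b"superuser", SECRET, AUTHENTICATOR)
    pap_bad = encode_user_password(b"guess", SECRET, AUTHENTICATOR)
    chap = bytes([7]) + chap_response(7, b"superuser", CHALLENGE)
    return {
        "pap_correct_password": verify_pap(STORED, pap_good, SECRET, AUTHENTICATOR),
        "pap_wrong_password": verify_pap(STORED, pap_bad, SECRET, AUTHENTICATOR),
        "chap_with_cleartext": verify_chap(b"superuser", chap, CHALLENGE),
        "chap_with_shadow_hash": verify_chap_from_shadow(STORED, chap, CHALLENGE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accept' if result else 'reject'}")
```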
Re: User /etc/shadow for Authentication
Dennis Skinner wrote:
> Norman Zhang wrote:
> > How do I setup users tester-a to use /etc/shadow for authentication? Currently I have
> >
> >     tester-a Auth-Type := Local, User-Password == superuser
> >             cisco-avpair = shell:priv-lvl=15,
> >             Service-Type = Administrative-User
>
> I would start by reading radiusd.conf. Look for every instance of the word shadow and read those comments. Then setup the unix module properly. Make sure the user/group that radiusd runs as can read /etc/shadow.

Thanks. Changed /etc/shadow to 444 for now. Also

    unix {
        password = /etc/password
        group = /etc/group
        shadow = /etc/shadow
    }

are uncommented in radiusd.conf

> Make sure you are *only* using PAP. CHAP encrypts the password over the wire and you cannot compare crypt to crypt. One of them needs to be cleartext (this is a limitation of encryption, not FreeRADIUS). See the table here: http://deployingradius.com/documents/protocols/compatibility.html (you are using Unix Crypt).

    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }

still fails. I guess I need to configure users. Will run radiusd -X to debug.

Norman
Re: libradius error
Roberto Greiner wrote:
> When I give a 'radwho' command, I receive the following error:
>
>     radwho: error while loading shared libraries: libradius-1.1.6.so: cannot open shared object file: No such file or directory

Try doing:

    ldd radwho

> The mentioned libradius file is in /usr/lib/freeradius

Hmm... that's likely the issue. The dynamic linker doesn't know about /usr/lib/freeradius, and radwho isn't smart enough to read the config files to set up libdir appropriately.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: RES: Re: RES: Re: PEAP/EAP-TLS with client and server certificate
Marcelo Augusto Rodrigues Pimentel wrote:
> I said two parts, because those parts of my configuration use TLS:
>
> The first part is making the encrypted tunnel using PEAP -- only validates the server certificate to create the tunnel.
>
> The second part is the authentication inside the tunnel with EAP-TLS -- mutual validation of client and server certificate.

FreeRADIUS doesn't support EAP-TLS inside of PEAP. It's also unnecessary. PEAP can have client certificates, and therefore doesn't need an inner TLS stage for client certificates.

> This configuration is like George Ou said below:

Which isn't supported in FreeRADIUS. If you tried using it on the client side, and running the server in debugging mode, the server would tell you it isn't supported. I'm not even sure that the Windows supplicant supports it.

If you want the server to support it, there are a number of options open to you. Send in patches, or fund someone to write the patches.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: EAP MD5 with Accounting
accounting is something that your NAS does. if the NAS does accounting and can account for such sessions then it'll just work(tm)

I notice that there are accounting sections in some of the configuration files, such as radius.conf. If accounting is performed by my NAS, then what does the accounting in FreeRADIUS do? Maybe you can elaborate on what you mean? I'm new to FreeRADIUS. Any help is appreciated. Thanks!

From: [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: EAP MD5 with Accounting
Date: Tue, 24 Apr 2007 10:58:16 +0100

Hi,

Hi All, I was wondering if I were to perform authentication using EAP MD5, does it accommodate for Accounting in FreeRADIUS?

accounting is something that your NAS does. if the NAS does accounting and can account for such sessions then it'll just work(tm)

alan
MySQL MSSQL
Hello list,

Has anybody managed to configure freeradius to pull authorization information from MySQL and MSSQL (via ODBC/freetds) at the same time?

I presently have a working configuration
Freeradius + Mysql + passwd + userfiles + NIS (via PAM)
And I'm actually able to do
Freeradius + MSSQL + passwd + userfiles + NIS (via PAM)
But I'm not able to do all of them at the same time
Freeradius + MSSQL + Mysql + passwd + userfiles + NIS (via PAM)
only by switching lines in the radius.conf file
#$INCLUDE ${confdir}/sql.conf
#$INCLUDE ${confdir}/mssql.conf

But, is there a way to configure a failover to ask MSSQL and then MySQL and have both modules running at the same time?

Thanks in advance list users, any help will be appreciated!
pam_radius: multiple bad logins hitting radius server
I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend that authenticates to an MS AD server. I'm running into an issue where a user will fail a single login attempt (one username/password challenge with a bad password) and the ACS will record 3 attempts from the client (the Solaris 10 server). After a single attempt (or a valid login with a local password) the 3 fails bollix up the AD login attempts and lock the user out. Am I missing a compile option to only attempt a single RADIUS login per authentication, or do I possibly have pam.conf misconfigured? I use sshd-kbdint and sshd-password with the same results. Otherwise the system works well.

# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# radius, and is looked up from /etc/services. The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to respond is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
localhost secret 3
10.0.0.10:2048 3
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
bash-3.00# cat /etc/pam.conf
#
#ident @(#)pam.conf 1.28 04/04/21 SMI
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth sufficient   /usr/lib/security/pam_radius_auth.so.1 debug
login   auth requisite    pam_authtok_get.so.1
login   auth required     pam_dhkeys.so.1
login   auth required     pam_unix_cred.so.1
login   auth required     pam_unix_auth.so.1
login   auth required     pam_dial_auth.so.1
#
telnet  auth sufficient   /usr/lib/security/pam_radius_auth.so.1 debug
#telnet auth required     /usr/lib/security/pam_unix.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient   pam_rhosts_auth.so.1
rlogin  auth requisite    pam_authtok_get.so.1
rlogin  auth required     pam_dhkeys.so.1
rlogin  auth required     pam_unix_cred.so.1
rlogin  auth required     pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required     pam_unix_cred.so.1
krlogin auth binding      pam_krb5.so.1
krlogin auth required     pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient   pam_rhosts_auth.so.1
rsh     auth required     pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required     pam_unix_cred.so.1
krsh    auth binding      pam_krb5.so.1
krsh    auth required     pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required     pam_unix_cred.so.1
ktelnet auth binding      pam_krb5.so.1
ktelnet auth required     pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite    pam_authtok_get.so.1
ppp     auth required     pam_dhkeys.so.1
ppp     auth required     pam_unix_cred.so.1
ppp     auth required     pam_unix_auth.so.1
ppp     auth required     pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite    pam_authtok_get.so.1
other   auth required     pam_dhkeys.so.1
other   auth required     pam_unix_cred.so.1
other   auth required     pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required     pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account
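An added example, not part of the post and not pam_radius code, that reads the /etc/raddb/server file by exactly the rules its own comment block states (server[:port] secret [timeout]; port defaults to "radius", timeout to 3 seconds; '#' lines and blank lines ignored; servers tried in order, the next one only when the previous fails to respond) and applies the two checks a reviewer of such a file wants: the file mode the comments insist on, and how long a login can hang if every server times out. The sample input is the server list as posted, embedded here as a constructed string. Two things the parser makes visible: the posted line "10.0.0.10:2048 3" has only two fields, and the format gives no way to read that other than as secret "3" with the default timeout, so the parser flags it; and the sum of the timeouts is the worst-case wait before the module gives up, which is worth knowing when counting how many requests a backend sees per user attempt.

```python
import stat
from dataclasses import dataclass
from typing import List

DEFAULT_PORT = "radius"   # name looked up in /etc/services, per the file's comments
DEFAULT_TIMEOUT = 3       # seconds, per the file's comments

# Constructed copy of the server file as posted in the thread (comments trimmed).
SAMPLE_SERVER_FILE = """\
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
localhost secret 3
10.0.0.10:2048 3
#
# having localhost in your radius configuration is a Good Thing.
"""


@dataclass
class RadiusServer:
    host: str
    port: str       # kept as text: may be a service name ("radius") or a number
    secret: str
    timeout: int
    line_no: int


@dataclass
class ParseResult:
    servers: List[RadiusServer]
    warnings: List[str]


def parse_server_file(text: str) -> ParseResult:
    """Parse pam_radius_auth's server file: 'server[:port] secret [timeout]' per line."""
    servers: List[RadiusServer] = []
    warnings: List[str] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or comment: ignored
        fields = line.split()
        if len(fields) < 2 or len(fields) > 3:
            warnings.append(f"line {line_no}: expected 'server[:port] secret [timeout]', "
                            f"got {len(fields)} field(s)")
            continue
        host, _, port = fields[0].partition(":")
        port = port or DEFAULT_PORT
        secret = fields[1]
        timeout = DEFAULT_TIMEOUT
        if len(fields) == 3:
            try:
                timeout = int(fields[2])
            except ValueError:
                warnings.append(f"line {line_no}: timeout {fields[2]!r} is not a number")
                continue
        elif secret.isdigit():
            # Two fields only: the format has no way to tell a forgotten secret
            # from a numeric secret, so say what will actually be used.
            warnings.append(f"line {line_no}: only two fields; {secret!r} will be used "
                            f"as the shared secret, not as a timeout")
        servers.append(RadiusServer(host, port, secret, timeout, line_no))
    return ParseResult(servers, warnings)


def mode_is_private(st_mode: int) -> bool:
    """True when no group/other permission bits are set: the 0600 the file asks for.
    Anyone else able to read the file learns the shared secret and can forge replies."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def worst_case_wait(servers: List[RadiusServer]) -> int:
    """Seconds before the module gives up if every server in turn fails to respond.
    Servers are tried in order and only a non-responding server is skipped."""
    return sum(s.timeout for s in servers)


if __name__ == "__main__":
    result = parse_server_file(SAMPLE_SERVER_FILE)
    for s in result.servers:
        print(f"line {s.line_no}: {s.host}:{s.port} timeout={s.timeout}s")
    for w in result.warnings:
        print("warning:", w)
    print("worst-case wait:", worst_case_wait(result.servers), "s")
```

To check a real file, pass `open("/etc/raddb/server").read()` to `parse_server_file` and `os.stat("/etc/raddb/server").st_mode` to `mode_is_private`; both functions are pure so they are easy to run from a cron-driven config audit.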