only accept PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes
Hi, I setup freeradius to accept authentications using PEAP-MSCHAPv2 with client certificates via EAP-TLS-Require-Client-Cert = Yes. However, clients who authenticate via EAP-TLS also succeed. How can I reject all auth types except PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes? (ie. I require both client certificates and username/password.) Thanks, Vieri - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On-line debugging tool
I've put a debugging tool online at: http://networkradius.com/ Click on the debug tool link on the left, under News. The page contains instructions for how to get debug output into the form. The main purpose of the tool is to teach people what is important in the debug output, and what can be safely ignored. Important data is highlighted (red, yellow, blue), and less important data is de-emphasized (text is light grey). Each packet received / sent is put into its own text box. This separation allows you to quickly find the output for just one packet out of many. The tool is in beta, and likely produces less useful output when the server is proxying packets. It's best used to debug local authentication issues. We hope you find the web tool useful. Please send any feedback privately to me. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
Michel Bulgado mic...@casa.co.cu writes:

> Try this way, remember the operator.
>
> |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
> |298|t...@internet.quimefa.cu|MD5-Password | := | password
> |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490

Please read the manual. In this case, that's users(5):

    Attribute += Value
        Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.

This means that the 3 lines

    |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
    |298|t...@internet.quimefa.cu|MD5-Password | := | password
    |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490

are identical to the single line

    |298|t...@internet.quimefa.cu|MD5-Password | := | password

and the user will be accepted regardless of Calling-Station-Id.

> [suffix] Looking up realm internet.quimefa.cu for User-Name = t...@internet.quimefa.cu
> [suffix] No such realm internet.quimefa.cu

This is normal, and no problem. You may define a realm using LOCAL authentication to avoid it, but it won't change anything except remove the debug message.

> [sql] User t...@internet.quimefa.cu not found
> ++[sql] returns notfound

The sql module returns notfound if the check items don't match. This is expected in this case as I explained: Two different equality tests on a single attribute will never match.

> But in the end because it connects the user's which is declared in the file users. apparently you have stated that locate the user in the database and also in this file, you must define where you will store your users and then put the phone number.

The debug output showed that the user matched a DEFAULT entry in users. That's a perfectly normal configuration. In fact, there is no problem defining the same user in both users and sql (and possibly other modules as well). The control and reply lists of the matching entries just add up, and the final result is then evaluated.

But I agree that for simplicity it's probably best to define the specific user entries in one place. And that's what Osmany has done. The DEFAULT entry is probably just adding something generic, which is common for all users.

Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: On-line debugging tool
Alan DeKok al...@deployingradius.com wrote: I've put a debugging tool online at: http://networkradius.com/ Click on the debug tool link on the left, under News. The page contains instructions for how to get debug output into the form. Is there a plan to add to FreeRADIUS a debug output mangling option? So things like Cleartext-Password and User-Password are obscured. For example, you get the user to run FreeRADIUS with '-XO', then just before printing to the screen the value of the 'secret' attributes are md5'd and the hashes are shown instead (should be a constant, unless there is actually a mismatch). Of course you could have a '-o attr1,attr2' to protect other attributes at runtime too. Only something to add to the wishlist. :) Cheers -- Alexander Clouter .sigmonster says: Straw? No, too stupid a fad. I put soot on warts. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: On-line debugging tool
Alexander Clouter wrote: Is there a plan to add to FreeRADIUS a debug output mangling option? So things like Cleartext-Password and User-Password are obscured. Send a patch. ;) For example, you get the user to run FreeRADIUS with '-XO', then just before printing to the screen the value of the 'secret' attributes are md5'd and the hashes are shown instead (should be a constant, unless there is actually a mismatch). Of course you could have a '-o attr1,attr2' to protect other attributes at runtime too. The problem is that it's hard to do. The passwords can be used in multiple places, so knowing *when* to mangle them is awkward. We could do a few simple things like not print client secrets or User-Passwords from the received packets. But anything past that quickly becomes very, very, difficult. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: On-line debugging tool
Hi,

> Is there a plan to add to FreeRADIUS a debug output mangling option? So things like Cleartext-Password and User-Password are obscured. For example, you get the user to run FreeRADIUS with '-XO', then just before printing to the screen the value of the 'secret' attributes are md5'd and the hashes are shown instead (should be a constant, unless there is actually a mismatch). Of course you could have a '-o attr1,attr2' to protect other attributes at runtime too. Only something to add to the wishlist. :)

agreed - yes, understand that debug mode should show everything - because then you can prove the password is wrong etc etc but if that debug is then being put somewhere it needs to be obfuscated or removed - heck, even just replaced with the word PASSWORD (and hope some people aren't that dumb! ;-) ) - likewise any other 'sensitive' data.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Default to ack unhandled accounting requests? (was: Re: Radiusd process exited without notice)
Just stumbled across a semi-related issue (all accounting modules returned noop for a request) which made me wonder if not the recently added documentation for handling noop accounting requests should be promoted to enabled by default? It does not make much sense to ignore valid accounting requests just because no module knows how to handle them. It just causes problems as the NAS will retransmit the requests forever.

Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
On Thu, 2010-01-07 at 11:32 +0100, Bjørn Mork wrote:
> Michel Bulgado mic...@casa.co.cu writes:
>
>> Try this way, remember the operator.
>>
>> |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>> |298|t...@internet.quimefa.cu|MD5-Password | := | password
>> |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> Please read the manual. In this case, that's users(5):
>
>     Attribute += Value
>         Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.
>
> This means that the 3 lines
>
>     |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>     |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> are identical to the single line
>
>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>
> and the user will be accepted regardless of Calling-Station-Id.
>
>> [suffix] Looking up realm internet.quimefa.cu for User-Name = t...@internet.quimefa.cu
>> [suffix] No such realm internet.quimefa.cu
>
> This is normal, and no problem. You may define a realm using LOCAL authentication to avoid it, but it won't change anything except remove the debug message.
>
>> [sql] User t...@internet.quimefa.cu not found
>> ++[sql] returns notfound
>
> The sql module returns notfound if the check items don't match. This is expected in this case as I explained: Two different equality tests on a single attribute will never match.
>
>> But in the end because it connects the user's which is declared in the file users. apparently you have stated that locate the user in the database and also in this file, you must define where you will store your users and then put the phone number.

This time I used:

    |298|t...@internet.quimefa.cu|MD5-Password | := | password
    |313|t...@internet.quimefa.cu|Calling-Station-Id | =~ | 6480342|55

and it still accepts the user regardless of the phone number it's using.

This is what comes up in the debug:

rad_recv: Access-Request packet from host 192.168.25.10 port 17968, id=239, length=148
	User-Name = t...@internet.quimefa.cu
	User-Password = password
	NAS-IP-Address = 192.168.25.10
	NAS-Port = 98
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Called-Station-Id = 60110
	Calling-Station-Id = 72061490
	NAS-Identifier = BVISTA
	NAS-Port-Type = Async
	Connect-Info = 41333/31200 V90/V42bis/LAPM
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm internet.quimefa.cu for User-Name = t...@internet.quimefa.cu
[suffix] No such realm internet.quimefa.cu
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
	expand: %{User-Name} -> t...@internet.quimefa.cu
[sql] sql_set_user escaped user --> 't...@internet.quimefa.cu'
rlm_sql (sql): Reserving sql socket id: 3
	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@internet.quimefa.cu' ORDER BY id
	expand: %{Calling-Station-Id} -> 72061490
[sql] User found in radcheck table
	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 't...@internet.quimefa.cu' ORDER BY id
	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 't...@internet.quimefa.cu' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing MD5-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password password
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
	expand: %{User-Name} -> t...@internet.quimefa.cu
[sql] sql_set_user escaped user --> 't...@internet.quimefa.cu'

As you can see, the phone number that user test is using is different from the ones I have specified in the radcheck table, and it comes up with the sql module returning ok and accepts the user in. I notice that the pap module also works and returns ok, but I read that this is mandatory, otherwise no user will be accepted no matter what.
Re: Default to ack unhandled accounting requests?
Bjørn Mork wrote: Just stumbled across a semi-related issue (all accounting modules returned noop for a request) which made me wonder if not the recently added documentation for handling noop accounting requests should be promoted to enabled by default? You mean tell the NAS we logged something that wasn't really logged? It does not make much sense to ignore valid accounting requests just because no module knows how to handle them. They might be valid... but the whole point of accounting is to *do* something with the packets. I understand your point... but I'm a little wary of ACKing packets when we didn't do anything with them. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
Bjørn Mork wrote:
> Michel Bulgado mic...@casa.co.cu writes:
>
>> Try this way, remember the operator.
>>
>> |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>> |298|t...@internet.quimefa.cu|MD5-Password | := | password
>> |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> Please read the manual. In this case, that's users(5):
>
>     Attribute += Value
>         Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.
>
> This means that the 3 lines
>
>     |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>     |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>
> are identical to the single line
>
>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>
> and the user will be accepted regardless of Calling-Station-Id.
>
>> [suffix] Looking up realm internet.quimefa.cu for User-Name = t...@internet.quimefa.cu
>> [suffix] No such realm internet.quimefa.cu
>
> This is normal, and no problem. You may define a realm using LOCAL authentication to avoid it, but it won't change anything except remove the debug message.
>
>> [sql] User t...@internet.quimefa.cu not found
>> ++[sql] returns notfound
>
> The sql module returns notfound if the check items don't match. This is expected in this case as I explained: Two different equality tests on a single attribute will never match.
>
>> But in the end because it connects the user's which is declared in the file users. apparently you have stated that locate the user in the database and also in this file, you must define where you will store your users and then put the phone number.
>
> The debug output showed that the user matched a DEFAULT entry in users. That's a perfectly normal configuration. In fact, there is no problem defining the same user in both users and sql (and possibly other modules as well). The control and reply lists of the matching entries just add up, and the final result is then evaluated.
>
> But I agree that for simplicity it's probably best to define the specific user entries in one place. And that's what Osmany has done. The DEFAULT entry is probably just adding something generic, which is common for all users.
>
> Bjørn
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks for the class, as we say in our country: Every day you learn something new.

There is no problem in defining a user, in fact he did it on both sides, in the users file and the sql database. I would do it in one place, so you do not go crazy when you add a user or update any of their information, for example the phone number they will be connecting from. Although the problem persists, the user can connect from any other phone number, and it may not be a problem with the operator, but with specifying the number in a single place, and not in both sql and the users file. Assuming this is well handled on both sides, and, again, if I'm wrong, maybe in the authorize section you are missing the checkval module. Even so, if you could post your configuration, it would be useful. Don't you think?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
Osmany osm...@oc.quimefa.cu writes:

> This time I used:
>
>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>     |313|t...@internet.quimefa.cu|Calling-Station-Id | =~ | 6480342|55
>
> and it still accepts the user regardless of the phone number it's using.
>
> This is what comes up in the debug:
[..]
> [sql] sql_set_user escaped user --> 't...@internet.quimefa.cu'
> rlm_sql (sql): Reserving sql socket id: 3
> 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@internet.quimefa.cu' ORDER BY id
> 	expand: %{Calling-Station-Id} -> 72061490
> [sql] User found in radcheck table

I do not understand this. It can't happen if what you've got in the database is what you tell us above.

Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: only accept PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes
Vieri wrote: I setup freeradius to accept authentications using PEAP-MSCHAPv2 with client certificates via EAP-TLS-Require-Client-Cert = Yes. However, clients who authenticate via EAP-TLS also succeed. How can I reject all auth types except PEAP-MSCHAPv2 with EAP-TLS-Require-Client-Cert = Yes? (ie. I require both client certificates and username/password.) Put this in the users file: DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Calling-Station-Id
>> This time I used:
>>
>>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>>     |313|t...@internet.quimefa.cu|Calling-Station-Id | =~ | 6480342|55
>>
>> and it still accepts the user regardless of the phone number it's using.
>>
>> This is what comes up in the debug:
> [..]
>> [sql] sql_set_user escaped user --> 't...@internet.quimefa.cu'
>> rlm_sql (sql): Reserving sql socket id: 3
>> 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 't...@internet.quimefa.cu' ORDER BY id
>> 	expand: %{Calling-Station-Id} -> 72061490
>> [sql] User found in radcheck table
>
> I do not understand this. It can't happen if what you've got in the database is what you tell us above.
>
> Bjørn

Try removing the radreply entry with auth-type := accept. Won't that allow the user in regardless of the check items?

Ben
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
On Thu, 2010-01-07 at 08:42 -0500, Michel Bulgado wrote:
> Bjørn Mork wrote:
>> Michel Bulgado mic...@casa.co.cu writes:
>>
>>> Try this way, remember the operator.
>>>
>>> |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>>> |298|t...@internet.quimefa.cu|MD5-Password | := | password
>>> |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>>
>> Please read the manual. In this case, that's users(5):
>>
>>     Attribute += Value
>>         Always matches as a check item, and adds the current attribute with value to the list of configuration items. As a reply item, it has an identical meaning, but the attribute is added to the reply items.
>>
>> This means that the 3 lines
>>
>>     |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>>     |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490
>>
>> are identical to the single line
>>
>>     |298|t...@internet.quimefa.cu|MD5-Password | := | password
>>
>> and the user will be accepted regardless of Calling-Station-Id.
>>
>>> [suffix] Looking up realm internet.quimefa.cu for User-Name = t...@internet.quimefa.cu
>>> [suffix] No such realm internet.quimefa.cu
>>
>> This is normal, and no problem. You may define a realm using LOCAL authentication to avoid it, but it won't change anything except remove the debug message.
>>
>>> [sql] User t...@internet.quimefa.cu not found
>>> ++[sql] returns notfound
>>
>> The sql module returns notfound if the check items don't match. This is expected in this case as I explained: Two different equality tests on a single attribute will never match.
>>
>>> But in the end because it connects the user's which is declared in the file users. apparently you have stated that locate the user in the database and also in this file, you must define where you will store your users and then put the phone number.
>>
>> The debug output showed that the user matched a DEFAULT entry in users. That's a perfectly normal configuration. In fact, there is no problem defining the same user in both users and sql (and possibly other modules as well). The control and reply lists of the matching entries just add up, and the final result is then evaluated.
>>
>> But I agree that for simplicity it's probably best to define the specific user entries in one place. And that's what Osmany has done. The DEFAULT entry is probably just adding something generic, which is common for all users.
>>
>> Bjørn
>> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> Thanks for the class, as we say in our country: Every day you learn something new.
>
> There is no problem in defining a user, in fact he did it on both sides, in the users file and the sql database. I would do it in one place, so you do not go crazy when you add a user or update any of their information, for example the phone number they will be connecting from. Although the problem persists, the user can connect from any other phone number, and it may not be a problem with the operator, but with specifying the number in a single place, and not in both sql and the users file. Assuming this is well handled on both sides, and, again, if I'm wrong, maybe in the authorize section you are missing the checkval module. Even so, if you could post your configuration, it would be useful. Don't you think?
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Indeed I think Bjorn's comments are very useful. Anyway, this is my authorize section in the sites-enabled/default file:

authorize {
	preprocess
#	auth_log
#	chap
#	mschap
#	digest
#	IPASS
#	suffix
#	ntdomain
	eap {
		ok = return
	}
#	unix
#	files
	sql
#	etc_smbpasswd
#	ldap
#	daily
#	checkval
	expiration
	logintime
	pap
#	Autz-Type Status-Server {
#
#	}
}
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: On-line debugging tool
Alan DeKok al...@deployingradius.com wrote:
>> Is there a plan to add to FreeRADIUS a debug output mangling option? So things like Cleartext-Password and User-Password are obscured.
>
> Send a patch. ;)

Yeah yeah...however as you are not ACK'ing my gtc/ldap patches it's hardly a motivator to contribute :-/ *sigh*

...alternatively we create a FreeRADIUS debug equivalent to the kernel's 'checkpatch.pl', which would be better still I would argue. Then no need to worry about privacy of the spiel output, plus we *all* can then add extra clauses/checks ourselves as we find them. This means the checking tool comes with FreeRADIUS. It can also give the users something to paste to the mailing list in case of problems (although it would probably be less useful than the raw '-X' output, and if they are including anything they might as well give us the full spiel).

>> For example, you get the user to run FreeRADIUS with '-XO', then just before printing to the screen the value of the 'secret' attributes are md5'd and the hashes are shown instead (should be a constant, unless there is actually a mismatch). Of course you could have a '-o attr1,attr2' to protect other attributes at runtime too.
>
> The problem is that it's hard to do. The passwords can be used in multiple places, so knowing *when* to mangle them is awkward. We could do a few simple things like not print client secrets or User-Passwords from the received packets. But anything past that quickly becomes very, very, difficult.

I was not really thinking past the common ones, however thinking about things more so, I actually prefer the checkpatch.pl-esque approach, then we can all contribute and fix things :)

Cheers

--
Alexander Clouter
.sigmonster says: I'm so broke I can't even pay attention.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Default to ack unhandled accounting requests?
Alan DeKok al...@deployingradius.com writes:
> Bjørn Mork wrote:
>> Just stumbled across a semi-related issue (all accounting modules returned noop for a request) which made me wonder if not the recently added documentation for handling noop accounting requests should be promoted to enabled by default?
>
> You mean tell the NAS we logged something that wasn't really logged?

The way I see it, we tell the NAS that we processed the request. Whether the processing involved writing to a log or not is irrelevant. There are accounting requests which do not need to be logged. At least in our network. Some of the NASes insist on sending Accounting-On when they're booted. We could discuss the usefulness of this, and we could of course just log the requests, but I see no reason to do so.

Not a big matter. I can of course implement this in my setup. Just thought that the issue might bite someone else too. I believe the missing ACKs on NOOP is a change from FreeRADIUS 1.0.x (which we used prior to upgrading to 2.1.8)? Only the NASes booted after the upgrade were continuously resending their reboot accounting requests, so the old RADIUS servers must have ACKed them. And the config is pretty much unchanged.

>> It does not make much sense to ignore valid accounting requests just because no module knows how to handle them.
>
> They might be valid... but the whole point of accounting is to *do* something with the packets. I understand your point... but I'm a little wary of ACKing packets when we didn't do anything with them.

Well, looking at them and verifying that they need no further action *is* doing something.

Bjørn
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Calling-Station-Id
Ben Wiechman wiechman.li...@gmail.com writes: Try removing the radreply entry with auth-type := accept. Won't that allow the user in regardless of the check items? It should not be in the radreply table in any case so that should certainly be removed. But I don't think it makes any difference. The radcheck lookup should fail and the radreply table should therefore not be searched at all. Bjørn - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
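The users(5) operator semantics Bjørn quotes in this thread, and the one-line DEFAULT entry Alan gives earlier in this digest for rejecting EAP-TLS, both come down to how a check item is matched against the request. What follows is an added example in plain Python, not FreeRADIUS code and not anything posted by the participants: it models that matching for the operators used in the posts (:=, +=, ==, =~) and nothing more. The request, the radcheck rows and the users-file entry are constructed to mirror the ones quoted; the model tracks only the control list and does not stack files/sql results or apply Fall-Through.

```python
"""Model of users(5)/radcheck check-item matching, as discussed in the thread.

Added example, not FreeRADIUS code. It covers the operators used in the
posts (:=, +=, ==, =~) and nothing else; the request and radcheck rows are
constructed to mirror the ones quoted.
"""
import re

# Constructed to mirror the Access-Request shown in the debug output.
REQUEST = {
    "User-Name": "test@internet.quimefa.cu",
    "User-Password": "password",
    "Calling-Station-Id": "72061490",
}


def check_item_matches(op, want, have):
    """One check item against one request value (None = attribute absent).

    users(5): ':=' and '+=' "always match as a check item"; '==' and '=~'
    match only if the attribute is present and the comparison holds.
    '=~' is a substring search, like regexec(): anchor with ^...$ when the
    whole value is meant.
    """
    if op in (":=", "+="):
        return True
    if have is None:
        return False
    if op == "==":
        return have == want
    if op == "=~":
        return re.search(want, have) is not None
    raise ValueError("operator %r not modelled here" % op)


def evaluate(entries, request):
    """Return (entry_name, control_items) for the first entry whose name and
    check items all match the request, or None (the module's 'notfound').

    entries: list of (name, [(attribute, op, value), ...]); name is a
    User-Name or "DEFAULT". Only ':=' (replace) and '+=' (add) items are
    copied into the control list, as the man page describes.
    """
    for name, checks in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_item_matches(op, value, request.get(attr))
                   for attr, op, value in checks):
            continue
        control = {}
        for attr, op, value in checks:
            if op == ":=":
                control[attr] = [value]
            elif op == "+=":
                control.setdefault(attr, []).append(value)
        return name, control
    return None


def radcheck_to_entries(rows):
    """Group radcheck rows (id, username, attribute, value, op) into one
    entry per user, in id order, the way the radcheck query returns them."""
    by_user = {}
    for _id, user, attribute, value, op in sorted(rows):
        by_user.setdefault(user, []).append((attribute, op, value))
    return list(by_user.items())


USER = "test@internet.quimefa.cu"

# Michel's suggestion: '+=' on Calling-Station-Id. Always matches.
ROWS_PLUS = [
    (312, USER, "Calling-Station-Id", "72061490", "+="),
    (298, USER, "MD5-Password", "password", ":="),
    (313, USER, "Calling-Station-Id", "72061490", "+="),
]

# Osmany's second attempt: a regex. Matches only if the pattern is found.
ROWS_REGEX = [
    (298, USER, "MD5-Password", "password", ":="),
    (313, USER, "Calling-Station-Id", "6480342|55", "=~"),
]

# Same intent, anchored: "55" can then no longer match inside another number.
ROWS_ANCHORED = [
    (298, USER, "MD5-Password", "password", ":="),
    (313, USER, "Calling-Station-Id", "^(6480342|55)$", "=~"),
]

# Alan's users-file line for the PEAP question, as an entry.
USERS_REJECT_EAP_TLS = [
    ("DEFAULT", [("EAP-Type", "==", "EAP-TLS"), ("Auth-Type", ":=", "Reject")]),
]


def with_caller(request, calling_station_id):
    """Copy of the request as sent from a different phone number."""
    return dict(request, **{"Calling-Station-Id": calling_station_id})


if __name__ == "__main__":
    for label, rows in (("+=", ROWS_PLUS), ("=~", ROWS_REGEX), ("anchored", ROWS_ANCHORED)):
        entries = radcheck_to_entries(rows)
        for csid in ("72061490", "55", "1255999"):
            print(label, csid, evaluate(entries, with_caller(REQUEST, csid)))
    for eap in ("EAP-TLS", "PEAP"):
        print(eap, evaluate(USERS_REJECT_EAP_TLS, {"User-Name": "vieri", "EAP-Type": eap}))
```

Run it and the printed lines show each radcheck variant against three calling numbers: the '+=' rows match every number, the unanchored '=~' rows reject 72061490 but accept 1255999 because "55" is found inside it, and the anchored pattern accepts only the two numbers intended. The DEFAULT entry matches an EAP-TLS request and puts Auth-Type := Reject into the control list, and does not match a PEAP request at all. The model says nothing about the rest of the authorize section, which is where the thread's remaining disagreement sits.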
Re: On-line debugging tool
Alexander Clouter wrote:
> Yeah yeah...however as you are not ACK'ing my gtc/ldap patches it's hardly a motivator to contribute :-/ *sigh*

I've looked at them. Now that 2.1.x is stable, I am less worried about pulling them into a 2.2.x branch. i.e. they should be applied in the coming weeks, along with a lot of other patches.

> ...alternatively we create a FreeRADIUS debug equivalent to the kernel's 'checkpatch.pl', which would be better still I would argue. Then no need to worry about privacy of the spiel output, plus we *all* can then add extra clauses/checks ourselves as we find them.

Sure..

> This means the checking tool comes with FreeRADIUS. It can also give the users something to paste to the mailing list in case of problems (although it would probably be less useful than the raw '-X' output, and if they are including anything they might as well give us the full spiel).

Yes. And the tool could *also* take care of running the server in debugging mode, and doing a bunch of sanity checks.

> I was not really thinking past the common ones, however thinking about things more so, I actually prefer the checkpatch.pl-esque approach, then we can all contribute and fix things :)

Sure. That's a lot easier to integrate than server patches.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
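The post-processing approach Alexander and Alan converge on, sanitising the '-X' output before it leaves the box instead of teaching the server when to mangle it, is easy to sketch outside the server. The following is an added example in Python, not part of FreeRADIUS or of the web tool Alan announced: it rewrites attribute lines for a fixed list of secret-bearing attributes and the one rlm_pap message quoted in this digest. The attribute list, the message pattern and the sample debug text are constructed for the example; every other module that prints a secret in its own wording would need a pattern of its own, which is the difficulty Alan describes. It keeps the property Alexander asked for (the same secret maps to the same token, so a packet/config mismatch stays visible) but derives the token with an HMAC under a random per-run key rather than a bare MD5, because a plain hash of a short password can be brute-forced straight from the paste.

```python
"""Redact secrets from radiusd -X output before pasting it anywhere.

Added example, not part of FreeRADIUS. Lines matched: attribute lines for
a fixed list of secret-bearing attributes (constructed list; extend it)
and rlm_pap's "login attempt with password" message as quoted in the
thread. Equal secrets get equal tokens within one run, so a mismatch
between the packet and the configured password is still visible.
"""
import hashlib
import hmac
import os
import re

SECRET_ATTRIBUTES = (
    "User-Password", "Cleartext-Password", "Password-With-Header",
    "NT-Password", "LM-Password", "Tunnel-Password", "secret",
)

# "<indent>Attribute = value", also ":=" / "+=", as printed for packets
# and inside client {} blocks ("secret = ...").
ATTR_RE = re.compile(
    r"^(?P<pre>\s*(?:%s)\s*[:+]?=\s*)(?P<val>.*?)\s*$"
    % "|".join(re.escape(a) for a in SECRET_ATTRIBUTES)
)
# rlm_pap wording as it appears in the thread's debug output.
PAP_RE = re.compile(r"^(?P<pre>.*\blogin attempt with password )(?P<val>.*?)\s*$")


class Redactor:
    """Replaces secret values with HMAC-derived tokens.

    key: random per run by default, so tokens from different pastes cannot
    be correlated and a short password cannot be brute-forced from the
    token; pass a fixed key only when reproducible output is needed.
    """

    def __init__(self, key=None):
        self.key = os.urandom(32) if key is None else key

    def token(self, value):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]            # compare the bare secret, not its quoting
        mac = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256)
        return "<redacted:%s>" % mac.hexdigest()[:12]

    def redact_line(self, line):
        for pattern in (ATTR_RE, PAP_RE):
            m = pattern.match(line)
            if m:
                return m.group("pre") + self.token(m.group("val"))
        return line

    def redact(self, text):
        return "\n".join(self.redact_line(l) for l in text.splitlines())


# Constructed sample, modelled on the debug output quoted in this digest.
SAMPLE_DEBUG = """\
client localhost {
\tsecret = "testing123"
}
rad_recv: Access-Request packet from host 192.168.25.10 port 17968, id=239, length=148
\tUser-Name = "test@internet.quimefa.cu"
\tUser-Password = "password"
\tCalling-Station-Id = "72061490"
[files] users: Matched entry DEFAULT at line 172
\tCleartext-Password := "hunter2"
[pap] login attempt with password "password"
[pap] User authenticated successfully"""


def redact_sample(key=None):
    """Redact the constructed sample; a fixed key gives reproducible output."""
    return Redactor(key).redact(SAMPLE_DEBUG)


if __name__ == "__main__":
    print(redact_sample())
```

Pipe the server's '-X' output through Redactor().redact() before pasting it. In the sample the User-Password line and the rlm_pap message get the same token while the Cleartext-Password line gets a different one, which is exactly the mismatch a reader on the list would need to see. The two patterns are deliberately narrow; a tool shipped with the server could carry a pattern for each place the code prints a secret, next to the code that prints it.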
Re: freeradius proxy with 802.1x termination
Thanks for the tips guys. Been doing some more digging and learning a lot... but maybe I should take a step back here and explain what I am trying to accomplish.

My client, a Ubiquity Nanostation, only supports EAP-TTLS MSCHAPv2. My NAS only supports access-requests using PAP/CHAP passwords in clear-text. I am attempting to set up a Radius Proxy that terminates the EAP-TTLS outer, takes the MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication. The more I read, the more I am getting the impression that this is not possible. Is that the case?

John

On Wed, Jan 6, 2010 at 3:43 PM, Alan DeKok al...@deployingradius.com wrote:
> John Gammons wrote:
>> After doing some more digging, I think I am catching onto this... somewhat. It sounds like I need to have the Radius Proxy authenticate the Outer Identity of the EAP-TTLS session locally, while the Inner Identity is proxied to the Home Radius server.
>
> Yes.
>
>> I have setup the Outer identity to be anonym...@outer which is proxied to LOCAL,
>
> Er... no. Don't proxy it.
>
>> while the Inner identity is @inner and proxied to Home Radius. The problem is that when I run radiusd -x, I never see the @outer message, so the @inner is getting forwarded as an EAP, instead of only as a MS-CHAP-V2.
>
> See eap.conf, proxy_tunneled_request_as_eap.
>
>> Anyone know what I am overlooking? I have a crude understanding of this entire process at best, I know. :)
>
> See doc/aaa.txt for a simple introduction to the process.
>
> Alan DeKok.
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius proxy with 802.1x termination
John Gammons wrote:
> My client Ubiquity Nanostation only supports EAP-TTLS MSCHAPv2. My NAS, only supports access-requests using PAP/CHAP passwords in clear-text.

What does that mean?

> I am attempting to setup a Radius Proxy that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.

The NAS is a RADIUS client. It originates Access-Requests. It doesn't receive them, and it definitely doesn't do authentication.

> The more I read, the more I am getting the impression that this is not possible. Is that the case?

You can't convert MS-CHAP into PAP or CHAP. And I have no idea what you mean when you say the NAS does authentication.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
cisco_vsa_hack
Does turning on the hack do anything to the attributes other than adding the value to matching defined attributes? From the code:

	if ((vp->attribute & 0xffff) == 1) {
		const char *p;
		DICT_ATTR *dattr;

		p = vp->vp_strvalue;
		gettoken(&p, newattr, sizeof(newattr));

		if (((dattr = dict_attrbyname(newattr)) != NULL) &&
		    (dattr->type == PW_TYPE_STRING)) {
			VALUE_PAIR *newvp;

			/*
			 *  Make a new attribute.
			 */
			newvp = pairmake(newattr, ptr + 1, T_OP_EQ);
			if (newvp) {
				pairadd(&vp, newvp);
			}
		}
	} else {	/* h322-foo-bar = h323-foo-bar = baz */
		/*
		 *	We strip out the duplicity from the
		 *	value field, we use only the value on
		 *	the right side of the '=' character.
		 */
		strlcpy(newattr, ptr + 1, sizeof(newattr));
		strlcpy((char *)vp->vp_strvalue, newattr, sizeof(vp->vp_strvalue));
		vp->length = strlen((char *)vp->vp_strvalue);
	}
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cisco-AVpair accounting client-mac-address with unlang
I have this in preacct, and it works.

	if ("%{Cisco-AVpair[3]}" =~ /^client-mac-address=(.+)$/) {
		if (!Calling-Station-Id) {
			update request {
				Calling-Station-Id := "%{1}"
			}
		}
	}

However this is ugly. I don't want to have to know which Cisco-AVpair it is; it should work whatever the order or number there is. It does not seem to work any other way. I know other directions to head include cisco_vsa_hack or rlm_policy and others. I would appreciate any tips.

Thanks,
Joe
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
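To answer the question in the cisco_vsa_hack post from the code it quotes, and to show the index-free lookup Joe is after, here is an added example in Python (not FreeRADIUS code and not posted by either of them) that re-implements the two branches of that C excerpt over a small list of value pairs and then searches every Cisco-AVPair for a given key. The dictionary is a constructed subset of the Cisco VSA dictionary with made-up coverage; whether the real dictionary defines a string attribute named client-mac-address is not checked here, and the example assumes it does not, which is why the hack leaves that pair inside Cisco-AVPair and Joe's lookup still has to read the AVPair itself.

```python
"""What cisco_vsa_hack does, modelled in Python, plus an index-free lookup.

Added example, not FreeRADIUS code. DICTIONARY is a constructed subset of
the Cisco VSA dictionary (attribute number, type); the real one is larger.
"""
import re

CISCO = 9       # vendor id the C code tests for (6618, Quintum, treated alike)

DICTIONARY = {
    "Cisco-AVPair": (1, "string"),
    "h323-remote-address": (23, "string"),
    "h323-conf-id": (24, "string"),
    "h323-call-origin": (26, "string"),
    "h323-disconnect-cause": (30, "string"),
    "Cisco-Disconnect-Cause": (195, "integer"),   # not a string: hack ignores it
}


def vsa(name, value, vendor=CISCO):
    """Build one value pair as a dict with the fields the C code looks at."""
    number, vtype = DICTIONARY[name]
    return {"vendor": vendor, "attr": number, "type": vtype, "name": name, "value": value}


def cisco_vsa_hack(pairs):
    """The two branches of rlm_preprocess's cisco_vsa_hack, on a copy.

      Cisco-AVPair "name=value": if 'name' is a known *string* attribute,
        a new pair name=value is ADDED (the Cisco-AVPair itself is kept).
      Any other Cisco string VSA "name=value": the value is REPLACED by
        everything after the first '=' (the duplicated name is dropped).
    Values without '=' and non-string attributes are left alone. Pairs
    added during the pass are not re-examined here.
    """
    out = [dict(vp) for vp in pairs]
    for vp in list(out):
        if vp["vendor"] not in (CISCO, 6618) or vp["type"] != "string":
            continue
        left, sep, right = vp["value"].partition("=")
        if not sep:
            continue                         # "No weird packing. Ignore it."
        if vp["attr"] == 1:                  # Cisco-AVPair
            token = left.strip()             # gettoken() stops at '=' / blanks
            entry = DICTIONARY.get(token)
            if entry and entry[1] == "string":
                # pairmake(newattr, ptr + 1): value taken verbatim from after
                # the '=', leading blank included, as in the C code
                out.append(vsa(token, right))
        else:                                # "h323-foo-bar=h323-foo-bar=baz"
            vp["value"] = right
    return out


def find_avpair(pairs, key):
    """Value of the first Cisco-AVPair 'key=value', wherever it sits in the
    list, so no Cisco-AVpair[N] index has to be known in advance."""
    pattern = re.compile(r"^\s*%s\s*=\s*(.*?)\s*$" % re.escape(key))
    for vp in pairs:
        if vp["vendor"] == CISCO and vp["attr"] == 1:
            m = pattern.match(vp["value"])
            if m:
                return m.group(1)
    return None


def names(pairs):
    return [vp["name"] for vp in pairs]


# Constructed accounting-request fragment; the AVPair order is deliberately mixed.
SAMPLE = [
    vsa("Cisco-AVPair", "connect-progress=Call Up"),
    vsa("h323-call-origin", "h323-call-origin=answer"),
    vsa("Cisco-AVPair", "h323-remote-address=10.1.2.3"),
    vsa("Cisco-AVPair", "client-mac-address=0011.2233.4455"),
    vsa("h323-conf-id", "h323-conf-id=A1B2C3D4 00000000 00000000 00000000"),
    vsa("Cisco-Disconnect-Cause", "11"),
]


if __name__ == "__main__":
    for vp in cisco_vsa_hack(SAMPLE):
        print("%-24s %r" % (vp["name"], vp["value"]))
    print("client-mac-address:", find_avpair(SAMPLE, "client-mac-address"))
```

So the answer to the question in the post is: for Cisco-AVPair the hack only adds attributes, and only for names the dictionary knows as strings; for every other Cisco string VSA it does rewrite the value, stripping the repeated name. For a key the dictionary does not know, the hack does nothing, and a search over all Cisco-AVPair values, as in find_avpair(), is what removes the need to know the index.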
Re: Calling-Station-Id
On Thu, 2010-01-07 at 09:06 -0500, Osmany wrote: On Thu, 2010-01-07 at 08:42 -0500, Michel Bulgado wrote: Bjørn Mork wrote: Michel Bulgado mic...@casa.co.cu writes: Try this way, remember the operator. |312|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490 |298|t...@internet.quimefa.cu|MD5-Password | := | password |313|t...@internet.quimefa.cu|Calling-Station-Id | += | 72061490 It finally worked. I kept the user attributes and everything just like I mentioned above but I had one thing missing in the authorize section in the sites-enabled/default file. I had the checkval line commented out. I just uncommented it and that's it. I also went further but commenting all of the modules that I did not need in the authorize section as well as in the preacct section. so things like the suffix, mschap, chap, etc I commented out so that freeradius doesn't use these modules unnecessarily. so finally I have everything working just fine. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?
Greetings! I did read the "mschap" module file and I did see that in order to use a cleartext password, I need to set "MS-CHAP-Use-NTLM-Auth := No"; however I don't know where to set it. I tried to set it in the "hints" file like the following. I added it to the beginning of the file and the rest is just default.

    enseo_stb   MS-CHAP-Use-NTLM-Auth := No

The "enseo_stb" is the username. I do see that it matched the line in the preprocess in the debug; however the authentication still failed. I don't have this user account set in Windows AD. I do have it set in my users file.

    Enseo_stb   Cleartext-Password := password

Any advice?? Thank you!!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514

rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=30, length=152
        User-Name = enseo_stb
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-05
        Calling-Station-Id = 00-21-F8-00-24-B3
        EAP-Message = 0x0202000e01656e73656f5f737462
        Message-Authenticator = 0x8ba26525d2f95b1d79a0c62d87f854de
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = FastEthernet1/0/3
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess] hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry enseo_stb at line 34
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++? if (request:Calling-Station-Id =~ /00-A0-08-([0-9A-F]{2})-([[0-9A-F]{2})-([[0-9A-F]{2})/i) -> FALSE
+++- entering else else {...}
[noop] returns noop
+++- else else returns noop
++- policy rewrite_calling_station_id returns noop
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') -> FALSE
?? Skipping (User-Name =~ /^%{Calling-Station-ID}$/i)
++? if ((Service-Type == 'Call-Check') && (User-Name =~ /^%{Calling-Station-ID}$/i)) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 30 to 172.17.254.100 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
Finished request 1.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=31, length=370
        User-Name = enseo_stb
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = 00-1D-E5-9C-29-05
        Calling-Station-Id = 00-21-F8-00-24-B3
        EAP-Message = 0x020300d6190016030100cb01c70301386d438ca276cc49f14dfbd77fc35c74edf79c4fb7a13e77365d80e4db3ff4e15ac014c00a0039003800880087c00fc00500350084c012c00800160013c00dc003000ac013c00900330032009a009900450044c00ec004002f009600410007c011c007c00cc00200050004001500120009001400110008000600030144000b000403000102000a00340032000100020003000400050006000700080009000a000b000c000d000e000f00100011001200130014001500160017001800190023
        Message-Authenticator = 0xf22b9ef298b95a509e7aa414d6bda163
        NAS-Port-Type = Ethernet
        NAS-Port = 50103
        NAS-Port-Id = FastEthernet1/0/3
        State = 0xf13fdb9cf13cc2e40d991f43b28399d7
        NAS-IP-Address = 172.17.254.100
+- entering group authorize {...}
[preprocess] hints: Matched enseo_stb at 36
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = enseo_stb, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 214
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 00cb], ClientHello
[peap] TLS_accept: SSLv3
Re: radiusd -X On First Boot
On 01/05/2010 06:09 PM, Josip Rodin wrote:
> On Tue, Jan 05, 2010 at 03:37:25PM -0500, John Dennis wrote:
> > > > I am running RHEL 5.3 and FreeRADIUS Version 2.1.8. When I install freeradius and attempt to start it for the first time using the /etc/init.d/radiusd start script it always fails (only right after freeradius is installed). Once I run freeradius with -X (in debug mode) it creates all the keys and such; then I can Ctrl+C and start freeradius from that point forward using the init script... My question is, why do I have to do this? Is there any way around this?
> > >
> > > probably because when run from the init script it cannot actually start the daemon (due to requirements to create the key etc). if everything is in place correctly beforehand then it will work. I guess the question, then, is - can the RPM do the required creation of example/test keys etc rather than require the admin to jump through the hoops - and that's a question for the distro maintainers.
> >
> > The RPM could initially create the temporary certificates. There are two reasons why it doesn't at the moment.
> >
> > 1) It would deviate from everything written here on this list and the wiki. Discrepancies like that usually cause more problems than would be solved by it. People have a hard enough time following instructions in the first place (this list is pure evidence of that). If they then have to modify the instructions based on the distribution they'll be hopelessly confused :-(
> >
> > 2) The certificates created are *temporary* and *not* intended for production use. As such it's always a good idea to bring this crucial fact to the attention of the person installing the server. No better way to make them aware of this than forcing them to perform a manual step. Otherwise they'll blindly think everything is hokey-dokey and deploy the server with temporary self-signed certs.
> >
> > If you really think this needs to change then file a bug.
>
> When I enabled EAP+SSL modules in the 2.1.8 Debian package, the eap.conf defaults kicked in, so I added the use of snakeoil certificates explicitly because I don't want to break all the new installations as well as upgrades. It would piss off users by default, and that kind of behavior would IMHO be significantly worse than either of those things you mentioned above.
>
> These changes didn't make it into 2.1.8 (git) before upstream release, but nevertheless you can see them at the patch tracker:
>
> http://patch-tracker.debian.org/package/freeradius/2.1.8+dfsg-1

I've modified the RPM to run /etc/raddb/certs/bootstrap if it's the initial install (not an upgrade) and /etc/raddb/certs/server.pem does not exist. This should remove the need to run the server in debug mode initially.

Actually I had opened a bug report to myself a few months ago to do automatic cert generation but I had forgotten about it. FWIW the bug was:

https://bugzilla.redhat.com/show_bug.cgi?id=526559

-- 
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?
On 07/01/2010 18:57, Difan Zhao wrote:
> Greetings! I did read the "mschap" module file and I did see that in order to use a cleartext password, I need to set "MS-CHAP-Use-NTLM-Auth := No"; however I don't know where to set it. I tried to set it in the "hints" file like the following. I added it to the beginning of the file and the rest is just default.
>
>     enseo_stb   MS-CHAP-Use-NTLM-Auth := No
>
> The "enseo_stb" is the username. I do see that it matched the line in the preprocess in the debug; however the authentication still failed. I don't have this user account set in Windows AD. I do have it set in my users file.
>
>     Enseo_stb   Cleartext-Password := password
>
> Any advice?? Thank you!!

In the config file for your EAP inner-tunnel:

    server inner-tunnel-server {
        authorize {
            ...
            update control {
                MS-CHAP-Use-NTLM-Auth := 0
            }
            mschap
            ...
        }
        ...

You could use unlang to wrap it in an if statement if you wanted to be selective about when to apply it.

-James

-- 
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
http://www.jamesjj.net
--
Re: Cisco-AVpair accounting client-mac-address with unlang
Been there, done that . . . search the mailing list archives from last month for this topic. The hack turns the av-pair strings into attributes (if you add them to the dictionary). Then you just have to adjust your SQL to address them for writing to the database. Again . . . search the mailing list archives. This has been done before by at least a dozen people.

bbc

Joe Maimon wrote:
> I have this in preacct, and it works.
>
>     if (%{Cisco-AVpair[3]} =~ /^client-mac-address=(.+)$/) {
>         if (!Calling-Station-Id) {
>             update request {
>                 Calling-Station-Id := %{1}
>             }
>         }
>     }
>
> However this is ugly. I don't want to have to know which Cisco-AVpair it is; it should work whichever the order or number there is. It does not seem to work any other way. I know other directions to head include cisco_vsa_hack or the rlm_policy and others. I would appreciate any tips.
>
> Thanks,
> Joe
Re: freeradius proxy with 802.1x termination
Sorry, by NAS I was referring to the Home Radius Server (guess my terminology was incorrect), but I guess that answers the question anyways.

John

On Thu, Jan 7, 2010 at 12:55 PM, Alan DeKok <al...@deployingradius.com> wrote:
> John Gammons wrote:
> > My client Ubiquity Nanostation only supports EAP-TTLS MSCHAPv2. My NAS, only supports access-requests using PAP/CHAP passwords in clear-text.
>
> What does that mean?
>
> > I am attempting to setup a Radius Proxy that terminates the EAP-TTLS outer, and takes MSCHAPv2 inner tunnel, and forwards a clear-text user/pass to the NAS for authentication.
>
> The NAS is a RADIUS client. It originates Access-Requests. It doesn't receive them, and it definitely doesn't do authentication.
>
> > The more I read, the more I am getting the impression that this is not possible. Is that the case?
>
> You can't convert MS-CHAP into PAP or CHAP. And I have no idea what you mean when you say the NAS does authentication.
>
> Alan DeKok.
Re: Cisco-AVpair accounting client-mac-address with unlang
I have searched. I am unsatisfied with the results. The cisco_vsa_hack may have unintended consequences.

unlang should properly loop over the vp list, like other paircompares do. I have patched this kind of oversight before elsewhere, not sure if that's the right approach here.

Bryan Campbell wrote:
> Been there, done that . . . search the mailing list archives from last month for this topic. The hack turns the av-pair strings into attributes (if you add them to the dictionary). Then you just have to adjust your SQL to address them for writing to the database. Again . . . search the mailing list archives. This has been done before by at least a dozen people.
>
> bbc
>
> Joe Maimon wrote:
> > I have this in preacct, and it works.
> >
> >     if (%{Cisco-AVpair[3]} =~ /^client-mac-address=(.+)$/) {
> >         if (!Calling-Station-Id) {
> >             update request {
> >                 Calling-Station-Id := %{1}
> >             }
> >         }
> >     }
> >
> > However this is ugly. I don't want to have to know which Cisco-AVpair it is; it should work whichever the order or number there is. It does not seem to work any other way. I know other directions to head include cisco_vsa_hack or the rlm_policy and others. I would appreciate any tips.
> >
> > Thanks,
> > Joe
ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sql_mysql-2.1.7.so: symbol mysql_next_result: referenced symbol not found
Hi all! I am testing my FreeRADIUS configuration using the NTRadPing Test Utility, but as soon as I send the user/password to the server I get the error

    ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sql_mysql-2.1.7.so: symbol mysql_next_result: referenced symbol not found

and process radiusd is killed. I am not familiar with FreeRADIUS (this is my first installation). Could you help me?

SUN Netra 210
FreeRADIUS Version 2.1.7
SO Solaris 10
MySQL 5.0.88 (32 bits)

Packages installed:
- SMCdb db
- SMCgcc gcc
- SMClgcc346 libgcc
- SMClibidl libidl
- SMClibt libtool
- SMCliconv libiconv
- SMCmake make
- SMCmysql mysql
- SMColdap openldap
- SMCossl openssl
- SMCsasl sasl

Here's what I got from the radiusd debug:

bash-3.00#
rad_recv: Access-Request packet from host 147.1.4.228 port 4138, id=4, length=44
        User-Name = test
        User-Password = radius123
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sql_mysql-2.1.7.so: symbol mysql_next_result: referenced symbol not found
[1]+  Killed                  radiusd -X

This is how I executed the configure command:

/opt/RADUIS/FreeRADIUSv2/freeradius/freeradius-server-2.1.7
bash-3.00# ./configure --with-mysql-lib-dir=/usr/local/mysql/lib --with-mysql-include-dir=/usr/local/mysql/include --with-openssl --with-openssl-includes=/usr/sfw/include/openssl --with-openssl-libraries=/usr/sfw/bin/openssl | grep WARNI
config.status: WARNING: ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING: ./src/include/build-radpaths-h.in seems to ignore the --datarootdir setting
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires: libeap-ikev2 EAPIKEv2/connector.h.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires: -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires: krb5.h.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires: openssl-libs openssl-includes openssl-includes openssl-includes openssl-includes openssl-includes.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires: EXTERN.h perl.h libperl.so libperl.so.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires: Python.h libpython2.3.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: oracle headers not found. Use --with-oracle-home-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Thanks!
Nere
FreeBSD 8.0 port + perl hook problem
I'm having problems getting the latest FreeBSD port of freeradius2 to work with a perl hook that requires the IO perl module. I realize this is likely a FreeBSD ports compilation problem but I am hoping someone here can shed some light.

There seems to be some kind of shared library linking issue between the freeradius2 and perl packages compiled from RELEASE_8_0 ports tree branch. If one tries to use freeradius in conjunction with a perl hook (script) for authentication, and the perl script requires a perl module relying on a compiled shared object file (e.g., IO), then freeradius will fail to load the perl script and throws errors.

Below is a dump that should make it easy to replicate the problem. This was done after freshly installing 8.0-RELEASE-i386 onto a system from the official ISO. Note that I have also tried to compile the ports myself and run into the same problem on i386 and amd64 architectures. I am going to try and compile the ports using portupgrade as suggested by someone on this list and see if that changes anything. Any further help would be greatly appreciated. Thanks!

# uname -a
FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009     r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
# pkg_info
#
#
# pkg_add -r freeradius
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/Latest/freeradius.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/python26-2.6.2_3.tbz... Done.
Note that some of the standard modules are provided as separate ports
since they require extra dependencies:

bsddb   databases/py-bsddb
gdbm    databases/py-gdbm
sqlite3 databases/py-sqlite3
tkinter x11-toolkits/py-tkinter

Install them as needed.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/perl-5.8.9_3.tbz... Done.
Removing stale symlinks from /usr/bin...
    Skipping /usr/bin/perl
    Skipping /usr/bin/perl5
Done.
Creating various symlinks in /usr/bin...
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl5
Done.
Cleaning up /etc/make.conf... Done.
Spamming /etc/make.conf... Done.
Cleaning up /etc/manpath.config... Done.
Spamming /etc/manpath.config... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libltdl-2.2.6a.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gdbm-1.8.3_3.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/libiconv-1.13.1.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gettext-0.17_1.tbz... Done.
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.0-release/All/gmake-3.81_3.tbz... Done.
===> Created group freeradius
===> Created user freeradius
===> Setting user and group in radiusd.conf
===> Bootstrapping default certificates, please wait...
===> Adjusting ownership of directory /usr/local/etc/raddb
===> Adjusting ownership of directory /var/log/radacct
===> Adjusting ownership of directory /var/run/radiusd
===> Adjusting ownership of /var/log/radius.log
===> Adjusting ownership of /var/log/radutmp
===> Adjusting ownership of /var/log/radwtmp
===> Updating libdir in /usr/local/etc/raddb/radiusd.conf
===> To enable FreeRADIUS, put the following line in /etc/rc.conf

radiusd_enable=YES

The sample configuration can be found at

/usr/local/share/examples/freeradius/raddb

If you are upgrading FreeRADIUS, you are advised to use this as a reference for updating your configuration.

FreeRADIUS will look for its configuration directory at /usr/local/etc/raddb by default. If you did not already have a configuration at this location, the sample configuration has been copied to this location and has been bootstrapped.

If you wish to point FreeRADIUS to a configuration at a different location, put the following line in /etc/rc.conf

radiusd_flags=-d /path/to/raddb

To start the server in normal (daemon) mode, run:

/usr/local/etc/rc.d/radiusd start

and to stop the server, run:

/usr/local/etc/rc.d/radiusd stop

To start the server in debugging mode, run:

/usr/local/etc/rc.d/radiusd debug

You are advised to make cautious changes to the configuration, and to test frequently, using debugging mode where necessary. Try to resist the temptation to disable or delete things that you don't understand - you may well break things!

The documentation has been installed at /usr/local/share/doc/freeradius

Useful configuration advice can be found in the FreeRADIUS Wiki at http://wiki.freeradius.org
===>
#
# pkg_info
en-freebsd-doc-20090913 Documentation from the FreeBSD Documentation Project
freeradius-2.1.6    A free RADIUS server implementation
gdbm-1.8.3_3
Windows Authentication Failing After Changing IP
Hello everyone,

I recently changed the IP address of our RADIUS server and changed domain controllers for Windows Authentication. Besides that change we decided to use LDAP instead of LDAPS on the new domain controller. I didn't think I would run into a problem with my test lab on the changes that were made. I'm stumped why the devices can no longer authenticate. Anyone have any ideas as I'm getting familiar with FreeRADIUS and Linux. I appreciate any input... Below is an output of the debug:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.213.254 port 1645, id=13, length=85
        NAS-IP-Address = 192.168.213.254
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = edwinadmin
        Calling-Station-Id = 192.168.213.207
        User-Password = Teddy133
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = edwinadmin, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = edwinadmin, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for edwinadmin
[ldap]  expand: (&(objectCategory=user)(samaccountname=%{user-name})(memberOf=cn=MIS-NetworkAdmins-All,OU=Security Groups,OU=MIS Admin,DC=EIDEV,DC=COM)) -> (&(objectCategory=user)(samaccountname=edwinadmin)(memberOf=cn=MIS-NetworkAdmins-All,OU=Security Groups,OU=MIS Admin,DC=EIDEV,DC=COM))
[ldap]  expand: dc=eidev,dc=com -> dc=eidev,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to eidev-dc6.eidev.com:389, authentication 0
rlm_ldap: bind as eidev\radius/N3tw0rkd3^ to eidev-dc6.eidev.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=eidev,dc=com, with filter (&(objectCategory=user)(samaccountname=edwinadmin)(memberOf=cn=MIS-NetworkAdmins-All,OU=Security Groups,OU=MIS Admin,DC=EIDEV,DC=COM))
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [edwinadmin] (from client EIDEV LAB port 1 cli 192.168.213.207)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> edwinadmin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 13 to 192.168.213.254 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 13 with timestamp +50
Ready to process requests.
Re: Windows Authentication Failing After Changing IP
Edwin Isada wrote:
> ..
> rlm_ldap: performing search in dc=eidev,dc=com, with filter (&(objectCategory=user)(samaccountname=edwinadmin)(memberOf=cn=MIS-NetworkAdmins-All,OU=Security Groups,OU=MIS Admin,DC=EIDEV,DC=COM))
> rlm_ldap: ldap_search() failed: Operations error

In 2.1.8, read raddb/modules/ldap, and look for operations error. In older versions... upgrade.

Alan DeKok.
Re: FreeBSD 8.0 port + perl hook problem
Nick Rogers wrote:
> I'm having problems getting the latest FreeBSD port of freeradius2 to work with a perl hook that requires the IO perl module. I realize this is likely a FreeBSD ports compilation problem but I am hoping someone here can shed some light.

It's likely a problem resolving global symbols in libraries. Download 2.1.8, and look for HAVE_LT_DLADVISE_INIT in src/main/modules.c. That code isn't built because it hasn't been tested. But it's *supposed* to solve these kinds of issues.

Alan DeKok.
Re: ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sql_mysql-2.1.7.so: symbol mysql_next_result: referenced symbol not found
Nereida Bernal wrote:
> I am testing my FreeRADIUS configuration using the NTRadPing Test Utility, but as soon as I send the user/password to the server I get the error
>
>     ld.so.1: radiusd: fatal: relocation error: file /usr/local/lib/rlm_sql_mysql-2.1.7.so: symbol mysql_next_result: referenced symbol not found
>
> and process radiusd is killed.

Be sure that you have the libmysqlclient library on your system, and that the dynamic linker can find it.

Alan DeKok.
Re: Cisco-AVpair accounting client-mac-address with unlang
Joe Maimon wrote:
> I have searched. I am unsatisfied with the results. The cisco_vsa_hack may have unintended consequences.

Like... ?

> unlang should properly loop over the vp list, like other paircompares do.

I would prefer that behavior to be *explicit* rather than *implicit*.

> I have patched this kind of oversight before elsewhere, not sure if that's the right approach here.

Maybe something like:

    if (*Cisco-AVpair =~ /^client-mac-address=(.+)$/) {

i.e. * means any one matches

Alan DeKok.
Re: cisco_vsa_hack
Joe Maimon wrote:
> Does turning on the hack do anything to the attributes other than adding the value to matching defined attributes?

? It doesn't add the value. It turns:

    Cisco-AVPair = foo = bar

into

    foo = bar

or

    foo = foo = bar

into

    foo = bar

I would say I have no idea why Cisco did it that way... but I know some of the people involved, and they thought it was a great idea. sigh

Alan DeKok.
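[Editor's added example, not part of the thread and not FreeRADIUS code.] The two transformations Alan describes above, and Joe's earlier wish to find the client-mac-address pair without knowing which Cisco-AVpair index it lands in, are both small string-handling rules, so here they are re-implemented in isolation. The dictionary lookup that the quoted cisco_vsa_hack does with dict_attrbyname() and PW_TYPE_STRING is replaced by a constructed list of known attribute names; the names cisco_vsa_hack_apply, cisco_avpair_find and hack_result are this example's own, and the AVPair strings in main() are constructed sample input, not captured from any NAS. As the quoted strlcpy(ptr + 1) does, the right-hand side is copied verbatim, so a pair written with blanks around '=' keeps its leading blank in the value; that detail is worth knowing before matching on the result.

```c
/* Added example, not FreeRADIUS code: re-implements in isolation the value
 * handling the quoted cisco_vsa_hack applies to Cisco string VSAs, plus a
 * helper that finds a "key=value" AVPair wherever it sits in the list.
 * Names, the struct and the "dictionary" list are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AVP_STR_MAX 256

/* Stand-in for dict_attrbyname() + PW_TYPE_STRING: constructed list of the
 * string attributes this example's "dictionary" knows. */
static const char *const known_string_attrs[] = {
    "client-mac-address", "h323-gw-id", "connect-progress", NULL
};

static int is_known_string_attr(const char *name)
{
    for (const char *const *p = known_string_attrs; *p; p++)
        if (strcmp(*p, name) == 0) return 1;
    return 0;
}

typedef struct {
    int  changed;   /* 0: pair untouched; 1: out_attr/out_value are valid */
    int  added;     /* 1: a new pair was created, the original AVPair kept */
    char out_attr[AVP_STR_MAX];
    char out_value[AVP_STR_MAX];
} hack_result;

/* Hack rules for one Cisco string VSA (attr, value): no '=' -> ignored;
 * Cisco-AVPair -> the bare word before the first '=' is looked up and, if it
 * is a known string attribute, a new pair name = <rest> is created (pairadd);
 * any other attribute -> its value is cut down to the text after the first
 * '='.  The right-hand side is copied verbatim, like the quoted
 * strlcpy(ptr + 1), so "foo = bar" gives the value " bar". */
hack_result cisco_vsa_hack_apply(const char *attr, const char *value)
{
    hack_result r;
    const char *eq = strchr(value, '=');

    memset(&r, 0, sizeof r);
    if (eq == NULL) return r;

    if (strcmp(attr, "Cisco-AVPair") == 0) {
        char name[AVP_STR_MAX];
        size_t n = 0;
        const char *p = value;

        while (*p && isspace((unsigned char)*p)) p++;      /* skip blanks */
        while (p[n] && p[n] != '=' && !isspace((unsigned char)p[n])
               && n < sizeof(name) - 1) {
            name[n] = p[n];
            n++;
        }
        name[n] = '\0';
        if (!is_known_string_attr(name)) return r;  /* unknown: no new pair */
        r.added = 1;
        snprintf(r.out_attr, sizeof r.out_attr, "%s", name);
    } else {
        /* "foo = foo = bar" -> "foo = bar": keep only what follows '=' */
        snprintf(r.out_attr, sizeof r.out_attr, "%s", attr);
    }
    r.changed = 1;
    snprintf(r.out_value, sizeof r.out_value, "%s", eq + 1);
    return r;
}

/* Find "key=" in any of the AVPair strings, whatever their order or count
 * (the %{Cisco-AVpair[3]} test earlier in the thread checks one index only).
 * Copies the text after '=' into out; returns 1 if found, 0 otherwise. */
int cisco_avpair_find(const char *const *avpairs, size_t count, const char *key,
                      char *out, size_t outlen)
{
    size_t klen = strlen(key);

    for (size_t i = 0; i < count; i++) {
        if (strncmp(avpairs[i], key, klen) == 0 && avpairs[i][klen] == '=') {
            snprintf(out, outlen, "%s", avpairs[i] + klen + 1);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: AVPairs in the order a NAS might send them */
    const char *const avpairs[] = { "connect-progress=Call Up",
                                    "nas-rx-speed=100000",
                                    "client-mac-address=0011.2233.4455" };
    char mac[AVP_STR_MAX];
    hack_result a = cisco_vsa_hack_apply("Cisco-AVPair", avpairs[2]);
    hack_result b = cisco_vsa_hack_apply("h323-gw-id", "h323-gw-id=gw1.example");

    if (cisco_avpair_find(avpairs, 3, "client-mac-address", mac, sizeof mac))
        printf("client-mac-address (any index): %s\n", mac);
    printf("Cisco-AVPair -> %s = \"%s\" (added=%d)\n", a.out_attr, a.out_value, a.added);
    printf("h323-gw-id   -> %s = \"%s\" (rewritten in place)\n", b.out_attr, b.out_value);
    return 0;
}
```

The find helper is what the unlang in the thread lacks: it scans every pair rather than a fixed index, so a NAS that reorders or adds AVPairs still yields the MAC. The apply function shows why an unknown left-hand name is left alone (no new pair is created), and why matching on the rewritten value should tolerate a leading blank when the NAS pads around '='.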