RE: TLS / SSL negotiation fails when behind Cisco IP phone

2012-09-09 Thread Danner, Mearl
There is a switch in the Cisco phone. All my experience is with a 7945.

There are some ethernet settings in the phone settings - under device 
configuration. They can be controlled locally and some are controlled in Cisco 
Call Manager.

Might look there as a start.

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Dan Lundström
Sent: Sunday, September 09, 2012 9:02 AM
To: freeradius-users@lists.freeradius.org
Subject: TLS / SSL negotiation fails when behind Cisco IP phone

Hi!

We are using EAP/TLS for wired authentication on our networks; at one of our 
sites the SSL negotiation fails when the client is connected behind a Cisco 
7962 IP phone. We have this same setup working on other sites. 
The phone model varies between the sites, but I cannot find any information 
about incompatibilities for the particular phone model saying it should be the 
phone that is causing the problem.

I figured that the problem was caused by fragmentation, but after adjusting the 
fragment_size parameter in eap.conf according to the comments:

#  This can never exceed the size of a RADIUS
#  packet (4096 bytes), and is preferably half
#  that, to accomodate other attributes in
#  RADIUS packet.  On most APs the MAX packet
#  length is configured between 1500 - 1600
#  In these cases, fragment size should be
#  1024 or less.

...without any result, I am not sure anymore.

When I connect the client directly to a switch port, without the IP phone 
in between, everything works perfectly.

Here is the relevant part of the RADIUS debug output. First session, without IP 
phone, directly connected to the switch [ client - switch ]:

--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]  TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Root CA
[tls] -- subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Sub CA
[tls] -- subject = /DC=com/DC=/CN=Xxxx Sub CA
[tls] -- issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = US-LAPJAMIESON.us..yyy
[tls] -- subject = /CN=US-LAPJAMIESON.us..yyy
[tls] -- issuer  = /DC=com/DC=/CN=Xxxx Sub CA
[tls] -- verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls]  TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls]  TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls]  TLS 1.0 ChangeCipherSpec [length 0001]
[tls]  TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls]  TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls]  TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
--
--

Second part - With IP phone in-between [ client - ipphone - switch ];

--
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]  TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy
[tls] -- BUF-Name = Xxxx Root CA
[tls] -- subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- issuer  = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] -- User-Name = host/US-LAPJAMIESON.us..yyy

RE: TLS / SSL negotiation fails when behind Cisco IP phone

2012-09-09 Thread Danner, Mearl
Good info if we start doing wired 802.1x

Thanks

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Dan Lundström
Sent: Sunday, September 09, 2012 12:11 PM
To: FreeRadius users mailing list
Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone

The problem was firmware; it works as expected with both older and newer 
versions. So basically don't use firmware version 8.5(2).

Also might be good to know that all of the following phones use the same code 
base:

IP Phones - 7906, 7911, 7931, 7941, 7942, 7945, 7961, 7962, 7965, 7970, 7971 
and 7975

//Dan

 -Original Message-
 From: freeradius-users-
 bounces+dan.lundstrom=axis@lists.freeradius.org [mailto:freeradius-
 users-bounces+dan.lundstrom=axis@lists.freeradius.org] On Behalf Of
 Dan Lundström
 Sent: 9 September 2012 17:53
 To: FreeRadius users mailing list
 Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
 
 I have been looking at possible changes to make on the phone and call
 manager, but cannot find anything that would relate to the behavior we have.
 Is there a way to change MTU value on the phones, I can't find it.
 
 We have the 7945 model on another site as well and there everything works;
 I have tried with a 7942 here as well and it does not work. I am quite sure
 that the problem is related to the internal switch in the phone, but since
 the EAP packet gets through to the authenticating switch there should be a
 way to get it to work. I don't have any other phone models here to test
 with, and I can't find any information about hardware/switch differences in
 the 7962 and the 7954 phones.
 
 Can anyone tell from the below sessions if the SSL negotiation fails because
 of fragmentation?
 
 I just found this article;
 
 https://supportforums.cisco.com/thread/163050
 
 Seems like it might be a firmware issue, I will upgrade/downgrade and let
 you know the outcome.
 
 /Dan
 
  -Original Message-
  From: freeradius-users-bounces+dan.lundstrom=axis@lists.freeradius.org
  [mailto:freeradius-users-bounces+dan.lundstrom=axis@lists.freeradius.org]
  On Behalf Of Danner, Mearl
  Sent: 9 September 2012 16:37
  To: FreeRadius users mailing list
  Subject: RE: TLS / SSL negotiation fails when behind Cisco IP phone
 
  There is a switch in the Cisco phone. All my experience is with a 7945.
 
  There are some ethernet settings in the phone settings - under device
  configuration. They can be controlled locally and some are controlled
  in Cisco Call Manager.
 
  Might look there as a start.
 
  -Original Message-
  From: freeradius-users-
  bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
  users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
  Dan Lundström
  Sent: Sunday, September 09, 2012 9:02 AM
  To: freeradius-users@lists.freeradius.org
  Subject: TLS / SSL negotiation fails when behind Cisco IP phone
 
  Hi!
 
  We are using EAP/TLS for wired authentication on our networks; at one
  of our sites the SSL negotiation fails when the client is connected
  behind a Cisco 7962 IP phone. We have this same setup working on other
  sites. The phone model varies between the sites, but I cannot find any
  information about incompatibilities for the particular phone model
  saying it should be the phone that is causing the problem.
 
  I figured that the problem was caused by fragmentation, but after
  adjusting the fragment_size parameter in eap.conf according to the
  comments:
 
  #  This can never exceed the size of a RADIUS
  #  packet (4096 bytes), and is preferably half
  #  that, to accomodate other attributes in
  #  RADIUS packet.  On most APs the MAX packet
  #  length is configured between 1500 - 1600
  #  In these cases, fragment size should be
  #  1024 or less.
 
  ...without any result, I am not sure anymore.
 
  When I connect the client directly to a switch port, without the IP
  phone in between, everything works perfectly.
 
  Here is the relevant part of the RADIUS debug output. First session,
  without IP phone, directly connected to the switch [ client - switch ]:
 
  --
  
  Found Auth-Type = EAP
  # Executing group from file /etc/freeradius/sites-enabled/default
  +- entering group authenticate {...}
  [eap] Request found, released from the list
  [eap] EAP/tls
  [eap] processing type tls
  [tls] Authenticate
  [tls] processing EAP-TLS
  [tls] eaptls_verify returned 7
  [tls] Done initial handshake
  [tls]  TLS 1.0 Handshake [length 0b2e], Certificate
  [tls] chain-depth=2,
  [tls] error=0
  [tls] -- User-Name = host/US
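
The two radiusd -X excerpts in this thread are the kind of output one wants to compare mechanically rather than by eye. What follows is an added example, not code from the thread or from FreeRADIUS: a small Python diagnostic that pulls the TLS record lengths out of the [tls] lines, works out how many EAP-TLS fragments each record needs at a given fragment_size (ignoring the few header bytes per fragment), and reports the last handshake or chain-verification step the server logged. The embedded log excerpts are constructed from the lines quoted above; the second one stops where the archive truncates the post, so the tool reports the last logged step, not a cause. One caveat the numbers make visible: fragment_size in eap.conf sizes the fragments the server sends towards the supplicant, while the 0x0b2e-byte Certificate message here travels from the supplicant to the server and is fragmented by the supplicant, so changing the server-side value does not change how that message arrives.

```python
import math
import re

# Constructed excerpts modelled on the radiusd -X output quoted in the thread:
# the session without the phone, and the (truncated) session behind the phone.
SESSION_DIRECT = """\
[tls] Done initial handshake
[tls]  TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] -- verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] -- verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls]  TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls]  TLS 1.0 Handshake [length 0106], CertificateVerify
[tls]  TLS 1.0 ChangeCipherSpec [length 0001]
[tls]  TLS 1.0 Handshake [length 0010], Finished
[tls]  TLS 1.0 ChangeCipherSpec [length 0001]
[tls]  TLS 1.0 Handshake [length 0010], Finished
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
"""

SESSION_BEHIND_PHONE = """\
[tls] Done initial handshake
[tls]  TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] -- verify return:1
[tls] chain-depth=1,
[tls] error=0
"""

# "[tls]  TLS 1.0 Handshake [length 0b2e], Certificate" -> version, content type, hex length, message
RECORD_RE = re.compile(
    r"\[tls\]\s+TLS (?P<ver>\S+) (?P<ctype>\w+) \[length (?P<len>[0-9a-fA-F]+)\](?:, (?P<msg>\w+))?"
)
# Progress markers the server prints while it verifies the chain and drives the handshake.
STEP_RE = re.compile(r"\[tls\] (chain-depth=\d+|TLS_accept: .+|\(other\): .+)")


def parse_tls_records(log_text):
    """(content_type, handshake_message, length_in_bytes) for each TLS record logged."""
    return [
        (m.group("ctype"), m.group("msg") or "", int(m.group("len"), 16))
        for m in RECORD_RE.finditer(log_text)
    ]


def eap_fragments_needed(record_len, fragment_size):
    """EAP-TLS fragments a record of record_len bytes needs at fragment_size (headers ignored)."""
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    return math.ceil(record_len / fragment_size)


def last_step(log_text):
    """The last handshake/verification step the server logged before the excerpt ends."""
    steps = STEP_RE.findall(log_text)
    return steps[-1] if steps else ""


def diagnose(log_text, fragment_size=1024):
    """Summarise one EAP-TLS session excerpt: did it finish, what was logged, how big was the worst record."""
    records = parse_tls_records(log_text)
    largest = max((r[2] for r in records), default=0)
    return {
        "established": "SSL Connection Established" in log_text,
        "records": len(records),
        "largest_record": largest,
        "fragments_at_size": eap_fragments_needed(largest, fragment_size) if largest else 0,
        "last_step": last_step(log_text),
    }


if __name__ == "__main__":
    for name, text in (("direct", SESSION_DIRECT), ("behind phone", SESSION_BEHIND_PHONE)):
        print(name, diagnose(text, fragment_size=1024))
```

Feed it a real `radiusd -X` capture per session (one file each) and compare the two dictionaries; a difference in `last_step` between the working and failing path tells you where the exchange stopped, and `fragments_at_size` tells you whether the largest record even needed fragmentation at the configured size.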

RE: Error

2012-03-06 Thread Danner, Mearl
ulimit?

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of David Peterson
Sent: Tuesday, March 06, 2012 10:04 AM
To: FreeRadius users mailing list
Subject: Error

Has anyone run across this:

Couldn't open dictionary /usr/local/share/freeradius/dictionary: Too many
open files

| David Peterson | Senior Engineer | Wireless Connections |
| Office: 419.660.6100 ext 2287 | Cell: 419.706.7355| Fax: 419.668.4077 |
www.wirelessconnections.net | 
| 166 Milan Ave |  Norwalk OH 44857 |


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Conditional attributes with AD

2012-03-06 Thread Danner, Mearl


 Can you expand on how this is done? I am a freeradius newbie and don't
 really understand how all the pieces fit together.

First is authentication: configure with Samba and ntlm_auth, see 
http://wiki.freeradius.org/FreeRADIUS-Active-Directory-Integration-HOWTO

Next is authorization, configured as Matthew suggested in a previous post. 
You probably need to get the memberOf attribute of the userid; 

the match will be the FQDN of the group, i.e.: 
CN=Group,OU=someou,dc=something,dc=else,dc=again


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Distributing Certificates

2012-01-06 Thread Danner, Mearl
If you are using AD and have a CA set up you can create autoenrollment gpo's 
for domain attached machines. You can issue either user or computer certs. Can 
also configure the Windows wireless supplicant via gpo.

Mearl

From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Friday, January 06, 2012 10:18 AM
To: FreeRadius users mailing list
Subject: Distributing Certificates

Now that I have my Radius server configured I need to begin implementation I 
have 600 computers that will be using it.  The question I am wondering is do I 
have to go around and install a certificate on every one of the computers and 
then maintain that every year changing out the certificate on 600 computers or 
is there some way that the server passes out certificates when the machine logs 
on.  Or do I have an incorrect understanding of how to implement 802.1x 
security.
Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Example configuration that proxy PEAP MSCHAPv2 to an IAS server

2011-08-30 Thread Danner, Mearl
Might be the LAN Manager authentication level  on the 2K8 servers. It needs to 
be downgraded.  Probably to Send LM and NTLM.

Samba used to put a  note about that in the documentation.


 It still bugs me that ntlm_auth would not authenticate the challenge and 
 nt-response to the domain controllers.


 I assume no one else is having any issues using ntlm_auth to W2008 
 servers?   It may be some Windows GPO at our site for all I know.





On 8/27/11 5:01 AM, Phil Mayers wrote:
 On 08/26/2011 10:40 PM, Glenn Machin wrote:
 I am using radiusd: FreeRADIUS Version 2.1.11.

 I cannot seem to get the RHEL5 (2.6.18-238.9.1.el5) ntlm_auth program to
 properly authenticate the challenge and nt-response packets.
 If I set the password using clear-text and also set
 MS-CHAP-Use-NTLM-Auth, the authentication works fine. The version of
 ntlm_auth is Version 3.5.4-0.83.el5

 If you supply the debugging output of radiusd -X, perhaps someone 
 can help you with that.



 So my next step is to try to filter PEAP MSCHAPv2 requests and proxy
 them off to an IAS server. However I still want PEAP GTC packets handled
 on this server.

 Can't be done cleanly. You can only proxy the inner-EAP conversation, 
 since it's only there that you know the inner-EAP type. But the 
 problem is you need to proxy the *entire* inner EAP conversation, and 
 that includes the EAP-Identity packet, which comes before any EAP type 
 has been decided.

 You could proxy the inner EAP-MSCHAP as plain-MSCHAP, but you still 
 have to set the proxy up early enough; something like this might work:

 server inner-tunnel {
   authorize {
     ...
     # use horrible technique to find EAP-MSCHAP packets
     if (EAP-Message =~ /^0x02..00061a..$/) {
       update control {
         Proxy-To-Realm := IAS_SERVERS
       }
     }
   }
 }
 
 ...and in eap.conf:
 
 eap {
   peap {
     proxy_tunneled_request_as_eap = no
   }
 }

 ...but that solution has problems of its own, namely the EAP-MSCHAP - 
 plain-MSCHAP conversion is a step that, personally, I think is 
 dangerous and fiddly, and to be avoided if possible.

 As I said; I would avoid this. Try to get Samba working if at all 
 possible.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
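
To see what the `EAP-Message =~ /^0x02..00061a..$/` test in Phil's snippet keys on, here is an added example, mine rather than Phil Mayers' or FreeRADIUS code: it decodes the EAP header that FreeRADIUS prints in hex (code, identifier, length, type), names the inner method of a Response, and applies the same regular expression to constructed packets. The packet builders and their contents are constructed for the example; the lengths follow the EAP and EAP-MSCHAPv2 wire formats (a 49-byte MS-CHAPv2 Response value), so the output shows that the pattern literally matches a 6-byte Response of type 26 and not the much longer MS-CHAPv2 Response that carries the challenge answer.

```python
import re

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_GTC, EAP_TYPE_MSCHAPV2 = 1, 3, 6, 26
METHOD_NAMES = {
    EAP_TYPE_IDENTITY: "identity",
    EAP_TYPE_NAK: "nak",
    EAP_TYPE_GTC: "gtc",
    EAP_TYPE_MSCHAPV2: "mschapv2",
}
# The pattern from the unlang snippet above, applied to the "0x..." hex form of EAP-Message.
INNER_MSCHAP_RULE = re.compile(r"^0x02..00061a..$")


def parse_eap(hex_message):
    """Decode an EAP packet given as FreeRADIUS prints it: code, id, length, type, data."""
    body = hex_message[2:] if hex_message[:2].lower() == "0x" else hex_message
    raw = bytes.fromhex(body)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != packet size {len(raw)}")
    eap_type = raw[4] if length >= 5 else None
    return {"code": code, "id": ident, "length": length, "type": eap_type, "data": raw[5:]}


def classify_inner_response(hex_message):
    """Name the inner EAP method of a Response; this is the decision the proxy rule is trying to make."""
    pkt = parse_eap(hex_message)
    if pkt["code"] != EAP_CODE_RESPONSE:
        return "not-a-response"
    return METHOD_NAMES.get(pkt["type"], f"type-{pkt['type']}")


def matches_unlang_rule(hex_message):
    """True when the packet would satisfy Phil's regular expression."""
    return INNER_MSCHAP_RULE.match(hex_message) is not None


def build_eap_response(ident, eap_type, data):
    """Constructed EAP Response: code 2, identifier, 2-byte length, type, data."""
    length = 4 + 1 + len(data)
    return (
        "0x"
        + bytes([EAP_CODE_RESPONSE, ident]).hex()
        + length.to_bytes(2, "big").hex()
        + bytes([eap_type]).hex()
        + data.hex()
    )


def mschapv2_response_body(ms_id, peer_challenge, nt_response, name):
    """Constructed EAP-MSCHAPv2 Response data: opcode 2, MS-CHAPv2-ID, MS-Length, Value-Size 49, value, name."""
    # Value = Peer-Challenge (16) + Reserved (8) + NT-Response (24) + Flags (1) = 49 bytes
    value = peer_challenge + bytes(8) + nt_response + bytes([0])
    ms_length = 1 + 1 + 2 + 1 + len(value) + len(name)
    return bytes([2, ms_id]) + ms_length.to_bytes(2, "big") + bytes([len(value)]) + value + name


if __name__ == "__main__":
    samples = {
        "6-byte mschapv2 response": "0x020500061a03",
        "full mschapv2 response": build_eap_response(
            7, EAP_TYPE_MSCHAPV2, mschapv2_response_body(7, bytes(16), bytes(24), b"bob")),
        "gtc response": build_eap_response(3, EAP_TYPE_GTC, b"hello"),
        "identity response": build_eap_response(1, EAP_TYPE_IDENTITY, b"bob"),
    }
    for label, msg in samples.items():
        print(f"{label:28} len={parse_eap(msg)['length']:3} "
              f"method={classify_inner_response(msg):9} rule_matches={matches_unlang_rule(msg)}")
```

Run it against the `EAP-Message` values from a `radiusd -X` trace of the inner tunnel to see, packet by packet, which ones the rule would have fired on and at what point in the exchange the method becomes identifiable.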



RE: Password oddity

2010-12-16 Thread Danner, Mearl
Sounds like it's authenticating but failing on authorization. If it 
authenticates correctly but the proper attributes aren't returned it will fail 
on authorization and the edirectory code will force a failed login by changing 
a character in the password. If edirectory is set up to lock the account on a 
number of failed logins a repeated attempt to login when not authorized to use 
wireless will lock out the account.

Make sure you have the proper radius attributes in the edirectory schema and 
the users are properly set up for radius authentication.

That's about all I can help with. We ditched edirectory a few years back so I 
can't go much further than that.

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of discgolfer72
Sent: Wednesday, December 15, 2010 5:36 PM
To: freeradius-users@lists.freeradius.org
Subject: Password oddity


Set up FreeRadius on SLES 10. Using the NTRadPing utility we can authenticate
to our back end LDAP server (eDirectory) w/o problem. However, when we
enabled Radius authentication on two separate Wireless access points
(Linksys WRT54 and DLink WBR 1310), they both fail authentication because
the password they pass (or how FreeRadius interprets the password) changes
one letter of the password.

For example, we set up a radtest user with a password of radtest. FreeRadius
server in debug shows the request come in but passes a password value of
aadtest. So, as a test we changed the password to aadtest for the radtest
user. The password then came across as badtest. So, we thought we'd change
the password to cadtest to see what would happen. Now the password was
sent/received as aadtest again.

Using NTRadPing utility, we see the request come in, get processed and then
login...

Running FreeRadius 1.1.0 as this is the version that Novell supports. 
Please don't yell at me on this.  Their documentation is based on this
version and not the latest version...

Has anyone seen this behavior before and if so, know how to fix it?

TIA!! 
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Password-oddity-tp3307174p3307174.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
EAP/PEAP  requires a server certificate. You can opt for the M$ supplicant to 
verify it but it does not use a client certificate.

That's why there is no option to pick the client cert when setting up PEAP.

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

The message is clear. Yes I created a client certificate and imported it into 
the client. 
When I use TLS to connect to the freeradius server I can choose the client 
certificate in the TLS dialog and the client can login successfully.

When I use PEAP to login I have to type in my username and password in the PEAP 
dialog from windows but I can not select a client certificate, the certificate 
is imported successfully in the windows certificate manager.
Should I be able to choose a client certificate in the PEAP dialog or should it 
work when the certificate is saved in the windows certificate manager and I 
only have to type in my username and password in the PEAP dialog? 

I want to allow only PEAP logins (or username/password logins) with client 
certificate. 



 Original Message 
 Date: Tue, 21 Sep 2010 09:33:29 +0200
 From: Alan DeKok al...@deployingradius.com
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: Re: need help - force EAP-TTLS to validate the server certificate

 Klaus Laus wrote:
  I tried to login from another client, but it's the same problem.
  
  TLS Alert write:fatal:handshake failure
  TLS_accept:error in SSLv3 read client certificate B
  rlm_eap: SSL error error:140890C7:SSL
  routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
  SSL: SSL_read failed in a system call (-1), TLS session fails.
 
   That message should be clear.  The supplicant didn't send a client
 certificate.
 
   Did you create a client certificate?
 
   If so, did you copy it to the client?
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: RE: need help - force EAP-TTLS to validate the server certificate

2010-09-21 Thread Danner, Mearl
Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation 
doesn't support client certificates.

Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll 
need a third party supplicant for it.

Might look at this for reference:

http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol



-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

A lot of thanks for your answer, Mearl Danner. I read the pages of M$ but I 
didn't find any possibility to configure the clients so that the client uses 
a username/password and a certificate. Do you know how I can do these 
settings, or if it's generally not possible? Thanks again



 Original Message 
 Date: Tue, 21 Sep 2010 08:02:27 -0500
 From: Danner, Mearl jmdan...@samford.edu
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: RE: need help - force EAP-TTLS to validate the server certificate

 EAP/PEAP  requires a server certificate. You can opt for the M$ supplicant
 to verify it but it does not use a client certificate.
 
 That's why there is no option to pick the client cert when setting up
 PEAP.
 
 -Original Message-
 From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
 [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org]
 On Behalf Of Klaus Laus
 Sent: Tuesday, September 21, 2010 5:17 AM
 To: FreeRadius users mailing list
 Subject: Re: need help - force EAP-TTLS to validate the server certificate
 
 The message is clear. Yes I created a client certificate and imported it
 into the client. 
 When I use TLS to connect to the freeradius server I can choose the client
 certificate in the TLS dialog and the client can login successfully.
 
 When I use PEAP to login I have to type in my username and password in the
 PEAP dialog from windows but I can not select a client certificate, the
 certificate is imported successfully in the windows certificate manager.
 Should I be able to choose a client certificate in the PEAP dialog or
 should it work when the certificate is saved in the windows certificate 
 manager
 and I only have to type in my username and password in the PEAP dialog? 
 
 I want to allow only PEAP logins (or username/password logins) with client
 certificate. 
 
 
 
  Original Message 
  Date: Tue, 21 Sep 2010 09:33:29 +0200
  From: Alan DeKok al...@deployingradius.com
  To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
  Subject: Re: need help - force EAP-TTLS to validate the server certificate
 
  Klaus Laus wrote:
   I tried to login from another client, but it's the same problem.
   
   TLS Alert write:fatal:handshake failure
   TLS_accept:error in SSLv3 read client certificate B
   rlm_eap: SSL error error:140890C7:SSL
   routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
   SSL: SSL_read failed in a system call (-1), TLS session fails.
  
    That message should be clear.  The supplicant didn't send a client
  certificate.
  
    Did you create a client certificate?
  
    If so, did you copy it to the client?
  
    Alan DeKok.
  -
  List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: PEAP - AD Disabled

2010-06-25 Thread Danner, Mearl
Have you checked the certificate? That's one major difference. ntlm-auth is the 
auth after the cert conversation in PEAP is done.

Maybe a radiusd -X log to help us along?


From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Nathan McDavit-Van Fleet
Sent: Friday, June 25, 2010 8:22 AM
To: 'FreeRadius users mailing list'
Subject: PEAP - AD Disabled

Okay,

I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the PEAP-AD portion of 
the AAA failed. This is for wireless auth.

Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it 
appears as if the Samba connection to the AD is fine. Nothing has changed 
config wise between then and now, and I haven't found any interesting log 
information. You just get a Login incorrect when you try to login via 
PEAP-AD. Everything else is verified as working.

Aside from Freeradius itself, what are the differences between using ntlm_auth 
via CLI and via Freeradius?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension:5434
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do wireless auth

2010-01-28 Thread Danner, Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Jonathan Amiez
 Sent: Thursday, January 28, 2010 11:46 AM
 To: FreeRadius users mailing list
 Subject: Re: Setting up FreeRADIUS 2.0.4 with OpenLDAP backend to do
 wireless auth
 
 On Thursday 28 January 2010 18:18:01, Alan DeKok wrote:
  Jonathan Amiez wrote:
   Therefore, I have again trouble in setting up this configuration.
  
   The problem is EAP/PEAP related, and I am not able to resolve it.
 
Post the debug log into:
 
  http://networkradius.com/freeradius.html
 
And look for the red text.
 
 Thanks for this tool. It gives me this red line in several packets.
 
 rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
 
 In Debian, the certs are linked from the snakeoil OpenSSL certs.
 So I removed the links, got the FR sources and copied the raddb/certs contents
 into /etc/freeradius/certs.
 Then I ran make to generate new certs, but the problem's still there.

Did you install the new cert on the client?


 
 Regards
 --
 ***
 Jonathan Amiez
 System administrator
 j...@edatis.com
 ***
 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


HTML posts

2009-12-02 Thread Danner, Mearl
Since we seem to have several posters that don't seem capable of sending 
plain-text posts can we ask the list-owner to set Mailman to strip HTML? It's 
an option that can be set per list by the list admin.

We use that on several of the 200+ Mailman lists that we host. Only caveat is 
that some mailers - Hotmail for example - don't send the plaintext with the 
HTML. Creates a blank post. Maybe then they'll find out how to send a plaintext 
post.

Another way would be to set all HTML posters to receive an inline digest. After 
they see the crap that HTML mailers throw in they'd fix it fast.

If you think NAS/radius compliance is a snakepit - try email clients.

Mearl

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius start at boot

2009-10-01 Thread Danner, Mearl
Thu Oct  1 08:44:52 2009 : Error: Failed binding to authentication address * port 1812: Address already in use
Thu Oct  1 08:44:52 2009 : Error: /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

Sounds like something is already using the port. You need to find out what it 
is and stop it. Check /etc/rc.d/rc3.d and see if there are two links to radius 
servers. Could be the first one is being started and the second instance fails 
because the port was bound.


From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On 
Behalf Of Paul Blalock
Sent: Thursday, October 01, 2009 9:18 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Freeradius start at boot

So I have gone through all the responses and will post everything asked for 
here.

My user account is not in the sudoers list, not sure how to add it and not sure 
if this is a problem since I use su and then issued the sudo commands.

When I log into the box as a user, not root, radiusd auto starts, but does not 
start, until I log in as a user.

service radiusd status
radiusd (pid 1444) is running...

/var/log/radius/radius.log
Thu Oct  1 08:44:52 2009 : Info: Loaded virtual server inner-tunnel
Thu Oct  1 08:44:52 2009 : Info: Loaded virtual server default
Thu Oct  1 08:44:52 2009 : Error: Failed binding to authentication address * port 1812: Address already in use
Thu Oct  1 08:44:52 2009 : Error: /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Thu Oct  1 08:44:58 2009 : Info: Loaded virtual server inner-tunnel
Thu Oct  1 08:44:58 2009 : Info: Loaded virtual server default
Thu Oct  1 08:44:58 2009 : Error: Failed binding to authentication address * port 1812: Address already in use
Thu Oct  1 08:44:58 2009 : Error: /etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Thu Oct  1 08:45:03 2009 : Info: Exiting normally.
Thu Oct  1 08:45:07 2009 : Info: Loaded virtual server inner-tunnel
Thu Oct  1 08:45:07 2009 : Info: Loaded virtual server default
Thu Oct  1 08:45:07 2009 : Info: Ready to process requests.
Thu Oct  1 08:48:27 2009 : Info: Exiting normally.
Thu Oct  1 08:49:08 2009 : Info: Loaded virtual server inner-tunnel
Thu Oct  1 08:49:08 2009 : Info: Loaded virtual server default
Thu Oct  1 08:49:08 2009 : Info: Ready to process requests.

radiusd -X
FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 15 2009 at 11:31:29
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/expiration
including configuration 

RE: Start Freeradius at boot

2009-09-30 Thread Danner, Mearl

Have you checked the appropriate logs?

Any info in /var/log/radius/radius.log? Please post the contents.

How do you start it and as what user?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: freeradius 2.1.6 ldap + mschapv2 to authenticate

2009-06-25 Thread Danner, Mearl


 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 John Dennis
 Sent: Thursday, June 25, 2009 8:54 AM
 To: FreeRadius users mailing list
 Subject: Re: freeradius 2.1.6 ldap + mschapv2 to authenticate
 
 Alan often replies immediately with useful information, often for
 questions which are constantly repeated. I'm personally impressed with
 his tireless dedication, not only in being one of the primary help
 desk roles but also in developing the software, both of which you're
 getting for *free*. I think Alan (and some others) deserve a note of
 thanks from this community.
 
 Folks, get real, this is open source. That means it's a community of
 volunteers. In open source if you think something is deficient your job
 is to step up to the plate and contribute for the betterment of
 everyone. But if instead you feel you need to complain and not
 contribute then please walk away.
 
 John



I agree wholeheartedly.

The documentation is more than adequate. Surprising how much you'll learn by 
reading it.

If you'd prefer Alan spend time answering already answered questions rather 
than refining/developing freeradius

Mearl



RE: rlm eap problem

2009-05-29 Thread Danner, Mearl
Do these files exist?

dh_file = ${certdir}/dh
random_file = ${certdir}/random
Hints here:

http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09589.html

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Michael Ziemann
 Sent: Friday, May 29, 2009 9:19 AM
 To: FreeRadius users mailing list
 Subject: AW: rlm eap problem

 Hi there,

 Yes, of course you were right, the file was named server.pem :) - bad
 mistake, sry...

 But now I get following errors, but now I don't know what's to do...


 rlm_eap: SSL error error::lib(0):func(0):reason(0)
 rlm_eap_tls: Error loading randomness
 rlm_eap: Failed to initialize type tls
 /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for
 module eap
 /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to
 find module eap.
 /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors
 parsing authenticate section.
  }
 }
 Errors initializing modules


 Sorry guys, but I don't have any experience with certificates ...

 Thanks

 Michael


 That's my eap.conf:


 # -*- text -*-
 ##
 ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 ##
 ##$Id$

 ###
 #
 #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
 #  is smart enough to figure this out on its own.  The most
 #  common side effect of setting 'Auth-Type := EAP' is that the
 #  users then cannot use ANY other authentication method.
 #
 #  EAP types NOT listed here may be supported via the eap2 module.
 #  See experimental.conf for documentation.
 #
   eap {
   #  Invoke the default supported EAP type when
   #  EAP-Identity response is received.
   #
   #  The incoming EAP messages DO NOT specify which EAP
   #  type they will be using, so it MUST be set here.
   #
   #  For now, only one default EAP type may be used at a time.
   #
   #  If the EAP-Type attribute is set by another module,
   #  then that EAP type takes precedence over the
   #  default type configured here.
   #
   default_eap_type = md5

   #  A list is maintained to correlate EAP-Response
   #  packets with EAP-Request packets.  After a
   #  configurable length of time, entries in the list
   #  expire, and are deleted.
   #
   timer_expire = 60

   #  There are many EAP types, but the server has support
   #  for only a limited subset.  If the server receives
   #  a request for an EAP type it does not support, then
   #  it normally rejects the request.  By setting this
   #  configuration to yes, you can tell the server to
   #  instead keep processing the request.  Another module
   #  MUST then be configured to proxy the request to
   #  another RADIUS server which supports that EAP type.
   #
   #  If another module is NOT configured to handle the
   #  request, then the request will still end up being
   #  rejected.
   ignore_unknown_eap_types = no

   # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
   # a User-Name attribute in an Access-Accept, it copies one
   # more byte than it should.
   #
   # We can work around it by configurably adding an extra
   # zero byte.
   cisco_accounting_username_bug = no

   #
   #  Help prevent DoS attacks by limiting the number of
   #  sessions that the server is tracking.  Most systems
   #  can handle ~30 EAP sessions/s, so the default limit
   #  of 2048 is more than enough.
   max_sessions = 2048

   # Supported EAP-types

   #
   #  We do NOT recommend using EAP-MD5 authentication
   #  for wireless connections.  It is insecure, and does
   #  not provide for dynamic WEP keys.
   #
   md5 {
   }

   # Cisco LEAP
   #
   #  We do not recommend using LEAP in new deployments.  See:
   #  http://www.securiteam.com/tools/5TP012ACKE.html
   #
   #  Cisco LEAP uses the MS-CHAP algorithm (but not
   #  the MS-CHAP attributes) to perform it's authentication.
   #
   #  As a result, LEAP *requires* access to the plain-text
   #  User-Password, or the NT-Password attributes.
   #  'System' 

RE: looking for a good best practices for campus-wide Freeradius installation

2009-04-27 Thread Danner, Mearl
Best resource for this is EDUCAUSE's Wireless LAN list. Join at:

http://listserv.educause.edu/cgi-bin/wa.exe?SUBED1=WIRELESS-LAN&A=1

Lots of higher ed guys on the list.

Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 john
 Sent: Monday, April 27, 2009 3:11 PM
 To: FreeRadius users mailing list
 Subject: looking for a good best practices for campus-wide Freeradius
 installation
 
 Hi all,
 
 I would like to install .1x for all wired and wireless users across
 our campus by next fall. I'm looking for a really good
 howto/best practices for educational institutions. I hope folks on the
 list can point me to some good resources as I plan for deployment.
 
 Thanks!
 
 John



RE: FreeRADIUS and Active Directory

2009-02-18 Thread Danner, Mearl
Install samba and winbind. That's the proper way to pass auth to AD.
Forget likewise-open.

It works quite well the way that's documented in the wiki. You'll
probably waste a lot of time doing it any other way.

Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Tomas
 Sent: Wednesday, February 18, 2009 6:06 AM
 To: FreeRadius users mailing list
 Subject: FreeRADIUS and Active Directory
 
 Dear all,
 
 I'm trying to setup my FreeRADIUS to verify user credentials from
 windows AD (at the moment I'm using users file). I have no experience in
 joining Linux based machine to windows domain, I had a look at few
 guides and found that the easiest way is to use likewise-open. I've
 joined my radius server to the domain and noticed that likewise did not
 use samba's winbind or ntlm_auth. Which according to wiki I've been
 reading is a must to enable authentication using AD.

 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
 
 Can I install winbind and samba manually, or should I start again and
 not use likewise-open at all?
 
 Thanks for your help!
 Tomas
 



RE: FreeRADIUS without Universal Password

2009-02-05 Thread Danner, Mearl
Universal Password is encrypted. Its attribute name is
npsmDistributionPassword I believe. As a further protection it is only
readable by admin roles.

You'll have to set up freeradius to bind with such a login and get the
password and decrypt it. That function has been in freeradius for quite
a while. That process will give freeradius (internally) a cleartext
password to use for mschapv2.

We moved to all M$ products a while back, but used freeradius against
eDirectory for a couple of years before we moved to all Windows servers.
It was low maintenance and worked well for us. The only issue was the
moving auth target that M$ eap clients presented us. That's why we use
IAS presently. At least when it breaks it's their fault.

Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Jason C Brown
 Sent: Thursday, February 05, 2009 10:45 AM
 To: FreeRadius users mailing list
 Subject: Re: FreeRADIUS without Universal Password
 
 I had to ask, I have people telling me that this is a limitation of
 only FreeRADIUS and not all RADIUS servers in general.  There is a
 concern that the UP is being stored in clear text in Novell and we
 need to turn off that service and only use simple password.  Since I
 am no Novell admin I really do not have a clue if we can encrypt the
 UP that is stored on the server or what other implications there are
 in turning off UP.
 
 Jason Brown - RHCT, Security+, Linux+, Network+
 Systems Administrator
 Enterprise Technology Services
 Ferris State University
 (231) 591-2687
 
 On Feb 5, 2009, at 1:48 AM, Alan DeKok wrote:
 
  Jason C Brown wrote:
  Do you by chance know if every RADIUS server acts the same way? For
  instance would Steel Belted RADIUS require the use of UP as well?
 
   Please read this explanation again:
 
  The Novell password is not stored as an attribute unless Universal
  password is enabled. It exists in eDirectory, can be created/modified by
  ldap as userpassword but cannot be returned in an ldap search.
 
   The password can't be seen by *any* RADIUS server until it's stored as
  a Universal password.
 
   This is a limitation of Novell's LDAP server, and applies to all LDAP
  clients, whether they are RADIUS servers, command-line clients, web
  servers, or anything else.
 
   Alan DeKok.
 



RE: FreeRADIUS without Universal Password

2009-02-04 Thread Danner, Mearl
In a word no.

The Novell password is not stored as an attribute unless Universal
password is enabled. It exists in eDirectory, can be created/modified by
ldap as userpassword but cannot be returned in an ldap search.

Otherwise you'd have to create an attribute and store the password in it
as an nt hash or something and decrypt it to provide it to freeradius.

Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Jason C Brown
 Sent: Wednesday, February 04, 2009 4:42 PM
 To: FreeRadius users mailing list
 Subject: FreeRADIUS without Universal Password
 
 Is there a way to integrate FreeRADIUS without having to use the
 universal password in Novell?
 
 Jason Brown - RHCT, Security+, Linux+, Network+
 Systems Administrator
 Enterprise Technology Services
 Ferris State University
 (231) 591-2687
 



RE: FreeRADIUS without Universal Password

2009-02-04 Thread Danner, Mearl
I have no idea. You'll need to ask them.

Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Jason C Brown
 Sent: Wednesday, February 04, 2009 5:45 PM
 To: FreeRadius users mailing list
 Subject: Re: FreeRADIUS without Universal Password
 
 Do you by chance know if every RADIUS server acts the same way?  For
 instance would Steel Belted RADIUS require the use of UP as well?
 Thanks
 
 Jason Brown - RHCT, Security+, Linux+, Network+
 Systems Administrator
 Enterprise Technology Services
 Ferris State University
 (231) 591-2687
 
 On Feb 4, 2009, at 6:15 PM, Danner, Mearl wrote:
 
  In a word no.
 
   The Novell password is not stored as an attribute unless Universal
   password is enabled. It exists in eDirectory, can be created/modified by
   ldap as userpassword but cannot be returned in an ldap search.
  
   Otherwise you'd have to create an attribute and store the password in it
   as an nt hash or something and decrypt it to provide it to freeradius.
 
  Mearl
 
   -Original Message-
   From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
   [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
   Jason C Brown
  Sent: Wednesday, February 04, 2009 4:42 PM
  To: FreeRadius users mailing list
  Subject: FreeRADIUS without Universal Password
 
  Is there a way to integrate FreeRADIUS without having to use the
  universal password in Novell?
 
  Jason Brown - RHCT, Security+, Linux+, Network+
  Systems Administrator
  Enterprise Technology Services
  Ferris State University
  (231) 591-2687
 
 
 



RE: 802.1x problems

2009-01-15 Thread Danner, Mearl
The passwords need to be extracted from eDirectory and passed to
freeradius.


This guide is old - I haven't seen what needs to be done with the
freeradius config, but it will tell you what you need to do on the
Novell end.

http://freeradius.org/doc/radiusadmin.pdf

Mearl

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org
[mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Keith Ledford
Sent: Thursday, January 15, 2009 2:41 PM
To: FreeRadius users mailing list
Subject: Re: 802.1x problems

On Thursday, January 15, 2009 at 20:36:00, t...@kalik.net wrote:
 Where is his password supposed to be? Ldap auth can't work with mschap,
 so you need to send the password to freeradius. You need to enable ldap
 instances in inner-tunnel virtual server (that will be doing mschap
 auth).

The passwords are in the ldap server (Novell). I don't understand what
you mean by "so you need to send the password to freeradius".

Can you either explain or point me to the proper doc? If ldap auth
can't work with mschap what does everyone do to work with standard
windows clients?

I did enable ldap in the inner-tunnel config file. I did miss that
before. Thanks!



-- 
Keith Ledford kledford AT uga DOT edu
Network Administrator
EITS Network Engineering
706.542.0723 phone



RE: Conf PEAP

2008-12-18 Thread Danner, Mearl

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Martin Silvero
 Sent: Thursday, December 18, 2008 8:31 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Conf PEAP
 
 - and how, exactly, does the EAP tunnel get set up if you dont
 have a common certificate to enable such a construct?  you've got
 to have a CA - and, if done properly, you've got to have the validate
 check as well!
 
 
 Suppose a person who comes from outside the company, and wants to
 connect to my network, does not have the certificates.
 Through PEAP can I give them access with a username and password
 without installing certificates?
 
 What do you suggest?

We opted to purchase a Verisign cert for our FreeRadius server. Verisign
is recognized as a trusted root by most OS's. There are less expensive
certs available, but you'll definitely need a commercial cert to address
your concerns.

Mearl

 



RE: authenticating to an Windows AD

2008-11-18 Thread Danner, Mearl
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
worked for me.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Mike Diggins
Sent: Tuesday, November 18, 2008 3:43 PM
To: FreeRadius users mailing list
Subject: Re: authenticating to an Windows AD


I should have mentioned it's FreeRadius 2.1.1.

-Mike


On Tue, 18 Nov 2008, Mike Diggins wrote:


 Folks, I have freeradius running on a fedora linux box. I want to use it for
 authentication from an Apache web server using the radius interface. That
 part is working, and I'm able to authenticate web users only if they have a
 local account on the freeradius server.

 I want freeradius to authenticate against a Windows Active Directory. I
 installed Samba and am running Winbind, and wbinfo/ntlm_auth both are able to
 authenticate from the command line assuming I give it a valid username and
 password. What module in freeradius do I use to authenticate through Winbind?
 Could someone point me in the right direction please.

 -Mike




RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Danner, Mearl
You're not running NAT/PAT through iptables are you?

It'll translate 1812/1813 inside to some high port/some high port outside.

Not sure how the server will pick that up. Maybe the port after translation.

If so you'll need to not port translate the radius ports. I can do it in a Pix, 
but haven't used iptables for translation in a long while.

Mearl

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Casartello, 
Thomas
Sent: Thursday, May 15, 2008 12:31 PM
To: FreeRadius users mailing list
Subject: RE: FreeRADIUS 2 not listening on right port

Compiling from source did NOT solve the problem.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Casartello, 
Thomas
Sent: Thursday, May 15, 2008 1:16 PM
To: freeradius-users@lists.freeradius.org
Subject: FreeRADIUS 2 not listening on right port

I just upgraded my FreeRADIUS server from the version 1 to version 2 family. I 
have the listen {} statements configured as follows:
radiusd:  Opening IP addresses and Ports 
listen {
    type = auth
    ipaddr = *
    port = 1812
}
listen {
    type = acct
    ipaddr = *
    port = 1813
}
main {
    snmp = no
    smux_password = 
    snmp_write_access = no
}
Listening on authentication address * port 41045
Listening on accounting address * port 54893
Listening on proxy address * port 38374
Ready to process requests.

However as you can see it always listens on random ports. What am I doing 
wrong? I am using version 2.0.2 which was distributed with Fedora 9.

Thomas E. Casartello, Jr.
Infrastructure Technician
Linux Specialist
Department of Information Technology
Westfield State College
Wilson 105-A
(413) 572-8245
E-Mail: [EMAIL PROTECTED]

Red Hat Certified Technician (RHCT)




RE: FreeRADIUS 2 not listening on right port

2008-05-15 Thread Danner, Mearl
Have you tried binding to a specific IP address rather than *?

 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Casartello, Thomas
 Sent: Thursday, May 15, 2008 12:44 PM
 To: FreeRadius users mailing list
 Subject: RE: FreeRADIUS 2 not listening on right port
 
 No I am not doing any kind of NAT. I actually have IPTables disabled
 right now.
 
 Thomas E. Casartello, Jr.
 Infrastructure Technician
 Linux Specialist
 Department of Information Technology
 Westfield State College
 Wilson 105-A
 (413) 572-8245
 E-Mail: [EMAIL PROTECTED]
 
 Red Hat Certified Technician (RHCT)
 
 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Danner, Mearl
 Sent: Thursday, May 15, 2008 1:42 PM
 To: FreeRadius users mailing list
 Subject: RE: FreeRADIUS 2 not listening on right port
 
 You're not running NAT/PAT through iptables are you?
 
 It'll translate 1812/1813 inside to some high port/some high port
 outside.
 
 Not sure how the server will pick that up. Maybe the port after
 translation.
 
 If so you'll need to not port translate the radius ports. I can do it
 in a Pix, but haven't used iptables for translation in a long while.
 
 Mearl
 
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Casartello, Thomas
 Sent: Thursday, May 15, 2008 12:31 PM
 To: FreeRadius users mailing list
 Subject: RE: FreeRADIUS 2 not listening on right port
 
 Compiling from source did NOT solve the problem.
 
 Thomas E. Casartello, Jr.
 Infrastructure Technician
 Linux Specialist
 Department of Information Technology
 Westfield State College
 Wilson 105-A
 (413) 572-8245
 E-Mail: [EMAIL PROTECTED]
 
 Red Hat Certified Technician (RHCT)
 
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Casartello, Thomas
 Sent: Thursday, May 15, 2008 1:16 PM
 To: freeradius-users@lists.freeradius.org
 Subject: FreeRADIUS 2 not listening on right port
 
 I just upgraded my FreeRADIUS server from the version 1 to version 2
 family. I have the listen {} statements configured as follows:
 radiusd:  Opening IP addresses and Ports 
 listen {
     type = auth
     ipaddr = *
     port = 1812
 }
 listen {
     type = acct
     ipaddr = *
     port = 1813
 }
 main {
     snmp = no
     smux_password = 
     snmp_write_access = no
 }
 Listening on authentication address * port 41045
 Listening on accounting address * port 54893
 Listening on proxy address * port 38374
 Ready to process requests.
 
 However as you can see it always listens on random ports. What am I
 doing wrong? I am using version 2.0.2 which was distributed with Fedora
 9.
 
 Thomas E. Casartello, Jr.
 Infrastructure Technician
 Linux Specialist
 Department of Information Technology
 Westfield State College
 Wilson 105-A
 (413) 572-8245
 E-Mail: [EMAIL PROTECTED]
 
 Red Hat Certified Technician (RHCT)
 
 
 



RE: 802.1x, EAP and LDAP

2008-03-04 Thread Danner, Mearl
The binddn configured in freeradius needs to have admin privileges to
extract a password. It then binds with the userdn and extracted
password. That gets a positive authentication. You also need radius
specific ldap attributes to pass the authorization phase.

We used the freeradius/eDirectory integration for over a year
successfully.

Download instructions from the document:

How to integrate freeradius and eDirectory

http://www.novell.com/coolsolutions/appnote/16745.html

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Phil Mayers
Sent: Tuesday, March 04, 2008 5:19 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: 802.1x, EAP and LDAP

Mike Richardson wrote:
 On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote:
 rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
 rlm_pap: WARNING! No known good password found for the user.  
 Authentication may fail because of this.
  modcall[authorize]: module pap returns noop for request 0
 The ldap module didn't find a password for the user, thus the PAP module
 couldn't authenticate the user.

 I don't know enough about eDirectory to help much more; I can say that a
 normal LDAP server might contain entries of the form:

 dn: cn=user,ou=
 cn: user
 objectClass: top
 objectClass: person
 userPassword: {CRYPT}

 ...or similar, and the ldap module is smart enough to figure it out.

 As Ivan has pointed out, I suspect this line higher up is the issue:

 rlm_ldap: No default NMAS login sequence
 A quick read through the source code indicates the mysterious NMAS is
 novell universal auth / password / blah.
 
 How does the PAP module attempt to do the authentication? Does it do an
 authenticated bind as the user or does it get the password variable and
 compare it to something stored?

The latter.

Basically rlm_pap takes the User-Password in the request, and compares 
it against the correct password for the user.

The ldap module is expected to have extracted the password from LDAP 
(see below).

There is another mode where PAP requests can be authenticated by 
rlm_ldap, using simple bind against the LDAP server - that's the
authenticate {
  Auth-Type LDAP {
   ldap
  }
}

...stuff, but you should avoid doing that if at all possible. In 
particular it won't support PEAP/MS-CHAP, the only really useful EAP 
type supported by the windows XP/vista 802.1x supplicants.


 
 I've tried it against openldap with the same result but I've not spent much
 time on the openldap config. I have to get this working with eDirectory
 unfortunately...

I don't know specifically what the NMAS nonsense is, but a glance at the
rlm_ldap source code indicates it's a Novell-proprietary LDAP extension 
which the LDAP client (in this case, FreeRadius) has to call to get at 
the plaintext password for the user.

In all probability your Novell administrators need to grant some extra 
permissions to the binddn so that it can do this - it's (obviously) a 
privileged operation.

Moving to OpenLDAP won't help - it doesn't support NMAS at all (I 
assume) so you'll just be trying to run operations against the LDAP 
server it doesn't support, and if you need to eventually get it working 
against Novell it's not time well spent anyway.

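Phil's description of rlm_pap above (it compares the User-Password in the request against the known-good password the ldap module extracted, and a simple-bind "Auth-Type LDAP" cannot serve PEAP/MS-CHAP), together with the same point in the earlier "802.1x problems" thread, as an added illustration in Python. This is example code, not rlm_pap's or FreeRADIUS's own; the function names and the sample userPassword values are constructed for the example.

```python
import base64
import hashlib
import hmac

# LDAP userPassword schemes handled in this constructed example. rlm_pap
# itself understands more ({CRYPT}, {NT}, {SHA2}, ...); the logic is the same.
_DIGESTS = {"sha": hashlib.sha1, "ssha": hashlib.sha1,
            "md5": hashlib.md5, "smd5": hashlib.md5}


def parse_known_good(stored: str):
    """Split a userPassword value such as '{SSHA}base64...' into
    (scheme, payload). A value with no {scheme} prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        close = stored.index("}")
        return stored[1:close].lower(), stored[close + 1:]
    return "clear", stored


def make_known_good(password: str, scheme: str, salt: bytes = b"") -> str:
    """Encode a password the way an LDAP server stores it (e.g. {SSHA}).
    Salted schemes append the salt to the digest before base64 encoding."""
    scheme = scheme.lower()
    if scheme == "clear":
        return password
    salted = scheme in ("ssha", "smd5")
    if salt and not salted:
        raise ValueError("{%s} is an unsalted scheme" % scheme.upper())
    digest = _DIGESTS[scheme](password.encode() + salt).digest()
    if salted:
        digest += salt
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest).decode())


def pap_check(user_password: str, stored: str) -> bool:
    """What rlm_pap does: compare the User-Password from the Access-Request
    against the known-good password the ldap module returned. The server
    only needs read access to userPassword; it never binds as the user."""
    scheme, payload = parse_known_good(stored)
    candidate = user_password.encode()
    if scheme in ("clear", "cleartext"):
        return hmac.compare_digest(candidate, payload.encode())
    if scheme in _DIGESTS:
        raw = base64.b64decode(payload)
        digest_len = _DIGESTS[scheme]().digest_size
        digest, salt = raw[:digest_len], raw[digest_len:]
        computed = _DIGESTS[scheme](candidate + salt).digest()
        return hmac.compare_digest(computed, digest)
    raise ValueError("unsupported password scheme: {%s}" % scheme)


def mschapv2_capable(stored: str) -> bool:
    """MS-CHAPv2 (inside PEAP) proves knowledge of the NT hash of the
    password, so the server needs the cleartext password or the NT hash.
    A one-way {SSHA}/{MD5} digest, or an LDAP bind that only answers
    yes/no, cannot provide that; this is why a simple-bind 'Auth-Type LDAP'
    works for PAP but not for PEAP/MS-CHAP clients."""
    scheme, _ = parse_known_good(stored)
    return scheme in ("clear", "cleartext", "nt", "nthash")


if __name__ == "__main__":
    # Constructed sample entries, as the ldap module might return them.
    entries = {
        "alice": make_known_good("correct horse", "ssha", salt=b"\x01\x02\x03\x04"),
        "bob": make_known_good("hunter2", "md5"),
        "carol": "s3cret-in-clear",  # bare cleartext userPassword
    }
    for user, stored in entries.items():
        print(user, stored, "pap-ok:", pap_check("hunter2", stored),
              "mschapv2-possible:", mschapv2_capable(stored))
```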


RE: Freeradius and eDirectory

2008-01-04 Thread Danner, Mearl
Somewhere, can't remember where, the password gets changed like that to
force an authentication failure in eDirectory. If there are enough tries
it will trigger eDirectory's intruder detection lockout - if it's
enabled.

Are you sure the user is authorized? Since you didn't send a debug log
I'm assuming that you did not have one. The only way you can see if the
user is authorized by freeradius is through the debug log. Any other
reference to authorized - as in the wireless connect dialogue from
Windows - is not what freeradius is talking about.

We saw this behavior when the userid in eDirectory did not have the
proper radius attributes set. It has to have them and eDirectory has to
return them in order for the user to be authorized. Then freeradius
binds to eDirectory with the userid and password for authentication.

Mearl


 -Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Alan DeKok
Sent: Friday, January 04, 2008 11:35 AM
To: FreeRadius users mailing list
Subject: Re: Freeradius and eDirectory

Generic Generic wrote:
 I'm setting up Freeradius 1.1.4 on a SUSE 10 server for our wireless
 users with XP SP2 using PEAP. Because we use eDirectory I strip the
 computer name from the username, not every user uses the Novell client.
 The user gets authorized but I can't get the authentication to work. For
 some reason the first character of the user's password is changed to an
 'a'; if the first character is an 'a' then it is changed to something
 else. ???

  The default configuration of FreeRADIUS doesn't re-write passwords
this way.  In fact, it doesn't re-write passwords at all.

  Either you changed something on your local system to re-write the
passwords like this, OR this is actually how the passwords are being
received by FreeRADIUS.

  If this is how the passwords are being received by FreeRADIUS, then it
is NOT a FreeRADIUS problem.  Go fix the client, or use a client that
works.

  Alan DeKok.



RE: Recommended AP for test purposes.

2007-07-10 Thread Danner, Mearl
I use a Linksys WRT54G.

Works great.

Mearl

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Garvin Haslett
Sent: Tuesday, July 10, 2007 10:39 AM
To: freeradius-users@lists.freeradius.org
Subject: Recommended AP for test purposes.

Further to a previous I believe I'm using an AP that does not act as a
NAS.  In particular there are no aspects of the security page that ask
for Radius configuration.

I'm using a Belkin Wireless G Universal Range Extender/Access Point
(FCC: K7SF5D7132A).  Can anyone confirm my suspicions?

If so, can anyone recommend a reliable AP suitable for doing some
testing on.

Thanks in anticipation of replies,

Garvin.




RE: FreeRadius+AD integration

2007-05-02 Thread Danner, Mearl
Why not try this? Worked for us.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO


Note that the first thing configured is the Samba server. It doesn't
even mention installing the Freeradius server until after the Samba
configuration is completed.


Hi,
 It must be you, so you are the right person to tell me what is
 causing ntlm_auth to send OK.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Radius says client is unknown.

2007-02-27 Thread Danner, Mearl
Also check if the distro had freeradius already installed. The start script in 
/etc/init.d, unless replaced, will call the preinstalled version - not the one 
you installed.

rpm -q freeradius (for rpm-based distros).

Run "which radiusd" to see if the one in the path is the one you want to call. 
The path to radiusd.conf is part of the compile, and a preinstalled version will 
usually look in /etc/raddb unless otherwise instructed.

Mearl



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M. Onur ERGiN
Sent: Tuesday, February 27, 2007 4:08 PM
To: FreeRadius users mailing list
Subject: RE: Radius says client is unknown.

:) thank you. How confusing it is: I have both radiusd.conf under /etc/raddb 
and under /usr/local/etc/raddb. The correct one is the one under /usr/. I 
don't know why, but when I type something wrong into the one under /etc/raddb, 
radiusd still returns an error. Maybe I must remove everything and reinstall 
freeradius from the beginning. 

Then let me ask one more question;

Now I can send my user/password over my AP, but I receive access-reject and it 
says:
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

Can it be my certificate again? I edited eap.conf so that it includes 
default_eap_type = peap
peap {
    default_eap_type = mschapv2
}
and I uncommented the default certificate lines under tls{..}

Best regards,
Onur.

King, Michael [EMAIL PROTECTED] wrote:
Simple question:

Is the config file you're editing the one that Freeradius is using?
(I've done this before)

Use "locate radiusd.conf" and see all the instances.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
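As an added example, not part of this thread, the checks Mearl and Michael King describe (which radiusd is on the PATH, which radiusd.conf files exist, and what the running daemon was actually started with) as a small POSIX shell script. The config directories beyond /etc/raddb and /usr/local/etc/raddb named in the thread are assumptions, as is the use of the daemon's "-d raddb_dir" option to override the compiled-in directory.

```shell
#!/bin/sh
# Added example (not from the mailing list): find every FreeRADIUS binary and
# config file on the host so the file being edited can be matched against the
# daemon that is really running.

# find_radius_binaries PATHLIST
#   Prints every radiusd/freeradius executable found in the colon-separated
#   PATHLIST, in search order. The first line is the one "which radiusd" picks.
find_radius_binaries() {
    pathlist=$1
    old_ifs=$IFS; IFS=:
    for dir in $pathlist; do
        for name in radiusd freeradius; do
            [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
        done
    done
    IFS=$old_ifs
    return 0
}

# find_radius_configs DIR...
#   Prints each radiusd.conf that exists under the given directories.
find_radius_configs() {
    for dir in "$@"; do
        [ -f "$dir/radiusd.conf" ] && printf '%s\n' "$dir/radiusd.conf"
    done
    return 0
}

# running_radius_cmdline
#   Shows the command line of any running radiusd/freeradius process. A "-d"
#   argument there (assumed option) names the config directory actually in use;
#   without it, the daemon uses the directory compiled in at build time.
running_radius_cmdline() {
    ps -eo pid,args 2>/dev/null | grep -E '[r]adiusd|[f]reeradius' || true
}

# Assumed candidate config directories: the two from the thread plus the
# Debian-style /etc/freeradius layouts.
candidate_dirs="/etc/raddb /usr/local/etc/raddb /etc/freeradius /usr/local/etc/freeradius"

echo "== binaries on PATH =="; find_radius_binaries "$PATH"
echo "== radiusd.conf candidates =="; find_radius_configs $candidate_dirs
echo "== running daemon(s) =="; running_radius_cmdline
```

If the running daemon's command line has no "-d" and its binary is not the first one listed under "binaries on PATH", the init script is starting a different installation than the one being configured.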