Re: Guide: Upgrading to version 2

2009-07-23 Thread Rakotomandimby Mihamina

07/23/2009 10:43 AM, Rakotomandimby Mihamina:

Waiting for some answer...


I got: Ready to buy it.
(dunno what reasonable is)

--
IT Architect:
   System Administration, Research & Development
  + 261 32 11 401 65
Think of the environment before printing this message
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Guide: Upgrading to version 2

2009-07-23 Thread Rakotomandimby Mihamina

07/23/2009 10:13 AM, Alan DeKok:

   I need to decide what else to do with the document.  Knowing how many
people are interested in it is a first step.


I am interested.
I just asked my boss if he would be tempted to buy it:
Waiting for some answer...



Guide: Upgrading to version 2

2009-07-23 Thread Alan DeKok
  I've written a 40 page guide on how to upgrade from version 0.X to the
latest version of the server.  It is currently available to customers of
Network RADIUS who have purchased support agreements.

  The document covers all of the configuration items in radiusd.conf,
and also the common modules.  It documents when the configuration first
appeared, and how its behavior changed over time.  For configurations
that have been deprecated or removed, it documents suggested
replacements.  It talks about how to manage the upgrade process, along
with potential downgrades if something goes wrong.

  If anyone else is interested in the document, please email me privately:

al...@networkradius.com

  I need to decide what else to do with the document.  Knowing how many
people are interested in it is a first step.

  Alan DeKok.


Re: Conversion to Version 2

2009-03-09 Thread Alan DeKok
Doug Hardie wrote:
> I finally got a chance to try to update the Wiki again.  It worked fine
> today.  Anyway, there are now instructions for creating modules for both
> Version 1 and Version 2. 

  Thanks.

  Alan DeKok.


Re: Conversion to Version 2

2009-03-09 Thread Doug Hardie
I finally got a chance to try to update the Wiki again.  It worked  
fine today.  Anyway, there are now instructions for creating modules  
for both Version 1 and Version 2. 
 


Re: Conversion to Version 2

2009-03-02 Thread Alan DeKok
Doug Hardie wrote:
> I am unable to update the Wiki.  It says I am blocked by aland.

  Hmm... email me your account name offline, and I'll see what I can do.

  Alan DeKok.


Re: Conversion to Version 2

2009-03-02 Thread Doug Hardie

I am unable to update the Wiki.  It says I am blocked by aland.


Re: Conversion to Version 2

2009-02-28 Thread Alan DeKok
>>> Thanks.  Those are pretty obtuse comments.  I finally figured out by
>>> trial and error you have to create those two sections as they are not in
>>> the file.
>>
>>  No.
> 
> From raddb/sites-available/README:

  Which I wrote.  I *do* understand how the server works.

  The *default* install does not require you to add "authorize" or
"authenticate" sections to radiusd.conf.  The *default* install includes
a "default" virtual server, with those sections already defined.  The
*intent* as per the "man" page and other documentation, is for that
default server to be used as the basis for your own policies.

  The only time you *have* to add "authorize" and "authenticate"
sections to radiusd.conf is when you've edited the default install to
remove all references to virtual servers.

>>  They were removed from radiusd.conf because (a) they were getting too
>> big, and (b) it enabled example files per virtual server.
> 
> Actually a good idea.  It's just not obvious.  The previously mentioned
> README is very helpful.  I think it's in the wrong place.  It should be
> in raddb where it's easier to find.  Perhaps there should also be an
> UPDATING file that points to it.  The new structure needs a road map
> because things are quite difficult to find until you really understand
> the structure.

  Feel free to send a first draft of suggested documentation.

> One significant change that took me quite awhile to figure out was that
> the request arguments are addressed differently.  You have to be careful
> in using the proper pointer for the data type.  However, anything with
> an IPv4 address, e.g. Framed-IP-Address, is handled quite differently. 
> Version 1 would give you a string ("10.0.1.1") whereas Version 2 gives
> you the binary version as 4 bytes.  I haven't checked all the other data
> types for changes like that.  The other ones I use maintained the same
> format.

  Yes.  The internal data structures change.  See libradius.h for
complete definitions.

  Alan DeKok.


Re: Conversion to Version 2

2009-02-28 Thread Doug Hardie


On Feb 27, 2009, at 21:34, Alan DeKok wrote:

> Doug Hardie wrote:
>> Thanks.  Those are pretty obtuse comments.  I finally figured out by
>> trial and error you have to create those two sections as they are not in
>> the file.
>
>  No.

From raddb/sites-available/README:

  The virtual servers do NOT have to be set up with the
"sites-available" and "sites-enabled" directories.  You can still have
one "radiusd.conf" file, and put the server configuration there:

>  The contents that *used* to be in radiusd.conf are now in
> raddb/sites-available/default.
>
>  They were removed from radiusd.conf because (a) they were getting too
> big, and (b) it enabled example files per virtual server.

Actually a good idea.  It's just not obvious.  The previously mentioned
README is very helpful.  I think it's in the wrong place.  It should be
in raddb where it's easier to find.  Perhaps there should also be an
UPDATING file that points to it.  The new structure needs a road map
because things are quite difficult to find until you really understand
the structure.

I now have one module completely working and the other one most
probably working.  I don't have the complete environment on the test
machine yet so it won't do everything yet.  I hope to start updating
the WIKI on Monday.  My initial approach is to retain the existing
module page but identify it as Version 1 and create a new one that is
for Version 2.  One significant change that took me quite awhile to
figure out was that the request arguments are addressed differently.
You have to be careful in using the proper pointer for the data type.
However, anything with an IPv4 address, e.g. Framed-IP-Address, is
handled quite differently.  Version 1 would give you a string
("10.0.1.1") whereas Version 2 gives you the binary version as 4
bytes.  I haven't checked all the other data types for changes like
that.  The other ones I use maintained the same format.




Re: Conversion to Version 2

2009-02-27 Thread Alan DeKok
Doug Hardie wrote:
> Thanks.  Those are pretty obtuse comments.  I finally figured out by
> trial and error you have to create those two sections as they are not in
> the file. 

  No.

  The contents that *used* to be in radiusd.conf are now in
raddb/sites-available/default.

  They were removed from radiusd.conf because (a) they were getting too
big, and (b) it enabled example files per virtual server.

  Alan DeKok.


Re: Conversion to Version 2

2009-02-27 Thread Doug Hardie


On Feb 27, 2009, at 16:05,  wrote:

>> I finally figured out how to compile the module.  It's actually quite
>> simple once you figure out the new structure.  The problem I still
>> have is how to incorporate that into the new conf file.  There used to
>> be authorize and accounting sections that listed the modules.  I can't
>> find where that has been placed in the new structure.
>
> Read the comments near the end of the radiusd.conf file (where those
> sections used to be).

Thanks.  Those are pretty obtuse comments.  I finally figured out by
trial and error you have to create those two sections as they are not
in the file.
 


Re: Conversion to Version 2

2009-02-27 Thread tnt
>I finally figured out how to compile the module.  It's actually quite
>simple once you figure out the new structure.  The problem I still
>have is how to incorporate that into the new conf file.  There used to
>be authorize and accounting sections that listed the modules.  I can't
>find where that has been placed in the new structure.
>-

Read the comments near the end of the radiusd.conf file (where those
sections used to be).

Ivan Kalik
Kalik Informatika ISP



Re: Conversion to Version 2

2009-02-27 Thread Doug Hardie
I finally figured out how to compile the module.  It's actually quite  
simple once you figure out the new structure.  The problem I still  
have is how to incorporate that into the new conf file.  There used to  
be authorize and accounting sections that listed the modules.  I can't  
find where that has been placed in the new structure.



Re: Conversion to Version 2

2009-02-26 Thread Alan DeKok
Doug Hardie wrote:
> Are there any worked examples?  I have not figured out how to get it
> done yet.

  There are no worked examples.

  However, you should just have to set CFLAGS=-I/path/to/include, where
that directory contains /freeradius/libradius.h, etc.

  Alan DeKok.


Re: Conversion to Version 2

2009-02-26 Thread Doug Hardie


On Feb 26, 2009, at 21:52, Alan DeKok wrote:

> Doug Hardie wrote:
>> Is there still a way to compile the module away from the freeradius
>> source structure like there was for version 1?
>
>  That was difficult to do in version 1.  It should be a lot easier now,
> as all of the include files have been cleaned up and regularized.

Are there any worked examples?  I have not figured out how to get it
done yet.



Re: Conversion to Version 2

2009-02-26 Thread Alan DeKok
Doug Hardie wrote:
> Is there still a way to compile the module away from the freeradius
> source structure like there was for version 1?

  That was difficult to do in version 1.  It should be a lot easier now,
as all of the include files have been cleaned up and regularized.

  Alan DeKok.


Re: Conversion to Version 2

2009-02-26 Thread Doug Hardie


On Oct 6, 2008, at 02:22, Alan DeKok wrote:

> Doug Hardie wrote:
>> That's not that big a deal as for the basic stuff, the code is quite
>> straight forward.  However, the bigger issue is for modules.  The wiki
>> page is still completely oriented towards version 1 as I have never
>> tried version 2.  What has to be changed with modules to use them with
>> version 2?
>
>  A fair bit.  But much of it should be simple renaming of functions.  A
> lot of "librad_*" names have moved to "fr_*", etc.  The main module
> structure has changed a little.
>
>  But the basic functioning of the module is pretty much the same.
> There are still authorize, etc. functions which take the same arguments.
>
>> I suspect that the wiki page will quickly lose its value
>> otherwise.
>
>  Feel free to update the Wiki.

Is there still a way to compile the module away from the freeradius
source structure like there was for version 1?



Re: Conversion to Version 2

2008-10-06 Thread tnt
>However, the bigger issue is for modules.  The wiki
>page is still completely oriented towards version 1 as I have never
>tried version 2.  What has to be changed with modules to use them with
>version 2?  I suspect that the wiki page will quickly lose its value
>otherwise.
>

Nothing needs to be changed in modules to make them work. Modules have
just been copied from radiusd.conf and pasted into a different file. If
you haven't made any changes to the module in 1.x you won't need to
change anything in 2.x either. If you have (for instance configured
ntlm_auth in mschap module) - you need to do the same in the new version.
It's just not where it used to be (in radiusd.conf) but in a separate
file in raddb/modules directory.

Ivan Kalik
Kalik Informatika ISP



Re: Conversion to Version 2

2008-10-06 Thread Alan DeKok
Doug Hardie wrote:
> That's not that big a deal as for the basic stuff, the code is quite
> straight forward.  However, the bigger issue is for modules.  The wiki
> page is still completely oriented towards version 1 as I have never
> tried version 2.  What has to be changed with modules to use them with
> version 2? 

  A fair bit.  But much of it should be simple renaming of functions.  A
lot of "librad_*" names have moved to "fr_*", etc.  The main module
structure has changed a little.

  But the basic functioning of the module is pretty much the same.
There are still authorize, etc. functions which take the same arguments.

> I suspect that the wiki page will quickly lose its value
> otherwise.

  Feel free to update the Wiki.

  Alan DeKok.


Re: Conversion to Version 2

2008-10-06 Thread Doug Hardie


On Oct 6, 2008, at 01:07, [EMAIL PROTECTED] wrote:

> Hi,
>
>> No question about that.  I read about all the new authentication
>> features and it's amazing how anyone can keep up with all that stuff.
>> However, if converting my modules is going to be a big deal, I don't see
>> any real advantage.
>
> if 'it works for me, I can't see why I should upgrade' is your viewpoint,
> then fair enough. keep with 1.x  - but don't expect support for
> it on this list for much longer ; *that* is the gotcha.

That's not that big a deal as for the basic stuff, the code is quite
straight forward.  However, the bigger issue is for modules.  The wiki
page is still completely oriented towards version 1 as I have never
tried version 2.  What has to be changed with modules to use them with
version 2?  I suspect that the wiki page will quickly lose its value
otherwise.



Re: Conversion to Version 2

2008-10-06 Thread A . L . M . Buxey
Hi,

> No question about that.  I read about all the new authentication  
> features and its amazing how anyone can keep up with all that stuff.   
> However, if converting my modules is going to be a big deal, I don't see 
> any real advantage.

if 'it works for me, I can't see why I should upgrade' is your viewpoint,
then fair enough. keep with 1.x  - but don't expect support for
it on this list for much longer ; *that* is the gotcha.

alan



Re: Conversion to Version 2

2008-10-05 Thread Doug Hardie


On Oct 5, 2008, at 13:27, [EMAIL PROTECTED] wrote:

> Hi,
>
>> I have been using FreeRadius 1.x for a number of years.  It has worked
>> just fine.  All I am using it for is to authenticate and authorize
>> dial-in users (it's about as simple as you can get).  The only unusual
>> item is I have a couple of fairly complex modules for authorization and
>> accounting.  The question is should I bother to upgrade to 2.x.  I don't
>> have a need for any of the new features it provides.  I don't even use
>> most of the features in 1.x.  My largest concern is the modules.  I don't
>> recall seeing anything here about what changes would be required for them
>> other than I believe they have to be compiled with the server.  Currently
>> the modules are compiled separately and placed in /usr/local/lib and
>> everything just works.
>
> in your case, reasons would be, stability,

I have never had a stability issue with FreeRadius - it just works
without any attention from me.

> speed,

Perhaps, but with about 10-20 authentication requests per hour that's
not much of an issue.

> bug fixes,

Don't seem to have seen any bugs with the portions I use.

> new server statistics access (SNMP and radmin tool),

I have all the stats I need (not much but with just dial-in there is
no need for much).

> easy debugging
> of single users or NAS etc.

Possibly, but never had a need for that - it just works.

> the new version provides all of this
> for you - and more for others due to its extensibility.

No question about that.  I read about all the new authentication
features and it's amazing how anyone can keep up with all that stuff.
However, if converting my modules is going to be a big deal, I don't
see any real advantage.

> alan


Re: Conversion to Version 2

2008-10-05 Thread A . L . M . Buxey
Hi,

> I have been using FreeRadius 1.x for a number of years.  It has worked  
> just fine.  All I am using it for is to authenticate and authorize  
> dial-in users (it's about as simple as you can get).  The only unusual  
> item is I have a couple of fairly complex modules for authorization and 
> accounting.  The question is should I bother to upgrade to 2.x.  I don't 
> have a need for any of the new features it provides.  I don't even use 
> most of the features in 1.x.  My largest concern is the modules.  I don't 
> recall seeing anything here about what changes would be required for them 
> other than I believe they have to be compiled with the server.  Currently 
> the modules are compiled separately and placed in /usr/local/lib and 
> everything just works.

in your case, reasons would be, stability, speed, bug fixes,
new server statistics access (SNMP and radmin tool), easy debugging
of single users or NAS etc. the new version provides all of this
for you - and more for others due to its extensibility.

alan


Conversion to Version 2

2008-10-05 Thread Doug Hardie
I have been using FreeRadius 1.x for a number of years.  It has worked  
just fine.  All I am using it for is to authenticate and authorize  
dial-in users (it's about as simple as you can get).  The only unusual  
item is I have a couple of fairly complex modules for authorization  
and accounting.  The question is should I bother to upgrade to 2.x.  I  
don't have a need for any of the new features it provides.  I don't  
even use most of the features in 1.x.  My largest concern is the  
modules.  I don't recall seeing anything here about what changes would  
be required for them other than I believe they have to be compiled  
with the server.  Currently the modules are compiled separately and  
placed in /usr/local/lib and everything just works.



Re: Version 2 running on Red Hat 5

2008-05-14 Thread A . L . M . Buxey
Hi,
> All,
>
> Is someone being able to run version 2 on Red Hat 5.x?

yes - what is your problem with it?

alan


Re: Version 2 running on Red Hat 5

2008-05-14 Thread Phil Mayers

Dubreuil, Gilles wrote:
> All,
>
> Is someone being able to run version 2 on Red Hat 5.x?

Yes


Version 2 running on Red Hat 5

2008-05-14 Thread Dubreuil, Gilles
All,

 

Is someone being able to run version 2 on Red Hat 5.x?

 

 



Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch

>> You have to install the ca certificate and the client certificate on the 
>> client-computer, why should client cert by signed from the server cert?
> 
> Because the idea is to authenticate those users to *that* server, not to 
> *every* server that got the certificate from that CA. With your approach the
> user would be admitted to some other network if their server was issued a
> certificate by the same CA. If you are using commercial certificates there
> might be thousands of servers with certificates issued by the same CA. And
> the user will be able to get onto all of them (if they use EAP-TLS).
Thanks for the clarification, this is a good argument! In my case there is (and
will be) only one server which uses the CA so it makes no difference, but in many
other cases, you are right, signing with the CA is not what you really want.

Thanks again and best wishes

Stefan Puch


Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Ivan Kalik
>You have to install the ca certificate and the client certificate on the
>client-computer, why should the client cert be signed from the server cert? 

Because the idea is to authenticate those users to *that* server, not to
*every* server that got the certificate from that CA. With your approach
the user would be admitted to some other network if their server was
issued a certificate by the same CA. If you are using commercial
certificates there might be thousands of servers with certificates
issued by the same CA. And the user will be able to get onto all of them
(if they use EAP-TLS).

Ivan Kalik
Kalik Informatika ISP



Re: Problems using EAP-TLS with freeradius version 2

2008-02-08 Thread Stefan Puch

@Arran Cudbard-Bell
> / Is the prefix and suffix to the regular expression string. Any
> characters after the / suffix are used as modifiers. FreeRadius  only 
> supports the i modifier to make matches case insensitive.
> 
>  resolves to a literal back-slash. Regular expressions use the \ char as
> an escape char so it needs to be escaped with itself. FR also uses \ as an
> escape char so it has to be escaped with itself too. Hence the \ -> \\
> -> \
> 
> This regular expression was written to stop *stupid* *stupid* *stupid* 
> students from breaking authentication by entering something in the domain
> field. They kept entering sussex.ac.uk and [EMAIL PROTECTED] in the User Box
> in the windows supplicant, which resulted in. ... The regexp parses these as
> :
> 
> "%{1}" = user "%{2}" = domain
> 
> or
> 
> "%{1}" = user "%{2}" =
Thanks again for the detailed comment, it saved me a lot of time and I will try
to get more familiar with that kind of regular expressions. I will take your
first solution; the domain was only excluded to see that the test certificates
work which could be generated with the Makefile provided in the FreeRadius
source.

>> Now where the test certificates are working (on Win XP AND Windows Mobile)
>> I will have to investigate again in my old certificates, because my one are
>> only working with Windows XP supplicant and wpa_supplicant using Linux. The
>>  Windows Mobile supplicant cannot use them correctly although the
>> certificates are the same one. Very strange! 
Yesterday evening I found the solution why my certificates don't work with
the Windows Mobile supplicant although the Windows XP supplicant does:
I'm using TinyCA to create and manage my certificates. By default the
certificates are generated with a key length of 4096 using RSA encryption and
SHA-1 as signature algorithm. When I took a look into the Makefile which
generates the test certificates in the freeradius source, a key length of only
2048 is used and MD5 as signature algorithm, so the devil must be in there
somewhere. And indeed, it doesn't matter which algorithm you are using for
signing (MD5 or SHA-1), but the key length seems to be very important for Windows
Mobile devices. All certificates I generated with a key length of 2048 are
working fine; all certificates with a key length of 4096 don't work on the
Mobile device (although they work fine on a Windows XP system).

In short:
The built-in supplicant of the Windows Mobile devices (I tested one with Windows
Mobile 2003SE and one with Windows Mobile 6 Professional) doesn't like
certificates with a key length of 4096!!!

Thanks again for all help I got here on the mailing list, the next days/weeks
I'm going to write some HOWTO for Mobile Devices in order to give something back
to you :-)

@Alan DeKok
Won't it be better to change the signing process in the provided Makefile so that
a client certificate is signed by the ca certificate instead of by the server
certificate? When using TinyCA every certificate is signed by the ca
certificate, too. I know both will work if you specify the correct ca-cert in
eap.conf, but changing that point would make the process (in my opinion) more
consistent:
You have to install the ca certificate and the client certificate on the
client-computer, why should the client cert be signed by the server cert? When I
looked around the Web previously to find some good HOWTOs about setting up
Freeradius using EAP-TLS I always found it that way, that the ca cert signs all
other certs and by the way, the HOWTO in the freeradius Wiki (EAPTLS.pdf)
explains it that way, too ;-)

Best regards

Stefan Puch


Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Arran Cudbard-Bell

Stefan Puch wrote:
> @Arran Cudbard-Bell
>> Write a regular expression to strip off the proceeding \
>>
>> Heres one I did earlier If I remember correctly it's  to escape to
>> one \ in the username ... \\ To escape it in the RegExp string, \\ to make \
>> literal in the regular expression...
>
> I'm not so familiar with regular expressions, but your example works. Thank you
> very much! :-)
>
> To make the test certificate being accepted I only had to remove the leading
> "@", because the username in there is "[EMAIL PROTECTED]" and if stripped to
> only "user" it is not accepted by the radius server.

http://www.regular-expressions.info/

This is the best reference for regular expressions, depending on the
libraries the servers are built against, the RegExp flavour is usually
PCRE (Perl Compatible Regular Expressions).

> # This one works with the test certificate, too
> if ("%{User-Name}" =~ /?([^]+)@?([-[:alnum:]._]*)?$/) {
>     update request {
>         Stripped-User-Name = "%{1}"
>     }
> }

/ Is the prefix and suffix to the regular expression string. Any
characters after the / suffix are used as modifiers. FreeRadius only
supports the i modifier to make matches case insensitive.

 resolves to a literal back-slash. Regular expressions use the \
char as an escape char so it needs to be escaped with itself. FR also
uses \ as an escape char so it has to be escaped with itself too. Hence
the \ -> \\  -> \

This regular expression was written to stop *stupid* *stupid* *stupid*
students from breaking authentication by entering something in the
domain field. They kept entering sussex.ac.uk and [EMAIL PROTECTED] in
the User Box in the windows supplicant, which resulted in:

[EMAIL PROTECTED]
or sussex.ac.uk\user

The regexp parses these as :

"%{1}" = user
"%{2}" = domain

or

"%{1}" = user
"%{2}" =

if ("%{User-Name}" =~ /?([^]+)$/) {
    update request {
        Stripped-User-Name = "%{1}"
    }
}

If you don't need the domain information separately, the above
expression might work better for you. The ? will always try to match
the first '\' but will actually match the last '\' because of the greedy
capture. Then the greedy capture which will capture anything but \ .
Should also work for just straight [EMAIL PROTECTED] as the '\' prefix is
optional.

We use the domain part of the user identifier for proxying.

> Is there anywhere a more detailed HOWTO for understanding this regular
> expression? I would like to understand "fully" what this example does...
> Probably I just have to do some "googling"
>
> Now where the test certificates are working (on Win XP AND Windows Mobile) I
> will have to investigate again in my old certificates, because mine are only
> working with Windows XP supplicant and wpa_supplicant using Linux. The Windows
> Mobile supplicant cannot use them correctly although the certificates are the
> same ones. Very strange!
> Finally I can start writing the HOWTO for Windows Mobile devices ;-)
  



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

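As an added example (not code from the thread or from FreeRADIUS itself), the Python script below emulates what the two unlang expressions Arran explains capture for the User-Name forms discussed: "DOMAIN\user", "\user", "user@domain" and plain "user". Because the list archive stripped the backslashes from the posted expressions, the two patterns are my reconstruction and an assumption, rewritten for Python's re module (POSIX [:alnum:] becomes A-Za-z0-9).

```python
import re

# Assumed reconstruction of the two unlang patterns from the thread, whose
# backslashes the archive lost.  In FreeRADIUS config syntax each backslash
# would be doubled once more, as Arran describes (\ -> \\ -> \\\\).
#   user + domain:  /\\?([^\\@]+)@?([-[:alnum:]._]*)?$/   -> %{1}, %{2}
#   user only:      /\\?([^\\]+)$/                         -> %{1}
USER_AND_DOMAIN = re.compile(r"\\?([^\\@]+)@?([-A-Za-z0-9._]*)?$")
USER_ONLY = re.compile(r"\\?([^\\]+)$")


def split_user_name(user_name):
    """Emulate the first unlang block.

    Returns (%{1}, %{2}) as the 'update request' would see them, or None when
    the 'if' would not match and Stripped-User-Name would stay unset.
    Neither pattern is anchored at the start, so for "DOMAIN\\user" the
    engine fails at offset 0 (the '$' never lines up) and succeeds only when
    it retries just before the last backslash, which is why %{1} is 'user'.
    """
    m = USER_AND_DOMAIN.search(user_name)
    if m is None:
        return None
    # The optional domain group may not participate; treat that as "".
    return m.group(1), (m.group(2) or "")


def strip_user_name(user_name):
    """Emulate the second (user-only) block: returns %{1}, or None.

    '[^\\\\]+' does not exclude '@', so 'user@domain' is kept whole here;
    only a leading 'DOMAIN\\' (or bare '\\') prefix is dropped.
    """
    m = USER_ONLY.search(user_name)
    return None if m is None else m.group(1)


# Constructed sample User-Name values covering the forms the thread mentions.
SAMPLES = [
    "DOMAIN\\user",          # Windows Mobile with a domain filled in
    "\\user",                # Windows Mobile with the domain left blank
    "user@sussex.ac.uk",     # student typed the realm into the user box
    "sussex.ac.uk\\user",    # realm typed into the domain box
    "user",                  # nothing to strip
    "DOMAIN\\sub\\user",     # two backslashes: greedy match keeps the last
    "\\",                    # degenerate: neither block fires
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} user+domain={split_user_name(name)!r:28} "
              f"user-only={strip_user_name(name)!r}")
```

Running the script prints one line per sample, so the two blocks can be compared before choosing which one to put in front of `check_cert_cn = %{Stripped-User-Name}`.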


Re: Problems using EAP-TLS with freeradius version 2

2008-02-07 Thread Stefan Puch
@Arran Cudbard-Bell
> Write a regular expression to strip off the proceeding \
> Heres one I did earlier If I remember correctly it's  to escape to
> one \ in the username ... \\ To escape it in the RegExp string, \\ to make \
> literal in the regular expression...
I'm not so familiar with regular expressions, but your example works. Thank you
very much! :-)

To make the test certificate being accepted I only had to remove the leading
"@", because the username in there is "[EMAIL PROTECTED]" and if stripped to
only "user" it is not accepted by the radius server.

# This one works with the test certificate, too
if ("%{User-Name}" =~ /?([^]+)@?([-[:alnum:]._]*)?$/) {
    update request {
        Stripped-User-Name = "%{1}"
    }
}

> if ("%{User-Name}" =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) {
>     update request {
>         Stripped-User-Name = "%{1}"
>     }
> }
Is there anywhere a more detailed HOWTO for understanding this regular
expression? I would like to understand "fully" what this example does...
Probably I just have to do some "googling"

Now where the test certificates are working (on Win XP AND Windows Mobile) I
will have to investigate again in my old certificates, because mine are only
working with Windows XP supplicant and wpa_supplicant using Linux. The Windows
Mobile supplicant cannot use them correctly although the certificates are the
same ones. Very strange!
Finally I can start writing the HOWTO for Windows Mobile devices ;-)



Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Sebastian Heil
> For using EAP-TLS with the Windows Mobile devices I still have to solve
> one
> problem, which I think would be no problem for you, the problem with the
> username of the devices.
> 
> If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
> working configuration, but finally it should work also with that Option
> enabled.
>  The problem of the Windows Mobile devices is, that they always submit as
> username "DOMAIN\user". If you leave the DOMAINNAME blank still "\user" is
> used.
 
Hi,
In version 1.1.7 I used the following configuration to cut off the "host/" in front
of the username.

In the users file:
DEFAULT Prefix == "host/"

The new value will be written into the attribute "stripped-user-name", so I had
to change the value in eap.conf to the following setting:

check_cert_cn = %{Stripped-User-Name}

Maybe that will work in your configuration...

Sebastian
-- 


Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Arran Cudbard-Bell

Stefan Puch wrote:

> @Alan DeKok
>> I'll bet that if you posted the final Access-Accept from 1.1.7 and from
>> 2.0.1, that they would be *different*.  If you make them the same, I'll also
>> bet that the NAS will accept the user.
> You were right (you win the bet), I accidentally commented out an entry in the
> "default"-file, whose settings were included in radiusd.conf in the previous
> version of freeradius
>
>> Stop fighting with the certificates.  You're wasting your time, and confusing
>> yourself.  Start looking at the contents of the Access-Accept, which is the
>> only thing that really matters.
> With that hint I was able to get Windows and Linux Laptops working again using
> EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA
> connecting using EAP-PEAP.
> For using EAP-TLS with the Windows Mobile devices I still have to solve one
> problem, which I think would be no problem for you: the problem with the
> username of the devices.
>
> If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
> working configuration, but in the end it should also work with that option
> enabled.
> The problem with the Windows Mobile devices is that they always submit
> "DOMAIN\user" as the username. If you leave the DOMAINNAME blank, "\user" is
> still used.
> Since the radiusd.conf hints say that I should NOT use the option
> "with_ntdomain_hack" (and when I tested it, it still didn't work for me) I
> wanted to use the "Realm module".
> But at the moment I didn't fully understand how realms work, although I did
> read the posting on this mailing list (from 2004) and the manpage.
> I know that I will have to use the realm module

You don't... you're using 2.01?

Write a regular expression to strip off the preceding \
Here's one I did earlier. If I remember correctly it's  to escape to
one \ in the username ... \\ to escape it in the RegExp string, \\ to
make \ literal in the regular expression...

authorize {
# USERNAME FORMATTING
# User-Name Formatting, extracts Realm, User. Ignores NT domain
# This will accept
# * user
# * [EMAIL PROTECTED]
# * ntdomain\\user
# * [EMAIL PROTECTED]
if("%{User-Name}" =~ /?([EMAIL PROTECTED])@?([-[:alnum:]._]*)?$/) {
   update request {
   Stripped-User-Name = "%{1}"
   }
}
...
}

You then use:
check_cert_cn = %{Stripped-User-Name}

> PS: When I've got a working configuration for the Windows Mobile devices, I'm
> going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
> Windows XP Supplicant" just for Mobile PDA's



--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

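The username normalisation that Arran's authorize block performs, worked through as an added Python example (this is not code from the thread or from FreeRADIUS itself). The regular expression below is my own reconstruction of the one in his block, because the archive has masked part of the original; `authorize`, `expand` and `check_cert_cn` are hypothetical helpers that emulate the `update request` block and the `%{...}` expansion that the `check_cert_cn` setting in eap.conf goes through. It covers the four forms listed in his comments plus the bare `\user` form that the Windows Mobile supplicant sends, and shows why `check_cert_cn = %{User-Name}` fails for that form while `%{Stripped-User-Name}` matches.

```python
import re

# Assumed reconstruction of the regex in the authorize block above (the
# archive masked part of the original). Pieces, left to right:
#   (?:[^\\]*\\)?          optional "ntdomain\" prefix, thrown away
#   ([^@\\]+)              group 1: the bare user name
#   @?([-A-Za-z0-9._]*)?   group 2: optional realm after "@"
USER_NAME_RE = re.compile(r"^(?:[^\\]*\\)?([^@\\]+)@?([-A-Za-z0-9._]*)?$")


def strip_user_name(user_name):
    """Return (user, realm) for the accepted forms, or None if no match."""
    m = USER_NAME_RE.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def authorize(request):
    """Hypothetical stand-in for the unlang block: on a match, add
    Stripped-User-Name to a copy of the request's attribute dict."""
    request = dict(request)
    parsed = strip_user_name(request.get("User-Name", ""))
    if parsed is not None:
        request["Stripped-User-Name"] = parsed[0]
    return request


def expand(template, request):
    """Minimal %{Attribute} expansion; an attribute that is absent from the
    request expands to the empty string."""
    return re.sub(r"%\{([^}]+)\}", lambda m: request.get(m.group(1), ""), template)


def check_cert_cn(request, cert_cn, setting):
    """Emulates the check_cert_cn comparison: the expanded setting must be
    non-empty and equal to the CN of the client certificate."""
    expected = expand(setting, request)
    return expected != "" and expected == cert_cn


if __name__ == "__main__":
    # Constructed sample User-Name values, including the Windows Mobile case.
    for name in ["user", "user@example.org", "ntdomain\\user",
                 "ntdomain\\user@example.org", "\\user"]:
        req = authorize({"User-Name": name})
        print(f"{name!r:32} -> {req.get('Stripped-User-Name')!r}")
    wm = authorize({"User-Name": "\\user"})
    print("check_cert_cn = %{User-Name}:          ",
          check_cert_cn(wm, "user", "%{User-Name}"))
    print("check_cert_cn = %{Stripped-User-Name}: ",
          check_cert_cn(wm, "user", "%{Stripped-User-Name}"))
```

The last two lines of the demo are the point of the thread: with the device sending `\user`, comparing the certificate CN against the raw User-Name can never succeed, while the stripped name matches a certificate issued to `user`. Note that a User-Name the regex rejects leaves Stripped-User-Name unset, so `check_cert_cn = %{Stripped-User-Name}` then expands to an empty string and the check fails closed rather than open.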


Re: Problems using EAP-TLS with freeradius version 2

2008-02-06 Thread Stefan Puch
@Alan DeKok
> I'll bet that if you posted the final Access-Accept from 1.1.7 and from 
> 2.0.1, that they would be *different*.  If you make them the same, I'll also 
> bet that the NAS will accept the user.
You were right (you win the bet), I accidentally commented out an entry in the
"default"-file, whose settings were included in radiusd.conf in the previous
version of freeradius

> Stop fighting with the certificates.  You're wasting your time, and confusing
> yourself.  Start looking at the contents of the Access-Accept, which is the
> only thing that really matters.
With that hint I was able to get Windows and Linux Laptops working again using
EAP-TLS and freeradius 2.0.1. I also managed to get a WM2003 and a WM6 PDA
connecting using EAP-PEAP.
For using EAP-TLS with the Windows Mobile devices I still have to solve one
problem, which I think would be no problem for you, the problem with the
username of the devices.

If I disable the option "check_cert_cn = %{User-Name}" in eap.conf I get a
working configuration, but in the end it should also work with that option enabled.
The problem with the Windows Mobile devices is that they always submit
"DOMAIN\user" as the username. If you leave the DOMAINNAME blank, "\user" is still used.
Since the radiusd.conf hints say that I should NOT use the option
"with_ntdomain_hack" (and when I tested it, it still didn't work for me) I wanted to
use the "Realm module".
But at the moment I didn't fully understand how realms work, although I did read
the posting on this mailing list (from 2004) and the manpage.
I know that I will have to use the realm module

# 'domain\user'
realm ntdomain {
format = prefix
delimiter = "\\"
}

therefore, but what else do I have to configure when I want to use a "blank"
domain? First I tried with a domain called "bla" which is configured in 
proxy.conf:

realm bla {
   authhost= LOCAL
   accthost= LOCAL
}

The attached logfile shows that the username is stripped correctly, but
obviously the stripped username is not passed correctly to the eap module. Can
anyone tell me what else I have to configure? My goal is simply to strip the
"empty" domain from the username, so that eap-tls works with the option
"check_cert_cn = %{User-Name}" enabled in eap.conf

In short:
How do I specify an empty domain (realm "" {authhost = LOCAL, accthost = LOCAL}
doesn't work)?

What else do I have to configure, when the realm ntdomain is set in radiusd.conf
 (I have also set ntdomain in "authorize" and "preacct" section)

Best regards and thanks in advance

Stefan Puch

PS: When I've got a working configuration for the Windows Mobile devices, I'm
going to write a little HOWTO like the one "EAP/TLS Setup for FreeRADIUS and
Windows XP Supplicant" just for Mobile PDA's


FreeRADIUS Version 2.0.1, for host i586-mandriva-linux-gnu, built on Jan 24 
2008 at 21:20:10
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/radiusd/radiusd.pid"
user = "radius"
group = "radius"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = no
 }
}
 client 127.0.0.1 {
require_message_authenticator = no
secret = "test"
shortname = "localhost"
 }
 client 192.168.0.8 {
require_message_authenticator = no
secret = "test"
shortname = "AP-Tower"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none

Re: Problems using EAP-TLS with freeradius version 2

2008-02-05 Thread Reimer Karlsen-Masur, DFN-CERT


Jeffrey Hutzelman wrote on 04.02.2008 00:43:
> --On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur,
> DFN-CERT" <[EMAIL PROTECTED]> wrote:
> 
>> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your
>> client certificates they might not work with the Windows built-in supplicant.
> 
> This is not surprising, if that is the only EKU in the cert.  

I was talking about a set of EKUs like MS Smartcard Logon in combination
with clientAuth and e.g. e-mail protection... even if I did not state that
clearly enough.

Windows does not like to use EE certs containing the EKUs clientAuth and MS
Smartcard Logon for EAP-TLS with its built-in supplicant.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID: DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Re: Problems using EAP-TLS with freeradius version 2

2008-02-03 Thread Jeffrey Hutzelman
--On Thursday, January 31, 2008 05:42:50 PM +0100 "Reimer Karlsen-Masur, 
DFN-CERT" <[EMAIL PROTECTED]> wrote:

> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your
> client certificates they might not work with the Windows built-in supplicant.


This is not surprising, if that is the only EKU in the cert.  In fact, in 
that situation, no correct server should accept the certificate for 
EAP-TLS, because the presence of any EKU means the certificate may _only_ 
be used for listed usages, and EAP-TLS is not smartcard-based logon.  If 
you want to use a certificate for both purposes, then it must have both 
id-kp-ms-sc-logon and one of anyExtendedKeyUsage (2.5.29.37.0) or [sigh] 
id-kp-clientAuth (1.3.6.1.5.5.7.3.2).  Unfortunately, RFC2716 does not 
discuss the details of certificate validation, but the rules for handling 
extended key usages are the same for all uses of PKIX; for details, see 
RFC3280 section 4.2.1.13.  The replacement for RFC2716 is 
draft-simon-emu-rfc2716bis-13.txt, which was just approved as a Proposed 
Standard in the past week.  It does discuss the details of certificate 
validation for EAP-TLS, in section 5.3.


-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Carnegie Mellon University - Pittsburgh, PA

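The extended key usage rule Jeffrey describes, as an added Python example (not code from the thread or from any of the products mentioned): a small DER encoder and decoder for the ExtendedKeyUsage extension value, and `usable_for_eap_tls`, a hypothetical helper of mine that applies his reading of RFC 3280 section 4.2.1.13, namely that an absent extension imposes no restriction, while a present one must list id-kp-clientAuth or anyExtendedKeyUsage for EAP-TLS client use, so id-kp-ms-sc-logon on its own is not enough. The EKU byte strings are constructed inline and are not taken from any real certificate; in practice one would feed the function the extension value extracted from the client certificate under test.

```python
# OIDs named in the thread: clientAuth and anyExtendedKeyUsage from
# Jeffrey's message, Microsoft Smartcard Logon from Reimer's.
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
ID_KP_MS_SC_LOGON = "1.3.6.1.4.1.311.20.2.2"


def _base128(n):
    """Base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _length(n):
    """DER length octets, short form only (enough for an EKU extension)."""
    if n >= 0x80:
        raise ValueError("value too long for this small encoder")
    return bytes([n])


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: the first two arcs fold into one value, 40*a0 + a1."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _length(len(body)) + body


def encode_eku(oids):
    """ExtendedKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER (RFC 3280 4.2.1.13)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _length(len(body)) + body


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid_value(body):
    """Inverse of encode_oid for the value octets."""
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    a0 = 0 if first < 40 else 1 if first < 80 else 2
    return ".".join(str(a) for a in [a0, first - 40 * a0] + arcs[1:])


def decode_eku(der):
    """Return the list of dotted OIDs in a DER ExtendedKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU member is not an OBJECT IDENTIFIER")
        oids.append(decode_oid_value(value))
    return oids


def usable_for_eap_tls(eku_der):
    """Hypothetical policy helper applying the rule quoted above: no EKU
    extension (None) means no restriction; otherwise clientAuth or
    anyExtendedKeyUsage must be present. MS Smartcard Logon alone is not enough."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return ID_KP_CLIENT_AUTH in oids or ANY_EXTENDED_KEY_USAGE in oids


if __name__ == "__main__":
    # Constructed EKU values, not taken from any real certificate.
    smartcard_only = encode_eku([ID_KP_MS_SC_LOGON])
    both = encode_eku([ID_KP_MS_SC_LOGON, ID_KP_CLIENT_AUTH])
    print(smartcard_only.hex(), decode_eku(smartcard_only), usable_for_eap_tls(smartcard_only))
    print(both.hex(), decode_eku(both), usable_for_eap_tls(both))
```

The decoder deliberately rejects anything that is not a single SEQUENCE of OBJECT IDENTIFIERs rather than skipping unknown members, since a validator that silently ignores malformed EKU content would be easier to talk into accepting a certificate than one that fails closed.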


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Sebastian Heil

> 
> The first question I would like to get an answer for is: Which certificate
> is
> needed to sign the client certificate, the CA certificate or the server
> certificate?

It's nonsense that the server certificate signs the client certificate... it
must be signed by the CA certificate.

Sebastian

-- 


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote:
> - running "bootstrap" creates ca.pem, server.pem, dh and random which are used
> with the radius server (server.pem is signed with ca.pem)
> 
> - running make client.pem creates a client certificate which is signed by the
> server certificate (in my opinion that cannot work

  I guess all of the people using that exact scenario are deluding
themselves.

> - when trying to connect to the radius server the validation fails with
> following output from "radiusd -X" (because the the client cert is not signed
> with ca.pem):

  No.  It's failing because the server hasn't been told that its server
certificate is a known CA.  SSL is weird that way.

> - Then I changed the Makefile, so that the client cert is signed with the 
> ca.pem
> like the server certificate is (wouldn't be that the correct way?)

  No.  But it *will* work, too.  It may take less effort to get it to work.

> The problem is, that after the "Login OK" nothing further happens, e.g. the
> clients cannot carry on using dhcp. The dhcp-client is started, but the request
> doesn't reach the dhcp-server.

  The "login OK" message is nothing more than a suggestion in the radius
logs.  What is *important* is:

 - was an Access-Accept sent back?  The rest of the debug log that you
deleted should show that
 - was the Access-Accept understood and processed by the NAS?  See the
NAS for details.

  If the server sent an Access-Accept, and the user still doesn't have
network access, then the NAS chose to disconnect the user.  This is
basic RADIUS knowledge.

> So I downgraded again from 2.0.1 to freeradius 1.1.7 and tested everything
> again: The first client certificate, which was signed with the server
> certificate didn't work, the second one worked fine AND when after "Login
> OK"  the dhcp-client is started, the dhcp-server gets the requests and can 
> answer.

  You're stuck on the wrong pieces of information.  The certificates are
irrelevant.

  What is actually happening is that you've configured 2.0.1 and 1.1.7
*differently*.  The contents of the final Access-Accept sent by 2.0.1
are different from the contents sent by 1.1.7.  Since you configured the
contents, you are responsible for making sure that the contents are
identical, and that the NAS accepts them.

  The NAS doesn't look at the certificates.  It doesn't care.  It *does*
care if it isn't told the right information in the Access-Accept.

  I'll bet that if you posted the final Access-Accept from 1.1.7 and
from 2.0.1, that they would be *different*.  If you make them the same,
I'll also bet that the NAS will accept the user.

> The first question I would like to get an answer for is: Which certificate is
> needed to sign the client certificate, the CA certificate or the server 
> certificate?

  Either.  It depends on how you want to do it.

> The second question is: Are there any further suggestions or do I have to make
> an ethereal trace? Perhaps you can send me some test certs that should really
> work, so that I can exclude the certs when debugging/analyzing the rest?

  The certificates are fine.  Don't claim that the certificates don't
work.  Many people have them working in real-world and test environments.

  Stop fighting with the certificates.  You're wasting your time, and
confusing yourself.  Start looking at the contents of the Access-Accept,
which is the only thing that really matters.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Puch wrote on 01.02.2008 09:57:
> @Reimer Karlsen-Masur
>> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
>> certificates you could work around this by disabling the trust setting of
>> valid certificate usage "Microsoft Smartcard Logon" in the CAs properties in
>> Windows build-in certificate store on the PDA.
> As the "Microsoft Smartcard Logon" extendedKeyUsage *is NOT part* of the 
> client
> certificates there should be no problem. Something different seems to be not
> correct.
> 
> Did you get a PDA using Windows Mobile working with EAP-TLS with Windows
> build-in supplicant and freeradius? 

I am afraid we do not have a Win Mob PDA available to test things. Problems
with the non-repudiation keyUsage occurred with a SymbianOS based PDA.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID: DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Stefan Puch

@Reimer Karlsen-Masur
> If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
> certificates you could work around this by disabling the trust setting of
> valid certificate usage "Microsoft Smartcard Logon" in the CAs properties in
> Windows build-in certificate store on the PDA.
As the "Microsoft Smartcard Logon" extendedKeyUsage *is NOT part* of the client
certificates there should be no problem. Something different seems to be not
correct.

Did you get a PDA using Windows Mobile working with EAP-TLS with the Windows
built-in supplicant and freeradius? If yes, can you tell me which freeradius
version? I did once get a Windows Mobile working using the built-in supplicant
and EAP-PEAP using mschapv2 and freeradius 1.1.7


@Alan DeKok
I didn't find any test certificates that come with 2.0.1. I think you are talking
about the "bootstrap" script which can create some test certificates, aren't you?

If so, here are the results:

- running "bootstrap" creates ca.pem, server.pem, dh and random which are used
with the radius server (server.pem is signed with ca.pem)

- running make client.pem creates a client certificate which is signed by the
server certificate (in my opinion that cannot work but I did). I used that
certificate and ca.pem (according to the README) with wpa_supplicant on my linux
laptop

- when trying to connect to the radius server the validation fails with the
following output from "radiusd -X" (because the client cert is not signed
with ca.pem):
...
...
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/] (from client AP-Tower
port 1 cli 00095BC95B52)
  Found Post-Auth-Type Reject
+- entering group REJECT
++- group REJECT returns noop


--

- Then I changed the Makefile, so that the client cert is signed with the ca.pem
like the server certificate is (wouldn't that be the correct way?)

- when trying to connect to the radius server the validation succeeds with the
following output from "radiusd -X":
...
...
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0750], Certificate
chain-depth=1,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = Example Certificate Authority
--> subject = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
--> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
--> verify return:1
chain-depth=0,
error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = [EMAIL PROTECTED]
--> subject = /C=FR/ST=Radius/O=Example
Inc./[EMAIL PROTECTED]/[EMAIL PROTECTED]
--> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example
Inc./[EMAIL PROTECTED]/CN=Example Certificate Authority
--> verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.0.8 port 1140
EAP-Message =
0x010800450d80003b140301000101160301003031e600309274b2c95b4c91d60b518c86b678535f6f72e1ea9786b7ff77f6f405392a8
b9ddcd13285e0683603d2669f42
Message-Authenticator = 0x
State = 0x80a5541786ad5978313d7a01a03396c4
Finished request 6.
Going to the next r

Re: Problems using EAP-TLS with freeradius version 2

2008-02-01 Thread Alan DeKok
Stefan Puch wrote:
> Therefore the Makefile is used in the same directory. I'm not really sure, but
> in Line 93 where the "client.pem" is created it must be
> -passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)

  Thanks.  I've fixed that.

> It would also be helpful to integrate the following command into the ca 
> section,
> when generating a self-signed CA certificate, because using Windows you need 
> the
> CA in DER-format:
> openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

  Thanks.  I've added that, too.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Reimer Karlsen-Masur, DFN-CERT


Stefan Puch wrote on 31.01.2008 17:05:
> Hello again,
...
> @Reimer Karlsen-Masur
>> We know of problems with EE certificates in PDAs containing the
>> "non-repudiation" flag.

If the "non-repudiation" keyUsage *is part* of your client certificates they
might not work with some PDAs' built-in supplicants. We found this out by trial
and error...

>> Additionally Windows build-in supplicants don't like EE certificates with
>> the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
>> when doing EAP-TLS.
> 
>> Apparently the latter issue can also be solved by just disabling the valid
>> certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted
>> usages properties on the system.
> I'm not sure if I understand correctly what you want to say to me (I'm stupid 
> :-))
> First I've used TinyCA to generate my certificates, now I will try the 
> Makefile
> provided in the source-code of freeradius. I think the extendedKeyUsage
> "Microsoft Smartcard Logon" should not be set in both variants.

If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
certificates they might not work with the Windows built-in supplicant.

If the "Microsoft Smartcard Logon" extendedKeyUsage *is not part* of your
client certificates this causes fewer problems with the Windows built-in supplicant.

> Or do you mean
> that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the 
> PDA?

If the "Microsoft Smartcard Logon" extendedKeyUsage *is part* of your client
certificates you could work around this by disabling the trust setting of the
valid certificate usage "Microsoft Smartcard Logon" in the CA's properties in the
Windows built-in certificate store on the PDA.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID: DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



Problems using EAP-TLS with freeradius version 2

2008-01-31 Thread Stefan Puch
Hello again,

@Alan DeKok
> But I would first suggest trying to use the test certificates that come with 
> 2.0.1. If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that
> there is something special about the certificates you're using.
I tried to generate some test certificates using the README file provided in the
source code under "freeradius-server-2.0.1/raddb/certs/".
For that, the Makefile in the same directory is used. I'm not really sure, but
in line 93 where the "client.pem" is created it must be
-passin pass:$(PASSWORD_CLIENT) instead of -passin pass:$(PASSWORD_SERVER)

Most of the time you will not notice, because in server.cnf and client.cnf
all the passwords are set to "whatever" so they are identical, but when you set
them, you will get an error (like me).
It would also be helpful to integrate the following command into the ca section,
when generating a self-signed CA certificate, because on Windows you need the
CA in DER format:
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der

This evening I will try to test if these certificates are working.


@Reimer Karlsen-Masur
> We know of problems with EE certificates in PDAs containing the
> "non-repudiation" flag.

> Additionally Windows build-in supplicants don't like EE certificates with
> the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
> when doing EAP-TLS.

> Apparently the latter issue can also be solved by just disabling the valid
> certificate usage of Microsoft Smartcard Logon in the issuing CAs trusted
> usages properties on the system.
I'm not sure if I understand correctly what you want to say to me (I'm stupid :-))
First I used TinyCA to generate my certificates, now I will try the Makefile
provided in the source code of freeradius. I think the extendedKeyUsage
"Microsoft Smartcard Logon" should not be set in either variant. Or do you mean
that the extendedKeyUsage "Microsoft Smartcard Logon" must be disabled on the
PDA?

Best regards and thanks in advance

Stefan Puch




Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Hello everyone,

I've got some problems with the new version of freeradius, but before I'm going
to open a new bugreport or post long debugtraces from "radiusd -X" I want to ask
here if someone else has made similar experiences.

I've set up a freeradius server version 1.1.7 in our club to authenticate
several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
clients using EAP-TLS certificates (many thanks for the good documentation of
the OIDs in the TLS certificate).

Then some people came with their mobile devices which are running Windows Mobile
2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't
work on e.g. Windows Mobile 6 PDA.
So first I updated the freeradius version to the latest release (2.0.1), checked
and modified all configuration files and so on, but that didn't solve the
problem, it made things worse.

With the new version 2.0.1 the Windows and Linux Laptops are not able to
authenticate any more with the freeradius server (the certificates are still the
same). The server sends an ACCESS, but the behavior is like described in the FAQ
"PEAP or EAP-TLS Doesn't Work with a Windows machine". Downgrading to the
previous version of freeradius 1.1.7 makes them work again, freeradius version
2.0.0 doesn't work either.

Does anyone of the experts here know what could be the problem (a guess, perhaps
what changed from version 1.1.7 to version 2.0.1)?
My goal is first to make the clients using Windows XP, Vista and Linux work
again with freeradius version 2 and EAP-TLS. After fixing that it would be fine
if freeradius would also work with the different Windows Mobile systems.

So, what would be helpful to analyze the problem? All config files or just the
output from radiusd -X from both versions in order to make a diff or should I
open a new bug in the tracking system as well?
I would like to provide USEFUL debug traces, so that it is easier for the
experts to solve the problem and not too much work for me when providing useless
information.

Best regards and thanks in advance

Stefan Puch



Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Alan DeKok
Stefan Puch wrote:
> Then some people came with their mobile devices which are running Windows 
> Mobile
> 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems began.
> The same EAP-TLS certificate which worked fine on a Windows XP machine doesn't
> work on e.g. Windows Mobile 6 PDA.

  You have to love Microsoft...

> With the new version 2.0.1 the Windows and Linux Laptops are not able to
> authenticate any more with the freeradius server (the certificates are still 
> the
> same). The server sends an ACCESS, but the behavior is like described in the 
> FAQ
> "PEAP or EAP-TLS Doesn't Work with a Windows machine". Downgrading to the
> previous version of freeradius 1.1.7 makes them work again, freeradius version
> 2.0.0 doesn't work either.

  The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested
with Vista, XP SP1, XP SP2, Linux systems, MAC.  It's working "live" in
environments with many, many different OSs and architectures.

  So it *should* work.

> So, what would be helpful to analyze the problem? All config files or just the
> output from radiusd -X from both versions in order to make a diff or should I
> open a new bug in the tracking system as well?

  ethereal packet traces of the RADIUS traffic would help.  But I would
first suggest trying to use the test certificates that come with 2.0.1.
 If those work, then the issue isn't 2.0.0 versus 1.1.7, it's that there
is something special about the certificates you're using.

  Alan DeKok.


Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Reimer Karlsen-Masur, DFN-CERT

Stefan Puch wrote on 30.01.2008 11:13:
> Hello everyone,
> 
> I've got some problems with the new version of freeradius, but before I'm
> going to open a new bug report or post long debug traces from "radiusd -X" I
> want to ask here if someone else has made similar experiences.
> 
> I've set up a freeradius server version 1.1.7 in our club to authenticate
> several Notebooks. This worked fine with Windows XP, Windows Vista and Linux
> clients using EAP-TLS certificates (many thanks for the good documentation of
> the OIDs in the TLS certificate).
> 
> Then some people came with their mobile devices which are running Windows
> Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the problems
> began.

We know of problems with EE certificates in PDAs containing the
"non-repudiation" flag.

Additionally, Windows built-in supplicants don't like EE certificates with
the extendedKeyUsage "Microsoft Smartcard Logon" (1.3.6.1.4.1.311.20.2.2)
when doing EAP-TLS.

Apparently the latter issue can also be solved by just disabling the valid
certificate usage of Microsoft Smartcard Logon in the issuing CA's trusted
usages properties on the system.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 Jahre DFN-CERT + 15. DFN-Workshop "Sicherheit in vernetzten Systemen"
am 13./14. Februar 2008 im CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
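An added example, not code from the thread, from FreeRADIUS or from DFN-PKI, that checks an end-entity certificate for the two properties the reply above names as breaking EAP-TLS on Windows and Windows Mobile supplicants: the nonRepudiation keyUsage bit and the Microsoft Smartcard Logon extendedKeyUsage (1.3.6.1.4.1.311.20.2.2). It additionally flags an extendedKeyUsage extension that lacks id-kp-clientAuth, which goes beyond what the thread says. The DER walker uses only the standard library; the sample input is a constructed skeleton that contains just the tbsCertificate fields the walker reads and is not a real certificate.

```python
KEY_USAGE_OID, EXT_KEY_USAGE_OID = "2.5.29.15", "2.5.29.37"
MS_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # the EKU named in the reply
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"               # id-kp-clientAuth (extra check, see lead-in)


def read_tlv(data, pos=0):
    """(tag, value, end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def children(body):
    """Yield (tag, value) for each element inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_oid(raw):
    parts = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def certificate_extensions(cert_der):
    """Certificate -> tbsCertificate -> [3] EXPLICIT Extensions, as {oid: extnValue}."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)
    result = {}
    for tag, value in children(tbs):
        if tag == 0xA3:
            _, ext_seq, _ = read_tlv(value)
            for _, ext in children(ext_seq):
                fields = list(children(ext))        # extnID, [critical], extnValue
                result[decode_oid(fields[0][1])] = fields[-1][1]
    return result


def key_usage_bits(extn_value):
    """keyUsage is a BIT STRING; bit 0 = digitalSignature, bit 1 = nonRepudiation."""
    tag, bits, _ = read_tlv(extn_value)
    if tag != 0x03:
        raise ValueError("keyUsage is not a BIT STRING")
    unused, body = bits[0], bits[1:]
    total = len(body) * 8 - unused
    value = int.from_bytes(body, "big") >> unused
    return {i for i in range(total) if (value >> (total - 1 - i)) & 1}


def extended_key_usages(extn_value):
    _, seq, _ = read_tlv(extn_value)
    return [decode_oid(v) for t, v in children(seq) if t == 0x06]


def eap_tls_problems(cert_der):
    """Findings to fix before handing the certificate to a Windows EAP-TLS client."""
    exts, problems = certificate_extensions(cert_der), []
    if KEY_USAGE_OID in exts and 1 in key_usage_bits(exts[KEY_USAGE_OID]):
        problems.append("keyUsage sets nonRepudiation (bit 1)")
    if EXT_KEY_USAGE_OID in exts:
        ekus = extended_key_usages(exts[EXT_KEY_USAGE_OID])
        if MS_SMARTCARD_LOGON in ekus:
            problems.append("extendedKeyUsage contains Microsoft Smartcard Logon " + MS_SMARTCARD_LOGON)
        if CLIENT_AUTH not in ekus:
            problems.append("extendedKeyUsage is present but lacks id-kp-clientAuth")
    return problems


# Constructed sample input: a skeleton with only the fields the walker reads (not a valid cert).
def der(tag, body):
    assert len(body) < 128                       # short-form lengths are enough for the sample
    return bytes([tag, len(body)]) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p > 127:
            p >>= 7
            enc.insert(0, 0x80 | (p & 0x7F))
        out += enc
    return der(0x06, bytes(out))


def sample_cert(non_repudiation, ms_smartcard_logon):
    """Skeleton certificate carrying the requested keyUsage bits and EKUs."""
    ku = der(0x03, bytes([6 if non_repudiation else 7, 0xC0 if non_repudiation else 0x80]))
    ekus = [CLIENT_AUTH] + ([MS_SMARTCARD_LOGON] if ms_smartcard_logon else [])
    exts = der(0x30, der(0x30, encode_oid(KEY_USAGE_OID) + der(0x01, b"\xff") + der(0x04, ku))
               + der(0x30, encode_oid(EXT_KEY_USAGE_OID) + der(0x04, der(0x30, b"".join(map(encode_oid, ekus))))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0xA3, exts))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

To check a real certificate, pass its DER bytes to eap_tls_problems (for a PEM file, base64-decode the text between the BEGIN and END lines). Any finding means reissuing the certificate without that property; the alternative the reply gives, removing Smartcard Logon from the issuing CA's trusted usages on the Windows system, is a per-client workaround rather than a fix in the PKI.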

Re: Problems using EAP-TLS with freeradius version 2

2008-01-30 Thread Stefan Puch
Stefan Puch wrote:
>> Then some people came with their mobile devices which are running Windows 
>> Mobile 2003, Windows Mobile 5 (WM5) or Windows Mobile6 (WM6) and the 
>> problems began. The same EAP-TLS certificate which worked fine on a Windows
>>  XP machine doesn't work on e.g. Windows Mobile 6 PDA.
> 
> You have to love Microsoft...
Hmm, most of the time I'm using Linux, but 90% of the others only have a
Microsoft system :-(

> The EAP-TLS code was substantially re-worked in 2.0.0.  It was tested with 
> Vista, XP SP1, XP SP2, Linux systems, Mac.  It's working "live" in 
> environments with many, many different OSes and architectures.
> 
> So it *should* work.
I was afraid that someone would say that, because I didn't believe that a new
version would be released without testing. By the way, when you have tested so
many different Windows systems you will have to love Microsoft as well, won't
you ;-)


> ethereal packet traces of the RADIUS traffic would help.  But I would first 
> suggest trying to use the test certificates that come with 2.0.1. If those 
> work, then the issue isn't 2.0.0 versus 1.1.7, it's that there is something 
> special about the certificates you're using.
OK, then I will start with the provided certificates, well knowing that if they
do work I will have to make new certificates for all current users...
If the certificates that come with 2.0.1 also fail I will provide some ethereal
packet traces.

Thanks for the quick response

Stefan Puch

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Version 2 bzip file is gzip

2008-01-10 Thread Alan DeKok
John Horne wrote:
> It seems that the bzip2 file of the new version 2.0.0 is actually a gzip
> file:

  Fixed, thanks.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Version 2 bzip file is gzip

2008-01-10 Thread John Horne
Hi,

It seems that the bzip2 file of the new version 2.0.0 is actually a gzip
file:

  freeradius-server-2.0.0.tar.bz2: gzip compressed data, from Unix, last
  modified: Thu Jan 10 13:33:14 2008


I downloaded this from the main FreeRADIUS web site. Just something to
be aware of :-)


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Server Version 2

2007-09-14 Thread Alan DeKok
Kent Thomas wrote:
> Hello all,
> I'm wondering where to start looking to figure out what would cause a Bus
> Error when attempting to start the Server?

  doc/bugs

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Server Version 2

2007-09-14 Thread Kent Thomas
Hello all,
I'm wondering where to start looking to figure out what would cause a Bus
Error when attempting to start the Server?  I've checked the config files
and they appear to all be in the correct places.  Thanks for any help you
can give.
Kent


Here's the error log.

g5dp020:~ root# radiusd -Xxxx -A
Fri Sep 14 07:22:34 2007 : Info: FreeRADIUS Version 2.0.0-pre2, for host
powerpc-apple-darwin8.10.0, built on Sep 13 2007 at 15:37:40
Fri Sep 14 07:22:34 2007 : Info: Copyright (C) 2000-2007 The FreeRADIUS
server project. 
Fri Sep 14 07:22:34 2007 : Info: There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A
Fri Sep 14 07:22:34 2007 : Info: PARTICULAR PURPOSE.
Fri Sep 14 07:22:34 2007 : Info: You may redistribute copies of FreeRADIUS
under the terms of the
Fri Sep 14 07:22:34 2007 : Info: GNU General Public License.
Fri Sep 14 07:22:34 2007 : Debug: Config:   including file:
/etc/raddb/radiusd.conf
Bus error


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re : version 2; I cant wait

2007-03-18 Thread Eshun Benjamin
Alan, great, I cant wait for the magic ..:-). 
 
==

Benjamin K. Eshun

- Original Message 
From: Alan DeKok <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Saturday, 17 March 2007, 17:46:18
Subject: Re: version 2

Norbert Wegener wrote:
> On http://wiki.freeradius.org/Fail-over
> I find an interesting feature, that would be very useful in some 
> configurations:
...
> As mentioned there, it is available in version 2 of the server.
> Is it already foreseeable, when approximately the version 2 of 
> freeradius will be available?

  Soon.  I know I've been saying that for a while (too long now), but it
looks pretty good.  I have some code that has cleaned up a lot of the
odd things in the server core, so I'm much more comfortable releasing a 2.0.

  So far, the features look like:

  - if/then/else in radiusd.conf
  - full IPv6 support
  - much more stable handling of home servers
  - separation of realms from home servers
  - addition of "home server pools", for failover & load balancing
  - magic feature 1
  - magic feature 2
  - :)

  I won't say what the magic features are.  One will cause mild
surprise.  The other will cause great surprise.  My plan right now is to
test the code privately with a few early adopters who are sworn to
secrecy.  Once it looks like it works, the code will be made public, and
a 2.0-pre0 will be announced.

  From my research on Google, the features will quadruple FreeRADIUS's
potential install base.  The features will also enable network
administrators to do things that are currently impossible to do with
open source software.

  And it looks like it's only 3k-4k lines of code. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html











- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: version 2

2007-03-17 Thread Scott Hughes
Tease!!  ;)


  

-Original Message-
From: Alan DeKok <[EMAIL PROTECTED]>
Date: Sat, 17 Mar 2007 17:46:18 
To:FreeRadius users mailing list 
Subject: Re: version 2

Norbert Wegener wrote:
> On http://wiki.freeradius.org/Fail-over
> I find an interesting feature, that would be very useful in some 
> configurations:
...
> As mentioned there, it is available in version 2 of the server.
> Is it already foreseeable, when approximately the version 2 of 
> freeradius will be available?

  Soon.  I know I've been saying that for a while (too long now), but it
looks pretty good.  I have some code that has cleaned up a lot of the
odd things in the server core, so I'm much more comfortable releasing a 2.0.

  So far, the features look like:

  - if/then/else in radiusd.conf
  - full IPv6 support
  - much more stable handling of home servers
  - separation of realms from home servers
  - addition of "home server pools", for failover & load balancing
  - magic feature 1
  - magic feature 2
  - :)

  I won't say what the magic features are.  One will cause mild
surprise.  The other will cause great surprise.  My plan right now is to
test the code privately with a few early adopters who are sworn to
secrecy.  Once it looks like it works, the code will be made public, and
a 2.0-pre0 will be announced.

  From my research on Google, the features will quadruple FreeRADIUS's
potential install base.  The features will also enable network
administrators to do things that are currently impossible to do with
open source software.

  And it looks like it's only 3k-4k lines of code. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: version 2

2007-03-17 Thread Alan DeKok
Norbert Wegener wrote:
> On http://wiki.freeradius.org/Fail-over
> I find an interesting feature, that would be very useful in some 
> configurations:
...
> As mentioned there, it is available in version 2 of the server.
> Is it already foreseeable, when approximately the version 2 of 
> freeradius will be available?

  Soon.  I know I've been saying that for a while (too long now), but it
looks pretty good.  I have some code that has cleaned up a lot of the
odd things in the server core, so I'm much more comfortable releasing a 2.0.

  So far, the features look like:

  - if/then/else in radiusd.conf
  - full IPv6 support
  - much more stable handling of home servers
  - separation of realms from home servers
  - addition of "home server pools", for failover & load balancing
  - magic feature 1
  - magic feature 2
  - :)

  I won't say what the magic features are.  One will cause mild
surprise.  The other will cause great surprise.  My plan right now is to
test the code privately with a few early adopters who are sworn to
secrecy.  Once it looks like it works, the code will be made public, and
a 2.0-pre0 will be announced.

  From my research on Google, the features will quadruple FreeRADIUS's
potential install base.  The features will also enable network
administrators to do things that are currently impossible to do with
open source software.

  And it looks like it's only 3k-4k lines of code. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
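Two items on that list, the if/else on a module return code in radiusd.conf and the home server pools for failover, take the following shape in a FreeRADIUS 2.x configuration. This is an added illustration, not text from the wiki page, from the thread or from the project's shipped configuration; the module instance names ldap1 and ldap2, the home server names and TEST-NET-1 addresses, the realm and the shared secret are placeholders.

```conf
# raddb/sites-available/default, authorize section (unlang, FreeRADIUS 2.x).
# A module's return code (ok, notfound, fail, ...) can be tested right after
# the module runs, so a second source is consulted only when needed.
authorize {
    preprocess
    suffix
    sql
    if (notfound) {
        # user not in SQL: ask the first directory instance
        ldap1
    }
    else {
        # otherwise use the second instance (both defined under modules/)
        ldap2
    }
    pap
}

# raddb/proxy.conf: two home servers, a fail-over pool and the realm using it.
# A home server that stops answering is marked zombie, probed with
# Status-Server, and requests go to the next member of the pool meanwhile.
home_server radius1 {
    type = auth
    ipaddr = 192.0.2.10
    port = 1812
    secret = changeme
    response_window = 20
    zombie_period = 40
    revive_interval = 120
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}
home_server radius2 {
    type = auth
    ipaddr = 192.0.2.11
    port = 1812
    secret = changeme
    status_check = status-server
}
home_server_pool partner_pool {
    type = fail-over          # alternatives: load-balance, client-balance
    home_server = radius1
    home_server = radius2
}
realm partner.example {
    auth_pool = partner_pool
    nostrip
}
```

Proxying still has to be enabled in radiusd.conf (proxy_requests = yes), and status_check = status-server only works if the home servers answer Status-Server packets; otherwise a dead server is only retried every revive_interval seconds.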


version 2

2007-03-17 Thread Norbert Wegener

On http://wiki.freeradius.org/Fail-over
I find an interesting feature, that would be very useful in some 
configurations:


authorize {
    ...
    sql
    if (notfound) {
        ldap1
    }
    else {
        ldap2
    }
}

As mentioned there, it is available in version 2 of the server.
Is it already foreseeable, when approximately the version 2 of 
freeradius will be available?

Norbert Wegener


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Log files not being updated (version 2)

2006-06-05 Thread Alan DeKok
Hugo Heriz-Smith <[EMAIL PROTECTED]> wrote:
> If I type this:
> 
> radtest hugo test 127.0.0.1 1812 ***
> 
> then I get the following (but nothing shows up in the log).  

  Authentication != accounting

> I'm sure i didn't change anything, but now, it is saying System is an  
> unknown value? Is this problem perhaps bigger than I realize -or am I  
> just not thinking clearly...

  If it says System is unknown, you changed the default config to
break it.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
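The point of the reply, "Authentication != accounting", is that radtest sends an Access-Request, while the detail files under radacct are written for Accounting-Request packets, which the NAS sends separately. The following is an added example, not code from the thread or from the FreeRADIUS project, that builds both packet types offline with the standard library: the Access-Request with a random Request Authenticator and a hidden User-Password as in RFC 2865, and the Accounting-Request whose Request Authenticator is an MD5 over the packet and the shared secret as in RFC 2866, together with the server-side check of that authenticator. The secret, user name, password and session id are constructed sample values; "hugo"/"test" follow the debug output quoted in the thread, and the resulting Access-Request is 56 octets, the same length as there.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
# Attribute type codes from the standard RADIUS dictionary
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1


def avp(attr_type, value):
    """One Type-Length-Value attribute; Length covers the two header octets."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the server needs the same secret and the packet's authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(ident, user, password, secret, nas_ip=b"\x7f\x00\x00\x01",
                   nas_port=0, authenticator=None):
    """radtest's packet: a random Request Authenticator and a hidden User-Password."""
    auth = authenticator or os.urandom(16)
    attrs = [avp(USER_NAME, user),
             avp(USER_PASSWORD, hide_password(password, secret, auth)),
             avp(NAS_IP_ADDRESS, nas_ip),
             avp(NAS_PORT, struct.pack("!I", nas_port))]
    return packet(ACCESS_REQUEST, ident, auth, attrs)


def accounting_request(ident, user, session_id, secret, status_type=ACCT_START):
    """RFC 2866 3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attrs = [avp(USER_NAME, user),
             avp(ACCT_STATUS_TYPE, struct.pack("!I", status_type)),
             avp(ACCT_SESSION_ID, session_id)]
    unsigned = packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, attrs)
    return packet(ACCOUNTING_REQUEST, ident, hashlib.md5(unsigned + secret).digest(), attrs)


def accounting_authenticator_ok(pkt, secret):
    """Server-side check: recompute the authenticator; a wrong secret or altered attributes fail."""
    if len(pkt) < 20:
        return False
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attributes(pkt):
    """Return [(type, value)] from the attribute area; rejects lengths that overrun the packet."""
    attrs, pos = [], 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, pkt[pos + 2:pos + length]))
        pos += length
    return attrs
```

Sending accounting_request() over UDP to port 1813 with the secret from clients.conf is what makes an entry appear in the radacct detail file; an Access-Request only ever produces the auth-detail line that the auth_log instance writes, which is the line visible in the debug output below.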


Re: Log files not being updated (version 2)

2006-06-05 Thread Hugo Heriz-Smith

If I type this:

radtest hugo test 127.0.0.1 1812 ***

then I get the following (but nothing shows up in the log).  
Strangely, what I do see in the log are a few lines from last  
weekend, when I was trying to get this to work (as I mentioned, I was  
changing the user this runs under from 'nobody'back to 'root'.


Sat Jun  3 22:09:11 2006 : Info: rlm_exec: Wait=yes but no output  
defined. Did you mean output=none?
Sat Jun  3 22:09:11 2006 : Info: rlm_eap_tls: Loading the certificate  
file as a chain

Sat Jun  3 22:09:11 2006 : Info: Ready to process requests.


Below is the output I got when I ran the radtest command.

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33086, id=59,  
length=56

User-Name = "hugo"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radius/radacct/127.0.0.1/auth-detail-20060605'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20060605

  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "hugo", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry hugo at line 216
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Login incorrect: [hugo/test] (from client localhost port 1812)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 59 to 127.0.0.1 port 33086
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 59 with timestamp 448458e9
Nothing to do.  Sleeping until we see a request.


And, when I ran it once more before I mailed this, just to make sure  
I was getting everything straight, I got this as part of the output:


modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform  
requested action.

auth: Failed to validate the user.
Login incorrect: [hugo/test] (from client localhost port 1812)


I'm sure i didn't change anything, but now, it is saying System is an  
unknown value? Is this problem perhaps bigger than I realize -or am I  
just not thinking clearly...


thanks,

Hugo


On Jun 5, 2006, at 11:43 AM, Alan DeKok wrote:

> Hugo Heriz-Smith <[EMAIL PROTECTED]> wrote:
>
>> I wonder if there's anything obvious to anyone in the output I get
>> when I start freeradius (pasted  below).
>
>   And what does it say when you send it a packet?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Log files not being updated (version 2)

2006-06-05 Thread Alan DeKok
Hugo Heriz-Smith <[EMAIL PROTECTED]> wrote:
> I wonder if there's anything obvious to anyone in the output I get  
> when I start freeradius (pasted  below).

  And what does it say when you send it a packet?

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Log files not being updated (version 2)

2006-06-05 Thread Hugo Heriz-Smith

Hello,

I meant to send this the other day, I goofed and just sent the output  
at the bottom - my apologies.


I am running version 1.1.1 on FedoraCore 4. I am trying to get  
freeradius to work with our SkyPilot Extender DualBand AP as part of  
802.1x. This is a very new subject to me, but so far I've been  
able to install freeradius and I even had it running using MySQL  
successfully - I was able to test it using ntradping, and it  
responded as expected and the logs were added to properly.


As part of the 802.1x setup, it turns out we need to be using eap and  
a few other things that I did not have running in this initial setup.  
The vendor was kind enough to send me a copy of a working raddb  
directory that they had along with some instructions. Because they  
were running version 1.1, I didn't want to just dump their files over  
mine. I first turned off the MySQL integration, tested again and it  
worked fine reading the text config files. I then compared their  
files to mine and made the changes that seemed appropriate.


Now, when I start freeradius with 'radiusd -Xyfff', it boots up, and  
responds to requests as it should - but nothing gets added to the log  
file anymore. When this was originally working as expected, I was  
running radius as root. When I was comparing our files with the  
vendor's and making the changes, my reading of the comments in the  
radiusd.conf file led me to believe I should run it as nobody instead.  
My first thought was that maybe I then had permissions wrong on the  
log file - but changing the owner:group to nobody on the log didn't  
make a difference. I then changed it back to root and ran radius as  
root (as I had been before) but no luck there either.


I wonder if there's anything obvious to anyone in the output I get  
when I start freeradius (pasted below). I am hoping that I don't have  
to revert to 1.1, but if that's the best way to get this to work, I'll  
do it for sure.


Thanks for any suggestions.

Hugo


# radiusd -Xyfff
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "

How do you setup password encryption from Apache version 2 with Freeradius using a mysql database.

2006-01-13 Thread Frank Reiss




Hi,

I am looking for information on how to implement password encryption through
Freeradius using a mysql database and Apache 2. I have also installed OpenSSL.

I have set up Apache, FreeRadius and mysql and can access the user information
but I am looking to encrypt the password at this point.

I need to know what the settings are for the configuration files.

Thank you,

Frank Reiss
Impeva Labs, Inc.
Phone: 1-850-872-7099

COMPANY CONFIDENTIAL NOTICE
This electronic mail transmission and any accompanying documents contain
information belonging to the sender which may be company confidential and
legally privileged. If you are not the intended recipient, any disclosure,
copying, distribution or action taken in reliance on the message is strictly
prohibited. If you have received this message in error, please delete it.
Thank You
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html