HELLO ALL!
I am new to FreeRADIUS and I am looking for a good place to get some
documentation. I know about the wiki and the .org site, but what I am
looking for is somewhere I can get all of that info in a printable
format, I am also interested if anyone knows of some good reference
books.
Does anyone have any experience integrating FreeRADIUS with a FOSS
package called PacketFence? If you do, and are willing, please drop me
a line. Jake.Sallee(at)umhb(dot)edu.
Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
I am new to FreeRADIUS so please be patient with me. I am scouring the
docs as I write this but so far I have been stumped. Below I have
included the debug output of my server when I send it an authentication
request.
You will see that the user is found and authenticated by the
ntlm_auth_Cru
Is it possible to have FreeRADIUS send a radius response without first
receiving a request, provided I can feed it the same information the
request would have?
OR
Is it possible for FreeRADIUS to see the request come from one host and
have the response go to another?
Could someone please point me to a good how-to that will explain how to
get either pap or chap running using Microsoft AD as a backend?
From: Sallee, Stephen (Jake)
Sent: Thursday, July 29, 2010 9:53 AM
To: freeradius-users@lists.freeradius.org
Subject: pap or chap authentication with MS AD Backend
Could someone please point me to a good how-to that will explain how to
get either pap or chap running using Microsoft AD
We will be moving to Server 2008 R2 very soon, thanks for the heads up.
I have a working FreeRADIUS server that will authenticate linux clients
happily, however my windows clients are unable to authenticate. Here is
a snippet
--
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap]
Alan:
The supplicant is sending a certificate that the server doesn't
recognize.
I have turned off everything I can find on the windows box about
verifying certs and the like but still no joy. Is there a way to tell
the FreeRADIUS box to accept the cert?
What strange things show up
Thanks for the info, I have the client setup the way you suggest, in Win
7 almost everything you said were defaults. However I still get the
unknown CA problem. Does anyone know how I can tell the FreeRADIUS
server to accept the client cert automatically?
From: Sallee, Stephen (Jake)
Sent: Monday, August 02, 2010 7:07 PM
To: FreeRadius users mailing list
Subject: RE: windows users having trouble authenticating
Thanks
From: Alan DeKok
Sent: Tuesday, August 03, 2010 1:47 AM
To: FreeRadius users mailing list
Subject: Re: windows users having trouble authenticating
Sallee, Stephen (Jake) wrote:
I am still getting this error in my debug output:
rlm_eap: SSL error error
The various EAP methods *should* have tied usernames (i.e. domains)
to a field in the certificate. e.g. a cert with CN rad...@example.com
should be sent logins for u...@example.com, but NEVER sent logins
for u...@example.net
How does this workout with child domains? For example: I have two
AMAZING! Alan and John, you guys are on my Christmas card list now! I
had my default eap type set to mschap and was never getting prompted to
accept the server cert. John, you mentioned the mschap vs TLS and it hit
me, set eap to TLS and VOILA, the client is prompted to accept the cert
EXACTLY
One last problem and I think I am ready for production, woohoo!
When my users try to login with the convention usern...@domain the login
fails because I do not think I have FreeRADIUS correctly configured to
parse out the domain, however if they login with the convention
domain\username it works
I am about to generate a CSR for my FreeRADIUS Server. The vast
majority of my clients are Vista and Win 7 with a few MACs, with this in
mind would I be better off going with a 1024 bit cert or would a 2048
bit cert be better?
I know both are quite secure, but for platform interoperability and
From: Sallee, Stephen (Jake)
Sent: Tuesday, August 03, 2010 3:11 PM
To: freeradius-users@lists.freeradius.org
Subject: suffix configuration
One last problem and I think I am ready for production, woohoo!
When my
To: freeradius-users@lists.freeradius.org
Subject: Re: suffix configuration
On 2010/08/05 08:17 PM, Sallee, Stephen (Jake) wrote:
Does anyone have any input on this? It is kind of a problem for me
and I could really use some help : )
realms
--
Johan Meiring
Cape PC Services CC
From: Johan Meiring
Sent: Thursday, August 05, 2010 2:03 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: suffix configuration
On 2010/08/05 08:37 PM, Sallee, Stephen (Jake) wrote:
realms
... thank you. Whilst I do appreciate brevity, a single monosyllabic
response seems as though it may
I hope someone can help me.
I have written in about this problem before so please forgive me, but it
is still plaguing me : )
Quickly, my problem is users cannot log in using usern...@domain but can
login fine with domain\username.
One person mentioned the realms module, but when I look at it
From: Alan DeKok
Sent: Tuesday, August 10, 2010 3:42 PM
To: FreeRadius users mailing list
Subject: Re: Suffix authentication
Sallee, Stephen (Jake) wrote:
1) Before running radius -X what all steps should be completed?
... www.deployingradius.com, follow the how to ... and really and I mean
REALLY read the documentation in the conf files ... all of them. Print
them out in color ... all of them. Spread them out all over your work
surface, make
I don't use certificates on either the server or the client side.
I read on the internet that Windows 7 should also work without
certificates - is that true?
Strictly speaking this is actually true, However! You need to understand
what is happening:
1) Win7 will not connect to a
I switched to CentOS for my FR server because my Ubuntu install was
being too picky. I was able to get it to work but I had to compile
OpenSSL from source, then the libs are in different places, etc. it was
a headache. CentOS was much easier for me, if you're not forced to use
Debian you may
Have you tried disjoining and rejoining the domain after the upgrade?
It sounds crazy but I have seen similar problems fixed this way.
With the (hopefully) impending release of 2.1.10 I thought to ask:
My current FreeRADIUS server I have is compiled from source, when 2.1.10
comes out can I simply recompile and go or do I need to rip out the old
version first?
Subject: Re: 2.1.10 upgrade question
Sallee, Stephen (Jake) wrote:
My current FreeRADIUS server I have is compiled from source, when
2.1.10 comes out can I simply recompile and go or do I need to rip out
the old version first?
Recompile install. It will *not* break anything in your existing
I don't think that is possible, most of the time you would want to either tie
the RADIUS server into your web filter or the web filter into your RADIUS, not
send to both independently. The security risks in doing such a thing are just
too much.
Just My $.02
SORRY! I misread your message!
Accounting packets may be different, I was thinking authentication. My
apologies.
Your request is correctly being redirected to your inner tunnel, did you
enable MSCHAP in the inner tunnel? Also, there seems to be an issue
with how your realms are setup (if they are at all).
Try setting up your realms and logging in using the usern...@domain
convention.
Realms and make
Just checking, but you did see the problem in the following line of config,
right?
exec ntlm_auth {
    wait = yes
    program = ***/PATH/TO/NTLM_AUTH *** --request-nt-key
             --domain=MYDOMAIN --username=%{mschap:User-Name}
             --password=%{User-Password}
}
I understand if
It may be just me, but when they told you to upgrade they probably meant
to the latest 2.X release.
Is there a specific reason that you need to stay on a 1.X release? I
only ask because you may be needlessly complicating your life by using
ancient software.
2 things:
1) Near the bottom of the debug output there is a line that says you
are passing the username as domain\user, and it asks if you have enabled
the "with NT domain hack" option? Check your mschap module config to
see if this is enabled, it is commented out by default. You can check
Did you enable the WITH NT DOMAIN HACK in your MSCHAP module?
I have to ask ... but what is your server's name? The error is saying
that the name is incompatible with AD, do you have any special
characters, any spaces, or any other weirdness in your server's name?
I feel your pain, we have the same thing happen from time to time.
Check with your ISP, when it happens to us it is usually their DNS
server caching an old entry or a bad statement in one of their routers.
Good luck!
To be fair the fact that he is able to get along running such an ancient
release of FreeRADIUS is a testament to the quality of the software...however
it is dangerous to run antiquated versions of well-known software, the security
implications are horrendous.
Glad to hear you solved it, care to share so we can all benefit ?
I need help generating a Microsoft compatible CSR for my FR server that I can
get signed by a public CA.
The documentation mentions special OIDs that need to be present for MS
machines to accept the cert, but I can't find WHAT those OIDs are so I can
make sure I include them in the CSR.
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS
Sallee, Stephen (Jake) wrote:
The documentation mentions special OIDs that need to be present for
MS machines to accept the cert, but I can't find WHAT those OIDs are
so I can make sure I include them in the CSR.
See
Sent: January 20, 2011 1:48 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS
Sallee, Stephen (Jake) wrote:
Hmmm. I hadn't thought of that attack vector, kind of like a
man-in-the-middle attack, but isn't that what the private key
From: Sallee, Stephen (Jake)
Sent: Thursday, January 20, 2011 12:28 PM
To: freeradius-users@lists.freeradius.org
Subject: Generating a Microsoft compatible CSR for FreeRADIUS
I need help generating
Has anyone gotten windows clients to work WITHOUT having to do any manual
config on the clients?
Is it even possible?
Also, I have my shiny new publicly signed cert from Comodo but my clients are
still rejecting the connection ... I think the error is here:
[peap] TLS 1.0 Alert [length
always some form of cert acceptance for most OS.
- John Douglass, Systems Engineer
Sent from my iPad
On Jan 21, 2011, at 9:33 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 21/01/11 14:10, Sallee, Stephen (Jake) wrote:
Has anyone gotten windows clients to work WITHOUT having to do any
@all:
Firstly thank all of you who assisted me in trying to get a public cert
working, regrettably since Microsoft apparently lost all intelligence in
dealing with 802.1x wireless authentication it looks as though I will be using
a private cert.
That being said, I have generated the new
I have imported the ca.der into BOTH the trusted root CA store and the
Third-Party Root CA store, still I get the unknown CA error.
I must be doing something wrong, as per Alan's advice I did visit
deployingradius.com, where it mentions that the validate server cert check
box must be
As for accomplishing your goal, unfortunately others will have to help you
with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you
can authenticate EAP requests against LDAP directly because of the no clear
text password issue.
I think he is right ... I know that we had
If you are using ver 1.3.0 then the article is for you ... and you should
REALLY think about upgrading, otherwise use Alan's instructions @
http://deployingradius.com/
I'm not sure how that would work ... the AAA process is a conversation that
both sides participate in, your production server would churn along happily but
how would your test server talk back to the client to keep the process going?
Two comments about posting logs ...
#1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps
we don't need) and don't redact anything that's not privileged info, you can
very easily remove the portion of the log that holds the answer to your
questions.
#2 your output of
Just a word of warning, manually setting Auth-Type = ANYTHING is usually a bad
idea. FR is really good about figuring out what to do all on its own, if you
force an auth type it will very likely break something else.
While MS ISA is fine for very small deployments it cannot scale very well in my
experience. While FR scales extremely well.
While MS ISA will start to really putter out at about 50-100 NASs (depending on
your hardware) FR will happily hum along with THOUSANDS of NASs.
Actually FR is one of the easiest compiles on Linux I have ever seen! The
trick is to make sure you have all the necessary DEV packages installed. I
haven't compiled from source in a bit but I know in other programs you have to
have the correct DEV package architecture, i.e. even though you
From: Alan DeKok
Sent: Tuesday, May 17, 2011 9:48 AM
To: FreeRadius users mailing list
Subject: Re: Correct RegEX format for virtual server in proxy.conf
Sallee, Stephen (Jake) wrote:
I am trying
It should be logged in the syslog or if you run in debug mode it WILL be
plainly logged in the output.
Are you new to this list? If so please remember that this list is maintained
by volunteers, if you want professional support at your fingertips go pay for
it. Also, the debugs you posted are incomplete. Please post the FULL debug
output and wait patiently. Please do not mangle your debugs,
I should also note that all the questions you asked are not in any way related
to FreeRADIUS.
If I may butt in here...
IF you are interested in a FOSS captive portal there is a rather good FOSS NAC
called PacketFence that can do exactly what Mr. Gatten is saying. It uses
FreeRADIUS for its 802.1x authentication and has all kinds of neat features.
If you're interested drop me a line I can
If I may interject... if Gary's hint does not pan out I would suggest also
checking that the ntlm_auth binary is accessible to the FR daemon, I had an
issue on my box that the file permissions were correct but one of the
directories in the path was denying me access. So not only does the file
We did this through our realms, see code:
In your proxy.conf
realm ~.*umhb\\.edu$ {
    ### some code here ###
    ### usually the virtual server you want to proxy them to ###
}
If I am understanding your question right that should do it, but others may
have a better way .. or I could be on crack ...
On 25 Jul 2011, at 22:20, Sallee, Stephen (Jake) wrote:
On 25 Jul 2011, at 22:49, Sallee, Stephen (Jake) wrote:
Impressive, you've both made up entirely fictitious syntaxes for doing
proxying... Um anyway.
Glad you like it : )
I am still new to FR so forgive me if I am mistaken but that little bit of
unlang would go into the sites-enabled
So my questions are:
There REALLY needs to be a good reason that you are running any 1.X version or
else your question should be, Why haven't I upgraded to the latest and most
secure FreeRADIUS release.
From: Sallee, Stephen (Jake)
Sent: Monday
I believe you need to install the server cert and any intermediate certs on the
client before the validate server cert option will work.
by default when you join the machine to the domain
On Tue, Aug 9, 2011 at 18:29, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:
As what user are you attempting to start FreeRADIUS? Most times FR is run as a
daemon, so any user that tries to run FR should have permissions to look at
FR's files, most time this is root or some other super user. What does radiusd
-X say?
Hmmm ... are you sure you are root? I am not a MAC guy, but I do know that
MACs are based off Linux (technically FreeBSD with some Steve Jobs magic on
top, but who REALLY makes that distinction any more : ). That being the case
root SHOULD have access to everything, so if as root you are
I just finished a deployment that did exactly that! This may be a subject more
suited for their mailing list (which I am on as well).
Message me on that list and I bet we can get you working. I only say this
because from what you say FreeRADIUS is sending the correct radius attributes
back,
Our Cisco ACS was accidentally made useless by some numbskull (me) by raising
the functionality level of our AD domain, apparently ACS 4.2 is not compatible
with newer MS AD servers ... and once you raise the functionality level ... you
can't go back ... go me :o
So! I am trying to replicate
I found a nifty little tool a while back that has really helped me with
difficult regexes, it's called RegexDesigner and runs fine on 64-bit Win 7.
There is a simple GUI that shows you the regex, and helps you build it, then
you can give it some input and it will show you the outcome ... handy
There is a tool to test the maximum RADIUS requests per second your setup can
handle.
As for the max number of clients / NAS, that will be determined by the hardware
of the NAS.
As for what type of NAS ... do you really expect us to do your shopping for you?
By bandwidth, I assume you mean
I am sorry, but if you expect people to continue to assist you it is imperative
that you communicate with us correctly. Please run the server in debug mode,
capture the output and post the output here along with a comprehensible
description of the issue. I must assume that the reason you
Ok, I have been watching your discourse from afar and I have to say this:
This kind of QA thing helps no one here! ...
Two things. Number one, he IS answering your questions. He is just not GIVING
you the answer. Number two, the gentleman in question is quite possibly the
preeminent
We are actually looking into doing the same thing.
Although we are probably going to add a custom attribute that we can set to the
vlan of our choice, that way we can find the vlan by a simple ldap query
without adding complex logic to the server. This to us seems the simplest
route. It is
Please forgive the interjection, but does anyone know of a helper module like
ntlm_auth that would work with LDAP, seems like such a tool would make
questions like this a non-issue.
To save others the trouble I will ask the obvious:
1) What does the RADIUS debug log say? Please post it here IN FULL, do not clip
out the portion you think you need.
2) have you checked the config on the client and the AP?
3) What part of this problem do you think is a RADIUS issue, and why?
It may be a misunderstanding on my part but I believe any encrypted protocol
would need a cert of some sort. PEAP is an encrypted tunnel thus you will need
a cert. FR will generate its own certs for testing but for production you
should generate your own. We are making the move to 802.1x in
I have read on the list and the FR wiki that decreasing the MTU value for the
tunnel can help alleviate the pesky "EAP session did not finish" problem. I
would like to try this as I am getting the same issue on iOS and Android based
phones using the default certs FR ships with.
However I cannot
If you are looking to assign users network permissions may I suggest you look
into the open source enterprise NAC called PacketFence, we are using it with
great success.
No use reinventing the wheel, especially when you can get a really tricked out
wheel for free : )
I have no idea which files to check even though the message is clear.
Did you set up this server or did someone else? The NAS is a client to the
freeRADIUS server, normally these are setup in clients.conf.
Also, keep in mind that your password will be sent over the network as text and
processed
Can you paste the output of radiusd -X? Please don't use -XX, we don't need
timestamps.
... did you set a default auth type? A lot of old how-to docs have you do this
as a test to see if FR is working ... but it is easy to forget to undo when
you're done.
Am I going about this the wrong way?
Yes, yes you are.
#1) You will REALLY want to check your local laws, you may have just committed
from a class B misdemeanor to a class C felony. Here is a link for states in
the US:
http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws
#2) It