How to Vendor Specific Attribute?
Hi,

Can anybody tell me how to check a vendor-specific attribute using radclient? All other attributes are working fine, but I am unable to check the vendor-specific attribute.

regards
rudra

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP TLS LOAD PROBLEM...
This problem is due to the CA.root, CA.svr and CA.clt scripts, which use the password "whatever", which can be confused with the other passwords (secrets) that you input during cert creation. So in the configuration of your tls module, put "whatever" as the password and see the result.

AMY

- Original Message -
From: Matteo Bertato
To: [EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 11:33 AM
Subject: EAP TLS LOAD PROBLEM...

I have installed the 3-9-2003 snapshot of freeradius with openssl 0.9.7b. I have configured everything using http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#7, and all seems to work until:

Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 1024
 tls: dh_key_length = 1024
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/radius.pem"
 tls: certificate_file = "/etc/1x/radius.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "radius"
 tls: dh_file = "/usr/local/openssl/ssl/misc/DH"
 tls: random_file = "/usr/local/openssl/ssl/misc/random"
 tls: fragment_size = 1024
 tls: include_length = yes
20473:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
20473:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
20473:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
20473:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[136]: eap: Module instantiation failed.

All what kind of error is it? thanks.

AMY
Re: FreeRADIUS 0.9.1 released!
rlm_ippool fixed in this release ?

- Original Message -
From: Paul Hampson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 05, 2003 3:32 AM
Subject: FreeRADIUS 0.9.1 released!

Thanks to recent work by Paul Hampson as the release coordinator, we are pleased to announce the release of version 0.9.1 of FreeRADIUS.

This version is a point release, and is a minor upgrade to 0.9.0. The release focus has been bug fixes, so if you have had any issues with 0.9.0, you may want to upgrade to 0.9.1.

The software is available at:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.1.tar.gz

With a PGP signature at:

ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.1.tar.gz.sig

The Change Log is as follows:

FreeRADIUS 0.9.1 ; Date: 2003/09/04 14:56:34, urgency=low

* Replicate-To-Realm is deprecated, and hence no longer documented
* Document rlm_detail support for authorize and post-auth sections
* Improve slightly MySQL accounting record SQL query
* Opaquefied CHAP-Challenge
* Add attributes to Nomadix dictionary
* Fix rlm_exec's parsing of non-attribute return values
* Fix for a segfault while reading config files
* Fix for a segfault regarding hostname lengths
* Fix for a segfault while reading deprecated config files
* Fix compilation of radiusd.c when threads are disabled
* Recover from inability to relay
* Stop complaining in error log when a system call is interrupted
* Don't print binary CHAP-Passwords into the logs
* Successfully detect GNU dbm = 1.8.1's dbm compatibility library
* Fix rlm_unix to deal with requests without a username
* Fix unimplemented function crash in postgresql driver on -HUP
* Revert INTERVAL types to BIGINT in postgresql example schema
* Fix radrelay to notice when it's out of IDs
* Fix radrelay to correctly skip bad attributes
* Fix radrelay to not leak IDs when discarding packets
* Fix configure to correctly identify systems without SYSV or GNU-style gethostby{addr,name}_r.
--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul TBBle Hampson
Re: radius+ldap
On Fri, 5 Sep 2003, [GB2312] wrote:

> My Userbase is in LDAP and I want to use EAP-MD5 authentication, How to configure?

You first read doc/rlm_eap and doc/rlm_ldap. rlm_eap contains the exact question you are asking along with the answer, and rlm_ldap contains detailed information on how to configure the ldap module to extract user passwords from ldap.

> EMAIL:[EMAIL PROTECTED] TEL:020-87114020 020-87114021
> 2003-09-05

--
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
request about CRL Validation in 802.1x EAP-TLS in Freeradius for Ivan Dolezal
Hello,

I've applied your patch (posted 12 Jun 2003), and then I got "unable to get certificate CRL". In fact I didn't understand point 2: "Glue ... to the end of CA Certificate". I tried cut and paste in the root.pem to add the content of the crl.pem, but it didn't change anything.

Please, what do I have to do to have the certificate CRL ok?

Regards.
Pre-auth check of calling-id
Hi

I would like to have Freeradius proxy a request to a LDAP server that will check the calling-station-id against a white-list (check to see if we can bill that number). If this results in an accept, then the original request should be proxied to a home radius server.

Another possibility would be to proxy the request in parallel and only allow the user if both proxy requests gave an accept response.

Can this be done? If so, I will be grateful for any advice.

Tom Myren
NetCom AS
Norway
dictionary.nomadix
Is there any reason why that line is no longer included in the cvs and 0.9.1?

ATTRIBUTE Nomadix-Config-URL 12 string Nomadix
Re: Pre-auth check of calling-id
Hi Tom,

I'm using this on a MaxTNT NAS. Maybe your NAS also supports it. From the MaxTNT:

IO-Admin read answer
ANSWER-DEFAULTS read
IO-Admin set clid-auth-mode ?
clid-auth-mode: Specifies how calling line identification (CLID) will be used for incoming call authentication.
Enumerated field, values:
ignore: Don't require a matching ID.
clid-require: The CLID must be valid and match the value in the stored profile. If the profile also requires pap/chap/etc then do that in addition.
clid-prefer: Authenticate using the CLID if provided by the telco switch, otherwise fall back to using the encapsulation protocol's authentication. If CLID authentication fails, refuse the call.
clid-first: First authenticate using the CLID if provided by the telco switch. If CLID authentication fails, fall back to using the encapsulation protocol's authentication.
clid-fallback: Authenticate using the CLID when RADIUS is available, otherwise fallback to using the encapsulation protocol's authentication.
dnis-require: The Called # must be valid and match the value in the stored profile. If the profile also requires pap/chap/etc then do that in addition.
dnis-pref: Authenticate using the Called # if provided by the telco switch, otherwise fall back to using the encapsulation protocol's authentication. If DNIS authentication fails, refuse the call.
dnis-first: First authenticate using the Called # if provided by the telco switch. If Called # authentication fails, fall back to using the encapsulation protocol's authentication.

Regards,
Chris

On Fri, 5 Sep 2003, Tom Myren wrote:

> Hi
>
> I would like to have Freeradius proxy a request to a LDAP server that will check the calling-station-id against a white-list (check to see if we can bill that number). If this results in an accept, then the original request should be proxied to a home radius server.
>
> Another possibility would be to proxy the request in parallel and only allow the user if both proxy requests gave an accept response.
>
> Can this be done? If so, I will be grateful for any advice.
>
> Tom Myren
> NetCom AS
> Norway
Re: I don't recall making a change, but FR is not working the same way anymore...
hi Tom

a dumb question looking on your log:

Tue Sep 2 12:13:57 2003 : Auth: Login OK: [higleys] (from client higleyscoffee port 0 cli 00-04-E2-07-EC-31)
Tue Sep 2 15:48:04 2003 : Auth: Login OK: [higleys] (from client higleyscoffee port 0 cli 00-04-E2-07-EC-31) = this should have been denied

who told you that the first session already used up all the 900secs??? if not, why should the second be denied then?

ciao
artur
Re: how to send EAP-Message [Re: LEAP authentication fails]
Hey Dave,

thanks a lot! nice thing... worked fine for me so far :). There´s tool called ntradpad(winnt), you can change the request type to send EAP messages with, but i didn´t tried it out now. I couldn´t really follow suit when it came to the point that RADIUS changes state attribute, cause i don´t know exactly what the RADIUS state attributes are and what they do, I can only imagine... but anyways thanks a lot! I´ll try to get some more information about these state attributes.

regards, cl

Dave Mason wrote:

> Hi,
>
> Here's how I do it. I don't know of a test client that can easily build a RADIUS Access-Request with an EAP-Message - if anybody does please let us know. The radclient program supplied with Freeradius can add an EAP-Message attribute but you have to code it yourself in hex. Here's how I send an EAP/Response/Identity:
>
> $ radclient -f eapRspId.txt -r 1 localhost auth testing
>
> The eapRspId.txt file looks like this:
>
> ---
> [EMAIL PROTECTED],
> Message-Authenticator=xxx,
> EAP-Message=0x020100210131393230353332323830303230333130407472616e7361742e636f6d
> # EAP-Resp/id=1/type=Identity/[EMAIL PROTECTED]
> --
>
> I put the comment last because radclient stops as soon as it sees a comment.
>
> Another thing to keep in mind. Freeradius will set the RADIUS State attribute in all challenge messages to some random value, but you'll need to use the same value in the State attribute of the response. If you're using hard coded message files like this, adding a different State value every time would be a pain, so I use a test patch in rlm_eap/state.c that sets State to some known value like state1, state2, etc., throughout the challenge sequence, and another in my rlm_eap_type to restart back to state1 when EAP-Success or Failure is sent. You can keep the state number in a global variable. This lets you hard code the State value in the eapRspXxx.txt message file. I now turn the patch on at compile time with a flag, but someday I'd like to make it configurable in radiusd.conf.
>
> Dave
rejecting clear text passwords. upgrade pains (0.8.1-0.9.0)
we have been running freeradius 0.8.1 for a while and was doing different updates on the machine. when i upgraded freeradius to 0.9.0 it stopped accepting clear text passwords. chap passwords still were fine. when i downgraded back to 0.8.1 everything went back to normal.

i do have a different set of config files for 0.9.0 and 0.8.1, but i thought i copied all of the changes we made over to the 0.9.0 config files. what option did i miss?
Re: Digital Certificates + LDAP
On Fri, 8 Aug 2003, Alan DeKok wrote:

> Sevcik Berndt [EMAIL PROTECTED] wrote:
>> We also have an running OpenLDAP Server running which has entries for all of our users. Is it possible to move all TLS certificates to LDAP and then let Freeradius look for them there?
>
> Not currently.

Really? I'm too into this problem. I'd like to proxy eap-tls request from wireless client accessing a Cisco Aironet to an LDAP server. So I can't shift the certificates from the FreeRadius server to the LDAP server?

Sorry if I'm asking about old posts ...

Thanks,
Luca
ALERT - GroupShield ticket number OA7690_1062771451_PVDEX01_3 was generated
Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: [EMAIL PROTECTED] [EMAIL PROTECTED] From: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: -653761792,29586326 Subject: Re: Thank you! Attachment Details:- Attachment Name: thank_you.pif File: thank_you.pif Infected? No Repaired? No Blocked? Yes Deleted? No Virus Name: application/ms-tnef
Re: mschap v2 and external authentication
On Mon, 2003-09-01 at 11:09, 3APA3A wrote:

> Dear Dmitry Koval,
>
> You messed up 2 things: 'authorize' and 'authenticate'. In terms of FreeRADIUS you want to 'authorize' with external program. That is you wanna call external program to add Password attribute to configure list. Please read doc/aaa.txt

Thank you for this pointer, I've already done it by exec module before mschap in the authorize section. The confusing part for me was absence of config option for output_pairs param in the radiusd.conf comments which is the only documentation for a module. A look at the source clarified things well for me.

Thanks.

--
Dmitry Koval [EMAIL PROTECTED]
Attribute User-Name is required for authentication
Hi,

I'm working on RADIUS server and RADIUS client for the first time. I have gone thru the docs b'4 configuring the both. First I tested out in local machine.. and it is done. I used both CHAP-Password and User-Password (using Auth +=System). Both worked well for local machine. To verify b'4 putting client to other machine... I did check out with aliased IP-address in the same machine (still in local).

Now I compiled and just transferred to other machine (say an embedded board). After compiling for that arch I put into that board with dictionary also (even I made dictionary.compat into the main dictionary, since I can't have many file descriptors in the board). Then I put the entry of the IP address into clients.conf. (Still I work with combined dictionary in the local machine)

Now the problem I'm facing is "Attribute User-Name is required for authentication." on the server side, and it is saying Access-Reject. (I tried to use /etc/passwd method and also CHAP-Password method)

The format in which I'm doing is working when I work on local machine.. but why not from a remote machine. May be I'm making a silly mistake somewhere. So pls make me understand about this scenario.

The other problem is that the server always gives a message saying "rlm_eap: EAP-Message not found" (even if it authenticates or not).

Thanx in advance
//Vishal

--
PS: CC (only personal mails) to [EMAIL PROTECTED]
--
Vishal Jose M, Software Engineer
iCOPE Technologies Pvt. Ltd.
[EMAIL PROTECTED] Tel: 91-80-5716909 www.icope.com

...the Linux philosophy is laugh in the face of danger. Oops. Wrong one. Do it yourself. That's it.
Re: Problems using with Nortel 8600 switches
Darren R. Weber [EMAIL PROTECTED] wrote:

> I didn't say it didn't work. I said it didn't look right but I'd test it before passing judgment. The reason I stated it didn't look right is because in the test client (NTradping) in the attribute dump it after the addition it shows as 'unknown-vendor-attribute (Bay) 193, size 4 =' That to me doesn't look right. Since it previously came up as 'Ascend-Pre-Output-Packets Value=1'. Shouldn't it show the attribute name I set in the dictionary?

Absolutely not. The dictionary entries are never sent over the wire.

Alan DeKok.
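To illustrate the reply above, here is an added example (not code from the thread or from FreeRADIUS) that encodes a Vendor-Specific attribute in the RFC 2865 layout and decodes it against different dictionaries. The vendor number 99999 and both attribute names are hypothetical; only the attribute number 193 and the 4-octet size come from the post.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor attributes

# Hypothetical vendor number and names, constructed for this example only.
EXAMPLE_VENDOR = 99999
SENDER_DICT = {(EXAMPLE_VENDOR, 193): "Example-Session-Class"}
RECEIVER_DICT = {(EXAMPLE_VENDOR, 193): "Local-Name-For-193"}


def encode_vsa(vendor_id, vendor_type, value):
    """Type 26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | value."""
    if len(value) > 247:  # 255 - (2 outer header + 4 vendor id + 2 inner header)
        raise ValueError("value too long for one Vendor-Specific attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def _tlvs(buf, what):
    """Yield (type, value) pairs, rejecting truncated or inconsistent lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header")
        tlv_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length}")
        yield tlv_type, buf[pos + 2:pos + length]
        pos += length


def decode_attributes(buf, dictionary):
    """Name each attribute from the *local* dictionary; the wire has numbers only."""
    out = []
    for attr_type, value in _tlvs(buf, "attribute"):
        if attr_type != VENDOR_SPECIFIC:
            out.append((dictionary.get((0, attr_type), f"Attr-{attr_type}"), value))
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without a Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        for vendor_type, vendor_value in _tlvs(value[4:], "vendor attribute"):
            fallback = f"unknown-vendor-attribute ({vendor_id}) {vendor_type}"
            out.append((dictionary.get((vendor_id, vendor_type), fallback), vendor_value))
    return out


def demo():
    """Same octets, three dictionaries, three different displayed names."""
    wire = encode_vsa(EXAMPLE_VENDOR, 193, struct.pack("!I", 1))
    return (wire,
            decode_attributes(wire, SENDER_DICT),
            decode_attributes(wire, RECEIVER_DICT),
            decode_attributes(wire, {}))


if __name__ == "__main__":
    wire, as_sender, as_receiver, no_dict = demo()
    print(wire.hex())
    for label, decoded in (("sender", as_sender), ("receiver", as_receiver), ("none", no_dict)):
        print(label, decoded)
```

The name a test client prints therefore depends only on that client's own dictionary files, which is why adding an entry on the server does not change what the client shows.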
FreeRadius 0.9.0 and Proxim Orinoco AP-2000 Help
I am having trouble getting FreeRadius and an AP-2000 to work. I installed FreeRadius 0.9.0 on a slackware linux server and everything there went fine. I then configured the AP-2000 and everything looked ok, I can even see requests being sent to the radius server and the radius server sending a response. The trouble is, the AP says the radius server is not responding.

I have configured the clients.conf file with the ap in there and have the matching shared secret on both the ap and radius server. I am trying to do MAC address resolution and I can see that working, just nothing gets back to the ap. The radius server and the ap are on different networks, but there is no firewall between them.

Any assistance would be appreciated,
David
which revision of autoconf to use?
I am working on a eap-sim module for freeradius. I'm setting up my directory, environment, etc. I had a problem, so I tried it in eap_tls directory again.

According to the CVS copy of, say, modules/rlm_eap/types/rlm_eap_tls/configure, it was produced using autoconf2.13. if I move it aside, and run that version (which Debian woody provides)

marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1426 %mv configure configure-dist
marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1427 %touch configure.in
marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1428 %autoconf2.13
autoconf: Undefined macros:
configure.in:71:AC_SMART_CHECK_INCLUDE(openssl/ssl.h)
configure.in:77:AC_SMART_CHECK_LIB(crypto, DH_new)
configure.in:82:AC_SMART_CHECK_LIB(ssl, SSL_new)
zsh: 24930 exit 1 autoconf2.13
marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1437 %which autoconf2.13
/usr/bin/autoconf2.13

Is there some magic that I need to know about?

I get the same results with autoconf 2.57, although it gives me a nicer error message:

marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1474 %autoconf
configure.in:71: error: possibly undefined macro: AC_SMART_CHECK_INCLUDE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.in:77: error: possibly undefined macro: AC_SMART_CHECK_LIB
zsh: 31194 exit 1 autoconf

Thank you.

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another Debian/notebook using, kernel hacking, security guy); [
Re: rejecting clear text passwords. upgrade pains (0.8.1-0.9.0)
ok, i missed a setting. in the old settings i had file commented out of the auth section. not sure why it would let chap through still but not clear text. i also see i forgot to include enough details to help anyone help me.

On Friday 05 September 2003 08:45, you wrote:

> we have been running freeradius 0.8.1 for a while and was doing different updates on the machine. when i upgraded freeradius to 0.9.0 it stopped accepting clear text passwords. chap passwords still were fine. when i downgraded back to 0.8.1 everything went back to normal.
>
> i do have a different set of config files for 0.9.0 and 0.8.1, but i thought i copied all of the changes we made over to the 0.9.0 config files. what option did i miss?
Re: which revision of autoconf to use?
Michael Richardson [EMAIL PROTECTED] wrote:

> marajade-[modules/rlm_eap/types/rlm_eap_tls] mcr 1428 %autoconf2.13
> autoconf: Undefined macros:
> configure.in:71:AC_SMART_CHECK_INCLUDE(openssl/ssl.h)

gmake -f Makefile.in reconfig

> Is there some magic that I need to know about?

It does:

autoconf2.13 -l ../../

(to grab aclocal.m4)

Alan DeKok.
Re: FreeRadius 0.9.0 and Proxim Orinoco AP-2000 Help
Sounds like a routing problem. Can you ping the ap?

On Fri, 2003-09-05 at 17:30, David Middleton wrote:

> ---SNIP ---
> The radius server and the ap are on different networks, but there is no firewall between them.
>
> Any assistance would be appreciated,
> David
Re: which revision of autoconf to use?
Alan == Alan DeKok [EMAIL PROTECTED] writes:

Alan> gmake -f Makefile.in reconfig

>> Is there some magic that I need to know about?

Alan> It does:
Alan> autoconf2.13 -l ../../ (to grab aclocal.m4)

Thanks. Works perfectly. And of course, 2.57 doesn't have -l. Why the autoconf people insist on being so obtuse, I don't know.

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another Debian/notebook using, kernel hacking, security guy); [
Re: FreeRadius 0.9.0 and Proxim Orinoco AP-2000 Help
Yes I can. I also traced it and it is getting there. It's almost like the AP is ignoring the packets being sent to it.

David

--- Ulrich Walcher [EMAIL PROTECTED] wrote:

> Sounds like a routing problem. Can you ping the ap?
>
> On Fri, 2003-09-05 at 17:30, David Middleton wrote:
>> ---SNIP ---
>> The radius server and the ap are on different networks, but there is no firewall between them.
>>
>> Any assistance would be appreciated,
>> David
openssl dependancies
-BEGIN PGP SIGNED MESSAGE- At Alan's suggestion I built my radiusd statically. First, I noticed that the EAP sub-type modules were not linked in statically. I changed: Index: Makefile.in === RCS file: /source/radiusd/src/main/Makefile.in,v retrieving revision 1.19 diff -u -r1.19 Makefile.in - --- Makefile.in 28 Aug 2003 17:32:02 - 1.19 +++ radiusd/src/main/Makefile.in 5 Sep 2003 17:13:04 - 
@@ -31,7 +31,9 @@ #LIBS += $(OPENSSL_LIB) -lcrypto -lssl -lcrypto -lssl # MODULE_LIBS+= $(shell for x in $(MODULES);do test -f ../modules/$$x/$$x.la echo -dlpreopen ../modules/$$x/$$x.la;done) +MODULE_LIBS+= $(shell for x in $(MODULES);do test -f ../modules/*/types/$$x/$$x.la echo -dlpreopen ../modules/*/types/$$x/$$x.la;done) MODULE_OBJS+= $(shell for x in $(MODULES);do test -f ../modules/$$x/$$x.la echo ../modules/$$x/$$x.la;done) +MODULE_OBJS+= $(shell for x in $(MODULES);do test -f ../modules/*/types/$$x/$$x.la echo ../modules/*/types/$$x/$$x.la;done) endif all: $(BINARIES) Not the most elegant solution, but it worked. I then got link errors, missing HMAC_CTX_init from eap_tls. So, I threw in - -Werror to see if there were functions with no prototypes, and got: gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -I../../../../include -I../.. -DOPENSSL_NO_KRB5 -Werror -c mppe_keys.c -o mppe_keys.o cc1: warnings being treated as errors mppe_keys.c: In function `P_hash': mppe_keys.c:59: warning: implicit declaration of function `HMAC_CTX_init' mppe_keys.c:61: warning: implicit declaration of function `HMAC_Init_ex' mppe_keys.c:94: warning: implicit declaration of function `HMAC_CTX_cleanup' make: *** [mppe_keys.lo] Error 1 My openssl is too old. It is 0.9.6c-2.woody.3. http://www.openssl.org/docs/crypto/hmac.html confirms this. So, I install 0.9.7b from source. I'm not certain how to do this check, the obvious of duplicating the check for SSL_new for HMAC_CTX_init didn't work. Also, I did: AUTOCONF=autoconf2.13 ./configure ... at the top, but it didn't fill in AUTOCONF= in the Make.in. I'm not sure why this is. ] Out and about in Ottawa.hmmm... 
beer.| firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[ ] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic(Just another Debian/notebook using, kernel hacking, security guy); [
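Review bot: The two added lines pass a shell glob to test, as in `test -f ../modules/*/types/$$x/$$x.la`; if more than one module directory ever contains a `types/$$x/$$x.la`, the glob expands to several words, `test -f` is given too many arguments and errors out, and the matching `echo` would emit every expansion. Either name the parent directory explicitly (the path in this thread is modules/rlm_eap/types/) or loop over the parent directories and test each candidate on its own. The context line `#LIBS += $(OPENSSL_LIB) -lcrypto -lssl -lcrypto -lssl` is still commented out, so it would also help to document next to the new lines how a static build that preopens the EAP sub-types is expected to pick up the OpenSSL libraries.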
Re: FreeRadius 0.9.0 and Proxim Orinoco AP-2000 Help
you could log in into the AP and see what happens in there if this is supported. you mean the AP sends the Request, gets the challenge but never answers?

ciao
artur

David Middleton wrote:

> Yes I can. I also traced it and it is getting there. It's almost like the AP is ignoring the packets being sent to it.
>
> David
>
> --- Ulrich Walcher [EMAIL PROTECTED] wrote:
>> Sounds like a routing problem. Can you ping the ap?
>>
>> On Fri, 2003-09-05 at 17:30, David Middleton wrote:
>>> ---SNIP ---
>>> The radius server and the ap are on different networks, but there is no firewall between them.
>>>
>>> Any assistance would be appreciated,
>>> David
Re: dictionary.nomadix
Ulrich Walcher [EMAIL PROTECTED] wrote:

> Is there any reason why that line is no longer included in the cvs and 0.9.1?
>
> ATTRIBUTE Nomadix-Config-URL 12 string Nomadix

It was never in there in the first place.

Alan DeKok.
ALERT - GroupShield ticket number OA7900_1062786040_PVDEX01_3 was generated
Action Taken: The attachment was quarantined from the message and replaced with a text file informing the recipient of the action taken. To: [EMAIL PROTECTED] [EMAIL PROTECTED] From: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: -802649856,29586360 Subject: Re: Approved Attachment Details:- Attachment Name: details.pif File: details.pif Infected? No Repaired? No Blocked? Yes Deleted? No Virus Name: application/ms-tnef
Re: how to send EAP-Message [Re: LEAP authentication fails]
Hi,

No problem - figuring out how to do that is one of my prouder accomplishments with Freeradius. :) I run Linux, so I haven't heard of ntradpad, but I'll keep my eyes open.

You can start sending EAP-Messages this way to learn how the tools work, but you'll soon see that Freeradius rejects any response with a State that doesn't match the one it sent in the preceding challenge. A little hacking around in a debugger will show you what you need to patch.

The example I sent earlier didn't have a State attribute in the input file. To add one for other messages, just add State=state1 (or whatever value you want) to the attribute list.

The state attribute is described in RFC 2865, and EAP-Message and Message-Authenticator are in RFC 2869.

Good luck,
Dave

claufer writes:

> Hey Dave,
>
> thanks a lot! nice thing... worked fine for me so far. There´s tool called ntradpad(winnt), you can change the request type to send EAP messages with, but i didn´t tried it out now. I couldn´t really follow suit when it came to the point that RADIUS changes state attribute, cause i don´t know exactly what the RADIUS state attributes are and what they do, I can only imagine... but anyways thanks a lot! I´ll try to get some more information about these state attributes.
>
> regards, cl
>
> Dave Mason wrote:
>
>> Hi,
>>
>> Here's how I do it. I don't know of a test client that can easily build a RADIUS Access-Request with an EAP-Message - if anybody does please let us know. The radclient program supplied with Freeradius can add an EAP-Message attribute but you have to code it yourself in hex. Here's how I send an EAP/Response/Identity:
>>
>> $ radclient -f eapRspId.txt -r 1 localhost auth testing
>>
>> The eapRspId.txt file looks like this:
>>
>> ---
>> [EMAIL PROTECTED],
>> Message-Authenticator=xxx,
>> EAP-Message=0x020100210131393230353332323830303230333130407472616e7361742e636f6d
>> # EAP-Resp/id=1/type=Identity/[EMAIL PROTECTED]
>> --
>>
>> I put the comment last because radclient stops as soon as it sees a comment.
>>
>> Another thing to keep in mind. Freeradius will set the RADIUS State attribute in all challenge messages to some random value, but you'll need to use the same value in the State attribute of the response. If you're using hard coded message files like this, adding a different State value every time would be a pain, so I use a test patch in rlm_eap/state.c that sets State to some known value like state1, state2, etc., throughout the challenge sequence, and another in my rlm_eap_type to restart back to state1 when EAP-Success or Failure is sent. You can keep the state number in a global variable. This lets you hard code the State value in the eapRspXxx.txt message file. I now turn the patch on at compile time with a flag, but someday I'd like to make it configurable in radiusd.conf.
>>
>> Dave
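The hand-coded hex described in this thread follows the EAP packet layout (Code, Identifier, 2-octet Length, Type, data), so it can be generated and checked instead of typed. This is an added example, not code from the posts or from FreeRADIUS; the identity user@example.org is constructed, the file layout mirrors the eapRspId.txt shown in the thread, and the function names are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
MAX_ATTR_VALUE = 253  # RADIUS length octet allows 255, minus 2 header octets

# EAP-Message value copied from the post (the hex after "0x").
POSTED_EAP_HEX = "020100210131393230353332323830303230333130407472616e7361742e636f6d"


def build_identity_response(identifier, identity):
    """Build an EAP-Response/Identity packet for one EAP-Message attribute."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP identifier is a single octet")
    data = identity.encode("utf-8")
    length = 5 + len(data)  # code + id + length(2) + type + identity
    if length > MAX_ATTR_VALUE:
        # Longer EAP packets have to be split over several EAP-Message attributes.
        raise ValueError("packet does not fit in a single EAP-Message attribute")
    return struct.pack("!BBHB", 2, identifier, length, EAP_TYPE_IDENTITY) + data


def parse_eap(packet):
    """Decode the EAP header and verify the Length field against the octets given."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-octet EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field says {length}, got {len(packet)} octets")
    fields = {"code": EAP_CODES.get(code, f"unknown({code})"),
              "id": identifier, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        fields["type"] = packet[4]
        fields["data"] = packet[5:]
    return fields


def radclient_request(user_name, eap_packet, state=None):
    """Render the attribute file in the layout shown in the thread.

    Message-Authenticator=xxx is the placeholder value used in the post.
    The comment goes last because, as the post notes, radclient stops
    reading as soon as it sees a comment.
    """
    desc = parse_eap(eap_packet)  # refuses to emit an inconsistent packet
    attrs = [f"User-Name={user_name}",
             "Message-Authenticator=xxx",
             "EAP-Message=0x" + eap_packet.hex()]
    if state is not None:
        attrs.append(f"State={state}")  # must echo the challenge's State
    comment = f"# EAP-{desc['code']}/id={desc['id']}/type={desc.get('type')}"
    return ",\n".join(attrs) + "\n" + comment + "\n"


if __name__ == "__main__":
    pkt = build_identity_response(1, "user@example.org")
    print(radclient_request("user@example.org", pkt, state="state1"))
    posted = parse_eap(bytes.fromhex(POSTED_EAP_HEX))
    print({k: v for k, v in posted.items() if k != "data"})
```

Parsing the posted value confirms that its Length field (0x0021) matches the 33 octets actually present, which is the first thing to check when a hand-edited EAP-Message is rejected.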
RE: which revision of autoconf to use?
From: Michael Richardson
Sent: Saturday, 6 September 2003 2:25 AM

> Alan == Alan DeKok [EMAIL PROTECTED] writes:
>
> Alan> autoconf2.13 -l ../../ (to grab aclocal.m4)
>
> Thanks. Works perfectly. And of course, 2.57 doesn't have -l. Why the autoconf people insist on being so obtuse, I don't know.

In 2.57, it's -I instead... Mind you, last time we tried 2.57 over the files, it didn't work. :-(

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul TBBle Hampson
RE: FreeRADIUS 0.9.1 released!
From: Mohsen Chirara
Sent: Friday, 5 September 2003 6:26 PM

> rlm_ippool fixed in this release ?

Nope, sorry. Kostas hasn't provided the new code yet, nor an idea of the problem, and I wasn't going to put a non-widely tested fix in during the last few days...

When it's in and shown working, we'll probably release 0.9.2. I expect Kostas will be looking for people to test the new rlm_ippool code fairly soon.

--
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul TBBle Hampson