Re: DHCP in FreeRADIUS 2
On Tuesday, 10 February 2009 08:25:36, Andrew Rikhlivsky wrote:
> Hi all.
>
> Where can I read information about using DHCP opt. 82 in FreeRADIUS 2?
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

raddb/sites-available/dhcp

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
Mobile: +49 - 174 - 343 28 75
Mail: mi...@multinet.de
Web: www.multinet.de
Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
DHCP in FreeRADIUS 2
Hi all.

Where can I read information about using DHCP opt. 82 in FreeRADIUS 2?
outer identity anonymous is being rejected
My FR 2.1 is set to authenticate users via PEAP + EAP-TTLS. This works fine, but some users are being rejected because their wireless client allows the setting of an outer identity: "anonymous" or something else, which is not a valid username. So it's being rejected. How do I get the inner identity, which contains a valid username, to be processed instead of the outer identity? I've seen some posts about using *Autz-Type INNER* options but have merely succeeded in breaking my test system when trying it out.

At present this is my users file:

#If you are not in either group, no access is allowed
#FreeRADIUS 2.1
#These are the groups we are checking for Lunar Building staff
DEFAULT Ldap-Group == "lunar-staff"
        Aruba-User-Role = "employee"

DEFAULT Ldap-Group == "lunar-member"
        Aruba-User-Role = "member"

DEFAULT SQL-Group == "Guests"
        Aruba-User-Role = "guest"

DEFAULT Ldap-group != "lunar-staff", Auth-Type := Reject

DEFAULT Ldap-group != "lunar-member", Auth-Type := Reject
#End
PEAP/MS-CHAPv2 for some, Kerberos (or PAM) for others...
Hi folks,

First off, thanks to Alan and the "Configuring Authentication against Active Directory" HOWTO[1] for assistance in getting 802.1X authenticating against AD for WPA2 Enterprise. I currently have PEAP/MS-CHAPv2 authenticating against AD, TTLS/PAP against MIT Kerberos 5, and PEAP/MS-CHAPv2 against krb5 via KCRAP[2], thanks to a colleague who was already hacking on KCRAP for another project. (My supervisor wanted options...) Separately, they each work very smoothly, and PEAP/MS-CHAPv2/KCRAP will be going to production shortly.

It would seem there are potentially multiple ways to execute my next task, and I wanted to ping the group for ideas on the most elegant way to do it. It seems like it could get complicated pretty quickly, and I'd like to avoid unnecessary config bloat. If I have to run two RADIUS servers to maintain sanity, that's fine.

I'd like to integrate the function of an older RADIUS server (FR 1.0.1) into the new one (FR 2.1.3), which handles 802.1X. The old FR box handles authentication for a VPN concentrator. It has some static users defined, then defaults to PAM (which, in this context, means krb5). Krb5 works fine on the FR 2.1.3 config if I append:

    DEFAULT Auth-Type := Kerberos

to the users file. Doing so breaks all tunneled EAP methods (which reading leads me to believe is predictable). Using PAM gives similar results, and I figured it better to use FR's native krb5 support anyway.

I started down the path indicated in a seemingly similar thread[3] from February of 2008, but my understanding of FR is still not good enough that I can parlay those (mostly FR 1.x) instructions into a valid FR 2.x config, in spite of Phil Mayers' general comments re: using 2.x's virtual server functionality.

Are EAP and DEFAULTs mutually exclusive? If not, what's the most effective way to approach this? Your thoughts on the matter are appreciated.

I apologize in advance if there's already a wiki page or thread that deals with this, and accept links to such posts with great gusto. :-)

Cheers,
-sth

[1] http://deployingradius.com/documents/configuration/active_directory.html
[2] http://www.spock.org/kcrap
[3] http://www.nabble.com/PEAP-EAP-TTLS-acquires-DEFAULT-reply-attributes-via-outer-identity-td15578550.html

sam hooker | http://www.noiseplant.com
Re: Installation Problem
Alan DeKok, Marcelo Freitas,

>> I'm getting the same Make error when I try to compile this version
>> (v2.1.3) on openSUSE 11.1 (x64). I took your advice to Marcelo &
>> restarted from a fresh source tree, but got the same result both times.
>> The ./configure script ran without errors. Here's a bit more of the
>> output I got.
>
> Hm... I'm not sure what to say. This is really a libtool / libltdl
> problem. It works on all other systems I have access to (*BSD, Linux,
> MAC...)

I'm not sure if this was a libtool or libltdl issue. I downloaded your latest stable snapshot from the GIT repository (alandekok-freeradius-server-1fba1996886e7cf8188bea59c0f109a763bbc757.tar.gz), and that version built without errors on this platform, using the default configure options. I just thought I should share this change in results.

Marcelo, try building this newer version. You can download the latest snapshot (as a tar.gz or zip archive), without needing to use GIT, at http://git.freeradius.org/.

Regards,
Will Spann
Re: Problem with udpfromto in version 2.1.1 - please help
Alan DeKok,

>> Unfortunately, I'm getting the same negative results when running the
>> recommended initial radtest test "radtest test test localhost 0
>> testing123". The following is the output I get.
>>
>> radclient: socket: cannot initialize udpfromto: Function not implemented
>>
>> I'm not sure where to go from here. I'm still running with the default
>> configuration.
>
> You need to re-build the server without support for udpfromto.

I read up on udpfromto, and from what I can tell the openSUSE 11.1 (x64) package for v2.1.1 DOESN'T have udpfromto support compiled in. I believe this to be the case, because changing my radiusd.conf so that the server is only listening on a single IP, instead of the default of *, fixed my problem. radtest now gets a reply, and no longer issues an error. With this configuration, udpfromto isn't needed, so there is no more problem.

Thanks for pointing me in the right direction.

Will Spann
Override pam_auth in virtual server
Hi,

I'm using freeradius 2.1.1 (openSUSE 11.1 version). I want to implement two virtual hosts, both using pam authentication, but with different pam configs. According to the comments in modules/pam, pam_auth can be overridden in the authorize config, but unfortunately I don't know how. I just wrote pam_auth = radiusd_svn into the authorize (also tried authenticate) section, but got the following errors:

 server svn-external {
  modules {
  Module: Checking authenticate {...} for more modules to load
 /etc/raddb/sites-enabled/svn-extern[269]: Entry is not a reference to a module
 /etc/raddb/sites-enabled/svn-extern[236]: Errors parsing authenticate section.
  }
 }

 server svn-external {
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Checking authorize {...} for more modules to load
 /etc/raddb/sites-enabled/svn-extern[141]: Entry is not a reference to a module
 /etc/raddb/sites-enabled/svn-extern[68]: Errors parsing authorize section.
  }
 }

Any hints? :)

Markus
Re: Error binding port to ipv6 address
Try just 'ps -e|grep radius'; that will catch freeradius as well as radiusd, which it is called on some.

--
Leigh

On Mon, Feb 9, 2009 at 12:02 PM, D'AVELLA STEFANO <stefano.dave...@alcatel-lucent.com> wrote:
> Be sure that no other freeradius is running and also that you have
> enough rights to open such a port.
>
> Look in your inet.d or similar to avoid that another service is run
> instead of the planned freeradius.
>
> Thanks for the quick answer. I had thought the same, because some old
> mailing list posts also seemed to be related to this problem.
> I checked this possible problem before posting, but as far as I can see
> there is no other instance of freeradius running (ps -e | grep freeradius
> returns empty), and nothing is listening on that port (according to
> netstat). I also tried to change the port several times, but it's not working.
> In /etc/services, port 1812, both tcp and udp, is correctly assigned to
> radius (in fact the error message correctly uses port 1812).
>
> Regards,
>
> --
> Stefano D'Avella
RE: Error binding port to ipv6 address
> Be sure that no other freeradius is running and also that you have enough rights to open such a port.
>
> Look in your inet.d or similar to avoid that another service is run instead of the planned freeradius.

Thanks for the quick answer. I had thought the same, because some old mailing list posts also seemed to be related to this problem. I checked this possible problem before posting, but as far as I can see there is no other instance of freeradius running (ps -e | grep freeradius returns empty), and nothing is listening on that port (according to netstat). I also tried to change the port several times, but it's not working. In /etc/services, port 1812, both tcp and udp, is correctly assigned to radius (in fact the error message correctly uses port 1812).

Regards,

--
Stefano D'Avella
Re: PAP authentication and multiple LDAP userpassword attributes
Christophe Saillard wrote:
> I'm working on upgrading from FR 1.1.7 to FR 2.1.3.
>
> I use FR for EAP-TTLS/PAP authentication with LDAP.
>
> FR 1.1.7 successfully authenticates users with multiple LDAP userpassword
> attributes which are stored with crypt and/or MD5 hash; the passwords
> are not the same (even if it's better if they are):

No. In 1.1.7, the server is doing LDAP "bind as user" for authentication. It is *completely* ignoring the crypt/MD5 passwords.

...
> rlm_ldap: Added password {MD5}x in check items
> rlm_ldap: Added password {crypt}x in check items
...
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP_OSIRIS for request 29
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "saillard" with password "mycleartextpassword"
> rlm_ldap: user DN: uid=mylogin,ou=uds,ou=people,o=annuaire
> rlm_ldap: (re)connect to ldaps://ldapuds.u-strasbg.fr, authentication 1
> rlm_ldap: setting TLS mode to 1
> rlm_ldap: bind as uid=mylogin,ou=uds,ou=people,o=annuaire/polopackvih+
> to ldaps://ldapuds.u-strasbg.fr
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mylogin authenticated succesfully

See? LDAP "bind as user".

> Now with FR 2.1.3, it looks like only the first password attribute is
> used:

In 2.1.3, the "bind as user" functionality isn't used if the LDAP server returns a "known good" password.

...
> [ldap] Added User-Password = {crypt}x in check items
> [ldap] Added User-Password = {MD5}x in check items
...
> ++[pap] returns updated
> Found Auth-Type = PAP
> +- entering group authenticate {...}
> [pap] login attempt with password "mycleartextpassword"
> [pap] Using CRYPT encryption.
> [pap] Passwords don't match

The solution is simple: (1) fix it so that the passwords are NOT returned from LDAP, or (2) force "Auth-Type := LDAP" inside of the TTLS tunnel. This might break other things, but it will make the server work the same way as in 1.1.7.

Alan DeKok.
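The two behaviours Alan contrasts, as an added example that is not part of the thread and not FreeRADIUS code: a directory-side "bind as user" succeeds if any stored userPassword value matches, whereas a server that compares locally against the one "known good" password it was handed only sees the first value. The helper names (ldap_md5, ldap_ssha, verify_one, bind_as_user, known_good_first) are this example's own.

```python
"""LDAP userPassword checks, added example (not FreeRADIUS code).

Models the difference Alan describes: an LDAP "bind as user" lets the
directory test the password against every userPassword value, while a
server that takes one "known good" password from LDAP and compares it
locally (rlm_pap style) only sees the first value returned.
Schemes handled: {MD5}, {SHA}, {SSHA}; {crypt} only when the crypt
module exists (it was removed in Python 3.13).
"""
import base64
import hashlib
import hmac
import os

try:
    import crypt  # deprecated since Python 3.11, absent in 3.13
except ImportError:
    crypt = None


def ldap_md5(password: str) -> str:
    """Encode as {MD5}base64(md5(password)), the RFC 2307 style."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def ldap_ssha(password: str, salt: bytes = None) -> str:
    """Encode as {SSHA}base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_one(password: str, stored: str) -> bool:
    """Compare a cleartext password with a single userPassword value."""
    scheme, _, rest = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    pw = password.encode()
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(rest))
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(rest))
    if scheme == "SSHA":
        raw = base64.b64decode(rest)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "CRYPT":
        if crypt is None:
            raise ValueError("{crypt} values need the crypt module")
        return hmac.compare_digest(crypt.crypt(password, rest), rest)
    raise ValueError("unsupported userPassword scheme: " + scheme)


def bind_as_user(password: str, values: list) -> bool:
    """Directory-side check (FR 1.1.7 behaviour): any matching value wins."""
    return any(verify_one(password, v) for v in values)


def known_good_first(password: str, values: list) -> bool:
    """Local check on the first value returned (what the 2.1.3 log shows)."""
    return bool(values) and verify_one(password, values[0])
```

With two stored values where only the second matches, bind_as_user accepts and known_good_first rejects, which is exactly the "Passwords don't match" outcome in the 2.1.3 debug output.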
Re: Error binding port to ipv6 address
On 09.02.2009 at 17:17, D'AVELLA STEFANO wrote:
> Hello,
> I am new to Freeradius. I am running Freeradius 2.1.0 on Ubuntu 8.10, built
> from source. I have already read all the documentation I could find in the
> config files and in the wiki. The machine has two network interfaces, eth0
> and eth1, the first configured with ipv4 and the second with ipv6. I am
> interested in using freeradius with ipv6 support, so I would like to test it
> using it only on the eth1 interface. The point of my testbed will be to
> define a new attribute and transfer it to the client when it is authorized.
> But before doing that I am finding some problems in opening the ip6 socket
> in the server. In fact I configured users and clients.conf to allow my ip6
> client to connect to the server, and then in the radiusd.conf file I
> commented the ip4 listening option and uncommented the ip6 one. (I also
> commented the accounting listening part because I am not interested in it.)
> The problem is that when I run the server it exits saying (last lines):
>
>  Module: Checking session {...} for more modules to load
>  Module: Checking post-proxy {...} for more modules to load
>  Module: Checking post-auth {...} for more modules to load
>  }
> radiusd: Opening IP addresses and Ports
> listen {
>         type = "auth"
>         ipv6addr = ::   IPv6 address [::]
>         port = 0
> /etc/freeradius/radiusd.conf[236]: Error binding to port for :: port 1812

Be sure that no other freeradius is running and also that you have enough rights to open such a port.

Look in your inet.d or similar to avoid that another service is run instead of the planned freeradius.

> I checked if the ip6 interface is properly configured, and it seems so (I
> can ping other ip6 nodes, and also writing another little C program to bind
> an ip6 socket works fine). Changing the port doesn't solve the issue.
> Commenting or uncommenting the "interface" line in radiusd.conf doesn't
> change anything. Trying different types of ip6 addresses (::1, or manually
> assigned ones) doesn't work either. Obviously with ip4 I don't have any kind
> of problem. I can't understand if it is a freeradius configuration problem
> or a system configuration one.
>
> Thank you for your help!
>
> Regards,
>
> --
> Stefano D'Avella

Have a nice day!

Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Error binding port to ipv6 address
Hello,

I am new to Freeradius. I am running Freeradius 2.1.0 on Ubuntu 8.10, built from source. I have already read all the documentation I could find in the config files and in the wiki.

The machine has two network interfaces, eth0 and eth1, the first configured with ipv4 and the second with ipv6. I am interested in using freeradius with ipv6 support, so I would like to test it using it only on the eth1 interface. The point of my testbed will be to define a new attribute and transfer it to the client when it is authorized. But before doing that I am finding some problems in opening the ip6 socket in the server.

In fact I configured users and clients.conf to allow my ip6 client to connect to the server, and then in the radiusd.conf file I commented the ip4 listening option and uncommented the ip6 one. (I also commented the accounting listening part because I am not interested in it.) The problem is that when I run the server it exits saying (last lines):

 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd: Opening IP addresses and Ports
listen {
        type = "auth"
        ipv6addr = ::   IPv6 address [::]
        port = 0
/etc/freeradius/radiusd.conf[236]: Error binding to port for :: port 1812

I checked if the ip6 interface is properly configured, and it seems so (I can ping other ip6 nodes, and also writing another little C program to bind an ip6 socket works fine). Changing the port doesn't solve the issue. Commenting or uncommenting the "interface" line in radiusd.conf doesn't change anything. Trying different types of ip6 addresses (::1, or manually assigned ones) doesn't work either. Obviously with ip4 I don't have any kind of problem. I can't understand if it is a freeradius configuration problem or a system configuration one.

Thank you for your help!

Regards,

--
Stefano D'Avella
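The checks suggested across this thread (another process on the port, insufficient rights, an address the host does not own) as one small diagnostic, added here as an example that is not part of the thread and not FreeRADIUS code; it performs the same UDP bind the server attempts for "ipv6addr = ::" and names the likely cause from the errno. The function try_bind_udp6 and its status strings are this example's own.

```python
"""UDP bind diagnostic for an IPv6 RADIUS listener.

Added example, not FreeRADIUS code and not from the thread. It performs
the bind the server attempts for "ipv6addr = ::" on port 1812 and maps
the resulting errno onto the causes discussed in the thread: another
process holding the port, missing privileges, or an address that is not
configured on this host. Returns (status, detail, socket_or_None); the
socket stays open on success so the caller can see it in netstat.
"""
import errno
import socket


def try_bind_udp6(addr: str, port: int):
    """Bind a UDP socket on [addr]:port and classify the outcome."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError as exc:
        return "no_ipv6", str(exc), None
    try:
        # A pure IPv6 socket: otherwise an IPv4 listener on the same port
        # collides with [::] on dual-stack hosts and shows up as "in use".
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        sock.bind((addr, port))
        return "ok", sock.getsockname()[1], sock  # detail = bound port
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return "in_use", "another process holds the port (check ps/netstat)", None
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "no_privilege", "ports below 1024 need root or CAP_NET_BIND_SERVICE", None
        if exc.errno == errno.EADDRNOTAVAIL:
            return "addr_not_local", "address is not configured on any interface", None
        if exc.errno == errno.EAFNOSUPPORT:
            return "no_ipv6", "kernel or interface has no IPv6 support", None
        return "error", str(exc), None


if __name__ == "__main__":
    # The listener the message's radiusd.conf asks for (port 0 there means
    # the default, 1812, as the error line shows).
    status, detail, sock = try_bind_udp6("::", 1812)
    print(status, detail)
    if sock:
        sock.close()
```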
Re: Reading triplets from HLR
bruno.fa...@indt.org.br wrote:
> I'm trying to use EAP-SIM authentication for interworking between
> WLAN/3G networks.
> We have a 2G/3G HLR which operates both SS7 and SIGTRAN.
> I'm wondering if FreeRadius has any mechanism to fetch authentication
> vectors from the HLR.

No. You will have to see your HLR documentation for how the vectors can be exported.

Alan DeKok.
Re: Inner identity in accounting logs
Arran Cudbard-Bell wrote:
> As far as I'm aware this has never worked, which is why I still return
> attributes from the inner tunnel and get it that way.
>
> eap {
>     peap {
>         use_tunneled_reply = yes
>         virtual_server = "local.user.inner"
>     }
> }
>
> server local.user.inner {
>     post-auth {
>         #
>         # Return inner identity to use in final accept
>         #
>         update reply {
>             User-Name := "%{Stripped-User-Name}"
>         }
>     }
> }

This is pretty much the config I had already. My eap.conf already specifies a virtual inner server. The only difference was that I had 'use_tunneled_reply = no', so I changed that to 'yes'. My inner virtual server, 'inner-tunnel', already had an 'update reply' block identical to yours. But with this change I still get the outer identities in my accounting logs. Any ideas what's up?

> You can then apply your authorisation policy in post-auth where it
> should be already :P .

The reason for authorising before we authenticate is that the database query for authorisation is much faster than the request to the AD controllers, and this saves unnecessary load on the AD controllers. I know it's not really best practice.

Many thanks,
Jonathan
Reading triplets from HLR
Hi Users of FreeRadius,

I'm trying to use EAP-SIM authentication for interworking between WLAN/3G networks. We have a 2G/3G HLR which operates both SS7 and SIGTRAN. I'm wondering if FreeRadius has any mechanism to fetch authentication vectors from the HLR. I've seen a topic with the same question, but there was no answer. Is there any work regarding this issue?

Thank you,

Bruno Faria
Electrical Engineer
INdT - Instituto Nokia de Tecnologia
Network Technologies - Telecom LAB
Manaus, AM - Brasil - 69048-660
Mobile: +55 92 9213 6310
Office: +55 92 2126 1118
www.indt.org.br
bruno.fa...@indt.org.br / ext-bruno.fa...@nokia.com
Re: sqlippool : undefined symbol: rlm_sql_query
Sebastian Krieger wrote:
> I want to get freeradius running with the sqlippool module and mysql
> backend on Ubuntu 8.04 LTS Server.
> Everything works so far, but it seems still impossible to enable the
> sqlippool on Debian based systems.

This should be fixed in 2.1.4 when it's released. Or, you can download the "stable" version. See git.freeradius.org for instructions.

Alan DeKok.
sqlippool : undefined symbol: rlm_sql_query
Hi,

I want to get freeradius running with the sqlippool module and mysql backend on Ubuntu 8.04 LTS Server. Everything works so far, but it seems still impossible to enable the sqlippool on Debian based systems.

At first I tried the freeradius 1.1.7-1build4 packages supplied by the distribution, but then I always received the following error:

freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sqlippool.so: undefined symbol: sql_get_socket

After that I gave the backport packages of version 2.1.0 a try, because I have read somewhere that this error should be solved since version 2.0.4. But unfortunately I had the same result with it.

freeradius_2.1.0+dfsg-0ubuntu2~hardy1_i386.deb
freeradius-common_2.1.0+dfsg-0ubuntu2~hardy1_all.deb
freeradius-mysql_2.1.0+dfsg-0ubuntu2~hardy1_i386.deb
freeradius-utils_2.1.0+dfsg-0ubuntu2~hardy1_i386.deb
libfreeradius2_2.1.0+dfsg-0ubuntu2~hardy1_i386.deb

Now I tried to compile freeradius version 2.1.3 on this server and to build a fresh deb package, with success, but using sqlippool now results in a slightly different error message.

freeradius: symbol lookup error: /usr/lib/freeradius/rlm_sqlippool-2.1.3.so: undefined symbol: rlm_sql_query

In this message a patch to this problem is mentioned.
http://lists.cistron.nl/pipermail/freeradius-devel/2009-January/012736.html

And here someone relinked rlm_sqlippool to rlm_sql to get rid of this issue.
http://www.nabble.com/sqlippool-symbol-error-td20331823.html

What should I do to get sqlippool working? I don't know how to relink it.

Thanks a lot.

Sebastian

---
There seems to be a syntax error at line 24 in /usr/local/etc/raddb/sql/mysql/ippool.conf. At the end of the line "\" is missing.

including configuration file /usr/local/etc/raddb/sql/mysql/ippool.conf
/usr/local/etc/raddb/sql/mysql/ippool.conf[24]: Expecting section start brace '{' after "AND nasipaddress"
Errors reading /usr/local/etc/raddb/radiusd.conf

  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND \
  AND nasipaddress = '%{Nas-IP-Address}'"
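The missing-backslash problem in the postscript above, as an added example that is not part of the message and not FreeRADIUS code: a small lint that scans radiusd.conf-style text and reports any line that leaves a double-quoted value open without the continuation backslash. The function unterminated_lines and the sample text BROKEN (constructed after the allocate-clear query in ippool.conf) are this example's own.

```python
"""Lint for multi-line quoted values in FreeRADIUS-style config files.

Added example, not part of the message or of FreeRADIUS. In
radiusd.conf-style syntax a double-quoted value may continue onto the
next line only when the unfinished line ends with a backslash; a missing
backslash (the ippool.conf problem reported above) makes the parser read
the next line's words as new tokens and complain about them instead.
"""


def unterminated_lines(text: str):
    """Return (line_number, line) for each line that leaves a
    double-quoted string open without a trailing backslash."""
    bad = []
    in_string = False  # carried over when a line ends with a backslash
    for num, line in enumerate(text.splitlines(), 1):
        i = 0
        while i < len(line):
            ch = line[i]
            if in_string:
                if ch == "\\" and i + 1 < len(line):
                    i += 2  # backslash escape inside the string, e.g. \"
                    continue
                if ch == '"':
                    in_string = False
            else:
                if ch == "#":
                    break  # comment runs to end of line
                if ch == '"':
                    in_string = True
            i += 1
        if in_string and not line.rstrip().endswith("\\"):
            # Keep scanning as if the string continued, so one missing
            # backslash yields exactly one report.
            bad.append((num, line))
    return bad


# Constructed sample modelled on the allocate-clear query in ippool.conf;
# line 3 lacks the continuation backslash.
BROKEN = """\
allocate-clear = "UPDATE radippool \\
  SET nasipaddress = '', pool_key = 0 \\
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND
  AND nasipaddress = '%{Nas-IP-Address}'"
"""

# The same value with the backslash restored, as the message's last two lines show.
FIXED = BROKEN.replace("1 SECOND\n", "1 SECOND \\\n")

if __name__ == "__main__":
    for num, line in unterminated_lines(BROKEN):
        print("line %d: quoted value not closed and no trailing backslash: %s" % (num, line))
```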
users
Hello,

This is my users file. It works. But I have the impression that this could be optimized. Any suggestions?

DEFAULT Auth-Type = opendirectory
        Fall-Through = 1

DEFAULT Ldap-Group == "wlan_test", Airespace-Wlan-Id == 4
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "wlan_test: WLAN-44 accept",
        Fall-Through = 1

DEFAULT Ldap-Group == "vpn_users"
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "VPN-User: accepted",
        Fall-Through = 1

DEFAULT Ldap-Group != "all_wlan", NAS-IP-Address == 192.168.3.20, Auth-Type := Reject
        Reply-Message = "No all_wlan user: tc-29 rejected!!!",

DEFAULT Ldap-Group == "employees"
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "employees: accepted",
        Fall-Through = 1

DEFAULT Ldap-Group == "teacher", Airespace-Wlan-Id == 3
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "Lehrer: WLAN-44 accept",
        Fall-Through = 1

DEFAULT Ldap-Group == "teacher", Airespace-Wlan-Id == 4
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "Lehrer: WLAN-45 accept",
        Fall-Through = 1

DEFAULT Ldap-Group == "pupil", Airespace-Wlan-Id == 4
        Auth-Type := opendirectory,
        Reply-Message = "Schueler: WLAN-45 accept",
        Fall-Through = 1

DEFAULT Ldap-Group == "pupil", Airespace-Wlan-Id != 4, Auth-Type := Reject
        Reply-Message = "Schueler: Wrong WLAN!!!",

DEFAULT Ldap-Group == "schooladministration", Airespace-Wlan-Id == 6
        Auth-Type := opendirectory,
        Service-Type = Login-User,
        Reply-Message = "schooladministration: WLAN-47 accept",
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Thanks for your help
Qrt