Re: Virtual Server not setting attributes on reply
> well, looking from the log, your virtual_server doesn't appear to set any attribute in its post-auth stage. calling the right thing or SQL table?

post-auth, yes, see the virtual server config below. Remember TEST1 and TEST2 are the same virtual server, just proxying to them via different methods. That's why I was getting confused; they behave differently if you proxy to them in different ways.

> my initial thought was your attr_filter wasn't allowing that attribute through from the virtual_server (much like it would strip it out if the domain/realm wasn't allowed - check pre-proxy and post-proxy parts)

No attr filters. Ok I think we're getting somewhere with the pre- and post-proxy parts. When I tried having the sql methods in there I got the following (Note 2 starts in debug 1 for pre, 1 for post):

Module: Checking pre-proxy {...} for more modules to load
/etc/freeradius/sites-enabled/test[59]: SQL modules aren't allowed in 'pre-proxy' sections -- they have no such method.
/etc/freeradius/sites-enabled/test[58]: Errors parsing pre-proxy section.
Module: Checking post-proxy {...} for more modules to load
/etc/freeradius/sites-enabled/test[62]: SQL modules aren't allowed in 'post-proxy' sections -- they have no such method.
/etc/freeradius/sites-enabled/test[61]: Errors parsing post-proxy section.

server test {
    listen {
        # ipaddr = *
        ipaddr = 127.0.0.1
        port = 11812
        type = auth
    }
    listen {
        # ipaddr = *
        ipaddr = 127.0.0.1
        port = 11813
        type = acct
    }
    authorize {
        # preprocess
        sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MD5 {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    preacct {
        preprocess
        acct_unique
        files
    }
    accounting {
        detail
        unix
        radutmp
    }
    session {
        radutmp
        # See Simultaneous Use Checking Queries in sql.conf
        # sql
    }
    post-auth {
        sql
    }
    pre-proxy {
        # sql
    }
    post-proxy {
        # sql
        # attr_rewrite
        eap
    }
}

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Compile freeradius with wimax support
Drazen Milosevic wrote:
> Hello all, I'm trying to compile freeradius with wimax support but no success.

Perhaps you could try posting the error messages that are produced.

Alan DeKok.
Re: Compile freeradius with wimax support
On Tuesday 22 December 2009 11:39:18 Alan DeKok wrote:
> Drazen Milosevic wrote:
> > Hello all, I'm trying to compile freeradius with wimax support but no success.
>
> Perhaps you could try posting the error messages that are produced.
>
> Alan DeKok.

There are no errors, configure just ends with all modules included except rlm_wimax? The version of freeradius is 2.1.7.
Re: Compile freeradius with wimax support
Drazen Milosevic wrote:
> There are no errors, configure just ends with all modules included except rlm_wimax?

Why didn't you say that the first time?

> The version of freeradius is 2.1.7.

do:

$ ./configure --with-experimental-modules ...

Alan DeKok.
Re: Compile freeradius with wimax support
Freeradius gets compiled and installed with make install. But when I uncomment wimax in sites-enabled and start radius -X I get

/usr/local/freeradius/etc/raddb/modules/wimax[92]: Failed to link to module 'rlm_wimax': rlm_wimax.so: cannot open shared object file: No such file or directory
/usr/local/freeradius/etc/raddb/sites-enabled/default[104]: Failed to find module wimax.
/usr/local/freeradius/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.

On Tuesday 22 December 2009 11:50:35 Timothy wrote:
> He's asking what happens when you run make without the
>
> Tim
>
> Drazen Milosevic wrote:
> > On Tuesday 22 December 2009 11:39:18 Alan DeKok wrote:
> > > Drazen Milosevic wrote:
> > > > Hello all, I'm trying to compile freeradius with wimax support but no success.
> > >
> > > Perhaps you could try posting the error messages that are produced.
> > >
> > > Alan DeKok.
> >
> > There are no errors, configure just ends with all modules included except rlm_wimax? The version of freeradius is 2.1.7.
ttls+eap-md5
Hello, Alan DeKok! Thank you very much for the clear answer. Now I encounter a new problem and would very much appreciate it if you could give me some advice.

My problem: the authentication fails. Part of the information from the freeradius server is:

...
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the usr
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - anh
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
...
check_crl = yes leads to verify error:num=3:unable to get certificate CRL
Hi,

I'm doing something wrong with my Certificate Revocation List but I can't seem to understand what. I'm using freeradius 2.1.7 and openssl 0.9.8k. I'm self-signing the certificates. With check_crl = no everything works well. However, authentication does not work with check_crl = yes and I get an "unable to get certificate CRL" error. How can I debug this and understand why it can't get the CRL?

Here are the steps I perform:

# cd /etc/ssl
# openssl ca -gencrl -keyfile FHM-CA/certs/radius_client_D_831_key.pem -cert FHM-CA/certs/radius_client_D_831_cert.pem -out FHM-CA/crl/FHM_crl.pem -crldays 60
# c_rehash FHM-CA/crl
# cp FHM-CA/cacert.pem /etc/raddb/certs/FHM/
# cat FHM-CA/crl/FHM_crl.pem /etc/raddb/certs/FHM/cacert.pem
# openssl verify -CApath FHM-CA/crl FHM-CA/crl/radius_client_D_831_cert.pem
FHM-CA/crl/radius_client_D_831_cert.pem: OK

eap.conf:

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = x
    private_key_file = ${certdir}/FHM/radius_server_keycert.pem
    certificate_file = ${certdir}/FHM/radius_server_keycert.pem
    CA_file = ${cadir}/FHM/cacert.pem
    dh_file = ${certdir}/FHM/dh
    random_file = ${certdir}/FHM/random

    # Check the Certificate Revocation List
    #
    # 1) Copy CA certificates and CRLs to same directory.
    # 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
    #    'c_rehash' is OpenSSL's command.
    # 3) uncomment the line below.
    # 5) Restart radiusd
    check_crl = yes
    CA_path = /etc/ssl/FHM-CA/crl/
    crl_file = /etc/ssl/FHM-CA/crl/FHM_crl.pem
    crl_path = /etc/ssl/FHM-CA/crl/FHM_crl.pem
}

The supplicant has the radius_client_D_831_cert.p12 certificate but I get this error on the freeradius server:

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 1812
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] TLS 1.0 Handshake [length 05fe], Certificate
-- verify error:num=3:unable to get certificate CRL
[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Any ideas are greatly appreciated.

Vieri
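An added example of a tls section arranged the way the CRL check needs; it is not Vieri's configuration and not the eap.conf that ships with FreeRADIUS, and the directory name FHM-CA under certs is an assumption. With check_crl = yes FreeRADIUS hands the work to OpenSSL, which looks in CA_path for a CRL whose issuer is the CA that signed the client certificate, found through the c_rehash link <hash>.r0 sitting beside the CA certificate's <hash>.0. When no CRL with that issuer is present, the handshake fails with verify error 3 (unable to get certificate CRL) and the unknown_ca alert seen in the log. The commands in the comments reproduce that lookup outside the server.

```text
tls {
    certdir = ${confdir}/certs
    # Assumed layout: the CA certificate and its CRL share one directory
    # and c_rehash has been run on that directory.
    cadir   = ${confdir}/certs/FHM-CA

    private_key_password = x
    private_key_file = ${certdir}/FHM/radius_server_keycert.pem
    certificate_file = ${certdir}/FHM/radius_server_keycert.pem
    CA_file = ${cadir}/cacert.pem
    dh_file = ${certdir}/FHM/dh
    random_file = ${certdir}/FHM/random

    # What must exist in CA_path after c_rehash for check_crl to succeed:
    #
    #   <hash>.0   -> cacert.pem      the CA that issued the client cert
    #   <hash>.r0  -> FHM_crl.pem     a CRL signed with that CA's key
    #
    # OpenSSL selects the CRL by issuer name.  A CRL generated with any
    # other key/certificate pair carries a different issuer, is never
    # matched, and produces:
    #   verify error:num=3:unable to get certificate CRL
    #
    # Reproduce the server's check before restarting radiusd (paths are
    # examples; client_cert.pem is the certificate the supplicant presents):
    #   openssl crl  -in /etc/raddb/certs/FHM-CA/FHM_crl.pem -noout -issuer
    #   openssl x509 -in client_cert.pem -noout -issuer
    #     -> the two issuer lines must be identical
    #   openssl verify -crl_check -CApath /etc/raddb/certs/FHM-CA client_cert.pem
    #     -> "OK" only if the CRL is found and the cert is not on it.
    # "openssl verify" without -crl_check never consults the CRL, so an
    # OK from it says nothing about the revocation setup.
    check_crl = yes
    CA_path = ${cadir}
}
```

In the steps quoted in the post, the -gencrl command uses -keyfile and -cert pointing at the radius_client_D_831 key and certificate rather than at the CA's key and cacert.pem, so the issuer printed by the first two commands above would differ; that is exactly the situation the comments describe. Regenerating the CRL with the CA's key, re-running c_rehash on the directory CA_path names, and repeating the -crl_check verification gives a result that matches what the server will do.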
Re: ttls+eap-md5
anyi_9 wrote:
> Hello,Alan DeKok!Thank you very much for the clear answer. Now i encounter a new problem and would be very appreciated if you could give me some advice. My problem:The authentication is failed.Part of the information from freeradius server is: ... [eap]Handler failed in EAP/md5 [eap]Failed in EAP select

You've deleted the earlier error messages. Those contain the useful information we need to help you. Or, reading them yourself should help, too.

Alan DeKok.
Re: Compile freeradius with wimax support
On Tuesday 22 December 2009 11:57:05 Alan DeKok wrote:
> Drazen Milosevic wrote:
> > There are no errors, configure just ends with all modules included except rlm_wimax?
>
> Why didn't you say that the first time?
>
> > The version of freeradius is 2.1.7.
>
> do:
>
> $ ./configure --with-experimental-modules ...
>
> Alan DeKok.

Yeah, that was the solution.
FR 2.1.7 and Hints File
The problem I'm trying to solve relates to Windows users who leave that "Automatically use my Windows login name and password" property checked. At my site, we authenticate with PEAPv0/MSCHAPv2 with usernames and mschapv2 password hashes stored in an ldap database, not in a Windows Domain. I'd like to get FreeRadius to strip off the computer name and password for these requests based on a regular expression. As things are right now my hints file looks something like this.

DEFAULT Prefix == DOMAIN\\, Strip-User-Name = Yes
        Hint = CAMPUS

DEFAULT Prefix == DOMAIN.EDU\\, Strip-User-Name = Yes
        Hint = CAMPUS

DEFAULT Prefix == @DOMAIN.EDU\\, Strip-User-Name = Yes
        Hint = CAMPUS

And I have a bunch of these but not every computer name of course. My users file uses this for the hint.

DEFAULT Hint == CAMPUS, MS-CHAP-Use-NTLM-Auth := No
        Session-Timeout == 10800,
        Fall-Through = No

I'd like to set the hint with something like this, but I have not been able to get anything to work, nor do I know if it is even possible to use regular expressions in the hints file. I have made sure freeradius was compiled with extended regular expression support.

DEFAULT Prefix =~ ^(.*[]+), Strip-User-Name = Yes
        Hint = CAMPUS

None of these have worked, even with a subset of requests.

DEFAULT Prefix =~ ^DOMAIN
        User-Name := %{Stripped-User-Name},
        Hint = CAMPUS

DEFAULT Prefix =~ /*/, Strip-User-Name = Yes
        searchfor = ^(.*[\\/]+)

DEFAULT Prefix =~ ^(.*[]+), Strip-User-Name = Yes
        Hint = CAMPUS
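An added example, not taken from the post or from the shipped FreeRADIUS configuration. Prefix and Suffix in the hints file are pseudo-attributes: rlm_preprocess compares them against User-Name with a plain string prefix/suffix match and the operator on the line is not what decides it, so a regular expression written against Prefix never applies. The regex can instead be applied to User-Name itself in unlang in the authorize section of the virtual server, where the captured part becomes Stripped-User-Name and the Hint used by the users file above is set directly. The escaping shown (four backslashes for one literal backslash, on the assumption that the config parser strips one level and the regex engine another) and the attribute values are assumptions for this example.

```text
# sites-enabled/default (or whichever virtual server handles the PEAP
# requests); only the authorize section is shown.
authorize {
    preprocess

    # Windows sends "DOMAIN\user" or "COMPUTERNAME\user" when the
    # "Automatically use my Windows login name and password" box is
    # ticked.  Prefix/Suffix hints are matched by plain string
    # comparison, so the regex is applied to User-Name instead.
    #
    # Assumed escaping: "\\\\" reaches the regex engine as "\\", which
    # matches one literal backslash.  Check with radiusd -X that the
    # condition matches a real "DOMAIN\user" request before relying on it.
    if (User-Name =~ /^([^\\\\]+)\\\\(.+)$/) {
        update request {
            # %{1} is the machine/domain part, %{2} the real login name
            Stripped-User-Name := "%{2}"
            # Same hint the existing users entry keys on
            Hint := "CAMPUS"
        }
    }

    # eap, ldap, files, mschap and the rest of the section follow here
    # unchanged; ldap and mschap use Stripped-User-Name when it is set.
}
```

Because the whole part before the backslash is captured, one rule covers DOMAIN, DOMAIN.EDU and every individual computer name. If the escaping proves awkward on a given version, the ntdomain instance of rlm_realm shipped in modules/realm (format = prefix, delimiter = "\\") strips the same prefix and sets Stripped-User-Name, provided the realm, or a DEFAULT realm, is declared as local in proxy.conf; the Hint then still has to be set in unlang as above.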
NTLM, Kerberos 5 or LDAP
Greetings, I am trying to authenticate my network against Windows 2003 Active Directory. With help from Ivan Kalik, I was able to use NTLM to communicate with Windows 2003 server and authenticate EAP clients. On the EAP side I am using PEAP since they are mostly Windows XP clients and I don't think there is another choice (please correct me if I am wrong). However on the Radius server side, I seem to have options. It seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with the Windows Domain Controller. So my questions are: Can I use any of them? If yes, could you send me helpful links about how to use Kerberos 5 and LDAP? Which one is the most recommended and why?

You may have noticed that I have posted several questions these days and I really appreciate your help! Now I am really a fan of FreeRadius. I really want to learn it well and understand what it's capable of. I am a Cisco guy and I have some Linux experience but no programming experience. Can any of you recommend a book to me about how to use FreeRadius? I think that will stop me asking stupid questions... Thank you!

Difan Zhao
Network Engineer
difan.z...@guest-tek.com
www.guest-tek.com http://www.guest-tek.com/
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
Re: ttls+eap-md5
Hi,

> Hello,Alan DeKok!Thank you very much for the clear answer. Now i encounter a new problem and would be very appreciated if you could give me some advice. My problem:The authentication is failed.Part of the information from freeradius server is:

your problem is you haven't supplied the full debug.

alan
David Suarez De Lis/UN24956/OPERACION Y MANTENIMIENTO /TSM is out of the office.
I will be out of the office from 22/12/2009 and will not be back until 28/12/2009. I will reply to your message when I return. In case of emergency, you can contact accesos_...@telefonica (900 111 245, option 3, 2) or Jose Manuel Gomez Perez (jmgo...@telefonica.es)

___

This message is intended exclusively for its addressee and may contain information that is CONFIDENTIAL and protected by a professional privilege or whose disclosure is prohibited by law. If you are not the intended recipient you are hereby notified that any read, dissemination, copy or disclosure of this communication is strictly prohibited by law. If this message has been received in error, please immediately notify us via e-mail and delete it. Internet e-mail neither guarantees the confidentiality nor the integrity or proper receipt of the messages sent. Telefónica does not assume any liability for those circumstances.

___
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
So..., Alan suggested using unlang. I am actually reading unlang(5). If I use it, where or what file do I put your script in?

= Script that Alan wrote

authorize {
    # Both conditions must hold: a 12-character hex-style User-Name and a
    # request from the MAB switch huntgroup.  Huntgroup-Name is compared as
    # an attribute (it is not a request attribute, so %{Huntgroup-Name}
    # would expand to nothing).
    if ((User-Name =~ /[0-9a-z]{12}/i) && (Huntgroup-Name == "MAB-switches")) {
        update control {
            Auth-Type := MAB
        }
        ok = return
    }
}

authenticate {
    Auth-Type MAB {
        ok
    }
}

I do understand that I need to revise it to make it only authenticate the right MAC addresses and only respond if the request meets certain criteria or has certain attributes. Can I include these logics in unlang such as User-Name == Calling-Station-Id or Service-Type == Call-Check? In addition, I want to assign these devices to a specific VLAN. Can I add the attributes here as well? Is this VLAN assignment part of authentication or authorization?

Alexander, I did read the links you gave me very carefully and I guess I understand the logic... However it seems that I have to edit many files. I am new to FreeRadius and I don't have any programming experience... Is there a document which can tell me briefly what these files are for and how FreeRadius is using them? I don't really want to edit those files when I don't know enough about them...

Thank you both for your advice!

Difan
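An added example that takes the questions in the post through to working configuration; it is neither Alan's script nor shipped FreeRADIUS configuration. The unlang goes into the authorize and authenticate sections of the virtual server file (sites-enabled/default for a default install); the Service-Type and huntgroup tests are ordinary unlang comparisons; the permitted MAC addresses live in a separate users-format file read by a second instance of rlm_files, so adding a device is one more line in that file; and the VLAN is a set of reply attributes attached to each MAC entry, which makes it an authorization decision rather than part of authentication. The huntgroup name MAB-switches (assumed to be defined in the huntgroups file), the file names, the MAC addresses and the VLAN numbers are assumptions or constructed sample values.

```text
# ---- modules/authorized_macs  (added; instance name and file name assumed)
# A second rlm_files instance keyed on the MAC address that a switch doing
# MAB sends as User-Name.
files authorized_macs {
    key = "%{User-Name}"
    usersfile = ${confdir}/authorized_macs
}

# ---- authorized_macs  (constructed sample; MACs and VLAN ids are made up)
# One entry per permitted device; the indented lines are reply items that
# tell the switch which VLAN to place the port in.
# 001122334455
#         Tunnel-Type = VLAN,
#         Tunnel-Medium-Type = IEEE-802,
#         Tunnel-Private-Group-Id = "100"
# 00aabbccddee
#         Tunnel-Type = VLAN,
#         Tunnel-Medium-Type = IEEE-802,
#         Tunnel-Private-Group-Id = "200"

# ---- sites-enabled/default  (only the parts that change)
authorize {
    preprocess

    # Treat a request as MAC bypass only when the switch says so
    # (Service-Type = Call-Check), it comes from the MAB huntgroup, and
    # User-Name is exactly twelve hex digits.
    if ((Service-Type == Call-Check) && (Huntgroup-Name == "MAB-switches") && (User-Name =~ /^[0-9a-f]{12}$/i)) {
        # rlm_files returns ok when an entry matches and adds that entry's
        # VLAN reply items; otherwise it returns noop.
        authorized_macs
        if (ok) {
            update control {
                Auth-Type := MAB
            }
        }
        else {
            # Unknown device on a MAB port: refuse it outright.
            reject
        }
    }

    # eap, files, ldap, ... continue here as in the existing configuration
}

authenticate {
    # Nothing to verify for MAB: the decision was taken in authorize.
    Auth-Type MAB {
        ok
    }
}
```

Comparing User-Name with Calling-Station-Id is possible in the same condition, but switches format Calling-Station-Id differently (00-11-22-33-44-55, 0011.2233.4455, and so on), so it has to be normalised to the same twelve-digit form first; the rewrite_calling_station_id policy in policy.conf exists for that purpose. Keeping the huntgroup test means a normal 802.1X client cannot obtain MAB treatment simply by presenting a MAC-shaped user name from a switch that is not in the MAB group.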
Re: NTLM, Kerberos 5 or LDAP
> I am trying to authenticate my network against Windows 2003 Active Directory. With help from Ivan Kalik, I was able to use NTLM to communicate with Windows 2003 server and authenticate EAP clients. On the EAP side I am using PEAP since they are mostly windows XP clients and I don't think there is another choice (please correct me if I am wrong). However on the Radius server side, I seem to have options. It seems that I can use NTLM, Kerberos 5 or LDAP to authenticate with Windows Domain Controller. So my questions are: Can I use any of them?

No. Kerberos requires clear password in radius request, so it can't be used with peap. AD is sort of a (deliberately) broken ldap server. It won't pass the clear text password to non-Windows radius server - only to IAS. So you can't use AD as ldap for peap either. ntlm_auth it is.

Ivan Kalik
Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??
> Alexander, I did read the links you gave me very carefully and I guess I understand the logic... However it seems that I have to edit many files. I am new to the FreeRadius and I don't have any programming experience... Is there a document which can tell me briefly what these files are for and how FreeRadius is using them? I don't really want to edit those files when I don't know enough about them...

As suggested in main README - doc/README.

Ivan Kalik
Re: Virtual Server not setting attributes on reply
> post-auth, yes, see the virtual server config below. Remember TEST1 and TEST2 are the same virtual server, just proxying to them via different methods. That's why I was getting confused, They behave differently if you proxy to them in different ways.
>
> > my initial thought was your attr_filter wasnt allowing that attribute through from the virtual_server (much like it would strip it out if the domain/realm wasnt allowed - check pre-proxy and post-proxy parts)
>
> No attr filters. Ok I think we're getting somewhere with the pre- and post- proxy parts. When I tried having the sql methods in there I got the following (Note 2 starts in debug 1 for pre, 1 for post)
>
> Module: Checking pre-proxy {...} for more modules to load
> /etc/freeradius/sites-enabled/test[59]: SQL modules aren't allowed in 'pre-proxy' sections -- they have no such method.
> /etc/freeradius/sites-enabled/test[58]: Errors parsing pre-proxy section.

Use sql.authorize instead.

Ivan Kalik
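An added configuration example, not from the thread, showing Ivan's suggestion applied to the post-proxy section of the virtual server quoted above; the section contents around it are assumed. A bare module name in a section runs that module's method for the section, and rlm_sql has no pre-proxy or post-proxy method, which is the parse error in the quoted log. The module.method form names the method explicitly, so the module's authorize method can run from a section the module does not otherwise support.

```text
server test {
    # listen, authorize, authenticate, ... as in the configuration above

    post-proxy {
        # Rejected at startup: rlm_sql has no post-proxy method, giving
        #   SQL modules aren't allowed in 'post-proxy' sections -- they have no such method.
        # sql

        # Accepted: run rlm_sql's authorize method (its radcheck/radreply
        # lookups) against the request after the home server has replied.
        sql.authorize
        eap
    }
}
```

Run radiusd -X after the change; the "Module: Checking post-proxy {...} for more modules to load" line should now be followed by the sql instance being linked rather than by the parse error.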
escape in the radius accept
hello folks,

I am working on an EAP issue. The user can authenticate ok. However, if the username is like this: edu\nntest (which is 45 44 55 5c 6e 6e 74 65 73 74) then in the radius accept, the username is changed to edu'0x0a'ntest (45 44 55 0a 6e 74 65 73 74), so the '\n' has been converted to 0x0a. This doesn't affect the authentication but it does affect the display on the authenticator. I tried to search the list but couldn't find a similar question. If anyone has any workaround, please advise.

I don't have the radius debug log since this is on a production server but I don't have the packet capture in case someone is interested.

Regards,
-ns
Re: escape in the radius accept
Ning Shi wrote:
> hello folks, I am working on a EAP issue. the user could authenticated ok. however, if the username is like this: edu\nntest (wihch is ' 45 44 55 5c 6e 6e 74 65 73 74) then in the radius accept, the username changed to edu'0x0a'ntest (45 44 55 0a 6e 74 65 73 74) so the '\n' has been converted to 0x0a. this doesn't affect the authentication but it does affect the display on the authenticator. I tried to search the list but couldn't find similar question. if anyone has any workaround,

This was fixed in 2.1.7.

Alan DeKok.
How to set servers file in radiusclient-ng install ?
hi friend,

I see the tutorial at the url http://svn.dd-wrt.com:8000/dd-wrt/browser/src/router/asterisk/doc/radius.txt. It says: "Each line contains hostname of a RADIUS server and shared secret used in communication with that server." Does that mean I must set the hostname of a RADIUS server, or could I set the IP address of the RADIUS server?

Thanks!

--
Regards,
Sucan