Re: Setting VLAN from inner-tunnel
On Mon, Mar 29, 2010 at 01:02:09PM +0100, Leighton Man wrote:

> >> Is there any way to make this work?
>
> I have it working with:
>
> update reply {
>         Tunnel-Type = "VLAN"
>         Tunnel-Medium-Type = "IEEE-802"
>         Tunnel-Private-Group-Id = 141
> }

Thanks, but unless I'm missing something I don't understand how this can work from the inner tunnel without "update outer.reply"?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Setting VLAN from inner-tunnel
Hi

I am trying to assign a VLAN for PEAP and TTLS clients using a section like this in the inner-tunnel configuration:-

update outer.reply {
        Tunnel-Private-Group-ID := 123
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
}

However, I can't get it to work. The attributes are added, and in the debug I can see that they go to the NAS in the access-challenge sections, but they are not present in the final access-accept. Is there any way to make this work?

Thanks

--
Ben Thompson
Problem with HUP occurs after upgrade from 2.1.5
Hi

I have a server running 2.1.5 which has been running happily for a long time with the same config. However, I recently tried upgrading to 2.1.8 and found that after HUP the server dies:-

Mon Mar 8 22:05:58 2010 : Info: Loaded virtual server inner-tunnel
Mon Mar 8 22:05:58 2010 : Info: Loaded virtual server
Mon Mar 8 22:05:59 2010 : Error: ASSERT FAILED modcall.c[106]: (p->type > MOD_SINGLE) && (p->type <= MOD_POLICY)

I also tried 2.1.6 and this also had the problem. Can anyone advise what this error means?

Thanks

Ben
poptop - received RADIUS server response with invalid length
Hi

We are running a poptop vpn server which authenticates via radiusclient and freeradius. Some people have reported problems logging in so I decided to investigate. Here is a log from the vpn server:-

Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP ConfReq id=0x1 ]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP ConfAck id=0x1 ]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP EchoReq id=0x0 magic=0xa7836037]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [CHAP Challenge id=0x9 , name = "pptpd"]
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP Ident id=0x2 magic=0x76cf2fdd "MSRASV5.10"]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP Ident id=0x3 magic=0x76cf2fdd "MSRAS-0-ANNA"]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP EchoRep id=0x0 magic=0x76cf2fdd]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [CHAP Response id=0x9 <4166d4713ef8cec048e88644889a7fbcadcaef9a0709f7576bad0ce28f82ed7e5fb6e8c193a192bb00>, name = "ozw1"]
Nov 14 11:26:12 nassrv3 pppd[15621]: rc_check_reply: received RADIUS server response with invalid length
Nov 14 11:26:12 nassrv3 pppd[15621]: rc_avpair_gen: received attribute with invalid length
Nov 14 11:26:12 nassrv3 pppd[15621]: Peer ozw1 failed CHAP authentication
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [CHAP Failure id=0x9 ""]
Nov 14 11:26:12 nassrv3 pppd[15621]: sent [LCP TermReq id=0x2 "Authentication failed"]
Nov 14 11:26:12 nassrv3 pppd[15621]: rcvd [LCP TermAck id=0x2 "Authentication failed"]
Nov 14 11:26:12 nassrv3 pppd[15621]: Connection terminated.
Nov 14 11:26:12 nassrv3 pppd[15621]: Exit.
Nov 14 11:26:12 nassrv3 pptpd[15620]: GRE: read(fd=6,buffer=5109c0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Reaping child PPP[15621]
Nov 14 11:26:12 nassrv3 pptpd[15620]: CTRL: Client 81.132.112.97 control connection finished

Here is the relevant part of radius.log:-

Wed Nov 14 11:26:12 2007 : Auth: Login OK: [ozw1] (from client vpnvirtualip port 0 cli 1.18)

Here is a packet capture showing the radius conversation:-

11:26:12.567346 IP vpn.york.ac.uk.33286 > nasaaa2.york.ac.uk.radius: RADIUS, Access Request (1), id: 0xc1 length: 140
11:26:12.568107 IP nasaaa2.york.ac.uk.radius > vpn.york.ac.uk.33286: RADIUS, Access Accept (2), id: 0xc1 length: 179
11:26:12.568122 IP vpn.york.ac.uk > nasaaa2.york.ac.uk: ICMP vpn.york.ac.uk udp port 33286 unreachable, length 215

Can anyone suggest what might be the problem here? I don't understand the "udp port unreachable" or the "received RADIUS server response with invalid length" messages.

Thanks

Ben Thompson
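The two radiusclient messages in the pppd log above ("received RADIUS server response with invalid length" and "received attribute with invalid length") come from the sanity checks a RADIUS client has to run on every reply before it trusts the contents. The following is an added example, not code from the thread, from radiusclient or from FreeRADIUS: it re-implements those checks in Python against constructed packets (the shared secret, Request Authenticator and attribute values are all made up here) so that each kind of malformation can be seen producing its own failure, and so it is clear how a reply the server logged as "Login OK" can still be discarded by the NAS.

```python
"""Check a RADIUS reply the way a NAS-side client must before acting on it.

Added example, not code from the thread, radiusclient or FreeRADIUS. The shared
secret, Request Authenticator and reply attributes are constructed for the
demonstration. The checks follow RFC 2865 section 3 (header Length, Response
Authenticator) and section 5 (every attribute Length >= 2 and inside the packet).
"""
import hashlib
import hmac
import struct

HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET_LEN = 4096    # RFC 2865 section 3
ACCESS_ACCEPT = 2

SECRET = b"constructed-shared-secret"   # constructed, not a real secret
REQ_AUTH = bytes(range(16))             # constructed Request Authenticator


def build_reply(code, ident, body, request_auth, secret):
    """Frame a reply around already-encoded attributes.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + resp_auth + body


def encode_attrs(attrs):
    """Encode (type, value) pairs as TLVs whose Length octet counts Type and Length too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def check_reply(datagram, request_auth, secret):
    """Return (ok, reason, attrs); attrs is the decoded (type, value) list when ok."""
    if len(datagram) < HEADER_LEN:
        return False, "datagram shorter than the RADIUS header", []
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > MAX_PACKET_LEN:
        return False, "header Length field out of range", []
    if length > len(datagram):
        return False, "header Length exceeds the received datagram", []
    # Octets beyond Length are padding and must be ignored (RFC 2865 section 3).
    packet = datagram[:length]
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "Response Authenticator mismatch (wrong secret or forged reply)", []
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            return False, "trailing octets too short for an attribute header", []
        atype, alen = packet[pos], packet[pos + 1]
        # Length below 2 is malformed, and no attribute may run past the packet end.
        if alen < 2 or pos + alen > length:
            return False, f"attribute type {atype} has invalid length {alen}", []
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return True, "ok", attrs


def good_reply():
    """Well-formed Access-Accept: Framed-Protocol(7)=PPP(1), Framed-IP-Address(8)=10.0.0.5."""
    body = encode_attrs([(7, struct.pack("!I", 1)), (8, bytes([10, 0, 0, 5]))])
    return build_reply(ACCESS_ACCEPT, 0xC1, body, REQ_AUTH, SECRET)


def bad_attr_reply():
    """Server-side defect modelled: authenticator valid, but Framed-Protocol claims Length 200."""
    body = struct.pack("!BB", 7, 200) + struct.pack("!I", 1)
    return build_reply(ACCESS_ACCEPT, 0xC1, body, REQ_AUTH, SECRET)


def truncated_reply():
    """Datagram cut short in transit: header Length says 32 but only 29 octets arrive."""
    return good_reply()[:-3]


def forged_reply():
    """Same attributes, but signed with a different secret."""
    body = encode_attrs([(7, struct.pack("!I", 1))])
    return build_reply(ACCESS_ACCEPT, 0xC1, body, REQ_AUTH, b"some-other-secret")


if __name__ == "__main__":
    cases = [("good", good_reply()), ("bad attribute length", bad_attr_reply()),
             ("truncated", truncated_reply()), ("forged", forged_reply())]
    for name, pkt in cases:
        ok, reason, attrs = check_reply(pkt, REQ_AUTH, SECRET)
        print(f"{name:22s} ok={ok} reason={reason} attrs={attrs}")
```

The order of the checks is deliberate: the Length field is validated before any hash is computed, and the Response Authenticator is verified before the attribute list is walked, so a reply that fails on an attribute Length has already shown it came from a peer holding the shared secret. That is the situation in the log above: the server accepted the login, but what it sent back did not survive the client's attribute parsing, and the client treated the whole reply as a failure.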
Re: rlm_eap_tls sometimes fails to read files after HUP
On Thu, 2006-03-23 at 12:15 -0500, Alan DeKok wrote:
> Ben Thompson <[EMAIL PROTECTED]> wrote:
> > Could someone advise how to go about debugging this problem?
>
> b) look at the logs to see what SSL errors are being returned right
> before the "Error reading certificate file" message.

Hi

Thanks for the help, here is the log:-

Fri Mar 24 15:37:19 2006 : Info: Reloading configuration files.
Fri Mar 24 15:37:19 2006 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Mar 24 15:37:19 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Fri Mar 24 15:37:19 2006 : Error: rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
Fri Mar 24 15:37:19 2006 : Error: rlm_eap_tls: Error reading certificate file
Fri Mar 24 15:37:19 2006 : Error: rlm_eap: Failed to initialize type tls
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[9]: eap: Module instantiation failed.
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[1719] Unknown module "eap".
Fri Mar 24 15:37:19 2006 : Error: radiusd.conf[1666] Failed to parse authenticate section.

--
Ben Thompson
University of York
Re: Version 1.1.1 stops responding
On Thu, 2006-03-23 at 09:24 -0500, King, Michael wrote:
> So I built 1.1.1 on Debian.
>
> After a period of so many hours (variable) it stops responding.
> (Sometimes 2 hours, sometimes 16 hours)
>
> Now here's where it gets weird, (and makes me suspect it might not be
> freeRADIUS at the root cause)
>
> If I stop and restart the freeRADIUS service, it continues to ignore
> RADIUS packets.

I am seeing a similar problem on RedHat. I originally thought it was only happening when I sent a HUP signal, but it turns out this is not the case. However, in my case all I have to do to fix it is restart the service (I do not need to reboot the entire operating system).

Ben
rlm_eap_tls sometimes fails to read files after HUP
Hi

I have just upgraded to FreeRADIUS 1.1.1 after previously using the 1.0.1 RedHat package. At first startup it works fine, but sometimes when the server receives a HUP signal (we do this every 15 mins) to re-read the config files I am getting the following errors:-

Wed Mar 22 16:48:45 2006 : Info: Reloading configuration files.
Wed Mar 22 16:48:47 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Mar 22 16:48:47 2006 : Error: rlm_eap_tls: Error reading certificate file
Wed Mar 22 16:48:47 2006 : Error: rlm_eap: Failed to initialize type tls
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[9]: eap: Module instantiation failed.
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[1719] Unknown module "eap".
Wed Mar 22 16:48:47 2006 : Error: radiusd.conf[1666] Failed to parse authenticate section.

At this point I have to restart. As I said, this only happens sometimes; at other times it is successful and I just get this:-

Wed Mar 22 16:47:36 2006 : Info: Reloading configuration files.
Wed Mar 22 16:47:36 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Mar 22 16:47:37 2006 : Info: Ready to process requests.

Could someone advise how to go about debugging this problem?

Thanks

Ben Thompson
D-Link Airplus Supplicant MSCHAP2 error
Hi

We run a WPA/TKIP/PEAP wireless network with FreeRADIUS 1.0.1 on Redhat. Most client machines tend to be Windows XP and they are usually set up to use the Microsoft built-in supplicant. Occasionally someone comes along with a Windows 2000 box and we have to set them up using whatever software came with the network card, as there is no wireless configuration tool included in the OS.

Usernames are specified using the format [EMAIL PROTECTED] and we normally reject anything without a realm using the following entry in the users file:-

DEFAULT Realm == "NULL", Auth-Type := Reject

we also have:-

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name = "%{User-Name}",
        Fall-Through = Yes

and in eap.conf:-

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
}

The other day someone came along with a Win2K box with a D-Link wireless card and we attempted to set it up to access the network. We could not get it to work and noticed the following output from FreeRADIUS:-

modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured. Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "4025"
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
  PEAP: Processing from tunneled session code 0xc15ca10 3
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "4025"
        User-Name = "[EMAIL PROTECTED]"
        MS-CHAP-Error = "\007E=691 R=1"
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 168 to 144.32.226.208:1645
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "3970"
        EAP-Message = 0x0108004819001703010018e031d8fca1c0cbfedb0cfcdce46b9a4c46758441f22e0ba417030100203027372cc858586642a97e40254bb292c08bd9e461560f21dd2c8e77b66450ee
        Message-Authenticator = 0x
        State = 0x73386b81b01f285fe325fdeb408f2f43
Finished request 6

Just for testing we removed the NULL realm reject from the users file and tested the client with the username entered on its own and found that this worked OK. Does this point to a problem with the D-Link supplicant or could it be a problem with our setup? The MSCHAP2 response is incorrect when I specify the realm. Does this mean the supplicant is incorrectly handling the username and stripped username?

Thanks

Ben Thompson
University of York
Re: Installing a signed SSL certificate
On Fri, 2005-12-02 at 10:03 -0800, Laker Netman wrote:
> I am considering use of a CA-signed SSL certificate.
> Comodo (instantssl.com) offers an "Intranet SSL"
> certificate good on a single, internal host. All of
> their documentation refers to set up with a web server
> or for email verification. Would it also work with FR?

Are you doing PEAP on a wireless network with Windows clients? If so, you need to check that the certificate includes the server authentication oid 1.3.6.1.5.5.7.3.1 in the enhanced usage section.

Cheers

Ben
Re: Intel PEAP client "Roaming Identity"
On Thu, 2005-09-15 at 13:54 -0400, Alan DeKok wrote:
> Ben Thompson <[EMAIL PROTECTED]> wrote:
> > Could anyone advise me whether it is possible to configure my server so
> > that the actual username used gets logged in the accounting records
> > instead of this roaming identity string?
>
> Configure peap{} & ttls{} with "use_tunneled_reply = yes".
>
> Add the following to the top of the "users" file:
>
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
>         User-Name = "%{User-Name}",
>         Fall-Through = Yes
>
> This will send the inner tunnel user name back to the AP, which is
> *supposed* to then use it in accounting packets.
>
> Alan DeKok.

Thanks Alan, that's done the trick.

Ben
Intel PEAP client "Roaming Identity"
Hi

We have a 802.1x/PEAP wireless network using freeRADIUS 1.0.1 on RedHat AS 4. It is important for us to know who is using the network at any given time, so the accounting logs are very useful to us.

The other day someone came along with a laptop using an Intel wireless adapter and client software. In the configuration settings for this program there was a place to enter a username and password for PEAP authentication, and there was also a field named "Roaming Identity" which by default was set to "[EMAIL PROTECTED]". The client connected up fine, but when I checked the RADIUS accounting logs I noticed that the username for that client was listed as [EMAIL PROTECTED] instead of the one I expected.

After a bit of googling I found this link on the Dell website which describes that the roaming identity is only required for MS RADIUS servers:-

http://support.dell.com/support/edocs/network/P72721/en/UtilAdv.htm

Could anyone advise me whether it is possible to configure my server so that the actual username used gets logged in the accounting records instead of this roaming identity string?

Many Thanks

Ben Thompson
Re: Require realm suffix
On Tue, 2005-09-06 at 10:49 +0200, Nicolas Baradakis wrote:
> Ben Thompson wrote:
>
> > I have set up FreeRADIUS so that I am using the realm format
> > [EMAIL PROTECTED] I have successfully got this working by adding the
> > relevant realm to proxy.conf and setting authhost and acchost to LOCAL.
> > Currently when someone logs in without specifying a realm, they are still
> > authenticated and I would like to know if it is possible to change this
> > behaviour so that users must specify the realm suffix.
>
> Perhaps you could uncomment the realm "NULL" in proxy.conf and add in
> the users file:
>
> DEFAULT Realm == "NULL", Auth-Type := Reject

Hi

That worked perfectly.

Thanks

Ben
Require realm suffix
Hi

I have set up FreeRADIUS so that I am using the realm format [EMAIL PROTECTED] I have successfully got this working by adding the relevant realm to proxy.conf and setting authhost and acchost to LOCAL. Currently when someone logs in without specifying a realm, they are still authenticated, and I would like to know if it is possible to change this behaviour so that users must specify the realm suffix.

Thanks

Ben Thompson
Re: more on server certificates
On Sat, 2005-08-27 at 13:07 +0100, Phil Mayers wrote:
> I am surprised no-one else is offering that EKU oid. Have you tried
> speaking to someone technically knowledgeable at one of the other CAs -
> it may be something they can do as a specific request, even if it's not
> a default option.

Hi

I found out yesterday that the "Secure Server" and "Secure Server Pro" certificate offerings from Verisign do contain the EKU oid. These can be bought on-line using conventional methods, so it looks like I can use one of those.

Thanks again,

Ben Thompson
more on server certificates
Hi

Has anybody got a digital certificate (with the extended key usage attributes required for PEAP) installed on their FreeRADIUS box that has been signed by a commercial trusted CA? I have come to suspect that this is impossible due to the fact that Verisign are the only company marketing such a product and it can only be installed on a Windows server (as the online purchase system only works if done from the target machine using Internet Explorer and Xenroll).

Thanks

Ben
Re: Server Certificate for use with Windows PEAP Clients
On Mon, 2005-08-22 at 12:12 -0400, Alan DeKok wrote:
> Ben Thompson <[EMAIL PROTECTED]> wrote:
> > I have read about the requirement for the certificate to include the
> > Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage
> > section and I would like to know if anyone else has had experience of
> > this.
>
> Yes. Use it, it works.
>
> > I have also heard about the special WLAN certificate available from
> > Verisign which sounds like it will do the job, but I would like to
> > hear from anyone who knows about an alternative as this one is a bit
> > pricey.
>
> See the "scripts" directory. You can create certificates, with the
> OID, for free.
>
> Alan DeKok.

Hi

Thanks for the info. I would like to get a certificate installed that has been signed by one of the trusted CAs if possible. I am not sure about the Verisign certificate, as they seem to want people to buy online and download using some sort of automated certificate installation feature in Internet Explorer on the target machine, as described here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en

Cheers

Ben
Server Certificate for use with Windows PEAP Clients
Hi

I'd like to get certificates installed on two of our FreeRADIUS boxes to satisfy the requirements of the Windows built-in PEAP client when it does its "Validate server certificate" bit. I have read about the requirement for the certificate to include the Server Authentication (1.3.6.1.5.5.7.3.1) OID in the Enhanced Key Usage section and I would like to know if anyone else has had experience of this. I have also heard about the special WLAN certificate available from Verisign which sounds like it will do the job, but I would like to hear from anyone who knows about an alternative as this one is a bit pricey.

Thanks

Ben Thompson
Re: Require NAS dependant radius return attributes
On Wed, 2005-08-17 at 10:51 -0400, Alan DeKok wrote:
> Ben Thompson <[EMAIL PROTECTED]> wrote:
> > Thanks for that advice. I can see that I could end up with a very large
> > users file using this method. Is there any limit on the size of the
> > users file?
>
> Memory. Also, the CPU time required to walk its internal
> representation (linked list).
>
> > In the near future we may have something like 80 entries in
> > there. Is this where you would normally look to use a database
> > backend?
>
> Yes. Or, if the mappings are relatively simple, you could look at
> rlm_passwd, which does simple mappings. It uses a hash to look up
> data, so it should be fast.
>
> Alan DeKok.

Hi

Thanks for the info, I will have a look at rlm_passwd. Meanwhile I have tested a setup using the huntgroups file combined with the use of multiple DEFAULT entries in the users file like this:-

huntgroups file >>>>

group1  NAS-Identifier == "accesspoint5"
group1  NAS-Identifier == "accesspoint2"
group2  NAS-Identifier == "switch6"
group2  NAS-Identifier == "switch3"
etc..

>>>>

users file >>>>

user1   NT-Password := "35C8397B2320E568467904961A2AF40F"
        Fall-Through = Yes

user2   NT-Password := "35C8397B2320E568467904961A2AF40F"
        Fall-Through = Yes

DEFAULT
        Tunnel-Type:1 := VLAN,
        Tunnel-Medium-Type:1 := IEEE-802,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group1
        Tunnel-Private-Group-ID:1 := 3970,
        Fall-Through = Yes

DEFAULT Huntgroup-Name == group2
        Tunnel-Private-Group-ID:1 := 4025

>>>>

This cuts the potential size of my users file down to about 2 entries and the huntgroups file to about 50 entries. Does this sound reasonable? I am currently running on a dual Xeon 2.8GHz with 2GB of RAM which is dedicated to running FreeRADIUS.

Many Thanks

Ben Thompson
Require NAS dependant radius return attributes
> Ben Thompson wrote:
>
> > The trouble is I need to assign different VLANs to users depending
> > on which access point they connect from. What I would like to know is if it
> > is possible to use Huntgroups to look up the VLAN id based on something
> > like the IP address of the access point?
>
> You could test the variable "Client-IP-Address" in the users file.
>
> testuser Client-IP-Address == 10.0.0.1, Password := "azerty"
>         Tunnel-Private-Group-ID:1 := 1,
>         Fall-Through = Yes
>
> testuser Client-IP-Address == 10.0.0.2, Password := "azerty"
>         Tunnel-Private-Group-ID:1 := 2,
>         Fall-Through = Yes
>
> --
> Nicolas Baradakis

Hi

Thanks for that advice. I can see that I could end up with a very large users file using this method. Is there any limit on the size of the users file? In the near future we may have something like 80 entries in there. Is this where you would normally look to use a database backend?

Thanks

Ben
Require NAS dependant radius return attributes
Hi

I have a problem which I want to find out if I can solve using FreeRADIUS. I am setting up an 802.1x based network where I want to use RADIUS assigned VLANs. I have successfully tested this with Cisco wireless access points and FreeRADIUS 1.0.1 using a users file like this:-

>>>snip>>>
test3999        NT-Password := "35C8397B2320E568467904861A2AF40F"
                Tunnel-Private-Group-ID:1 = 3999,
                Fall-Through = Yes

test4025        NT-Password := "35C8397B2320E568467904861A2AF40F"
                Tunnel-Private-Group-ID:1 = 4025,
                Fall-Through = Yes

DEFAULT
                Tunnel-Type:1 = VLAN,
                Tunnel-Medium-Type:1 = IEEE-802
>>>snip>>>

The trouble is I need to assign different VLANs to users depending on which access point they connect from. What I would like to know is if it is possible to use Huntgroups to look up the VLAN id based on something like the IP address of the access point?

Example: Let's say I have two access points called AP1 and AP2. If a user connects to AP1, I want the RADIUS server to look up from somewhere what is the correct VLAN to assign to people using AP1 and return the correct attributes to suit. If the same user connects to AP2 I want the VLAN id to be the correct one for AP2, which may be different to AP1.

Any advice would be appreciated,

Ben Thompson
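The per-access-point VLAN question asked here, and the huntgroups-plus-chained-DEFAULT setup worked out in the reply earlier on this page, both come down to two things a practitioner has to get right: how the users file walks its entries with Fall-Through, and what the ":1" in Tunnel-Type:1 becomes on the wire. The following is an added example, not FreeRADIUS code: a small Python model of exactly that subset of users-file semantics, loaded with the huntgroups and users entries from the reply (NAS identifiers, VLAN ids and the NT-Password hash are taken from there; authentication itself is not modelled), plus an RFC 2868 encoder for the three tagged Tunnel-* attributes.

```python
"""Per-NAS VLAN assignment: huntgroups + chained DEFAULT entries, then the RFC 2868
wire encoding of the resulting tagged Tunnel-* attributes.

Added example, not FreeRADIUS code. It re-implements only the users-file semantics
the thread relies on: top-down matching, Fall-Through, the := and = reply operators,
and Huntgroup-Name evaluated from the huntgroups table. Huntgroup names, NAS
identifiers and VLAN ids come from the thread; the NT-Password check items are
carried but authentication is deliberately not modelled.
"""
import struct

# huntgroups file from the thread: huntgroup -> NAS-Identifier values
HUNTGROUPS = {
    "group1": {"accesspoint5", "accesspoint2"},
    "group2": {"switch6", "switch3"},
}

# users file from the thread as (name, check items, reply items); items are
# (attribute, operator, value) and Fall-Through is a reply item like any other.
USERS = [
    ("user1", [("NT-Password", ":=", "35C8397B2320E568467904961A2AF40F")],
     [("Fall-Through", "=", "Yes")]),
    ("user2", [("NT-Password", ":=", "35C8397B2320E568467904961A2AF40F")],
     [("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [],
     [("Tunnel-Type:1", ":=", "VLAN"), ("Tunnel-Medium-Type:1", ":=", "IEEE-802"),
      ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("Huntgroup-Name", "==", "group1")],
     [("Tunnel-Private-Group-ID:1", ":=", "3970"), ("Fall-Through", "=", "Yes")]),
    ("DEFAULT", [("Huntgroup-Name", "==", "group2")],
     [("Tunnel-Private-Group-ID:1", ":=", "4025")]),
]


def huntgroups_for(request):
    """Huntgroup-Name is not in the packet; it is derived from the NAS that sent it."""
    nas = request.get("NAS-Identifier")
    return {g for g, members in HUNTGROUPS.items() if nas in members}


def check_matches(attr, op, value, request):
    if op != "==":
        return True          # ':=' check items configure authentication, they do not filter
    if attr == "Huntgroup-Name":
        return value in huntgroups_for(request)
    return request.get(attr) == value


def resolve(user, request):
    """Walk the users file top-down, applying reply items until an entry lacks Fall-Through.

    DEFAULT entries match every User-Name, so the reply is assembled regardless of
    whether authentication will later succeed.
    """
    reply = {}
    for name, checks, replies in USERS:
        if name != "DEFAULT" and name != user:
            continue
        if not all(check_matches(a, op, v, request) for a, op, v in checks):
            continue
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value == "Yes"
            elif op == ":=" or attr not in reply:   # '=' only adds when absent
                reply[attr] = value
        if not fall_through:
            break
    return reply


# RFC 2868 attribute numbers and the named values used in the thread
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VALUES = {"VLAN": 13}
TUNNEL_MEDIUM_VALUES = {"IEEE-802": 6}


def encode_tunnel_attrs(reply):
    """Encode Tunnel-* reply items; the ':1' suffix becomes the RFC 2868 Tag octet."""
    out = b""
    for attr, value in reply.items():
        name, _, tag = attr.partition(":")
        tag = int(tag) if tag else 0
        if name == "Tunnel-Type":
            data = bytes([tag]) + TUNNEL_TYPE_VALUES[value].to_bytes(3, "big")
            out += struct.pack("!BB", TUNNEL_TYPE, 2 + len(data)) + data
        elif name == "Tunnel-Medium-Type":
            data = bytes([tag]) + TUNNEL_MEDIUM_VALUES[value].to_bytes(3, "big")
            out += struct.pack("!BB", TUNNEL_MEDIUM_TYPE, 2 + len(data)) + data
        elif name == "Tunnel-Private-Group-ID":
            data = bytes([tag]) + value.encode()
            out += struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(data)) + data
    return out


if __name__ == "__main__":
    for nas in ("accesspoint5", "switch3", "unknown-nas"):
        reply = resolve("user1", {"NAS-Identifier": nas})
        print(nas, reply, encode_tunnel_attrs(reply).hex())
```

Two things the model makes visible that the config alone does not. A NAS that appears in no huntgroup still matches the first DEFAULT, so the reply carries Tunnel-Type and Tunnel-Medium-Type but no Tunnel-Private-Group-ID; what a switch does with that half-assignment is up to the switch, so every NAS should be listed (or a final catch-all DEFAULT added). And because DEFAULT entries match any User-Name, the VLAN items are assembled before authentication succeeds or fails, which is consistent with the D-Link debug output earlier on this page showing Tunnel-* items inside a tunneled reply with code 3.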