Re: Sorry for the insistence. (Logs)
Hi! Thanks for your reply! This is the result of running the server in debug mode:

#radiusd -y -x
Starting - reading configuration files ...
Ready to process requests.
radrecv: Request from host 200.30.71.1 code=1, id=255, length=97
        User-Name = "alfonso"
        Password = "\335\375\312\234_"
        NAS-IP-Address = 200.30.71.1
        NAS-Port-Id = 20105
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = ""
        Calling-Station-Id = "28222153"
        Framed-IP-Address = 200.30.71.9
        Acct-Session-Id = "427071528"
Sending Ack of id 255 to 200.30.71.1 (nas asgard)
        Session-Timeout = 28800
        Idle-Timeout = 1800
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
Login OK: [alfonso] (from nas asgard/S20105)

I need this information, but in the detail files, every hour. Thanks.

--
Diego Andrés Asenjo González
Student of Electronics and Telecommunications Engineering
Universidad del Cauca
Partner at AVATAR LTDA

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VLANs + other
hi berndt

> Radius is now running with EAP/TLS (thanks for the great help for it). But now a few last questions.
>
> We are using Enterasys Access Points and they also offer the possibility to assign clients to vlans dynamically. I have searched a lot but found no information about it (for example which attribute to use). Does anyone have experience with this kind of problem?

that's interesting: do they really offer this possibility? or do they merely map SSIDs to VLAN-IDs? if they do, the radius server probably has to send an Enterasys VSA back to the AP. this has nothing to do with the freeradius list, you should ask at Enterasys.

> Is it possible to disengage a certificate from users so that the radius server will not accept it any more? One possible solution of disabling an account is to set Auth-Type to Reject, but another user can still use the certificate, so I don't like it really.

this is out of scope, too. you've answered your own question: in radius, it's much easier to disable the user account (e.g. by authorization), whatever authentication method is used. if you want to "devaluate" the certificate, you will need a PKI with CRL support. this is basically completely out of scope, BUT remember that using a CRL you will probably do the following:

- install and manage a CRL
- put an invalid user's certificate in the CRL. that means that each process using certificates will have to be updated in order to check the CRL in the first place. that's more complicated than it sounds, since most software doesn't care about CRLs (freeradius doesn't, e.g.) at the moment. also, CRL management is complicated (in general). for each process, you will have to change the configuration, too (which CRL repository, what to do, how often).
- when you finally have applied all this, you will have to decide the following: do you want to check the CRL regularly (how often?) or do you want to do an online check of the CRL?

the advantage of the first is that the CRL (~PKI) doesn't have to be online at the moment of the verification (which so often has been advertised as a main advantage of PKIs). however, you have a problem: in which intervals should the CRL be contacted by the process? the processes will have to store the obtained CRL locally etc. and so changes propagate slowly through the network (e.g. you cancel a certificate, but the user can still log on until the next CRL download). this is far from optimal, so you will probably decide to ask your CRL at login time - this is the state of the art in PKI research. however, with the CRL being online (and thus always available, the "main" PKI advantage gone...) you will have to use some protocol to ask the CRL about the validity. first: those protocols are still all in development, there is no accepted standard. second: since a CRL is a central repository, the procedure will increase your login delay (which can be an issue). third: what happens if the CRL is not available (things happen...)? this is a problem, since normally the CRL will only contain few certificates compared to the user number, so blocking all users if the CRL is not available seems exaggerated, no? however, if you don't, invalid users can log in...

and finally, having all this set up, you'll see that basically it is exactly the same principle as with radius, only one level higher. now, radius (and every other service) will have to ask some central authority if somebody can log in. why bother?

my opinion: set Auth-Type := Reject in radius. logically, i would defend this position as follows: when your security agent at the entrance blocks a user because he doesn't know him, he doesn't try to cancel his ID card. on the contrary, he accepts his ID and THUS prohibits entrance. why shouldn't the radius server simply do the same? let the certificate be the (abstract) identity and then we'll see if we let him enter. if he can't, we don't need to follow him and take away his identity. in this model, you probably don't want to certify real names of users. rather certify their abstract logins or their email addresses etc. for the duration of their studies at your school or for a year (semester, etc.) of studies.

> Our Access Point also supports EAP-TTLS. Will freeradius support this in future?

no, your access point doesn't support EAP-TTLS and never will. your access point supports 802.1X and thus EAPOL and EAP in RADIUS. the truth is that the Access Point doesn't know *anything* about TLS, TTLS or whatever other EAP method you use. an AP can't support something like that because there is nothing to support in the first place. i think there is some development work on EAP/TTLS in freeradius, likewise for PEAP.

> And a last question! We are a school with about 2000 pupils. Does anyone have experience with the distribution of certificates and what you should care about? The problem is we are using openssl to build our certificates. So we have to program something to make it easy for
a question about freeradius & mssql2000
I am now trying to connect my freeradius to mssql2000 on FreeBSD 4.8, and keep getting a failure. I am doing as below:

- set up unixODBC at /usr/apps/unixODBC
- compile and install FreeTDS 0.61 with --with-unixODBC at /usr/local/freetds
- compile and install freeradius 0.7.1 at /usr/apps/radius

then I set the ini files as below:

odbc.ini
--------
[MyServer70]
Description = MS SQLServer2000
Driver = TDS
Server = 192.168.0.34
Database = master
UID = sa
PWD = 262721
Port = 1433
TDS_Version = 7.0

odbcinst.ini
------------
[TDS]
Description = FreeTDS v0.60
Driver = /usr/local/freetds/lib/libtdsodbc.so
FileUsage = 5

freetds.conf
------------
# A typical Microsoft SQL Server 7.0 configuration
[MyServer70]
        host = 192.168.0.34
        port = 1433
        tds version = 7.0

sql.conf of freeradius
----------------------
driver = "rlm_sql_unixodbc"
server = "MyServer70"
login = "temp5"
password = ""
radius_db = "master"

then I install the ODBC at /usr/apps/unixODBC/bin as below:

odbcinst -i -d -f ../etc/odbcinst.ini
odbcinst -i -s -f ../etc/odbc.ini

and next, I have a test:

/isql -v MyServer70 temp5

It works fine. (I noticed that wherever I place the freetds.conf, or even if I delete it from the computer, isql works fine.)

and then, I start radius and get the trace info as below:

rlm_sql: Driver rlm_sql_unixodbc loaded and linked
rlm_sql: Attempting to connect to [EMAIL PROTECTED]:/master
rlm_sql: starting 0
rlm_sql: Attempting to connect #0
rlm_sql_unixodbc: Connection failed
rlm_sql: Failed to connect DB handle #0
rlm_sql: starting 1
rlm_sql: starting 2
Re: Log file
Thanks for your reply. It was a big error. I'm new to freeradius and I couldn't find help on Google.

I have another question... Can I see more information in the log? I want to see disconnection causes, phone numbers, etc. I'm just seeing something like this:

Mon Aug 11 09:27:10 2003 : Auth: Login OK: [marmejia] (from client asgard port 20132 cli 28239904)
Mon Aug 11 09:27:11 2003 : Auth: Login OK: [marmejia] (from client asgard port 20132 cli 28239904)
Mon Aug 11 09:27:56 2003 : Auth: Login OK: [marmejia] (from client asgard port 20106 cli 28239904)
Mon Aug 11 09:27:56 2003 : Auth: Login OK: [marmejia] (from client asgard port 20106 cli 28239904)
Mon Aug 11 09:28:39 2003 : Auth: Login OK: [marmejia] (from client asgard port 20111 cli 28239904)
Mon Aug 11 09:29:50 2003 : Auth: Login OK: [davelasco] (from client asgard port 20126 cli 28230577)

I mean, something like with the -x parameter, but in the log file.
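The radius.log lines quoted above already carry four fields per event (user, client, port, calling number), and a small parser makes them usable for review: who logged in from which calling number, and how often. The following is an added example, not code from the thread or from the FreeRADIUS project; the sample lines are copied from the message, the "Login incorrect" alternative in the pattern is the failure form FreeRADIUS writes to the same log, and the "cli" field is treated as optional because a NAS that sends no Calling-Station-Id leaves it out. Disconnect causes are not in these Auth lines at all, which is why this parser cannot recover them.

```python
# Added example: parse FreeRADIUS radius.log "Auth:" lines into records and
# summarise them per user and per calling number.
import re
from collections import Counter
from datetime import datetime

# Sample input constructed from the lines quoted in the message above.
SAMPLE_LOG = """\
Mon Aug 11 09:27:10 2003 : Auth: Login OK: [marmejia] (from client asgard port 20132 cli 28239904)
Mon Aug 11 09:27:11 2003 : Auth: Login OK: [marmejia] (from client asgard port 20132 cli 28239904)
Mon Aug 11 09:27:56 2003 : Auth: Login OK: [marmejia] (from client asgard port 20106 cli 28239904)
Mon Aug 11 09:27:56 2003 : Auth: Login OK: [marmejia] (from client asgard port 20106 cli 28239904)
Mon Aug 11 09:28:39 2003 : Auth: Login OK: [marmejia] (from client asgard port 20111 cli 28239904)
Mon Aug 11 09:29:50 2003 : Auth: Login OK: [davelasco] (from client asgard port 20126 cli 28230577)
"""

# Timestamp, result, [user], client, port and an optional "cli" calling number.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: '
    r'(?P<result>Login OK|Login incorrect): \[(?P<user>[^\]]*)\] '
    r'\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)'
)


def parse_auth_log(text):
    """Return one dict per recognised Auth line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def logins_per_cli(records):
    """Count successful logins per calling number (the 'cli' field)."""
    return Counter(r["cli"] for r in records if r["result"] == "Login OK")


def ports_per_user(records):
    """Sorted list of NAS ports each user was seen on."""
    users = {r["user"] for r in records}
    return {u: sorted({r["port"] for r in records if r["user"] == u}) for u in users}


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_LOG)
    for cli, n in logins_per_cli(recs).most_common():
        print(f"cli {cli}: {n} successful logins")
    for user, ports in ports_per_user(recs).items():
        print(f"{user}: ports {ports}")
```

Run against a real radius.log the same way: feed the file contents to parse_auth_log and aggregate on whichever field matters for the review (repeated logins from one cli within seconds, as in the sample, are usually NAS retransmits rather than separate sessions).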
Re: Log file
Hi, thanks for your reply! How often is this file created? I'm seeing the logs but not the detail files. Do I need a special configuration? Do I have to run the daemon with the -A parameter? Thanks! Bye... and long life to Linux!
How-to install FreeRadius on a target (not build) machine?
Hi All:

Has anyone installed FreeRadius on a target machine other than the build machine? Both the target and build machine are of the same type (Solaris). "make install" installs the package on the build machine, which includes all the documentation (man pages, etc.), but on the target machine I need not install those documents, man pages, etc. at all.

One way would be to install on the build machine, tar & gzip the install directory and copy it over to the target machine. But I am not sure of any dependencies in this method. If anyone has done it before, can you please let me know, so that I can use the information w/o digging into the logs to find out the files to package and install.

Another question: in doing so, are there any issues that I should be aware of (like library dependencies, path_to_install, etc.)?

Thanks in advance,
Regards,
Sudhagar
Re: authorization with Framed-IP-Address
On Tue, Aug 12, 2003 at 11:16:30AM +0500, Dmitry Melekhov wrote:
> rad_recv: Access-Request packet from host 192.168.22.211:32796, id=235, length=75
>         User-Name = "chr"
>         User-Password = "j\260"\332\211\017p\265\332\253C\302\311\220Bd"
>         NAS-IP-Address = 192.168.22.211
>         NAS-Identifier = "testgk"
>         NAS-Port-Type = Virtual
>         Service-Type = Login-User
>         Framed-IP-Address = 192.168.22.1
>
> I have the following info for it:
>
> chr     Auth-Type := Local, User-Password == "chr"
>         Framed-IP-Address = 192.168.22.2
>
> How can I force radius to check Framed-IP-Address in authorization?

chr     Auth-Type := Local, User-Password == "chr", Framed-IP-Address = 192.168.22.2

Note: your Access-Request has no User-Password attribute, and authorization against this entry will fail because of this.

Oliver.
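The point of the answer is the users-file layout: items on the first line of an entry are check items matched against the request, items on the following lines are reply items, so an attribute that should gate authorization has to move up to the first line. The following added example (not code from the thread or from FreeRADIUS) models that check: it parses a rad_recv debug dump like the one quoted above (the same format as the "(Logs)" message earlier on this page) into attribute/value pairs, parses a check line in users-file syntax, and evaluates it. Only the "==" operator is treated as a comparison, which is how the users(5) operators are defined; ":=" and "=" are assignments and are passed through. Two simplifications are assumptions: the real server decrypts User-Password with the client's shared secret before comparing it, so the sample request carries a cleartext placeholder instead, and quoting of values is simplified to double quotes.

```python
# Added example: evaluate users-file style check items against a parsed
# Access-Request.  Constructed for illustration; not FreeRADIUS code.
import re

# Constructed from the request quoted in the thread.  User-Password is a
# cleartext placeholder: a real request carries it encrypted with the shared
# secret and the server decrypts it before the comparison below.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.168.22.211:32796, id=235, length=75
        User-Name = "chr"
        User-Password = "chr"
        NAS-IP-Address = 192.168.22.211
        NAS-Identifier = "testgk"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        Framed-IP-Address = 192.168.22.1
"""

# Indented "Attribute = value" lines of the debug dump; quoted or bare value.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
# Comma-separated check items: attribute, operator (==, := or =), value.
CHECK_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*(?:"([^"]*)"|([^,\s]+))')


def parse_debug_request(text):
    """Return {attribute: value} from a rad_recv debug dump."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def parse_check_items(line):
    """Parse the check-item part of a users entry (text after the username)."""
    return [
        (m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
        for m in CHECK_RE.finditer(line)
    ]


def evaluate_checks(attrs, checks):
    """Return (matched, reasons).  Only '==' items can reject a request;
    ':=' and '=' set values and are never comparisons."""
    reasons = []
    for attr, op, value in checks:
        if op != "==":
            continue
        actual = attrs.get(attr)
        if actual != value:
            reasons.append(f"{attr}: request has {actual!r}, check wants {value!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    request = parse_debug_request(SAMPLE_DEBUG)
    # Framed-IP-Address written as a comparison: the request (22.1) does not
    # match the entry (22.2), so the entry is skipped.
    strict = parse_check_items('Auth-Type := Local, User-Password == "chr", Framed-IP-Address == 192.168.22.2')
    print(evaluate_checks(request, strict))
    # Framed-IP-Address written with "=": not a comparison, so it cannot reject.
    loose = parse_check_items('Auth-Type := Local, User-Password == "chr", Framed-IP-Address = 192.168.22.2')
    print(evaluate_checks(request, loose))
```

Running it shows the practical difference between the two spellings of the same attribute on the check line: with "==" the mismatched Framed-IP-Address is reported and the entry does not match, with "=" the entry matches regardless of the address in the request.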
Re: inquiry
i can't give you the final detail for this answer but the principle is the following: windows can log in either as computer or as a user. that depends on where you put the client certificates in the xp repository. being admin you can verify this with mmc. the certificates should be computer certificates. in the 802.1X authentication tab you can also check the box "authenticate as computer". if i understand this correctly, this will make windows authenticate and establish the wireless link even without a user logon, i.e. before ctrl-alt-del. that's what you want.

ciao
artur

arniel wrote:
> Hi Guys,
>
> Just want to ask something regarding user authentication of freeradius. I am implementing wireless EAP-TLS, with CISCO Aironet 350; my certificates are generated from my LINUX BOX. So I am getting the cer-clt.p12 and root.der and installing them on my clients' PCs. We also have a Microsoft 2000 domain controller and at the same time DHCP server. My problem right now is that my XP workstation and MS 2000 Pro can't log on to the domain. As I understood it, upon PC boot up you have to press ctrl-alt-del and choose either to log on to a domain or to this computer. At this point, the PC is not yet certified to access the network because the re-certification will take place after you log on. If choosing domain, my workstation can't log on, but if choosing this computer it's OK, only I can not run a script to MAP to the domain server. And if I am going to access the server from Network Places it's going to ask me the domain username and password, which is expected because I did not log on to the domain in the first place.
>
> How can I configure the freeradius to authenticate first before the ctrl-alt-del window comes up? How can I configure my radius.conf or my radius in such a way that it is going to ask the user to input the password from the Linux radius first and after successful verification it's going to ask the domain password? For sure in this way we can now log on to the domain.
>
> The typical boot up procedure for Windows 2000 Pro and XP is that you have to click or press ctrl-alt-del to log on and you can either choose this computer or a certain domain, and after it it's going to check the certificate. Can we reverse the process? Can we verify the certificate first before the domain logon option? Please help... Has anyone tried Freeradius EAP-TLS with Microsoft Domain logon integrated?
>
> Thank you...
> Arniel
Re: checkrad always returning 0?
On Wednesday 06 August 2003 22:13, you wrote:
> for one thing, download latest release 0.9 something and try the
> checkrad which comes inside...
> then did you set etc/clients.conf and etc/naspasswd ? what did you set ?
> the important thing is nastype login and password ...
> what kind of nas do you have? etc. if you use snmp, did you try to see
> manually if you can connect to nas? do you have ucd snmp...
> and blah blah, and if you use telnet is Net::Telnet installed? perl
> module...

etc/clients.conf and etc/naspassword are set up, but since i'm only calling checkrad manually at this point, only the naspassword file has any effect. i was getting an error about a bad password before setting up naspassword, but the error message and documentation already got me past that problem.

nas: i'm told it is USR/Total Control, but when i manually telnet into it and mimic the commands of the tc module, it doesn't do what it should. but the commands in the module for netserver are correct, so i'm using that.

as for Net::Telnet, it is installed (3.02).

snmp isn't being used since i'm not using a nas that checkrad needs snmp for. i'm not sure which version of snmp i have, but it doesn't seem like that would matter in this case where the modules are using telnet to check the nas.

>
> Ray wrote:
> > trying to setup Simultaneous-Use and it is working so far, but i haven't
> > successfully setup checkrad with it.
> >
> > using freeRadius 0.8.1
> >
> > checkrad -d netserver xx.xx.xx.4 366 user 22544538
> > and it keeps outputting
> > Returning 0 (login ok)
> > even when the user is on.
> >
> > i'm using MySQL for accounting and using
> > NASIPAddress NASPortId UserName AcctSessionId
> > from radacct for the parameters to test checkrad
> >
> > what should i check or change to get that working?
Failed authentication failure
Looking for feedback from anyone who may have experienced problems with authentication failure.

Q1. Is port 0 a valid port for a request?
Q2. Does this look familiar to anyone?

FAILED Authentication Failure ^m^L

Brian
Re: FR SQL flexibility
That's it, thank you very much!

--
Best Regards,
Sinisa Burina

- Original Message -
From: "Oliver Graf" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 05:52
Subject: Re: FR SQL flexibility

> Define multiple sql instances with different queries.
>
> Use huntgroups to set an Auth-Type.
>
> Use the Auth-Type to select the correct SQL instance.