Re: Linux Support

2003-08-17 Thread Sean O'Malley
Can't you use PAM? The PAM stuff works, it just wouldn't do quite what I
needed to do with it.

On Mon, 18 Aug 2003, Adam Carmichael wrote:

> One idea (MCSE in training and I prefer FreeBSD *grin*):
>
> Active Directory uses LDAP. FreeRADIUS can use LDAP data sources, can't it?
> Failing that, script something up to import LDAP data into MySQL and cron it (or
> Scheduled Tasks, ymmv), then get FreeRADIUS to authenticate against MySQL.
>
> Good luck
>
> Adam
>
>
> Adam Carmichael
> Network Operations Manager
> email: [EMAIL PROTECTED]
> web: http://www.no1.com.au
> icq: 2207644
> 
> #1 Computer Services, Empowerment Through Internet Communications.
> 
>   - Original Message -
>   From: arniel
>   To: [EMAIL PROTECTED]
>   Sent: Monday, August 18, 2003 4:21 PM
>   Subject: Fw: Linux Support
>
>
>
>
>
>   Hi Everyone,
>
>   Good Day!
>
>   Just want to ask how, or whether it is possible, using FreeRadius to get my users to
> authenticate to the NT Domain Controller (DC)?
>
>   As far as our simulation is concerned, our clients are issued a client certificate
> which is generated from our Linux Server. Client certificates are also installed in
> every workstation; without the certificate a wireless client can't access the
> network. So far at this point we made it work, but right now we want the clients to
> authenticate also to our Domain Controller. This is where we are having our problem:
> I am not sure how to instruct my FreeRadius to send a username and password
> to the domain controller (DC) for validation. Is there a way FreeRadius and a Domain
> Controller could communicate with each other for authentication? Our expected clients
> are Windows XP and Windows 2000 Professional.
>
>   Thank you very much in advance; we are awaiting your favorable reply.
>
>
>   Cheers,
>
>   Arniel
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Linux Support

2003-08-17 Thread Adam Carmichael



One idea (MCSE in training and I prefer FreeBSD *grin*):

Active Directory uses LDAP. FreeRADIUS can use LDAP data sources, can't it?
Failing that, script something up to import LDAP data into MySQL and cron it (or
Scheduled Tasks, ymmv), then get FreeRADIUS to authenticate against MySQL.

Good luck

Adam

Adam Carmichael
Network Operations Manager
email: [EMAIL PROTECTED]
web: http://www.no1.com.au
icq: 2207644

#1 Computer Services, Empowerment Through Internet Communications.

  - Original Message -
  From: arniel
  To: [EMAIL PROTECTED]
  Sent: Monday, August 18, 2003 4:21 PM
  Subject: Fw: Linux Support

  Hi Everyone,

  Good Day!

  Just want to ask how, or whether it is possible, using FreeRadius to get my
  users to authenticate to the NT Domain Controller (DC)?

  As far as our simulation is concerned, our clients are issued a client
  certificate which is generated from our Linux Server. Client certificates are
  also installed in every workstation; without the certificate a wireless client
  can't access the network. So far at this point we made it work, but right now
  we want the clients to authenticate also to our Domain Controller. This is
  where we are having our problem: I am not sure how to instruct my FreeRadius
  to send a username and password to the domain controller (DC) for validation.
  Is there a way FreeRadius and a Domain Controller could communicate with each
  other for authentication? Our expected clients are Windows XP and Windows 2000
  Professional.

  Thank you very much in advance; we are awaiting your favorable reply.

  Cheers,

  Arniel


Fw: Linux Support

2003-08-17 Thread arniel



 

Hi Everyone,

Good Day!

Just want to ask how, or whether it is possible, using FreeRadius to get my
users to authenticate to the NT Domain Controller (DC)?

As far as our simulation is concerned, our clients are issued a client
certificate which is generated from our Linux Server. Client certificates are
also installed in every workstation; without the certificate a wireless client
can't access the network. So far at this point we made it work, but right now
we want the clients to authenticate also to our Domain Controller. This is
where we are having our problem: I am not sure how to instruct my FreeRadius
to send a username and password to the domain controller (DC) for validation.
Is there a way FreeRadius and a Domain Controller could communicate with each
other for authentication? Our expected clients are Windows XP and Windows 2000
Professional.

Thank you very much in advance; we are awaiting your favorable reply.

Cheers,

Arniel
 


dial_up admin

2003-08-17 Thread Eka Anjas
How to configure dial_up admin




MySQL Authentication Logging

2003-08-17 Thread Adam Carmichael



Hi All!
 
I'm currently running FreeRADIUS 0.9.0 on several *BSD boxes with MySQL4 for
logging accounting and retrieving authentication information. I am interested in
knowing how to log authentication attempts and even possibly why an attempt failed.

For example, if we have a customer who thinks their dialup account is being
exploited, they can change their password and then see if any authentication
requests are being made. (Actually, just thinking about it, the user would not
need to change their password; they could just see the times at which their
logons (or attempted logons) occur.)

I have made some Google searches on the list already, and I saw a few posts in
which Alan DeKok said that it is possible to do this; however the rest of the
replies seemed to wander away from what I had hoped.

Thanks in advance

Adam

Adam Carmichael
Network Operations Manager
email: [EMAIL PROTECTED]
web: http://www.no1.com.au
icq: 2207644

#1 Computer Services, Empowerment Through Internet Communications.
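The kind of per-user view the post above asks for can be built from the server's own "Login OK" / "Login incorrect" lines. The following is an added example, not code from the post or from FreeRADIUS: it assumes that radius.log lines have the shape of the `Login OK: [apellido/apellido] (from client localhost port 0)` line shown in the radtest debug output elsewhere on this page, prefixed with a timestamp and `Auth:`; the sample log lines, user names and client names are constructed.

```python
"""Summarise login attempts per user from FreeRADIUS-style log lines.

Added example (not FreeRADIUS code). The line shape is assumed from the
'Login OK: [user/password] (from client NAME port N)' debug line on this
page plus an assumed '<date> : Auth: ' prefix; everything after the '/'
inside the brackets is discarded, so the summary never carries passwords.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^/\]]*)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)\)"
)

# Constructed sample log: three failures for one user from one NAS, then a success.
SAMPLE_LOG = """\
Mon Aug 18 16:27:33 2003 : Auth: Login OK: [apellido] (from client localhost port 0)
Mon Aug 18 16:28:01 2003 : Auth: Login incorrect: [apellido] (from client nas1 port 3)
Mon Aug 18 16:28:09 2003 : Auth: Login incorrect: [apellido] (from client nas1 port 3)
Mon Aug 18 16:28:15 2003 : Auth: Login incorrect: [apellido] (from client nas1 port 3)
Mon Aug 18 16:29:40 2003 : Auth: Login OK: [bob] (from client nas2 port 12)
Mon Aug 18 16:30:02 2003 : Auth: Login OK: [apellido] (from client nas1 port 3)
Mon Aug 18 16:30:30 2003 : Info: Ready to process requests.
"""


def parse_line(line):
    """Return a record dict for an auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ok"] = rec.pop("result") == "OK"
    return rec


def parse_log(text):
    """All auth records in a log text, in file order; non-auth lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per user: success/failure counts, clients seen, timestamps of failures."""
    out = defaultdict(lambda: {"ok": 0, "failed": 0, "clients": set(), "failed_at": []})
    for r in records:
        s = out[r["user"]]
        s["ok" if r["ok"] else "failed"] += 1
        s["clients"].add(r["client"])
        if not r["ok"]:
            s["failed_at"].append(r["ts"])
    return dict(out)


def users_over_threshold(records, max_failures=3):
    """Users whose failed attempts reach the threshold, sorted by name."""
    return sorted(u for u, s in summarize(records).items() if s["failed"] >= max_failures)


if __name__ == "__main__":
    for user, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: ok={s['ok']} failed={s['failed']} clients={sorted(s['clients'])}")
        for ts in s["failed_at"]:
            print(f"    failed at {ts}")
```

Run it against a real radius.log instead of `SAMPLE_LOG` and the output is exactly the "when did logons or attempted logons happen" list the post wants; `users_over_threshold()` is the same data turned into a simple alert. The parser keeps only the part of the bracket before the slash, so a log that does record the attempted password is reduced to user names before anything is stored or shown.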


Re: Freeradius-Users digest, Vol 1 #2201 - 12 msgs

2003-08-17 Thread arniel
Hi guys,

I am implementing an EAP-TLS configuration using Cisco Aironet 350. Certificates
came from my Linux server. Just want to ask if we have to put the
username of our client in the /raddb/users file, because I tried
generating a certificate and installed root.der and cert-clt.p12 on the
client, and it still went through even though the username is not in the /raddb/users
file.


Thanks for some advice.

arniel

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 6:15 PM
Subject: Freeradius-Users digest, Vol 1 #2201 - 12 msgs


> Today's Topics:
>
>1. Personal certificate usage problem (Antti Mattila)
>2. REPOST: rlm_sqlcounter not working... (Christos Kalantzis)
>3. EAP-TTLS and EAP-PEAP support (Janko Kersnik)
>4. Re: Personal certificate usage problem (Artur Hecker)
>5. EAP-TTLS and EAP-PEAP support (Janko Kersnik)
>6. Howto FreeRadius --Cisco350 --client win98/2k/xp (Kent Hansen)
>7. Users without a password (Brian Johnson)
>8. Memory leak... (Degrande_Samuel)
>9. RE: Users without a password (Alan Litster)
>   10. RE: Users without a password (Brian Johnson)
>   11. RE: Users without a password (Brian Johnson)
>   12. dialup_admin - user_finger.php3 (Truong Manh Cuong)
>
> --__--__--
>
> Message: 1
> Date: Thu, 14 Aug 2003 11:08:31 +0300
> From: "Antti Mattila" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Personal certificate usage problem
> Reply-To: [EMAIL PROTECTED]
>
> Unfortunately you didn't get rid of me yet.
>
> The problem doesn't relate anymore to Freeradius that much but to
> Certificate installation.
>
> When I open the Personal certificate and select Details tab->Edit
> properties I have to select Enable only the following purposes and
> deselect all but Client Authentication. Doing this Windows 2000 finds the
> certificate and EAP/TLS authentication goes OK. But if I don't do this it
> says unable to find certificate.
>
> I can't use the EKU described in Ken Roser's document because if I use it
> Windows 2000 says that the certificate has a non-valid digital signature.
> Does the EKU work only in XP? The detail tab shows only Client
> authentication as authentication method on the Personal certificate as I need though.
>
> I tried editing the openssl.cnf file and setting nsCertType = client,
> server (because it gives this type to client and server certificate using
> the script). Then I removed the extensions bits from CA.all and made the
> certificate.
>
> The Personal certificate still shows all the possible usages for the
> certificate and I have to pick the Client authentication to make it work.
>
> The problem here is that we currently don't have a Certificate server
> installed to distribute the certificates so I would like to make the
> distribution as easy as possible.
>
> Installing the two certificates is relatively easy. But if you have to
> start MMC-->Add Snap-in-->Go to Personal certificate and enable only the
> client authentication purpose it gets a lot more complicated.
>
> Any idea how to edit CA.all, OpenSSL.cnf, CA.pl or any other place to give
> the client certificate purpose to only function as client certificate so
> Windows 2000 would find it?
>
> Best regards and thank you for any help in advance:
>
> Antti Mattila
> --
> [EMAIL PROTECTED]
>
>
>
> --__--__--
>
> Message: 2
> Date: Thu, 14 Aug 2003 11:03:14 +0300
> From: Christos Kalantzis <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: REPOST: rlm_sqlcounter not working...
> Reply-To: [EMAIL PROTECTED]
>
> Hello,
>
> I have the same problem.
>
> Have you found any solution to this?
>
> Thank you in advance,
> Christos Kalantzis
>
>
> I am trying to get the rlm_sqlcounter module working in freeradius-0.8.1
> and am having a bit of trouble.  It appears that the module is not
> querying the sql database...
>
> When running radius -X, I get the following:
>
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "allcounter" returns noop
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "dailycounter" returns noop
> rlm_sqlcounter: Entering module authorize code
> rlm_sqlcounter: Could not find Check item value pair
>   modcall[authorize]: module "monthlycounter" returns noop
>
> The configuration directives for the modules are as follows:
>

Freeradius solutions

2003-08-17 Thread Nikolas Geyer
Hi,

I'm looking to implement a new radius server in the near future, and am
currently looking at freeradius.

I'd like to be able to provide a web interface for the clients to be able to
login and change their password (obviously via some form of PHP script). My
major problem is, we will also be providing POP3 email access. Is it
possible to run freeradius and something like postfix or qmail so both
authenticate off a "master database" (sql or plain text), so when a user
changes their password, it changes it for both their services
(authentication and email)? Somebody must be running a similar setup, so any
info/help would be extremely appreciated.

Regards,
Nikolas Geyer.




FR 0.8.1 Radius Proxy

2003-08-17 Thread chenshu

Hi,

I have one FR 0.8.1 running as a Radius Proxy (radius A).
I get 3 kinds of auth packet from one NAS:
(1) userid
(2) abc/[EMAIL PROTECTED]
(3) [EMAIL PROTECTED]

I would like to auth case (1) locally (radius A),
case (2) should be forwarded to radius B,
case (3) should be forwarded to radius C.

So I configured my proxy.conf in Radius A:

 realm Null {
  type = radius
  authhost = LOCAL:1645
  accthost = LOCAL:1646
 }

 realm abc {
  type = radius
  authhost = radius B:1645
  accthost = radius B:1646
  secret
  nostrip
 }

 realm DEFAULT {
  type = radius
  authhost = radius C:1645
  accthost = radius C:1646
  secret
  nostrip
 }

My radius.conf:

 authorize {
  preprocess
  #   counter
  #   attr_filter
  realmslash
  suffix
  files
 }

The problem I have is that Radius A always treats case (1) and case (3) as realm
Null, so case (3) cannot be properly proxied to Radius C.
It seems "suffix" does not work; only "realmslash" works.

Can anybody help me look at it and show how to configure my Radius Proxy (radius A)?

Thanks,

 ChenShu
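A small model of how the two realm modules in the authorize list above split a User-Name and pick a realm, added here as an example; it is not FreeRADIUS code and not from the post. It assumes that `realmslash` is rlm_realm with `format = prefix` and delimiter `/`, that `suffix` is rlm_realm with `format = suffix` and delimiter `@`, that the first instance to find a configured realm claims the request and later instances return noop, that a User-Name without the delimiter is looked up as the realm `NULL` (matched case-insensitively), and that a name matching no realm falls back to `DEFAULT`. The host names and the sample user names are constructed.

```python
"""Model of realm selection by two rlm_realm instances run in order.

Added example, not FreeRADIUS code. Assumptions (see lead-in): prefix/suffix
split, first matching instance wins, "NULL" for no delimiter, DEFAULT fallback,
case-insensitive realm names. Hosts below are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Realm:
    name: str
    authhost: str          # "LOCAL": handle here, do not proxy
    nostrip: bool = False  # forward the User-Name unchanged


# Constructed stand-in for the proxy.conf in the post (hosts are placeholders).
REALMS = [
    Realm("Null", "LOCAL"),
    Realm("abc", "radius-B", nostrip=True),
    Realm("DEFAULT", "radius-C", nostrip=True),
]

# module name in the authorize list -> (format, delimiter)
MODULES = {
    "realmslash": ("prefix", "/"),
    "suffix": ("suffix", "@"),
}


def split_user_name(user_name, fmt, delim):
    """Return (realm_name, stripped_user); no delimiter means realm "NULL"."""
    if fmt == "prefix":
        head, sep, tail = user_name.partition(delim)   # realm/user
        return ("NULL", user_name) if not sep else (head, tail)
    head, sep, tail = user_name.rpartition(delim)      # user@realm
    return ("NULL", user_name) if not sep else (tail, head)


def find_realm(name, realms):
    """Case-insensitive lookup, falling back to the DEFAULT realm if present."""
    for r in realms:
        if r.name.lower() == name.lower():
            return r
    for r in realms:
        if r.name == "DEFAULT":
            return r
    return None


def resolve(user_name, order=("realmslash", "suffix"), realms=REALMS):
    """Run the instances in `order`; the first one that finds a realm decides.

    Returns (module, realm name, authhost, User-Name as forwarded) or None
    when no instance finds a realm (request stays local, untagged).
    """
    for module in order:
        fmt, delim = MODULES[module]
        name, stripped = split_user_name(user_name, fmt, delim)
        realm = find_realm(name, realms)
        if realm is None:
            continue                       # this instance returns noop
        keep_name = realm.nostrip or realm.authhost == "LOCAL"
        return module, realm.name, realm.authhost, (user_name if keep_name else stripped)
    return None


if __name__ == "__main__":
    samples = ["userid", "abc/user@example.net", "user@example.net"]
    for order in (("realmslash", "suffix"), ("suffix", "realmslash")):
        print("authorize order:", " -> ".join(order))
        for u in samples:
            print(f"  {u:22} -> {resolve(u, order)}")
```

Under those assumptions the model reproduces the outcome reported above: with `realmslash` before `suffix`, a name with no `/` is looked up as the `NULL` realm, the `Null` entry matches it, and the `suffix` instance never gets to see case (3). Running `resolve()` with the order reversed shows the other side of the same trade-off: `suffix` first sends case (2) to `DEFAULT`, because `example.net` is not a configured realm.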





rlm_sqlcounter freebsd compile error

2003-08-17 Thread Valentin M
Hello,

I am having a hard time compiling rlm_sqlcounter on a FreeBSD machine.

Any suggestions?

Val




Re: Amount of data

2003-08-17 Thread Artur Hecker
hi


that's difficult to answer precisely without having more details. if i
understood correctly, _you_ will be authenticating your users. so, the
exact amount of data merely depends on the authentication method chosen
for user authentication between you and your user and on the number and
type of the authorization tokens included in your answer
(radius-attributes).
depending on the authentication method, it can be just one
Access-Request - Access-Accept exchange involving 1 UDP packet in each
direction. however, other authentication methods (and it's not a
question of user-name or password length) could require further
challenges sent by your server, and the number of exchanges can
practically rise up to 5-6 and more (i.e. 5-6 UDP packets in each
direction). also the packet length would change depending on the kind of
challenges and responses sent.

now, depending on the authorization tokens included, some of the packets
sent by your server will be bigger or smaller, too. i don't know which
parameters have to be included according to your policy.

what i'm trying to say is that the best man to answer this question is
you. decide what exactly you want to do, which limitations and rights
you want to grant and how you want to authenticate. then, grab the radius
base RFC and count the bytes (analytic approach). alternatively, try a
test authentication and record the data exchanged on the interface
(simulative approach).


regards,
artur


-- 
Artur Hecker
artur[at]hecker.info
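The analytic approach from the reply above, worked through as an added example (not the author's code and not FreeRADIUS code): build the smallest Access-Request, an RFC 2865 packet carrying the four attributes that radtest sends in the debug output quoted later on this page (User-Name, User-Password, NAS-IP-Address, NAS-Port), and count its bytes. The shared secret, password and Request Authenticator are constructed values; the hiding of User-Password follows RFC 2865 section 5.2.

```python
"""Count the bytes of a RADIUS Access-Request by constructing one (RFC 2865).

Added example, not from the post or from FreeRADIUS. Secret, password and
authenticator values used in the usage section are constructed.
"""
import hashlib
import os
import socket
import struct

CODE_ACCESS_REQUEST = 1
# Attribute type numbers from RFC 2865 section 5.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block            # next mask is keyed on the previous ciphertext block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value; Length counts the two header bytes, so max value is 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, secret, user_name, password, nas_ip, nas_port,
                         authenticator=None):
    """Access-Request with the four attributes radtest sends; Length is filled in."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = (
        attribute(USER_NAME, user_name.encode())
        + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + attribute(NAS_PORT, struct.pack("!I", nas_port))
    )
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header; returns {type: value}."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def byte_breakdown(packet):
    """Size of each part of the packet: the 'count the bytes' of the reply."""
    parts = [("header", HEADER_LEN)]
    parts += [(f"attribute {t}", len(v) + 2) for t, v in parse_attributes(packet).items()]
    return parts


if __name__ == "__main__":
    # Constructed values: secret, password and a fixed authenticator for repeatability.
    pkt = build_access_request(243, b"testing123", "apellido", "apellido",
                               "255.255.255.255", 0, authenticator=bytes(range(16)))
    for name, size in byte_breakdown(pkt):
        print(f"{name:14} {size:3} bytes")
    print(f"total          {len(pkt):3} bytes")
```

With those four attributes the packet comes to 60 bytes: 20 for the header, 10 for an 8-character User-Name, 18 for the 16-byte hidden password, and 6 each for NAS-IP-Address and NAS-Port. That is the `length=60` radtest reports in the debug output quoted later on this page, and changing the user name length, the password length past 16 bytes, or the attribute list moves the total accordingly. `reveal_password()` is what the server does on receipt and only yields the password with the same shared secret.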



Freeradius FAQ (14.3)

2003-08-17 Thread apellido jr., wilfredo p
After successful testing of my radius using radtest, I
tried to test using a dial-up connection. It says
"the computer you are dialling cannot establish a dial-up
connection". The problem is, according to freeradius FAQ
14.3, that the NAS has no idea which RADIUS server you use.
I ran tcpdump udp on localhost; here's the output:


16:27:33.075451 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:27:34.013197 CM-14D.mactan.ph.1046 >
mail.mactan.ph.domain:  3373+ PTR?
188.22.177.203.in-addr.arpa. (45)
16:27:34.013892 mail.mactan.ph.domain >
CM-14D.mactan.ph.1046:  3373* 1/1/1 (135)
16:27:34.014250 CM-14D.mactan.ph.1047 >
mail.mactan.ph.domain:  3374+ PTR?
160.22.177.203.in-addr.arpa. (45)
16:27:34.014909 mail.mactan.ph.domain >
CM-14D.mactan.ph.1047:  3374* 1/1/1 (135)
16:27:34.015109 CM-14D.mactan.ph.1048 >
mail.mactan.ph.domain:  3375+ PTR?
163.22.177.203.in-addr.arpa. (45)
16:27:34.015766 mail.mactan.ph.domain >
CM-14D.mactan.ph.1048:  3375* 1/1/1 (135)
16:27:35.012533 CM-14D.mactan.ph.1049 >
mail.mactan.ph.domain:  3376+ PTR?
151.22.177.203.in-addr.arpa. (45)
16:27:35.013226 mail.mactan.ph.domain >
CM-14D.mactan.ph.1049:  3376* 2/1/1[|domain]
16:28:05.050417 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:28:36.915323 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:28:46.223213 210.23.208.159.1050 >
CM-14D.mactan.ph.netbios-ns: NBT UDP PACKET(137):
QUERY; REQUEST; BROADCAST
16:28:47.013783 CM-14D.mactan.ph.1050 >
mail.mactan.ph.domain:  3377+ PTR?
159.208.23.210.in-addr.arpa. (45)
16:28:47.305273 mail.mactan.ph.domain >
CM-14D.mactan.ph.1050:  3377 NXDomain* 0/1/0 (134)
16:29:08.889632 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:29:40.864544 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:30:12.729307 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 9]:
{dialup-008.mactan.ph}(1) {dialup-
16:30:24.265651 portmaster.mactan.ph.router >
203.177.22.191.router:  RIPv1-resp [items 1]:
{dialup-023.mactan.ph}(16)
16:30:24.305225 CM-14D.mactan.ph.1051 >
mail.mactan.ph.domain:  3378+ PTR?
175.22.177.203.in-addr.arpa. (45)
16:30:24.305888 mail.mactan.ph.domain >
CM-14D.mactan.ph.1051:  3378* 1/1/1 (135)


Is my analysis correct, that the NAS doesn't know which
radius server to use? Because when I try to run radius
in debugging mode, it shows nothing, but if I use
radtest then here's the output:


rad_recv: Access-Request packet from host
127.0.0.1:1052, id=243, length=60
Thread 2 assigned request 1
--- Walking the entire request list ---
Cleaning up request 0 ID 213 with timestamp 3f3f3713
Nothing to do.  Sleeping until we see a request.
Thread 2 handling request 1, (1 handled so far)
User-Name = "apellido"
User-Password = "apellido"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "chap" returns noop
rlm_realm: No '@' in User-Name = "apellido",
looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop
radius_xlat:  'apellido'
rlm_sql (sql): sql_set_user escaped user -->
'apellido'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op
FROM radcheck WHERE Username = 'apellido' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username
= 'apellido' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op
FROM radreply WHERE Username = 'apellido' ORDER BY id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username
= 'apellido' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok
  modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns ok
auth: type Local
auth: user supplied User-Password matches local
User-Password
Login OK: [apellido/apellido] (from client localhost
port 0)
Sending Access-Accept of id 243 to 127.0.0.1:1052
Framed-Compression = Van-Jacobson-TCP-IP
Framed-Protocol = PPP
Service-Type = Framed-User
Framed-MTU = 1500
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request




What attributes am I missing? Thanks in advance






Re: (no subject)

2003-08-17 Thread Juha Sievi-Korte
On Sat, 16 Aug 2003, apellido jr., wilfredo p wrote:

>   The NAS doesn't even send any auth request to the
> radius server. When I run radiusd -xxyz -l stdout the
> log doesn't show even some problem or what, just saying
> ready to process. Do I need to put some Auth-Type in
> my users file? What is it? Thanks

 Ok, then what makes you think that the problem is in any way related to
freeradius? Check and double check your NAS configuration to make it
authenticate against your radius server.


