Re: TLS and TTLS

2003-09-29 Thread Michael Brown
Buy yourself a D-Link 900AP+ and see if it does TTLS.  Just a thought.

MB

 mikro network solutions  *  http://www.mikro-net.com


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to tag attributes ?

2003-09-29 Thread Nils Rønhovde
On Thu, 25 Sep 2003 14:28:33 +0200
Thomas MARCHESSEAU <[EMAIL PROTECTED]> wrote:

> Hi All,
> 
> Specs:
> - Freeradius 0.9.1, on debian woody
> - 2 Radius servers , 2 radius proxys (sharing a virtual IP)
> 
> Everything is working fine except that i would like to add (or 
> increment) tags to freeradius attributes ie:
> 
> [EMAIL PROTECTED]:~$ ./radtest [EMAIL PROTECTED] ipdyn 172.16.129.4 1812 testing123
> Sending Access-Request of id 186 to 172.16.129.4:1812
> User-Name = "[EMAIL PROTECTED]"
> User-Password = "ipdyn"
> NAS-IP-Address = 172.16.69.1
> NAS-Port = 1812
> rad_recv: Access-Accept packet from host 172.16.129.4:1812, id=186, 
> length=188
> Session-Timeout = 86400
> Idle-Timeout = 180
> Tunnel-Medium-Type:0 = IP                  <= Here
> Tunnel-Server-Endpoint:0 = "172.18.21.3"   <= here, etc ...
> Tunnel-Assignment-Id:0 = "tunnel-172.16.21.3"
> Tunnel-Client-Auth-Id:0 = "LNS-NET7-1"
> Tunnel_Local_Name = "LNS-NET7-1"
> Tunnel-Type:0 = L2TP
> Tunnel-Server-Auth-Id:0 = "srv44-2.idf1.realm.net"
> Tunnel_Remote_Name = "srv44-2.idf1.realm.net"
> Proxy-State = 0x31
> Service-Type = Framed-User
> [EMAIL PROTECTED]:~$
> 
> The tag is 0 , but i would like to obtain something like that
> 
> Tunnel-Server-Endpoint:1 = "172.18.21.3"
> 
> Any idea ?
> 

Is there anything that prevents you from saying

[EMAIL PROTECTED]   Password == "ipdyn"
	Tunnel-Server-Endpoint:0 = "172.18.21.3",
	Tunnel-Server-Endpoint:1 += "172.18.21.3",
	etc.
?
Or did you want the tag to change somewhere?

Or did I completely miss your question?

Actually, the RFC (2868) says that tag-numbering is 0x01 thru 0x1F, which means you 
should start on 1, although 0 is valid, meaning "no tag".

I'm not sure if there are radius clients, that are very particular about this.

-- 
best regards
Nils Ronhovde
Telenor
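Nils's point about tag numbering can be checked against the wire format. What follows is an added example (Python, not FreeRADIUS code) that encodes and decodes RFC 2868 tunnel attributes using the tag-octet rules from that RFC: 0x00 means the attribute refers to no particular tunnel, 0x01 through 0x1F are real tags, and for string-valued attributes a first octet above 0x1F is not a tag at all but the first byte of the string. The attribute numbers are the RFC's; the function names, the `render` helper that mimics radtest's `Name:tag = value` output, and the grouping helper are this example's own.

```python
"""RFC 2868 tagged tunnel attributes: encode, decode and group by tag.

Added example, not FreeRADIUS code. Attribute numbers come from RFC 2868;
everything else here is this example's own.
"""

# Attribute type numbers from RFC 2868.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_SERVER_ENDPOINT = 67
TUNNEL_ASSIGNMENT_ID = 82
TUNNEL_CLIENT_AUTH_ID = 90
TUNNEL_SERVER_AUTH_ID = 91

NAMES = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_SERVER_ENDPOINT: "Tunnel-Server-Endpoint",
    TUNNEL_ASSIGNMENT_ID: "Tunnel-Assignment-Id",
    TUNNEL_CLIENT_AUTH_ID: "Tunnel-Client-Auth-Id",
    TUNNEL_SERVER_AUTH_ID: "Tunnel-Server-Auth-Id",
}

# Tagged integers carry a 1-octet tag followed by a 3-octet value.
INTEGER_TAGGED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
# Tagged strings carry an optional 1-octet tag followed by the text.
STRING_TAGGED = {TUNNEL_SERVER_ENDPOINT, TUNNEL_ASSIGNMENT_ID,
                 TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID}

NO_TAG = 0x00        # attribute does not refer to a particular tunnel
MAX_TAG = 0x1F       # highest legal tag value
MAX_ATTR_LEN = 255   # RADIUS attribute Length is a single octet


def encode_tagged(attr_type, tag, value):
    """Return Type | Length | Tag | Value for one tunnel attribute."""
    if not NO_TAG <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F, got 0x%02x" % tag)
    if attr_type in INTEGER_TAGGED:
        if not 0 <= value <= 0xFFFFFF:
            raise ValueError("tagged integer must fit in 3 octets")
        body = bytes([tag]) + value.to_bytes(3, "big")
    elif attr_type in STRING_TAGGED:
        body = bytes([tag]) + value.encode("utf-8")
    else:
        raise ValueError("attribute %d is not a tagged tunnel attribute" % attr_type)
    length = 2 + len(body)
    if length > MAX_ATTR_LEN:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes([attr_type, length]) + body


def decode_tagged(raw):
    """Parse one tunnel attribute into (attr_type, tag, value)."""
    if len(raw) < 3 or raw[1] != len(raw):
        raise ValueError("malformed attribute")
    attr_type, body = raw[0], raw[2:]
    if attr_type in INTEGER_TAGGED:
        if len(raw) != 6:
            raise ValueError("tagged integer attribute must be 6 octets")
        return attr_type, body[0], int.from_bytes(body[1:], "big")
    if attr_type in STRING_TAGGED:
        if body[0] > MAX_TAG:
            # RFC 2868: a first octet above 0x1F is not a tag but the start
            # of the string, so the attribute is treated as untagged.
            return attr_type, NO_TAG, body.decode("utf-8")
        return attr_type, body[0], body[1:].decode("utf-8")
    raise ValueError("attribute %d is not a tagged tunnel attribute" % attr_type)


def render(attr_type, tag, value):
    """Show an attribute the way radtest prints it, e.g. Tunnel-Server-Endpoint:1 = "x"."""
    shown = '"%s"' % value if isinstance(value, str) else str(value)
    return "%s:%d = %s" % (NAMES[attr_type], tag, shown)


def group_by_tag(decoded):
    """Group decoded attributes by tag: each tag collects one tunnel's settings."""
    tunnels = {}
    for attr_type, tag, value in decoded:
        tunnels.setdefault(tag, {})[NAMES[attr_type]] = value
    return tunnels


if __name__ == "__main__":
    # Constructed sample: two endpoints tagged 1 and 2, plus an untagged medium type.
    wire = [
        encode_tagged(TUNNEL_MEDIUM_TYPE, 0, 1),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 1, "172.18.21.3"),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 2, "172.18.21.4"),
    ]
    decoded = [decode_tagged(w) for w in wire]
    for item in decoded:
        print(render(*item))
    print(group_by_tag(decoded))
```

The grouping helper is the reason tags exist: a NAS that receives several Tunnel-* attributes pairs them up by tag, so two endpoints that should belong to the same tunnel must carry the same tag, and attributes meant for different tunnels must not.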



Re: TLS and TTLS

2003-09-29 Thread Michael Brown
Quoting Artur Hecker <[EMAIL PROTECTED]>:


> sorry, that's still wrong. they either support EAP or not. it is 
> completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
> whichever EAP scheme might EVER come out one day in the future, they 
> support it already. nice, he?
> 
My point is EAP pass-through not the type! (So we agree but you do not see...)
Such nitpicking.  I did not mention md5 because it is IRRELEVANT to me! 
NOT ALL AP's PROVIDE EAP PASS-THROUGH FOR AUTH.
That was my point.

Michael Brown.


 mikro network solutions  *  http://www.mikro-net.com




Re: rlm_sqlcounter : file not found

2003-09-29 Thread bogdan
Hi

I must apologise, by mistake I included some user list in my email to all
my friends and our customers

Regards
Bogdan



- Original Message -
From: "Josephine" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 09, 2002 1:26 PM
Subject: RE: rlm_sqlcounter : file not found


> Aaron Weiker wrote :
> >>Before compile pass --with-experimental-modules to the configure script.
> >>This should compile it in. You may get other modules that fail to
> >>compile, what I had to do was just remove their directory and then run
> >>configure again.
>
>
>
> Hi Aaron,
> I can't get what you mean 'remove  their directory and then run
> configure'. Which directory you are referring ?
>
> Please advise. Thanks in advance.
>
>
> Josephine.
>
>




Re: How is PEAP going?

2003-09-29 Thread Alan DeKok
Dave Mason <[EMAIL PROTECTED]> wrote:
> Before flaming me, I searched the archives back to June and saw posts 
> from people working on PEAP, but nothing about any expected arrival 
> date.

  Multiple people claim to have been working on it.  No patches yet,
though.

>  We would like to use a Freeradius implementation but need some 
> idea of its availability for our planning.  Even a ballpark figure 
> would help - December?  March?  I understand that TTLS is in the CVS 
> head, so maybe some common code is done?

  From what I can tell of reading the specs, TTLS is TLS + Diameter in
the TLS tunnel.  PEAP is TLS + EAP in the TLS tunnel.  So from that
perspective, 99% of the work for PEAP should already be done, because
TTLS is already in the server.

  There's a problem, though.  Its name is Microsoft.  Not only do
they not know how to program, they don't know how to design protocols,
or how to write specs, or how to implement those specs.  They did *all*
of those stages wrong with PEAP.

  When I did the TTLS work, I read the spec, wrote some code, poked
around with TLS certificates, and got it working pretty quickly.  In
fact, the major portion of the work for TTLS was re-arranging the EAP
module & server core to allow the later TTLS code to work.  The
implementation of TTLS itself is simple, as the TTLS module is small.

  But PEAP is different.  It's not EAP inside of TLS.  It's something
that's not quite EAP, inside of something that's not quite TLS.
Further, there are three versions of the protocol: 0, 1, and 2.  To be
completely inter-operable, any PEAP module will have to implement all
3 versions.

  But even that isn't good enough.  Read some of the PEAP related
articles on the net.  There's the Microsoft implementation of PEAP,
and the Cisco implementation of PEAP.  They don't inter-operate.
There are multiple PEAP clients, each of which have different bugs,
and which implement the protocol slightly differently.

  So PEAP isn't one protocol.  It's more like 5-10 closely related
protocols.

  My conclusion is that PEAP sucks.  PEAP sucks horribly.  It's an
incredibly stupid protocol, described in a poorly written spec, and
implemented even more poorly.  In contrast, TTLS is wonderful,
beautiful, and simple.  It's designed correctly, described well, and
implemented almost trivially.


  My suggestion for people wanting PEAP (and who've read this far in
the rant), is for them to get PEAP packet traces for multiple clients
and servers, and post them on the net.  Include packet data from
inside & outside of the TLS tunnel, and also which clients & server
software you're using.  Post the URL to the list, and I'll start
collecting the data for anyone implementing PEAP.

  And if you're worried about client/server licenses forbidding
"reverse engineering", do that work and post it in a free country like
Canada, where those clauses are unenforceable, and the DMCA doesn't
exist.

  Alan DeKok.



How is PEAP going?

2003-09-29 Thread Dave Mason
Hi all,
Before flaming me, I searched the archives back to June and saw posts 
from people working on PEAP, but nothing about any expected arrival 
date.  We would like to use a Freeradius implementation but need some 
idea of its availability for our planning.  Even a ballpark figure 
would help - December?  March?  I understand that TTLS is in the CVS 
head, so maybe some common code is done?

Regards,
Dave




Re: How to tag attributes ?

2003-09-29 Thread Alan DeKok
Thomas MARCHESSEAU <[EMAIL PROTECTED]> wrote:
> no idea ?

  The server isn't set up to do that.  It's something that no one else
has had the need for.

  I suggest writing a small module to do it.

  Alan DeKok.



Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi

i don't think it's correct unless you have some dumb option to 
explicitly block TTLS. you should post some server logs in order to 
prove that nothing is coming.

let me explain myself: in _EACH_ EAP method the first packet incoming at 
the RADIUS server will be either EAPOL Start OR EAP Response/Identity 
message. i want to see a log file, where the Response/Identity of the 
TLS is arriving and the response identity of the TTLS is not - knowing 
that the both packets are exactly the same. i don't see, why the 
following packets wouldn't be forwarded to the server. prove it.

i personally think that the problem is the client-server interaction. 
something is wrong and your client is not responding and you don't know 
why, so you suppose it's the AP but it's not.

ciao
artur
Nixon, Anthony S. wrote:

Thanks very much for the education on AP's, but this still does not answer
the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass
EAP-TTLS?




Re: [dictionary] How to add vendor specific attribute of arbitrary format ?

2003-09-29 Thread Alan DeKok
"Sunil Kulkarni" <[EMAIL PROTECTED]> wrote:
> Given the well structured freeradius code,
> it was simpler for me to add a new type "raw" that just copies the
> given octets immediately after the vendor-id in the RADIUS send
> packet. It solved my problem.

  The server already supports the 'octets' data type, which is exactly
the same as 'raw'.  That's not the problem.

  The problem is that the rad_recv() function doesn't know about
dictionary entries, or vendors.  This makes me think we've got to
re-arrange some of the code.

  Alan DeKok.



Re: Dialup Admin & Users File

2003-09-29 Thread Kostas Kalevras
On Mon, 29 Sep 2003, Matt wrote:

> Is it possible to use Dialup Admin with a plain users file?  If so how?

No it isn't possible.

>
> Matt
>
>

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Dialup Admin & Users File

2003-09-29 Thread Matt
Is it possible to use Dialup Admin with a plain users file?  If so how?

Matt




Re: TLS and TTLS

2003-09-29 Thread Alan DeKok
"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
...

  Please don't top post.  It's annoying.  e.g.

  A: Because it sucks.
  Q: Why is top posting bad?


  Posting things in order is nice, as in:

> >   Funk may not implement TTLS correctly...
>
> Umm, forgive me, but I thought they wrote the spec?

  Yes.  So?

  Search the net for TTLS.  You'll discover that the spec says one
thing, and that Funk has implemented something slightly different, for
part of the TTLS protocol.

  Alan DeKok.



RE: TLS and TTLS

2003-09-29 Thread Jeremy Davis
Umm 802.1X was designed by meetinghouse www.mtghouse.com for incorporation
with HP for their Procurve line of products.  Funk Software co-invented
EAP-TTLS with Certicom.

Jeremy


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nixon,
Anthony S.
Sent: Monday, September 29, 2003 9:35 AM
To: '[EMAIL PROTECTED]'
Subject: RE: TLS and TTLS


Umm, forgive me, but I thought they wrote the spec?


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS


"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
> When I switch it over to authenticate with TTLS, I get a "Failure -
> Authentication rejected by server" on the Funk 2.22 client.

  Funk may not implement TTLS correctly...


  Alan DeKok.



This message, including any attachments, is intended only for the use of the
addressee and contains information that is PRIVILEGED and CONFIDENTIAL.  It
may be used only by the addressee and may not be divulged without the
express consent of the sender.  If you have received this communication in
error, please erase all copies of the message and its attachments and notify
us immediately.  Thank you.






Re: pap ldap

2003-09-29 Thread Alan DeKok
Ossama Suleiman <[EMAIL PROTECTED]> wrote:
> but still do i get the same error:*
> *rlm_pap: No password (or empty password) to check against for for user soe
...
> rlm_ldap: Password header not found in password {CRYPT}wCXDeZp/uLRGE for 
> user soe

  You might try fixing that error.  See the configuration for the
'ldap' module.

  Alan DeKok.



Re: auth detail module

2003-09-29 Thread Alan DeKok
"Roberto Pioli" <[EMAIL PROTECTED]> wrote:
> I try to explain but my english is not so good.

  That's fine.  It's just that it's easier to understand what you mean
when you type longer, and more descriptive sentences.  That gives
enough information so that your meaning can be figured out from
context.

> My question is: can I add attribute to log in this file?

  Some modules can add attributes to the request, which are then
logged along with all others in the detail file.

  If you want the NAS to send more attributes, see the FAQ.  There's
nothing you can do to the server to create attributes with "good"
values, when the NAS doesn't send them.

  Alan DeKok.



Re: auth detail module

2003-09-29 Thread Roberto Pioli
>   There is no auth_detail module.  And I'm not sure what you mean by
> changing "the" attribute.

I try to explain but my english is not so good.
In the last version i can log authentication information with

detail auth_log {
  detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
  detailperm = 0600
}

The log file auth_detailx created have some attributes logged like:

Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
MS-CHAP-Challenge = 
MS-CHAP-Response = 
NAS-Port-Type = Virtual
NAS-Port = 31
Service-Type = Framed-User
NAS-IP-Address = xxx
Client-IP-Address = 
Timestamp = 1064842369

My question is: can I add attribute to log in this file?


Thanks

TEB!






pap ldap

2003-09-29 Thread Ossama Suleiman
dear all,

i am using freeradius 0.9.1 on rh. linux 9
i have a running system using ldap, which is working really fine,
what i wanted to do is to switch Auth-Type from LDAP to Auth-Type :=PAP
so i modified the ldap entries to Auth-Type :=PAP,
when i tried the same using the users file and letting Auth-Type:=PAP it 
was working ok.

i tried to add a default section to the users file:
DEFAULT Auth-Type = PAP ( i got this from a previous posting from kostas)
but still do i get the same error:
rlm_pap: No password (or empty password) to check against for for user soe
every time i try to authenticate i get the following error:
snippet of radiusd -X:
---
rad_recv: Access-Request packet from host 127.0.0.1:33322, id=6, length=43
   User-Name = "soe"
   User-Password = "cross4"
modcall: entering group authorize
 modcall[authorize]: module "preprocess" returns ok
 modcall[authorize]: module "chap" returns noop
   rlm_realm: No '@' in User-Name = "soe", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop
 modcall[authorize]: module "files" returns ok
 modcall[authorize]: module "mschap" returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for soe
radius_xlat:  '(uid=soe)'
radius_xlat:  'xxx'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as xxx to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in xxx, with filter (uid=soe)
rlm_ldap: checking if remote access for soe is allowed by dialupAccess
rlm_ldap: Adding radiusSimultaneousUse as Simultaneous-Use, value 1 & op=21
rlm_ldap: Adding radiusFramedCompression as Framed-Compression, value 
Van-Jacobsen-TCP-IP & op=11
rlm_ldap: Adding radiusFramedMTU as Framed-MTU, value 1500 & op=11
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 
255.255.255.255 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & 
op=11
rlm_ldap: Password header not found in password {CRYPT}wCXDeZp/uLRGE for 
user soe
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusAuthType as Auth-Type, value PAP & op=21
rlm_ldap: extracted attribute NAS-Port-Type from generic item 
NAS-Port-Type == "ISDN"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user soe authorized to use remote access
ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
modcall: entering group Auth-Type
rlm_pap: login attempt by "soe" with password 123
rlm_pap: No password (or empty password) to check against for for user soe
 modcall[authenticate]: module "pap" returns invalid
modcall: group Auth-Type returns invalid
auth: Failed to validate the user.
Login incorrect (rlm_pap: User password not available): [soe/123] (from 
client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
--

in radiusd.conf the conf look like following:

ldap section:
password_header = "{crypt}"
   password_attribute = userPassword
authorize section:
authorize {
   preprocess
   chap
   suffix
   files
   mschap
   ldap
}
authentication section:
authenticate {
   Auth-Type PAP {
   pap
   }
   Auth-Type CHAP {
   chap
   }
   Auth-Type MS-CHAP {
   mschap
   }
   Auth-Type LDAP {
   ldap
   }
}
any help please??

thank you
best regards
ossama

--
Ossama Suleiman
Systems Engineer
TE Data S.A.E
Email: [EMAIL PROTECTED]
Web:   www.tedata.net
Phone: +(202)-416-6600, EXT: 1105
"Learn from yesterday, live for today, hope for tomorrow."





Re: auth detail module

2003-09-29 Thread Alan DeKok
"Roberto Pioli" <[EMAIL PROTECTED]> wrote:
> Where can I change the attribute logged with the auth_detail module?

  There is no auth_detail module.  And I'm not sure what you mean by
changing "the" attribute.

  Alan DeKok.



Re: pam_radius-1.3.16 and Red Hat 9

2003-09-29 Thread Alan DeKok
Alasdair Morison <[EMAIL PROTECTED]> wrote:
> I have copied the pam_radius_auth.so to /lib/security/pam_radius_auth.so
> 
> My problem now starts, which files do I have to configure in redhat to get
> this working,

  The documentation which comes with the module explains how to
configure PAM to use the module for a particular application.  The PAM
docs further explain how to configure PAM for applications.  There are
PAM files included with RedHat.

  Try doing:

$ locate pam | grep ssh

  and see what's there.

  Alan DeKok.



Re: sizelimit on user record?

2003-09-29 Thread Alan DeKok
Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> It seems to us that there could be a limit around 4kb,
> that means radiusd gets killed after sending user
> records exceeding 4kb, but that's more blind guessing
> than accurate debugging. radiusd -X only says "bus error",
> nothing useful. 

  Ah, yes.  I know exactly what the problem is, and how to fix it.
I'll commit a fix to the CVS head later today.

  The problem is that the fix will prevent bus errors, but it still
won't do what you want.  The RADIUS RFC's define the maximum size of a
RADIUS packet as 4k.  So if you're trying to send more data than that,
it just won't work.

  I suggest that you look for an alternate way to get those large
ACL's to the NAS.  RADIUS simply isn't good enough for what you're
trying to do.

  Alan DeKok.
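To see what the 4k limit means for the large cisco-avpair records in the question, here is an added example (Python, not FreeRADIUS code) that encodes Vendor-Specific attributes (RFC 2865 attribute 26, in the usual vendor type/length sub-format; Cisco vendor id 9, cisco-avpair vendor type 1) and refuses to build an Access-Accept whose Length field would exceed 4096 octets. The ACL lines are constructed sample data, and the Response Authenticator is left zeroed because the size check does not need it.

```python
"""Reply-size guard for RADIUS packets built from vendor attributes.

Added example, not FreeRADIUS code. Encodes Vendor-Specific attributes
(RFC 2865 type 26) and refuses to build a reply whose Length would exceed
the 4096-octet maximum the RFC sets for a RADIUS packet.
"""
import struct

RADIUS_HEADER_LEN = 20       # Code, Identifier, Length, 16-octet Authenticator
MAX_PACKET_LEN = 4096        # RFC 2865 section 3: Length is at most 4096
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26
VSA_OVERHEAD = 8             # Type, Length, Vendor-Id (4), Vendor type, Vendor length
MAX_VENDOR_DATA = 255 - VSA_OVERHEAD   # 247 octets of vendor data per VSA
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # Cisco VSA carrying "key=value" text


class ReplyTooLarge(ValueError):
    """Raised instead of emitting a packet the protocol cannot carry."""


def encode_vsa(vendor_id, vendor_type, data):
    """Return one Vendor-Specific attribute in the vendor type/length sub-format."""
    if len(data) > MAX_VENDOR_DATA:
        raise ValueError("vendor data is %d octets, max is %d" % (len(data), MAX_VENDOR_DATA))
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, VSA_OVERHEAD + len(data),
                       vendor_id, vendor_type, 2 + len(data)) + data


def cisco_avpair(text):
    """Encode one cisco-avpair string as a Cisco VSA."""
    return encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, text.encode("ascii"))


def reply_length(attributes):
    """Length field a reply carrying these encoded attributes would have."""
    return RADIUS_HEADER_LEN + sum(len(a) for a in attributes)


def build_access_accept(identifier, attributes):
    """Build the reply, or raise ReplyTooLarge before an oversized packet is produced.

    The Response Authenticator is left zeroed: computing it needs the shared
    secret and the request authenticator, which a size check does not need.
    """
    length = reply_length(attributes)
    if length > MAX_PACKET_LEN:
        raise ReplyTooLarge("reply would be %d octets, limit is %d" % (length, MAX_PACKET_LEN))
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + bytes(16) + b"".join(attributes)


def per_user_acl(n_lines):
    """Constructed sample: one downloadable ACL entry per cisco-avpair, as in the question."""
    return [cisco_avpair("ip:inacl#%d=permit tcp 10.0.0.0 0.255.255.255 any eq 443" % i)
            for i in range(1, n_lines + 1)]


if __name__ == "__main__":
    for lines in (5, 100):
        attrs = per_user_acl(lines)
        try:
            pkt = build_access_accept(1, attrs)
            print("%d ACL lines: %d-octet reply, fits" % (lines, len(pkt)))
        except ReplyTooLarge as err:
            print("%d ACL lines: %s" % (lines, err))
```

Five ACL lines give a 335-octet reply; a hundred of them, the size range the question describes, exceed the limit several times over, which is the case a server must catch before the packet is assembled rather than after.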



Re: EAP TLS SSL_read Error

2003-09-29 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> Authentication method is EAP-TLS. After (I suppose) successful
> generation of root, server and client certificates I get
> the following output from FreeRADIUS.
> What does this mean?
...
> rlm_eap_tls: SSL_read Error
...
>  SSL Error . 2

  It means that SSL wants more data, and it's not happy that it has to
wait for the next RADIUS packet.  In short, it means nothing is wrong.

  The error message has been removed from the latest CVS snapshots of
FreeRADIUS.

  Alan DeKok.



Re: sizelimit on user record?

2003-09-29 Thread Nils-Henner Krueger

Alan DeKok wrote:
> Nils-Henner Krueger <[EMAIL PROTECTED]> wrote:
> > We're observing segfaults of freeradius 0.9.1 on Solaris 8
> > immediately after delivering large user records (that means
> > many reply items per user) to the client.
> 
>   That's bad.
> 
> > Is there any kind of limit on the maximum number of reply
> > items, expressed in bytes or no of items?
> 
>   Nope.
> 
>   Are you using Ascend "data filter" attributes?  There's a patch
> pending to fix some issues with them.  That may help.


We are using large amounts of cisco-avpair lines to
set user-based acls, resulting in user records with
more than 100 lines and more than 6000 bytes.

It seems to us that there could be a limit around 4kb,
that means radiusd gets killed after sending user
records exceeding 4kb, but that's more blind guessing
than accurate debugging. radiusd -X only says "bus error",
nothing useful. 

Anybody else with large user records and similar problems?


nhk




RE: TLS and TTLS

2003-09-29 Thread Nixon, Anthony S.
Thanks very much for the education on AP's, but this still does not answer
the question of why an AP will pass EAP-MD5 and EAP-TLS, but might not pass
EAP-TTLS?






RE: TLS and TTLS

2003-09-29 Thread Nixon, Anthony S.
Umm, forgive me, but I thought they wrote the spec?


-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS and TTLS 


"Nixon, Anthony S." <[EMAIL PROTECTED]> wrote:
> When I switch it over to authenticate with TTLS, I get a "Failure -
> Authentication rejected by server" on the Funk 2.22 client.

  Funk may not implement TTLS correctly...


  Alan DeKok.







EAP TLS SSL_read Error

2003-09-29 Thread olaf . wischhusen
Hi,

I'm in the process of up FreeRADIUS together with CiscoAP1200,
xsupplicant from open1x.org.
Authentication method is EAP-TLS. After (I suppose) successful
generation of root, server and client certificates I get
the following output from FreeRADIUS.
What does this mean?

TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
1445:error:0906D06C:lib(9):func(109):reason(108):pem_lib.c:634:Expecting: DH PARAMETERS
 Error code is . 2
 SSL Error . 2
  modcall[authenticate]: module "eap" returns ok

The SSL version is a SNAP version (downloaded about 2 weeks ago).

Regards,
Olaf

[EMAIL PROTECTED] root]# ./run-radius -X -A
+ LD_LIBRARY_PATH=/usr/local/openssl/lib
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/r/cert-srv.pem"
 tls: certificate_file = "/etc/1x/r/cert-srv.pem"
 tls: CA_file = "/etc/1x/r/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/1x/r/dh"
 tls: random_file = "/etc/1x/r/random"
 tls: fragment_size = 1750
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Cli

RES: Using Mysql for Authentication / Usando MySql para Autenticação

2003-09-29 Thread Juliano Moises da Luz



Hello, Bruno,

I have already managed to configure this. I'll be glad to help you. I think it's easier in Portuguese. You can send me mail privately.

Regards.
 
 

  
  -----Original Message-----
  From: Bruno Gianelli Braido - IG [mailto:[EMAIL PROTECTED]]
  Sent: Monday, 29 September 2003 10:24
  To: Freeradius
  Subject: Using Mysql for Authentication / Usando MySql para Autenticação

  Hi there everybody, 

      I'd like an example of setting up Freeradius using Mysql for authentication.
      If someone knows where I can get it, please reply to me.

   Thanks for the help.
  ---
  Hello everyone, 

      I would like an example of configuring Freeradius using Mysql for authentication.
      If anyone knows where I can get it, please reply to me.

  Thanks for the help. 

  [], Bruno Gianelli Braido
  Linux User# 32000
  ICQ:71059588
  [EMAIL PROTECTED]


Using Mysql for Authentication / Usando MySql para Autenticação

2003-09-29 Thread Bruno Gianelli Braido - IG



Hi there everybody, 

    I'd like an example of setting up Freeradius using Mysql for authentication.
    If someone knows where I can get it, please reply to me.

 Thanks for the help.
---
Hello everyone, 

    I would like an example of configuring Freeradius using Mysql for authentication.
    If anyone knows where I can get it, please reply to me.

Thanks for the help. 

[], Bruno Gianelli Braido
Linux User# 32000
ICQ:71059588
[EMAIL PROTECTED]


teste

2003-09-29 Thread Bruno Gianelli Braido



teste





auth detail module

2003-09-29 Thread Roberto Pioli
Where can I change the attribute logged with the auth_detail module?

Thanks

TEB!




Re: users file woes

2003-09-29 Thread Eric C. Snowdeal III
Sunil Kulkarni wrote:

For multiple instances of an attribute try using "+=" operator:

foo  Auth-Type:=Local, User-Password=="bar"
	Colubris-AVPair += "Something",
	Colubris-AVPair += "Something more",
	Colubris-AVPair += "third instance"
This has always worked for me.


thanks, that works!  everything is working perfectly now as long as i 
compile the 0.9.1 tarball with the 0.7.1 valuepairs.c code.





pam_radius-1.3.16 and Red Hat 9

2003-09-29 Thread Alasdair Morison
Hi,

Just wondered if someone can help me out here, I have downloaded the 
pam_radius-1.3.16.tar file and have extracted and run the make command.

I have copied the pam_radius_auth.so to /lib/security/pam_radius_auth.so

My problem now starts: which files do I have to configure in redhat to get 
this working? Also I would like to use radius to authenticate users that use 
ssh to connect to the server.

Any help would be greatly appreciated.

Thanks

Alasdair

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: TLS and TTLS

2003-09-29 Thread Artur Hecker
hi


> Of course they do: whether they SUPPORT (act as a pass-through device for) these
> auth schemes or not.

sorry, that's still wrong. they either support EAP or not. it is 
completely irrelevant which kind of EAP. be it TLS, MD5, TTLS, PEAP or 
whichever EAP scheme might EVER come out one day in the future, they 
support it already. nice, he?


> I KNOW they have nothing to do with the actual auth beside that fact, but you
> can't use EAP-TLS or TTLS with just any old AP, now can you?

of course you can, as long as it supports 802.1X.


> Such nitpicking.

no, sorry. you've just never understood why EAP has been developed. so, 
you suggest that the problem could be a 802.1X aware AP which is - in 
your opinion - the problem for TTLS not passing through. that's 
_completely_ wrong, so the guy having problem has been put on the wrong 
way, i've only corrected this mistake, be it important or not.



ciao
artur

> > hardly ever.
> >
> > the APs have NOTHING to do with neither TTLS nor TLS.
> >
> > ciao
> > artur
> > Michael Brown wrote:
> >
> > > I know the Linksys WAP/WRT54G accepts TTLS auth, but I don't know a D-Link
> > > product that does TTLS.  That is most likely your problem.
> > > Michael Brown



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Proxy Issue

2003-09-29 Thread Ivan Meic
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

>  Huh?  You have *two* NULL realms, and two DEFAULT realms?  I don't
>expect that to work at all.
>
>  In fact, it's intended to NOT work.
>

:) I can guarantee to you that it is working.
I'm not using a 'round robin' method, so I really
was expecting that it will send accounting packets to
all servers specified in the list.

> > In this case it works fine, but if I want to proxy it
> > to one additional server it doesn't work.
> > The proxy only sends the accounting data to the first server on the list
> > and leaves one copy for itself.
>
>  See 'radrelay'.  It's designed to copy requests to another server.

Ok, I can understand how to use radrelay, but then I have another problem.
I have around 50 different gateways sending the accounting data to this
radius server.
Each gateway has its own radacct sub-directory. Do I need to keep running
50 different instances of radrelay, or is there a more convenient way ?
(Possibly make all gateways write to one detail file ?)

Thanks in advance.

Regards,
Ivan Meic



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to tag attributes ?

2003-09-29 Thread Thomas MARCHESSEAU
Hi all,

no idea ?

regards
Thomas
Thomas MARCHESSEAU wrote:

> Hi All,
>
> Specs:
> - Freeradius 0.9.1, on debian woody
> - 2 Radius servers , 2 radius proxys (sharing a virtual IP)
>
> Everything is working fine except that i would like to add (or 
> increment) tags to freeradius attributes ie:
>
> [EMAIL PROTECTED]:~$ ./radtest [EMAIL PROTECTED] ipdyn 172.16.129.4 1812 testing123
> Sending Access-Request of id 186 to 172.16.129.4:1812
>    User-Name = "[EMAIL PROTECTED]"
>    User-Password = "ipdyn"
>    NAS-IP-Address = 172.16.69.1
>    NAS-Port = 1812
> rad_recv: Access-Accept packet from host 172.16.129.4:1812, id=186, length=188
>    Session-Timeout = 86400
>    Idle-Timeout = 180
>    Tunnel-Medium-Type:0 = IP                          <= Here
>    Tunnel-Server-Endpoint:0 = "172.18.21.3"           <= here etc ...
>    Tunnel-Assignment-Id:0 = "tunnel-172.16.21.3"
>    Tunnel-Client-Auth-Id:0 = "LNS-NET7-1"
>    Tunnel_Local_Name = "LNS-NET7-1"
>    Tunnel-Type:0 = L2TP
>    Tunnel-Server-Auth-Id:0 = "srv44-2.idf1.realm.net"
>    Tunnel_Remote_Name = "srv44-2.idf1.realm.net"
>    Proxy-State = 0x31
>    Service-Type = Framed-User
> [EMAIL PROTECTED]:~$
>
> The tag is 0 , but i would like to obtain something like that
>
>    Tunnel-Server-Endpoint:1 = "172.18.21.3"
>
> Any idea ?
>
> regards
>
> Thomas MARCHESSEAU







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
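What the ":0" and ":1" suffixes in the radtest output above mean on the wire, as an added example (not FreeRADIUS code and not posted by anyone in the thread): RFC 2868 tunnel attributes carry a one-octet Tag as the first octet of their Value field, valid tags are 0x01 through 0x1F, 0x00 means "no tag", and the tag is what groups the attributes of one tunnel together when a reply describes several. The block encodes and decodes Tunnel-Type, Tunnel-Medium-Type, Tunnel-Server-Endpoint and Tunnel-Assignment-Id, renders them the way FreeRADIUS prints them, and groups a constructed reply into tunnel sets by tag. Attribute numbers and the L2TP and IP values come from RFC 2868; the endpoint address is the one from the thread; the constant and function names are this example's own.

```python
"""RFC 2868 tagged tunnel attributes on the wire. Added example, not
FreeRADIUS code: it shows what the ':N' suffix FreeRADIUS prints
(Tunnel-Server-Endpoint:0, Tunnel-Type:1, ...) corresponds to in the packet.
Attribute numbers and the Tunnel-Type/Tunnel-Medium-Type values are from
RFC 2868; the endpoint address is the one from the thread; function and
constant names are this example's own."""
import struct
from typing import Dict, List, Tuple

# RFC 2868 attribute numbers (subset).
TUNNEL_TYPE = 64             # tagged integer, 3-octet value; L2TP = 3
TUNNEL_MEDIUM_TYPE = 65      # tagged integer, 3-octet value; IP (IPv4) = 1
TUNNEL_SERVER_ENDPOINT = 67  # tagged string
TUNNEL_ASSIGNMENT_ID = 82    # tagged string

NAMES = {
    TUNNEL_TYPE: "Tunnel-Type",
    TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
    TUNNEL_SERVER_ENDPOINT: "Tunnel-Server-Endpoint",
    TUNNEL_ASSIGNMENT_ID: "Tunnel-Assignment-Id",
}
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_SERVER_ENDPOINT, TUNNEL_ASSIGNMENT_ID}
VALUE_NAMES = {TUNNEL_TYPE: {3: "L2TP"}, TUNNEL_MEDIUM_TYPE: {1: "IP"}}
MAX_TAG = 0x1F               # valid tags are 0x01..0x1F; 0x00 means "no tag"

Decoded = Tuple[int, int, object]   # (attribute number, tag, value)


def encode_tagged(attr: int, tag: int, value) -> bytes:
    """Build Type | Length | Tag | Value for a tagged RFC 2868 attribute."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    if attr in TAGGED_INTEGER:
        if not 0 <= value <= 0xFFFFFF:
            raise ValueError("tagged integer value must fit in 3 octets")
        body = bytes([tag]) + int(value).to_bytes(3, "big")
    elif attr in TAGGED_STRING:
        body = bytes([tag]) + str(value).encode("ascii")
    else:
        raise ValueError(f"attribute {attr} is not a tagged attribute")
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute too long")
    return struct.pack("BB", attr, length) + body


def decode_tagged(raw: bytes) -> Decoded:
    """Inverse of encode_tagged. Returns tag 0 for an untagged attribute; for
    a tagged string whose first octet is above 0x1F, RFC 2868 says that octet
    is data rather than a tag, so it stays in the value and the tag is 0."""
    if len(raw) < 3:
        raise ValueError("too short for a tagged attribute")
    attr, length = struct.unpack("BB", raw[:2])
    if length != len(raw):
        raise ValueError("length octet does not match data")
    body = raw[2:]
    first = body[0]
    if attr in TAGGED_INTEGER:
        if length != 6 or first > MAX_TAG:
            raise ValueError("malformed tagged integer")
        return attr, first, int.from_bytes(body[1:], "big")
    if attr in TAGGED_STRING:
        if first > MAX_TAG:
            return attr, 0, body.decode("ascii")
        return attr, first, body[1:].decode("ascii")
    raise ValueError(f"attribute {attr} is not a tagged attribute")


def format_freeradius(attr: int, tag: int, value) -> str:
    """Render like radtest/radiusd debug output, e.g. Tunnel-Type:1 = L2TP."""
    name = NAMES[attr]
    if attr in TAGGED_INTEGER:
        shown = VALUE_NAMES.get(attr, {}).get(value, str(value))
        return f"{name}:{tag} = {shown}"
    return f'{name}:{tag} = "{value}"'


def tunnel_sets(decoded: List[Decoded]) -> Dict[int, List[str]]:
    """Group attributes by tag: RFC 2868 uses the tag to tie the attributes of
    one tunnel together when a reply describes several alternative tunnels."""
    sets: Dict[int, List[str]] = {}
    for attr, tag, value in decoded:
        sets.setdefault(tag, []).append(format_freeradius(attr, tag, value))
    return sets


if __name__ == "__main__":
    # Constructed reply: the thread's tunnel with tag 1 plus a second one, tag 2.
    attrs = [
        encode_tagged(TUNNEL_TYPE, 1, 3),
        encode_tagged(TUNNEL_MEDIUM_TYPE, 1, 1),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 1, "172.18.21.3"),
        encode_tagged(TUNNEL_SERVER_ENDPOINT, 2, "172.18.21.4"),
    ]
    for tag, lines in tunnel_sets([decode_tagged(a) for a in attrs]).items():
        print(f"tunnel set {tag}:", *lines, sep="\n  ")
```

Encoding Tunnel-Server-Endpoint with tag 1 gives the octets 67, 14, 1 followed by the eleven characters of "172.18.21.3"; with tag 0 the only difference is the third octet, which is what the ":0" in the radtest output reflects. A receiver that sees an untagged set next to a tagged one cannot tell which tunnel the untagged attributes belong to, so replies describing more than one tunnel need tags starting at 1 on every attribute of each set.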