Re: EAP load testing...
Alan DeKok wrote:
> Desmond Rivet wrote:
> > I haven't taken a close look at xsupplicant, and I realize this is somewhat off topic, but do you happen to know off the top of your head whether xsupplicant can talk directly to FreeRADIUS as a UDP client without going through a NAS of some description?
>
> No. Xsupplicant is an EAP client. It needs to talk to something like a wireless AP, which will act as an EAP server to xsupplicant, and as a RADIUS client to FreeRADIUS.
>
> So you've got to write an EAP server. It shouldn't be too bad, as you've got free client server code already. And a free EAP server will allow a Unix box to act as a wireless AP, which they can't do right now. That is, a free EAP server will probably receive significant input from the free software community.

If I understand it correctly, this is the same as, or something similar to, an authenticator as can be seen in the picture at http://www.open1x.org. A starting point might be the code for such an authenticator (I don't know how good/stable it is) in the CVS from open1x at SourceForge: http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/open1x/

Norbert Wegener

> Alan DeKok.
>
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Norbert Wegener   Phone: (49) 201 2661 379   Fax: (49) 201 2661 377
SBS Essen, Germany   Mail: [EMAIL PROTECTED]   Mailfax: (49) 2018165521379
roadwarriors using smart cards
Sorry for this crossposting, but I think this question touches more than one list.

We have been using rp-l2tp + pppd + freeradius + freeswan for a while to set up L2TP/IPsec roadwarrior connections. The IPsec connection is authenticated via certificates, the L2TP/PPP connection via login/password and freeradius.

Configuring those connections on the Windows side, you can easily choose to use certificates on smart cards to authenticate the L2TP/PPP connection instead of using login/password. Starting such a connection, first the IPsec tunnel is set up, then rp-l2tp starts pppd, which does not seem to know how to do EAP-TLS authentication against freeradius. I suppose there is no code available in pppd to do EAP-TLS authentication.

Nevertheless: is there any other known method to use smart cards instead of login/password for L2TP/IPsec connections?

Regards
Norbert

--
Norbert Wegener, SBS Essen, Germany, http://corina-cert.sbs.de (intranet)
Re: Freeradius + pppd
The current CVS version of pppd contains a ppp-radius plugin, which (maybe) does what you want.

Norbert Wegener

Luca Grossi schrieb:
> Thanks very muchly! :)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van Smoorenburg
> Sent: Monday, February 10, 2003 11:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius + pppd
>
> In article 007a01c2d0f3$a09b2e30$020a@stuido, Luca Grossi wrote:
> > Hello everyone!
> > Could someone please explain to me how to go about a patch for pppd to support authentication through RADIUS. I've been looking around, and people just start suggesting to use portslave. Why would that be?
>
> I entered "pppd radius" in Google and one of the first hits was http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/ which appears to be exactly what you want.
>
> >     linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
> >     patching file Makefile
>
> Why are you trying to apply a patch for pppd to the Linux kernel? That doesn't make any sense.
>
> Mike.

--
Norbert Wegener, SBS Essen, Germany, http://relax.sbs.de (intranet)
Testing freeradius and EAP/TLS
Is there a tool like radtest available which helps in testing the correct configuration of EAP/TLS in freeradius?

Norbert Wegener

--
Norbert Wegener, SBS Essen, Germany
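A radtest-style smoke test for EAP, as an added example (this is not a tool from the post, nor FreeRADIUS code). radtest sends a plain PAP/CHAP Access-Request; for EAP the request must carry an EAP-Message attribute (an EAP Response/Identity to start) and, per RFC 3579, a Message-Authenticator (HMAC-MD5 keyed with the shared secret), and the reply must be checked on both its Response Authenticator (RFC 2865) and its Message-Authenticator. The script builds the client packet, and also builds a server reply so the round trip can be exercised offline; a server with EAP-TLS enabled should answer Access-Challenge carrying an EAP Request of type 13 (EAP-TLS Start). The server address 127.0.0.1:1812, the secret `testing123` and the identity `nw` are assumptions. This only exercises the first exchange; a full EAP-TLS run needs the TLS handshake carried in EAP fragments, for which the usual tool today is eapol_test from wpa_supplicant.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 4, 5
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(type_, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one attribute")
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attrs(data):
    """Return [(type, value), ...]; reject truncated or zero-length attributes."""
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 1 < len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs


def eap_identity_response(eap_id, identity):
    """EAP packet: Code=Response(2), Identifier, Length, Type=Identity(1), identity."""
    body = struct.pack("!B", EAP_TYPE_IDENTITY) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def message_authenticator(secret, header, request_authenticator, attrs_zeroed_ma):
    """RFC 3579: HMAC-MD5(secret, Code+ID+Length+RequestAuthenticator+Attributes with MA = 0)."""
    return hmac.new(secret, header + request_authenticator + attrs_zeroed_ma, hashlib.md5).digest()


def build_access_request(secret, identity, pkt_id, authenticator, nas_ip="127.0.0.1", nas_port=0):
    """Client side: Access-Request with EAP-Message and a valid Message-Authenticator."""
    attrs = (attr(ATTR_USER_NAME, identity)
             + attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attr(ATTR_EAP_MESSAGE, eap_identity_response(1, identity))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs))
    mac = message_authenticator(secret, header, authenticator, attrs)
    return header + authenticator + attrs[:-16] + mac


def build_reply(secret, request_authenticator, code, pkt_id, attr_list):
    """Server side (for an offline round trip): reply with MA and Response Authenticator."""
    attrs = b"".join(attr(t, v) for t, v in attr_list) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, pkt_id, 20 + len(attrs))
    attrs = attrs[:-16] + message_authenticator(secret, header, request_authenticator, attrs)
    # RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs


def verify_reply(secret, request_authenticator, reply):
    """Check both authenticators of a reply; return (code, attrs) or raise ValueError."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("bad length")
    header, resp_auth, attrs_raw = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_authenticator + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator (wrong secret, or not a reply to our request)")
    attrs = parse_attrs(attrs_raw)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        raise ValueError("EAP reply must carry exactly one Message-Authenticator")
    zeroed = b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    if not hmac.compare_digest(message_authenticator(secret, header, request_authenticator, zeroed), mas[0]):
        raise ValueError("bad Message-Authenticator")
    return reply[0], attrs


def eap_from_attrs(attrs):
    """Reassemble EAP-Message fragments in order; return (eap_code, eap_id, eap_type or None)."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("missing or inconsistent EAP-Message")
    return eap[0], eap[1], (eap[4] if len(eap) > 4 else None)


def probe(server, secret, identity, timeout=3.0):
    """Send the Identity response to server:1812; return (radius_code, eap_code, eap_id, eap_type)."""
    authenticator = os.urandom(16)
    pkt = build_access_request(secret, identity, 7, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 1812))
        reply, _ = sock.recvfrom(4096)
    code, attrs = verify_reply(secret, authenticator, reply)
    return (code,) + eap_from_attrs(attrs)


if __name__ == "__main__":
    # Assumed server, secret and identity; adjust to your clients.conf and users file.
    print(probe("127.0.0.1", b"testing123", b"nw"))
```

Run it against a server whose clients.conf knows the probing host; an answer of (11, 1, n, 13) means FreeRADIUS accepted the request and started EAP-TLS, (3, 4, n, None) is an Access-Reject with an EAP Failure, and a ValueError from verify_reply means the secret is wrong or the reply was not built for our request.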
Check Users File
In the process of migrating from cistron to freeradius I notice that one nice feature of cistron is missing in freeradius: with the option -C, cistron checked the syntax of a users file. This was very useful for us. In freeradius I did not find an option for such a check. Is it missing, or did I not read enough documentation?

Norbert Wegener

--
Norbert Wegener, SBS Essen, Germany
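The kind of check cistron's -C did, as an added example written for this page (it is neither cistron's nor FreeRADIUS's code and it loads no dictionary). It enforces the layout the users file uses, a name (or DEFAULT) in column 0 followed by its check items, then indented reply lines that end with a comma on every line but the last, and the operator set. The sample file, the rule that comparison operators are rejected in reply items, and the optional known_attrs set (standing in for the dictionary) are this checker's own choices.

```python
import re

OPERATORS = ("==", "!=", ">=", "<=", "=~", "!~", "=*", "!*", ":=", "+=", "=", ">", "<")
COMPARISON_OPS = {"==", "!=", ">=", "<=", "=~", "!~", "=*", "!*", ">", "<"}
# Attribute name (non-greedy, so 'Auth-Type:=' still splits as 'Auth-Type' + ':='),
# operator (two-character operators listed first), rest of the item.
PAIR_RE = re.compile(r"^([A-Za-z0-9_.:-]+?)\s*(" + "|".join(re.escape(o) for o in OPERATORS) + r")\s*(.*)$")


def split_items(text):
    """Split 'A = 1, B = "x, y"' on commas outside double quotes (backslash escapes honoured).
    Raises ValueError on an unterminated quote."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote")
    items.append("".join(buf).strip())
    return items


def check_items(text, lineno, kind, known_attrs, errors):
    """Validate one comma-separated item list; kind is 'check' or 'reply'."""
    try:
        items = split_items(text)
    except ValueError as exc:
        errors.append((lineno, str(exc)))
        return
    for item in items:
        if not item:
            errors.append((lineno, "empty item (stray comma)"))
            continue
        m = PAIR_RE.match(item)
        if not m:
            errors.append((lineno, "cannot parse %r: expected 'Attribute op value'" % item))
            continue
        name, op, value = m.groups()
        if not value:
            errors.append((lineno, "%s: missing value after %r" % (name, op)))
        if kind == "reply" and op in COMPARISON_OPS:
            errors.append((lineno, "%s: comparison operator %r is not allowed in a reply item" % (name, op)))
        if known_attrs is not None and name not in known_attrs:
            errors.append((lineno, "unknown attribute %r" % name))


def check_users_file(text, known_attrs=None):
    """Return [(line_number, message), ...]; an empty list means the file parsed cleanly.
    '#' starts a comment (here even inside quotes, a simplification of this checker)."""
    errors, in_entry, continued, last = [], False, False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        last = lineno
        if line[0] not in " \t":                    # column 0: new entry, name + check items
            if continued:
                errors.append((lineno, "previous entry's reply list ends with a comma"))
            in_entry, continued = True, False
            name_and_rest = line.split(None, 1)
            if len(name_and_rest) == 2:
                check_items(name_and_rest[1].strip(), lineno, "check", known_attrs, errors)
        else:                                       # indented: reply items of the open entry
            if not in_entry:
                errors.append((lineno, "reply item before any entry"))
                continue
            body = line.strip()
            continued = body.endswith(",")
            check_items(body[:-1] if continued else body, lineno, "reply", known_attrs, errors)
    if continued:
        errors.append((last, "file ends with a trailing comma"))
    return errors


# Constructed sample (not from the list post): one good entry, one broken one, a DEFAULT.
SAMPLE = """\
# constructed sample for the checker
nw@myrealm  Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33,
        Framed-Protocol = PPP

broken  Auth-Type :=
        Reply-Message = "missing quote,
        Service-Type == Framed-User,
DEFAULT Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
"""

if __name__ == "__main__":
    for lineno, msg in check_users_file(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```

For a real file use `check_users_file(open("/etc/raddb/users").read())` and feed known_attrs from the attribute names in your dictionary files if you want unknown attributes caught as well; the checker catches the errors that bite in practice (missing value, unbalanced quote, comparison operator in a reply item, dangling comma before the next entry) without needing the server to start.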
Dynamic Ipaddress using rlm_ippool
I've got the dynamic ippool handling working. Looking at the source code, it seems to me that IP addresses are freed when an Accounting-Stop record comes along. As those records arrive via UDP (true??) some might be lost and the associated addresses will never be freed. Is this true? If so: how can those addresses be set to unused during normal operations?

The module ippool is declared experimental. Does anyone have real experience with it?

Thanks
Norbert Wegener

--
Norbert Wegener, SBS Essen, Germany
proxy cancelled
I start my freeradius 0.8.1 with

    /usr/local/sbin/radiusd -i 127.0.0.1 -p 1812 -sfX

and have problems getting proxy authentication working. Without the realm everything works as expected. proxy_requests = yes is set in radiusd.conf. Here is my minimal users file:

users:

    nw@myrealm  Auth-Type := Local, User-Password == testing
            Service-Type = Framed-User,
            Framed-IP-Address = 172.16.3.33,
            Framed-Protocol = PPP

proxy.conf (only the configuration for the proxy realms; above it no changes):

    realm myrealm {
            type     = radius
            authhost = LOCAL
            accthost = LOCAL
            strip
    }

I get the following:

    Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
            Service-Type = Framed-User
            Framed-Protocol = PPP
            User-Name = nw@myrealm
            CHAP-Challenge = \207\234\202\201q(\350V\361\371e\206\024\004\277@\t
            CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
            NAS-IP-Address = 123.123.123.123
            NAS-Port = 0
    modcall: entering group authorize
    modcall[authorize]: module preprocess returns ok
    rlm_chap: Adding Auth-Type = CHAP
    modcall[authorize]: module chap returns ok
    modcall[authorize]: module mschap returns notfound
    rlm_realm: Looking up realm myrealm for User-Name = nw@myrealm
    rlm_realm: Found realm myrealm
    rlm_realm: Adding Stripped-User-Name = nw
    rlm_realm: Proxying request from user nw to realm myrealm
    rlm_realm: Adding Realm = myrealm
    rlm_realm: Authentication realm is LOCAL.
    rlm_realm: auth_port is not set.
    proxy cancelled

Where do I have to set an auth_port?

Thanks
Norbert Wegener

--
Norbert Wegener, SBS Essen, Germany
Re: Dynamic Ipaddress using rlm_ippool
Kostas Kalevras schrieb:
> On Tue, 21 Jan 2003, Alan DeKok wrote:
> > Norbert Wegener wrote:
> > > I've got the dynamic ippool handling working. Looking at the source code, it seems to me that IP addresses are freed when an Accounting-Stop record comes along. As those records arrive via UDP (true??) some might be lost and the associated addresses will never be freed. Is this true?
> >
> > Sort of. The UDP packets may be lost, but the NAS *should* re-send them. If it doesn't, it's broken.
> >
> > > If so: how can those addresses be set to unused during normal operations?
> >
> > Use a non-broken NAS.
>
> Hmm... the module SHOULD handle the case where a stop is lost completely (rare, but possible) and a new start packet comes in for the same port. I haven't looked at the source to see if/how it does this, though.

If an Access-Request comes in for a port that already has an assigned IP, that IP is freed. This is a reasonable behaviour. Nevertheless I would like to know whether there is a chance to monitor how many IPs are in use. Does a tool for this already exist?

Norbert Wegener

--
Norbert Wegener, SBS Essen, Germany, http://relax.sbs.de (intranet)
freeradius and ippools
I have downloaded the current freeradius sources and wanted to make use of ippools. The module is still experimental(?) and so I configured fr with

    ./configure --with-experimental-modules

From raddb/experimental.conf:

    # Do server side ip pool management. Should be added in post-auth and
    # accounting sections.

As the distributed radiusd.conf contains an entry #main_pool in the post-auth section, I uncommented it. In the accounting section I added main_pool. I appended the following to radiusd.conf:

    ippool main_pool {
            session-db  = /usr/local/etc/raddb/ippool-sess-db
            ip-index    = /usr/local/etc/raddb/ippool-idx-db
            range-start = 192.168.100.20
            range-stop  = 192.168.100.40
    }

Starting radius with -X gives the following error message:

    ERROR: Cannot find a configuration entry for module main_pool

Supposing I misunderstood the documentation, I changed the entries in the accounting and post-auth sections to ippool. What changed was the error message:

    ERROR: Cannot find a configuration entry for module ippool

What am I doing wrong and/or where can I find more documentation about this?

Norbert

--
Norbert Wegener, SBS Essen, Germany
Re: freeradius and ippools
Thank you Alan, with this little bit of (for me) missing information it nearly worked out of the box. Just another question: how can I query which IP addresses of the pool are in use? Only pinging them might not be the best solution.

Thanks
Norbert

Alan DeKok schrieb:
> Norbert Wegener wrote:
> > I appended the following to radiusd.conf:
> >
> >     ippool main_pool {
> >             session-db  = /usr/local/etc/raddb/ippool-sess-db
> >             ip-index    = /usr/local/etc/raddb/ippool-idx-db
> >             range-start = 192.168.100.20
> >             range-stop  = 192.168.100.40
> >     }
> >
> > Starting radius with -X gives the following error message:
> >
> >     ERROR: Cannot find a configuration entry for module main_pool
>
> Put the configuration into the 'modules' section of radiusd.conf.
>
> Alan DeKok.

--
Norbert Wegener, SBS Essen, Germany, http://relax.sbs.de (intranet)
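The lost-Stop case discussed in the "Dynamic Ipaddress using rlm_ippool" thread and the "which addresses are in use" question asked in both ippool threads, as an added example: this is not rlm_ippool's code and it does not read rlm_ippool's gdbm session-db or ip-index files. It keeps the same bookkeeping a pool module has to keep, keyed by (NAS-IP-Address, NAS-Port): allocate at post-auth, release on Accounting-Stop, hand the same address back when a port that still holds a lease sends a new request (the Stop was lost), and reclaim leases that see no accounting traffic for longer than an idle limit. The key, the max_age idle timer, the dict-shaped accounting packet and the pool range are assumptions of this example.

```python
import ipaddress


class IPPool:
    """Address pool with per-session leases; a hypothetical stand-in for rlm_ippool's session db."""

    def __init__(self, range_start, range_stop, max_age):
        first, last = ipaddress.IPv4Address(range_start), ipaddress.IPv4Address(range_stop)
        if last < first:
            raise ValueError("range-stop is below range-start")
        self.free = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.leases = {}          # (nas_ip, nas_port) -> [ip, last_seen]
        self.max_age = max_age    # seconds without accounting traffic before a lease is reclaimed

    def allocate(self, nas_ip, nas_port, now):
        """post-auth: hand out an address. A port that still holds a lease (its Stop was lost)
        gets the same address back, so the stale lease cannot leak."""
        key = (nas_ip, nas_port)
        if key in self.leases:
            self.leases[key][1] = now
            return self.leases[key][0]
        if not self.free:
            return None           # pool exhausted: the caller should reject the request
        ip = self.free.pop(0)
        self.leases[key] = [ip, now]
        return ip

    def refresh(self, nas_ip, nas_port, now):
        """accounting Start / Interim-Update: the session is alive, push its idle deadline out."""
        lease = self.leases.get((nas_ip, nas_port))
        if lease is None:
            return False
        lease[1] = now
        return True

    def release(self, nas_ip, nas_port):
        """accounting Stop: return the address to the pool. A duplicate Stop is harmless."""
        lease = self.leases.pop((nas_ip, nas_port), None)
        if lease is None:
            return False
        self.free.append(lease[0])
        return True

    def expire(self, now):
        """Reclaim leases idle for more than max_age seconds (Stop lost and port never reused).
        Returns the reclaimed addresses, sorted."""
        dead = [k for k, (_, seen) in self.leases.items() if now - seen > self.max_age]
        reclaimed = [self.leases.pop(k)[0] for k in dead]
        self.free.extend(reclaimed)
        return sorted(reclaimed)

    def in_use(self):
        """The monitoring question from the thread: sorted (ip, nas_ip, nas_port) of live leases."""
        return sorted((ip, k[0], k[1]) for k, (ip, _) in self.leases.items())

    def usage(self):
        """(leased, free) counts."""
        return len(self.leases), len(self.free)


def handle_accounting(pool, packet, now):
    """Drive the pool from one Accounting-Request, given here as a constructed attribute dict."""
    key = (packet["NAS-IP-Address"], packet["NAS-Port"])
    status = packet["Acct-Status-Type"]
    if status == "Stop":
        return pool.release(*key)
    if status in ("Start", "Interim-Update"):
        return pool.refresh(*key, now)
    return False


if __name__ == "__main__":
    pool = IPPool("192.168.100.20", "192.168.100.40", max_age=600)
    pool.allocate("10.0.0.1", 1, now=0)
    pool.allocate("10.0.0.1", 2, now=0)
    handle_accounting(pool, {"NAS-IP-Address": "10.0.0.1", "NAS-Port": 2, "Acct-Status-Type": "Stop"}, now=30)
    print(pool.in_use(), pool.usage())
```

The design point is the key: as long as leases are indexed by NAS and port rather than only by address, a lost Stop costs nothing when the port is reused, and the idle timer (fed by Interim-Updates, which the NAS should be configured to send) covers the port that is never reused. in_use() is the query the thread asks for; with a real module it would have to read the module's own session store.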