Re: EAP load testing...

2003-07-01 Thread Norbert Wegener


Alan DeKok wrote:
Desmond Rivet [EMAIL PROTECTED] wrote:

I haven't taken a close look at xsupplicant, and I realize this is somewhat 
off topic, but do you happen to know off the top of your head whether 
xsupplicant can talk directly to FreeRADIUS as a UDP client without going 
through a NAS of some description?


  No.  Xsupplicant is an EAP client.  It needs to talk to something
like a wireless AP, which will act as an EAP server to xsupplicant,
and as a RADIUS client to FreeRADIUS.
  So you've got to write an EAP server. It shouldn't be too bad, as
you've got free client and server code already.  And a free EAP server
will allow a Unix box to act as a wireless AP, which they can't do
right now.
  That is, a free EAP server will probably receive significant input
from the free software community.
If I understand it correctly, this is the same as, or something similar to, an
authenticator as can be seen in the picture at http://www.open1x.org.
A starting point might be the code for such an authenticator - I don't
know how good/stable it is - in the cvs from open1x at sourceforge:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/open1x/

Norbert Wegener


  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Norbert Wegener    Phone: (49) 2012661379    Fax: (49) 2012661377
SBS Essen, Germany  Mail: [EMAIL PROTECTED]    Mailfax: (49) 2018165521379


smime.p7s
Description: S/MIME Cryptographic Signature


roadwarriors using smart cards

2003-06-11 Thread Norbert Wegener
Sorry for this crossposting, but I think this question touches more than 
one list.

We have been using rp-l2tp+pppd+freeradius+freeswan for a while to set up
l2tp/ipsec roadwarrior connections.
The ipsec connection is authenticated via certificates, the l2tp/ppp
connection via login/password and freeradius.

Configuring those connections on the windows side, you can easily choose 
to use certificates on smart cards to authenticate the l2tp/ppp 
connection instead of using login/password.
When starting such a connection, first the ipsec tunnel is set up, then
rp-l2tp starts pppd, which does not seem to know how to do EAP-TLS
authentication against freeradius.
I suppose there is no code available in pppd to do EAP-TLS authentication.

Nevertheless: Is there any other known method to use smart cards instead 
of login/password for l2tp/ipsec connections?

Regards
Norbert




Re: Freeradius + pppd

2003-02-10 Thread Norbert Wegener
The actual cvs version of pppd contains a ppp-radius plugin, which 
-maybe- does what you want.
Norbert Wegener


Luca Grossi wrote:
Thanks very muchly! :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Miquel van
Smoorenburg
Sent: Monday, February 10, 2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + pppd

In article 007a01c2d0f3$a09b2e30$020a@stuido,
Luca Grossi [EMAIL PROTECTED] wrote:


Hello everyone!
Could someone please explain to me how to go about the patch for pppd to
support authentication through RADIUS.
I've been looking around, people just start suggesting to use
portslave.
Why would that be?


I entered pppd radius in Google and one of the first hits was
http://www.chelcom.ru/~anton/projects/pppd-tacacs+radius/
which appears to be exactly what you want.



linux:/usr/src/linux # patch -p1 < ppp-2.4.1b2-mschapmppe-radclient-v2.0c.patch
patching file Makefile



Why are you trying to apply a patch for pppd to the Linux kernel?
That doesn't make any sense.

Mike.







Testing freeradius and EAP/TLS

2003-02-04 Thread Norbert Wegener
Is there a tool like radtest available, which helps in testing the 
correct configuration of eap/tls in freeradius?

Norbert Wegener





Check Users File

2003-01-22 Thread Norbert Wegener
In the process of migrating from cistron to freeradius I notice that
one nice feature of cistron is missing in freeradius:
With the option -C, cistron checked the syntax of a users file.
This was very useful for us.
In freeradius I did not find an option for such a check.
Is it missing, or did I not read enough documentation?

Norbert Wegener



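The kind of check asked about above, as an added example written for this page (it is not cistron's -C code and not a FreeRADIUS tool): a small linter for the users file format, whose rules approximate the format rather than reproduce the server's parser. The sample file it checks is constructed here; its first entry is the one from the "proxy cancelled" post below, the other two are deliberately broken.

```python
"""Lint a FreeRADIUS-style 'users' file: entries start in column 0 with a
name followed by comma-separated check items; indented continuation lines
hold reply items, each ending in a comma except the last one.  Illustration
written for this page, not a FreeRADIUS or cistron tool."""
import re
from dataclasses import dataclass, field

# attribute, operator, value; the operators are those the users file accepts
ITEM_RE = re.compile(
    r'^([A-Za-z0-9_.-]+)\s*(==|:=|\+=|!=|>=|<=|=~|!~|=\*|!\*|=|>|<)\s*(\S.*)$'
)


@dataclass
class Entry:
    name: str
    line: int
    check: list = field(default_factory=list)   # (attribute, op, value) tuples
    reply: list = field(default_factory=list)


def split_items(text):
    """Split on commas outside quotes; report a trailing comma and an unclosed quote."""
    items, cur, quote = [], "", None
    for ch in text:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote, cur = ch, cur + ch
        elif ch == ",":
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    trailing = not cur.strip() and bool(items)
    if cur.strip():
        items.append(cur.strip())
    return items, trailing, quote is not None


def lint_users(text):
    """Return (entries, errors); each error is a (line_number, message) tuple."""
    entries, errors = [], []
    current, closed = None, False   # closed: last reply line had no trailing comma
    lines = text.splitlines()

    def dangling(lineno):
        if current and current.reply and not closed:
            errors.append((lineno, f"entry '{current.name}' ends with a dangling comma"))

    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].rstrip()   # strip comments ('#' inside quotes not handled)
        if not line.strip():
            dangling(lineno)
            current, closed = None, False
            continue
        indented = line[0] in " \t"
        if not indented:
            dangling(lineno)
            parts = line.split(None, 1)
            current = Entry(parts[0], lineno)
            entries.append(current)
            closed = False
            body, target = (parts[1] if len(parts) > 1 else ""), current.check
        else:
            if current is None:
                errors.append((lineno, "indented reply item without a preceding entry"))
                continue
            if closed:
                errors.append((lineno, f"reply item continues entry '{current.name}' "
                                       "after a line without a trailing comma"))
            body, target = line.strip(), current.reply
        items, trailing, unclosed = split_items(body)
        if unclosed:
            errors.append((lineno, "unclosed quote"))
        for item in items:
            match = ITEM_RE.match(item)
            if match:
                target.append(match.groups())
            else:
                errors.append((lineno, f"cannot parse item '{item}'"))
        if indented:
            closed = not trailing
    dangling(len(lines))
    return entries, errors


# constructed sample: the entry from the post, then two deliberately broken entries
USERS_SAMPLE = """\
# constructed sample users file
nw@myrealm Auth-Type := Local,  User-Password == testing
        Service-Type = Framed-User,
        Framed-IP-Address = 172.16.3.33,
        Framed-Protocol = PPP

bob     Auth-Type := Local, User-Password == secret
        Service-Type = Framed-User
        Framed-Protocol = PPP

alice   Auth-Type ~= Local
        Framed-Protocol = "PPP
"""

if __name__ == "__main__":
    found, problems = lint_users(USERS_SAMPLE)
    print(f"{len(found)} entries")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

The missing comma after `Service-Type = Framed-User` in the second entry is the classic mistake: the next indented line no longer belongs to any entry. The third entry shows an unknown operator and an unclosed quote.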


Dynamic Ipaddress using rlm_ippool

2003-01-21 Thread Norbert Wegener
I've got the dynamic ippool handling working.
Looking at the source code, it seems to me that IP addresses are freed
when an Accounting-Stop record comes along.
As those records arrive via udp (true??) some might be lost and the
associated addresses will never be freed.
Is this true? If so: how can those addresses be set to unused during
normal operations?
The module ippool is declared experimental. Does anyone have real
experience with it?

Thanks
Norbert Wegener





proxy cancelled

2003-01-21 Thread Norbert Wegener
I start my freeradius 0.8.1 with /usr/local/sbin/radiusd -i 127.0.0.1 -p 1812 -sfX
and have problems getting proxy authentication working. Without the realm
everything works as expected.
proxy_requests = yes in radiusd.conf

here is my minimal users file:

users:
nw@myrealm Auth-Type := Local,  User-Password == testing
	Service-Type = Framed-User,
	Framed-IP-Address = 172.16.3.33,
	Framed-Protocol = PPP

proxy.conf (only the configuration for the proxy realms; no changes above it):

realm myrealm {
	type		= radius
	authhost	= LOCAL
	accthost	= LOCAL
	strip
}

I get the following:

Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1043, id=45, length=94
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = nw@myrealm
CHAP-Challenge = \207\234\202\201q(\350V\361\371e\206\024\004\277@\t
CHAP-Password = 0x011cf65cb5691e1c9ad695579e01810184
NAS-IP-Address = 123.123.123.123
NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Adding Auth-Type = CHAP
  modcall[authorize]: module chap returns ok
  modcall[authorize]: module mschap returns notfound
rlm_realm: Looking up realm myrealm for User-Name = nw@myrealm
rlm_realm: Found realm myrealm
rlm_realm: Adding Stripped-User-Name = nw
  rlm_realm: Proxying request from user nw to realm myrealm
rlm_realm: Adding Realm = myrealm
rlm_realm:  Authentication realm is LOCAL.
rlm_realm:  auth_port is not set.  proxy cancelled

Where do I have to set an auth_port?

Thanks
Norbert Wegener



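The debug output above shows rlm_chap adding Auth-Type = CHAP for a request carrying CHAP-Challenge and CHAP-Password. As an added example, not code from the thread and not FreeRADIUS' rlm_chap, this is the computation such a verification performs (RFC 1994 response, carried in the RADIUS CHAP-Password attribute as ident byte plus 16-byte MD5 response), together with a decoder for the \NNN escapes that radiusd -X prints for binary values. The challenge, password and dump strings it uses are constructed; the page's own captured values are not checked here.

```python
"""CHAP verification as a RADIUS server performs it.  Illustration written
for this page; the sample values are constructed, not taken from a capture."""
import hashlib
import hmac
import os


def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password(ident, password, challenge):
    """What a NAS puts into CHAP-Password: the 1-byte CHAP ident, then the
    16-byte response (RFC 2865 section 5.3)."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password, challenge, cleartext_password):
    """Server side: recompute the response from the cleartext password on
    file and compare in constant time.  CHAP can only be verified when the
    server knows the cleartext password, which is why the users file in the
    post carries 'User-Password == testing' rather than a hash."""
    if len(chap_password) != 17:
        return False
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)


def decode_octal_escapes(dump):
    """Turn the \\NNN (and \\t etc.) escapes that radiusd -X prints for a
    binary attribute value back into the raw bytes."""
    return dump.encode("latin-1").decode("unicode_escape").encode("latin-1")


if __name__ == "__main__":
    challenge = os.urandom(16)                         # constructed; the NAS picks this
    packet = build_chap_password(0x01, b"testing", challenge)
    print("CHAP-Password = 0x" + packet.hex())
    print("good password :", verify_chap(packet, challenge, b"testing"))
    print("wrong password:", verify_chap(packet, challenge, b"wrong"))
    print("decoded dump  :", decode_octal_escapes("\\001A\\t").hex())
```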


Re: Dynamic Ipaddress using rlm_ippool

2003-01-21 Thread Norbert Wegener


Kostas Kalevras wrote:

On Tue, 21 Jan 2003, Alan DeKok wrote:



Norbert Wegener [EMAIL PROTECTED] wrote:


I've got the dynamic ippool handling working.
Looking at the source code, it seems to me that IP addresses are freed
when an Accounting-Stop record comes along.
As those records arrive via udp (true??) some might be lost and the
associated addresses will never be freed.
Is this true?


 Sort of.  The UDP packets may be lost, but the NAS *should* re-send
them.  If it doesn't, it's broken.



If so: how can those addresses be set to unused during normal
operations?


 Use a non-broken NAS.

 Hmm... the module SHOULD handle the case where a stop is lost
completely (rare, but possible) and a new start packet comes in for
the same port.  I haven't looked at the source to see if/how it does
this, though.



If an Access-Request comes in for a port that already has an assigned IP, that IP
is freed.

This is a reasonable behaviour. Nevertheless I would like to know
whether there is a chance to monitor how many IPs are in use.
Does a tool for this already exist?
Norbert Wegener







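The behaviour Kostas describes (an Access-Request for a port that already holds an address frees that address first) and the monitoring question Norbert asks, as an added toy model written for this page; it is not rlm_ippool's code. Leases are keyed by (NAS address, NAS port), the pool range is the one from the "freeradius and ippools" post, and the NAS addresses and user names in the scenario are constructed.

```python
"""Toy server-side IP pool: allocate at post-auth, free on Accounting-Stop,
and reclaim a port's old lease when the same NAS/port authenticates again
(the case where the Stop was lost).  Illustration for this page, not the
rlm_ippool module."""
import heapq
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    address: ipaddress.IPv4Address
    nas: str
    port: int
    user: str


class IpPool:
    def __init__(self, range_start, range_stop):
        first = int(ipaddress.IPv4Address(range_start))
        last = int(ipaddress.IPv4Address(range_stop))
        # min-heap of free addresses so the lowest free address is handed out first
        self._free = [ipaddress.IPv4Address(a) for a in range(first, last + 1)]
        heapq.heapify(self._free)
        self._leases = {}                     # (nas, port) -> Lease

    def _release(self, key):
        lease = self._leases.pop(key, None)
        if lease is not None:
            heapq.heappush(self._free, lease.address)
        return lease

    def access_request(self, nas, port, user):
        """Post-auth allocation.  A lease still held for this NAS/port means its
        Accounting-Stop never arrived, so it is reclaimed before allocating.
        Returns (address or None when exhausted, reclaimed lease or None)."""
        key = (nas, port)
        reclaimed = self._release(key)
        if not self._free:
            return None, reclaimed
        address = heapq.heappop(self._free)
        self._leases[key] = Lease(address, nas, port, user)
        return address, reclaimed

    def accounting_stop(self, nas, port):
        """Normal release path; returns the freed lease or None if unknown."""
        return self._release((nas, port))

    def in_use(self):
        """The monitoring view asked for in the thread: addresses currently leased."""
        return sorted(lease.address for lease in self._leases.values())

    def stats(self):
        return {"size": len(self._free) + len(self._leases),
                "in_use": len(self._leases), "free": len(self._free)}


def scenario():
    """Constructed sequence: two logins, one clean Stop, one lost Stop."""
    pool = IpPool("192.168.100.20", "192.168.100.40")   # range from the earlier post
    a1, _ = pool.access_request("10.0.0.1", 1, "nw")       # constructed NAS 10.0.0.1
    a2, _ = pool.access_request("10.0.0.1", 2, "bob")
    pool.accounting_stop("10.0.0.1", 2)                    # Stop arrives: .21 freed
    # Stop for port 1 is lost; the lease lingers until port 1 re-authenticates
    a3, reclaimed = pool.access_request("10.0.0.1", 1, "alice")
    return pool, a1, a2, a3, reclaimed


if __name__ == "__main__":
    pool, a1, a2, a3, reclaimed = scenario()
    print("first logins:", a1, a2)
    print("re-auth on port 1 got", a3, "after reclaiming", reclaimed)
    print("in use:", [str(a) for a in pool.in_use()], pool.stats())
```

Without the reclaim step the lost Stop would leave `.20` leased forever; with it, the orphan is bounded to the time until that NAS port is used again, and `in_use()`/`stats()` give the usage view the thread asks for.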


freeradius and ippools

2003-01-20 Thread Norbert Wegener
I have downloaded the actual freeradius sources and wanted to make use
of ippools. The module is still experimental(?), and so I configured fr with
./configure --with-experimental-modules

From raddb/experimental.conf:
#  Do server side ip pool management. Should be added in post-auth and
#  accounting sections.
As the distributed radiusd.conf contains an entry #main_pool in the
post-auth section, I uncommented it. In the accounting section I added
main_pool.

I appended the following to radiusd.conf:

ippool main_pool {
	session-db = /usr/local/etc/raddb/ippool-sess-db
	ip-index = /usr/local/etc/raddb/ippool-idx-db
	range-start = 192.168.100.20
	range-stop  = 192.168.100.40
}

Starting radius with -X gives the following error message: ERROR: Cannot 
find a configuration entry for module main_pool

Supposing I had misunderstood the documentation, I changed the entries in the
accounting and post-auth sections to ippool.
What changed was the error message:
ERROR: Cannot find a configuration entry for module ippool

What am I doing wrong and/or where can I find more documentation about this?
Norbert





Re: freeradius and ippools

2003-01-20 Thread Norbert Wegener
Thank you Alan,
with this little bit of - for me - missing information it nearly worked 
out of the box.
Just another question: How can I query which IP addresses of the pool are
in use? Only pinging them might not be the best solution.
Thanks
Norbert


Alan DeKok wrote:
Norbert Wegener [EMAIL PROTECTED] wrote:


I appended the following to radiusd.conf:

ippool main_pool {
	session-db = /usr/local/etc/raddb/ippool-sess-db
	ip-index = /usr/local/etc/raddb/ippool-idx-db
	range-start = 192.168.100.20
	range-stop  = 192.168.100.40
}

Starting radius with -X gives the following error message: ERROR: Cannot 
find a configuration entry for module main_pool


  Put the configuration into the 'modules' section of radiusd.conf.

  Alan DeKok.




