FreeRadius with EAP/TLS and MAC OS

2004-05-21 Thread ro0ot
Hi,
I have successfully installed and configured FreeRADIUS with EAP/TLS to
work with Windows XP clients (wireless 802.1x authentication).

Now I have one iBook. How can I create a certificate for Mac OS? And
how do I install the cert into Mac OS?

Please help me.  Thank you.
Regards,
ro0ot

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-TLS and WEP key generation

2004-05-21 Thread Chris Bshaw
Hi
Thanx for this reply and your previous one.
I tried the Session-Timeout in the radius users file and it works... so
thanx for that.

To answer one of your questions, on the AP I go to the web interface for the 
AP and in there I go into Associations. I then select my client from the 
list to get its association details and in there it says Encryption = Off. 
I'll try kismet as soon as I can.

As regards the WPA TKIP key management command you mention below, if I 
understand correctly WPA is supposed to be much better than WEP.

Can I (and if so should I) use WPA key management with the setup I have and 
if so how do I configure freeradius for this?

If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be 
secure enough?

Thanx in advance again.
Chris Bradshaw

From: Bob McCormick [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 15:48:35 -0600
On May 20, 2004, at 10:08 AM, Chris Bshaw wrote:
Hi
Thanx to everyone who has replied so far... very helpful. A few more
questions.

Bob... I tried your settings below. My client does connect and I can see
the EAP-TLS exchange via the radiusd debugging info. I also see
MS-MPPE-Recv-Key and MS-MPPE-Send-Key in the debug output, and in
ethereal on the client I see the EAPOL packets. However...

1. Again, both ends say security = none (or Encryption = off)
2. A show logging on the AP has a line like this when a client machine  
associates with it:

*Mar  3 01:26:04.607: %DOT11-6-ASSOC: Interface Dot11Radio0, Station
0009.5b65.d55c Associated KEY_MGMT[NONE]

...is KEY_MGMT[NONE] relevant here?
I think I may have found what that message is referring to.  Under each  
SSID you can put the command authentication key-management { [wpa]  [cckm] 
} [ optional ].  My guess is that you don't have this command.
I believe this is part of enabling TKIP(wpa) or the older Cisco  
proprietary CCKM.

Here's a URL for more info.
http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_command_reference_chapter09186a00801d016c.html#2484789


3. I thought guest-mode meant that anyone could connect without EAP (or
WEP)... am I wrong on this?

4. I set the dynamic rekeying interval to 120 seconds (instead of 600
seconds as you have below)... however, after the first successful
connection, I never see any transaction on the radiusd server... you
mention I should configure the AP to honor the Session-Timeout from the
radius server... should I also set Session-Timeout = 120 on the
freeradius server and if so where? (eg: in the raddb/attrs file?)...

5. Does my client wlan card and/or card driver need to support WEP  
dynamic rekeying? Or is it the w2k supplicant which handles this? (in  
case you missed it below I am using a NetGear WG511 card).

Thanx again in advance
Chris Bradshaw


From: Bob McCormick [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Thu, 20 May 2004 08:54:41 -0600
What kind of cipher suite did you configure on your AP?   For a Cisco  
AP, you should have something like this:

interface Dot11Radio0
 no ip address
 no ip route-cache
 ! # Require wep128 encryption
 encryption mode ciphers wep128
 ! # rotate the broadcast wep key every 10 minutes
 broadcast-key change 600
 ! # Create an SSID named ssid1
 ! # Require EAP authentication
 ! # broadcast the SSID
 ssid ssid1
    authentication open eap eap_methods
    guest-mode
 ! ## set the data rates supported and/or required by the AP
 ! ## These are the rates recommended by Cisco for best throughput
 ! ## for supporting both 802.11b and 802.11g
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

You'll also need to configure the AP to honor the Session-Timeout  value 
returned by the Radius server (by default, Cisco AP's don't).

! ## Tell the AP to honor the Session-Timeout returned by the  Radius 
server
 dot1x reauth-period server

On May 20, 2004, at 3:28 AM, Chris Bshaw wrote:
Hi Andrea
Thanx for the reply. Using ethereal I can see the EAPOL packets on  the 
wireless client.

However, if I go into the status monitor for the wireless card, it
says security = none (it would normally say security = wep if I was using
static non-EAP/TLS wep).

Also, as I mentioned below, the Cisco AP also says that the client  is 
'EAP-associated' but that Encryption is off.

However, everything works... I am connected to the WLAN just
fine... I am just unsure whether or not my connection is encrypted
with a WEP key.

I have read some more on this. I am not sure if I understand this
correctly... so feel free to correct me. Once the mutual authentication
is complete via EAP, the AP maintains per-client WEP  keys which are 
generated once per 1x auth (and can be regenerated  after some period of 
time, e.g. 1 hr) and a broadcast WEP key 

RE: Web based front end?

2004-05-21 Thread Wei Ming Long
Me too! Thanks.

[EMAIL PROTECTED] 05/21/04 03:50AM
I wrote a small one using PHP & MySQL.  Nothing too fancy, just lets you
enter in user info into the applicable tables.  I can share the source
if anyone is interested.

-Original Message-
I'm trying to find out if there is a web based front end for
adding/deleting/modifying the FreeRADIUS users file. I've looked through
the archives and the website and am unable to find any pointers.

Any help is appreciated.

Thanks,
Lance


Re: Web based front end?

2004-05-21 Thread Eric Hannoschoeck
Hello Michael,
I am interested ! ;)
Thanks
Eric
Michael Shanafelt wrote:
I wrote a small one using PHP & MySQL.  Nothing too fancy, just lets you
enter in user info into the applicable tables.  I can share the source
if anyone is interested.
--
Eric Hannoschöck
Universität Duisburg-Essen, Hochschulrechenzentrum, Campus Essen
Dept. Networks and Systems
Mail: [EMAIL PROTECTED]
Tel: +49-(0)201-183-2937   Room SH 305
Fax: +49-(0)201-183-3960   Schützenbahn 70, D-45117 Essen


Re: Web based front end?

2004-05-21 Thread Heiner Ohm
I'm very interested.
Thanks,
Heiner
Michael Shanafelt wrote:
I wrote a small one using PHP & MySQL.  Nothing too fancy, just lets you
enter in user info into the applicable tables.  I can share the source
if anyone is interested.
-Original Message-
From: Lance Uyehara [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 20, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: Web based front end?

I'm trying to find out if there is a web based front end for
adding/deleting/modifying the FreeRADIUS users file. I've looked through
the
archives and the website and am unable to find any pointers.
Any help is appreciated.
Thanks,
Lance


RE: Web based front end?

2004-05-21 Thread Suluck
Hello All,

Errm... if it's not too much trouble, I'm very interested in trying the script out.
Super thanx in advance.  8)



 [EMAIL PROTECTED] wrote:

 I wrote a small one using PHP & MySQL.  Nothing too fancy, just lets you
 enter in user info into the applicable tables.  I can share the source
 if anyone is interested.
 
 -Original Message-
 From: Lance Uyehara [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 20, 2004 3:40 PM
 To: [EMAIL PROTECTED]
 Subject: Web based front end?
 
 I'm trying to find out if there is a web based front end for
 adding/deleting/modifying the FreeRADIUS users file. I've looked through
 the
 archives and the website and am unable to find any pointers.
 
 Any help is appreciated.
 
 Thanks,
 Lance
 
 


Re: RE: Web based front end?

2004-05-21 Thread 1/2D



Yes, bring it on !

- Original Message -
From: Kirti S. Bajwa
To: '[EMAIL PROTECTED]'
Sent: Thursday, May 20, 2004 7:07 PM
Subject: RE: RE: Web based front end?

Me tooo..

-Original Message-
From: Radius [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 20, 2004 6:53 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: Web based front end?

I would also be interested in it.

 I wrote a small one using PHP & MySQL. Nothing too fancy, just
 lets you enter in user info into the applicable tables. I can share
 the source if anyone is interested.

 -Original Message-
 From: Lance Uyehara [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, May 20, 2004 3:40 PM
 To: [EMAIL PROTECTED]
 Subject: Web based front end?

 I'm trying to find out if there is a web based front end for
 adding/deleting/modifying the FreeRADIUS users file. I've looked
 through the archives and the website and am unable to find any
 pointers.

 Any help is appreciated.

 Thanks, Lance


RE: Auth-Problem

2004-05-21 Thread RH List Account
Markus,

Others may disagree, but try making it work with PAP first.  That way you
can debug easier.

Why don't you send us the relevant portion of your users file?

Rob



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus
Ebel
Sent: Monday, May 17, 2004 5:59 AM
To: [EMAIL PROTECTED]
Subject: Auth-Problem

Hi,

I've got an authentication problem with a MAX2000 and freeradius.

Connection profiles configured on freeradius with CLID are working very
well. Only those with username and password are making trouble:
(snip)




Re: Logging to syslog

2004-05-21 Thread Alan DeKok
Felipe Neuwald [EMAIL PROTECTED] wrote:
 anybody know how to make FreeRadius log everything to syslog, not to a
 regular file?

  radiusd -h

  Read it.

  Alan DeKok.



Re: problem with rlm_mysql and passwords with comma

2004-05-21 Thread Stephan Jaeger
Hi,

On Tue, 2004-05-18 at 12:28 -0400, Alan DeKok wrote:
 Stephan Jaeger [EMAIL PROTECTED] wrote:
  since cvs version 1.76 for file /radiusd/src/modules/rlm_sql/sql.c I
  have a problem authenticating users with rlm_mysql which have a , in
  their password. The problem seems to be the call to gettoken() in line
  367, which returns in the argument value only the attribute value from
  the mysql db up to the first comma.
 
   Hmm... that is an issue.
 
   My suggestion would be to either put double quotes around the
 password, or to update sql.c, so that it calls gettoken ONLY if it sees the string
 starting off with ", `, or '

--- sql.c.orig  2004-05-21 16:09:03.0 +0200
+++ sql.c   2004-05-21 16:12:45.0 +0200
@@ -364,7 +364,15 @@
return 0;

ptr = row[3];
-   xlat = gettoken(ptr, value, sizeof(value));
+   xlat = T_INVALID;
+
+   if ((*ptr == '\'') ||
+   (*ptr == '')  ||
+   (*ptr == '`'))
+   xlat = gettoken(ptr, value, sizeof(value));
+   else
+   strNcpy(value, ptr, sizeof(value));
+
switch (xlat) {
/*
 *  Make the full pair now.

Would something like this be ok here?

Regards

Stephan Jaeger




Re: stage 2 : errors

2004-05-21 Thread Alan DeKok
Chelsea Carter [EMAIL PROTECTED] wrote:
 Does this translate into : use the new sql.conf and radiusd.conf files, and
  dont try to use my old ones?

  No.

  Alan DeKok.



Re: to get compiled with rlm_eap_tls

2004-05-21 Thread Alan DeKok
Kevin Jeoung [EMAIL PROTECTED] wrote:
 I want to compile freeradius with rlm_eap_tls.  But, it looks like
 configure could not find proper ssl stuff.

  Try the CVS snapshot.  It is much better at working with OpenSSL.

  Alan DeKok.



Re: windows xp peap authentication via aironet 1200ap

2004-05-21 Thread Alan DeKok
Sven Juergensen [EMAIL PROTECTED] wrote:
 -windows xp (sp1) notebook with wlan adapter and plain peap without any
 certificate checks or anything (is this possible at all?)

  Yes.

 -debian box with freeradius (0.9.3-1), freeradius -X output at the 
 bottom of this email

  0.9.3 doesn't support PEAP.  Try a recent CVS snapshot.

  Alan DeKok.



Re: Documentation Question

2004-05-21 Thread Alan DeKok
Nick Marino [EMAIL PROTECTED] wrote:
 Ok I found that but that applies if FR is managing the ip pools, but in my
 configuration my RAS boxes are actually assigning the ip via pools setup in
 them. Is there a way for FR to request which pool for the ras box to select
 from for specific users when they connect?

$ grep -i pool share/dictionary

  This should be less work than asking questions on the list.

  Alan DeKok.



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Alan DeKok
Chris Bshaw [EMAIL PROTECTED] wrote:
 Can I (and if so should I) use WPA key management with the setup I have and 
 if so how do I configure freeradius for this?

  FreeRADIUS doesn't do WPA or TKIP.

 If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be 
 secure enough?

  Yes.

  Alan DeKok.



Re: Web based front end?

2004-05-21 Thread Alan DeKok
Michael Shanafelt [EMAIL PROTECTED] wrote:
 Anyway, the web app is just a small site that I coded that is very
 specific to the way we use RADIUS for MAC based authentication to our
 wireless LAN.  We use a MySQL database to put the MACs in.

  FreeRADIUS *already* comes with a PHP front-end for administering
users in LDAP & SQL databases.

  How does your project differ from it?

  Alan DeKok.




RE: Web based front end?

2004-05-21 Thread Michael Shanafelt
I don't know, I've never seen it.  It might not.  Looks like a lot of
other people on the list haven't either.

What's it under in the freeRADIUS install?

-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 21, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: Re: Web based front end? 

Michael Shanafelt [EMAIL PROTECTED] wrote:
 Anyway, the web app is just a small site that I coded that is very
 specific to the way we use RADIUS for MAC based authentication to our
 wireless LAN.  We use a MySQL database to put the MACs in.

  FreeRADIUS *already* comes with a PHP front-end for administering
users in LDAP & SQL databases.

  How does your project differ from it?

  Alan DeKok.




Re: problem with rlm_mysql and passwords with comma

2004-05-21 Thread Alan DeKok
Stephan Jaeger [EMAIL PROTECTED] wrote:
   My suggestion would be to either put double quotes around the
  password, or to update sql.c, so that it calls gettoken ONLY if
  it sees the string starting off with ", `, or '
...
 Would something like this be ok here?

  Yes.  I've added the patch, thanks.

  Alan DeKok.



Re: Web based front end?

2004-05-21 Thread Alan DeKok
Michael Shanafelt [EMAIL PROTECTED] wrote:
 I don't know, I've never seen it.  It might not.  Looks like a lot of
 other people on the list haven't either.
 
 What's it under in the freeRADIUS install?

  It's not.  It's in the source tree under dialup_admin.

  After 1.0.0, we're going to take a look at making it part of the
normal install.

  Alan DeKok.



Re: Web based front end?

2004-05-21 Thread Paul Hampson
On Fri, May 21, 2004 at 10:48:46AM -0400, Michael Shanafelt wrote:
 I don't know, I've never seen it.  It might not.  Looks like a lot of
 other people on the list haven't either.

 What's it under in the freeRADIUS install?

If you're building Debian packages from current snapshots, it's
freeradius-dialupadmin

-- 
Paul TBBle Hampson, on an alternate email client.



Re: problem with rlm_mysql and passwords with comma

2004-05-21 Thread Paul Hampson
On Fri, May 21, 2004 at 11:18:32AM -0400, Alan DeKok wrote:
 [EMAIL PROTECTED] (Paul Hampson) wrote:
  Wouldn't this make strings that start with " and also contain ' break?
 
   Yes, but those are less likely than commas.
 
   It's hard to add new features without changing the way the server
 works.  If you wanted to be a little more careful, you'd also check
 that the LAST character in the string was the same as the first
 character.  That would eliminate almost all of the false positives.
 
  As far as SQL goes, I can't see that we need to do an xlat on single
  or double-quoted strings, only backquoted strings.
 
   My preference is to move to doing dynamic expansion on *all*
 double-quoted strings.

Well, add T_DOUBLE_QUOTED_STRING and T_SINGLE_QUOTED_STRING to the cases
that do the later xlat... Although you're right, we _should_ in those
cases check that the last character of the original value is equal to the
first.

In fact, we'd _have_ to add T_DOUBLE_QUOTED_STRING and
T_SINGLE_QUOTED_STRING anyway, to allow values that start with `. X-(

So, even though you've committed the other patch, I feel the following
is better, as it saves an unnecessary string copy, and I think it's
clearer. On the other hand, it does call gettoken always, so maybe it
should key off the initial character, and use row[3] when gettoken's not
needed.

(Not a patch, just a codeblock)

/* Empty-value guard added: strlen(row[3]) - 1 would otherwise underflow. */
if (row[3][0] == '\0' || row[3][0] != row[3][strlen(row[3]) - 1]) {
        /* String starts and ends differently. Take it literally */
        pair = pairmake(row[2], row[3], pairmode);
} else {
        /* First and last characters match: let gettoken() decide whether
         * this is a quoted string and strip the quotes into value. */
        ptr = row[3];
        xlat = gettoken(&ptr, value, sizeof(value));
        switch (xlat) {
        /*
         *  Make the full pair now.
         */
        default:
                pair = pairmake(row[2], row[3], pairmode);
                break;

        case T_SINGLE_QUOTED_STRING:
        case T_DOUBLE_QUOTED_STRING:
                pair = pairmake(row[2], value, pairmode);
                break;

        /*
         *  Mark the pair to be allocated later.
         */
        case T_BACK_QUOTED_STRING:
                pair = pairmake(row[2], NULL, pairmode);
                if (pair) {
                        pair->flags.do_xlat = 1;
                        strNcpy(pair->strvalue, value, sizeof(pair->strvalue));
                        pair->length = 0;
                }
                break;
        }
}

-- 
Paul TBBle Hampson, on an alternate email client.

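The quoting rule discussed in this thread (Stephan's sql.c patch above and Paul's code block here), as an added stand-alone example rather than FreeRADIUS code: a value from the SQL row is treated as quoted only when its first and last characters are the same quote character, otherwise it is kept literally, commas included. The type and function names (token_t, sql_pair, classify_value, make_sql_pair, old_gettoken_copy) are assumptions; the T_* constants mirror the names used in the thread, and the sample values are constructed.

```c
/*
 * Added example, not FreeRADIUS code. It models the rlm_sql problem from
 * this thread: the old path tokenised row[3] with gettoken(), which stops
 * at the first comma, so a password such as "pa,ss" arrived as "pa". The
 * fix discussed here treats the value literally unless it is wrapped in
 * matching quote characters (first and last character identical), and
 * defers expansion only for backquoted values. Names here are assumptions;
 * the T_* constants mirror the names used in the thread.
 */
#include <stdio.h>
#include <string.h>

typedef enum {
    T_INVALID = 0,
    T_BARE_WORD,              /* unquoted: kept verbatim, commas and all */
    T_SINGLE_QUOTED_STRING,
    T_DOUBLE_QUOTED_STRING,
    T_BACK_QUOTED_STRING      /* text to be expanded (xlat) later */
} token_t;

/* Minimal value pair: only the fields the thread's code block touches. */
typedef struct {
    char value[256];
    int  do_xlat;             /* 1 when expansion is deferred */
} sql_pair;

/* Stand-in for the old comma-stopping behaviour, kept only so the bug is
 * visible next to the fix: copies up to the first comma or end of string. */
static void old_gettoken_copy(const char *in, char *out, size_t outlen)
{
    size_t n = strcspn(in, ",");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, in, n);
    out[n] = '\0';
}

/* Fixed behaviour: a value is a quoted string only when its first and last
 * characters are the same quote character; the quotes are then stripped.
 * Anything else, including a lone leading quote, is a bare word. */
static token_t classify_value(const char *in, char *out, size_t outlen)
{
    size_t len = strlen(in);
    char q = in[0];
    token_t t = T_BARE_WORD;

    if (len >= 2 && (q == '\'' || q == '"' || q == '`') && in[len - 1] == q) {
        t = (q == '\'') ? T_SINGLE_QUOTED_STRING
          : (q == '"')  ? T_DOUBLE_QUOTED_STRING
          :               T_BACK_QUOTED_STRING;
        in++;
        len -= 2;
    }
    if (len >= outlen) len = outlen - 1;
    memcpy(out, in, len);
    out[len] = '\0';
    return t;
}

/* Build the pair the way the thread's switch does: literal row[3] for bare
 * words, unquoted text for quoted strings, deferred expansion for backquotes. */
static token_t make_sql_pair(const char *row3, sql_pair *p)
{
    char value[256];
    token_t t = classify_value(row3, value, sizeof(value));
    const char *src = row3;

    p->do_xlat = 0;
    switch (t) {
    case T_BACK_QUOTED_STRING:
        p->do_xlat = 1;          /* expand %{...} later, not now */
        /* fall through */
    case T_SINGLE_QUOTED_STRING:
    case T_DOUBLE_QUOTED_STRING:
        src = value;
        break;
    default:
        break;                   /* T_BARE_WORD: use row[3] untouched */
    }
    strncpy(p->value, src, sizeof(p->value) - 1);
    p->value[sizeof(p->value) - 1] = '\0';
    return t;
}

int main(void)
{
    /* Constructed sample values for the row[3] column. */
    const char *rows[] = { "pa,ss,word", "'pa,ss'", "\"it's\"",
                           "`%{User-Name}`", "'unbalanced" };
    char old[256];
    sql_pair p;

    for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++) {
        old_gettoken_copy(rows[i], old, sizeof(old));
        token_t t = make_sql_pair(rows[i], &p);
        printf("%-16s old=%-12s fixed=%-14s token=%d do_xlat=%d\n",
               rows[i], old, p.value, (int)t, p.do_xlat);
    }
    return 0;
}
```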


Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
Errr.. That's because Freeradius doesn't have to.  WPA is a combination 
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be 
supported by your AP and your client (supplicant), but the radius 
server doesn't need to know anything about it.   I've tested WPA with a 
Cisco 1100 AP, Freeradius (for the 802.1x authentication) and both  
Windows XP and Mac OSX 10.3 clients.  It works great.

On May 21, 2004, at 8:34 AM, Alan DeKok wrote:
Chris Bshaw [EMAIL PROTECTED] wrote:
Can I (and if so should I) use WPA key management with the setup I 
have and
if so how do I configure freeradius for this?
  FreeRADIUS doesn't do WPA or TKIP.
If I can't use WPA, is EAP-TLS + regular WEP rekeying considered to be
secure enough?
  Yes.
  Alan DeKok.


Re: Documentation Question

2004-05-21 Thread Nick Marino

- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 21, 2004 9:33 AM
Subject: Re: Documentation Question


 Nick Marino [EMAIL PROTECTED] wrote:
  Ok I found that but that applies if FR is managing the ip pools, but in
my
  configuration my RAS boxes are actually assigning the ip via pools setup
in
  them. Is there a way for FR to request which pool for the ras box to
select
  from for specific users when they connect?

 $ grep -i pool share/dictionary

   This should be less work than asking questions on the list.

   Alan DeKok.


Then whats the point have this list in the first place.

Just a place for you to insult people that don't know as much about FR as
you do.

Don't worry I won't post here anymore. I have had just about enough of your
rudeness.




Re: MySQL Digest

2004-05-21 Thread [EMAIL PROTECTED]
Thanks Alan DeKok. One more question: I need to change sql.conf too to use
the MySQL schema, because I use SER (SIP Express Router) with freeradius
and the logs are written in files or written in MySQL. Can you send me one
example?

Thanks a lot

Welesley Sibelson Dias

> "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> > How to use MySQL for store users using Digest:
> > this is put in users file:
>
> ...
>
>   The MySQL schema is intended to mirror the "users" file.  So you can
> put those attributes into the check, and reply tables in MySQL.
>
>   Alan DeKok.









Re: Documentation Question

2004-05-21 Thread Alan DeKok
Nick Marino [EMAIL PROTECTED] wrote:
This should be less work than asking questions on the list.
 
 Then whats the point have this list in the first place.

  The list is for complicated questions that can't be answered by the
existing documentation.

  Since you've made it clear you're not willing to read the existing
documentation or files in the server, I don't see why you would bother
reading responses on the list.  It just doesn't make sense to me.

  The only reason I can think of for asking such questions on the list
is that you want someone to hold your hand, and to do the work for you
that you're unwilling to do yourself.

 Just a place for you to insult people that don't know as much about FR as
 you do.

  I didn't insult you, unless you believe that being asked to do work
for yourself is insulting.

  And if you're too lazy to do any work to solve your problems, why
the heck should I do any work to help you?

 Don't worry I won't post here anymore. I have had just about enough of your
 rudeness.

  Great.  You're not only unwilling to do any work, you're unwilling
to learn, and you're unwilling to follow the instructions of the one
person who bothered answering your question.

  You're not posting on this list to get your questions answered.  If
you were, you would stay here, even despite my rudeness, because
your questions are being answered.

  So my only conclusion is that you're posting to the list to have
some on-line friends to talk to.  Sorry, I don't play that way.

  Alan DeKok.



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
To add to the WPA confusion, there are actually two types of
authentication within the WPA standard.   There's 802.1x + TKIP + MIC
for enterprises, then there's something called WPA personal that's for
home users or really small businesses that don't have a Radius server.

BTW.   I've got an MS-Word doc with screenshots for how to configure XP
for PEAP.   I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
Bob McCormick [EMAIL PROTECTED] wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a 
combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.
  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
network key (i.e. wpa), but refuses to authenticate via PEAP.
  Alan DeKok.


Re: EAP-TLS and WEP key generation

2004-05-21 Thread Chris Bshaw
Hi all
Thanx for all the info. I would certainly like to see your Word doc on the 
subject.

Yet another question... is there any advantage to using 802.1x + TKIP + MIC
instead of the config you helped me get working?

TIA
Chris.


From: Bob McCormick [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation
Date: Fri, 21 May 2004 10:04:03 -0600

To add to the WPA confusion, there are actually two types of
authentication within the WPA standard.   There's 802.1x + TKIP + MIC for
enterprises, then there's something called WPA personal that's for home
users or really small businesses that don't have a Radius server.

BTW.   I've got an MS-Word doc with screenshots for how to configure XP for
PEAP.   I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:
Bob McCormick [EMAIL PROTECTED] wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.
  Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
network key (i.e. wpa), but refuses to authenticate via PEAP.
  Alan DeKok.


Re: Logging to syslog

2004-05-21 Thread Felipe Neuwald
Alan,

I'm running 'radiusd -l syslog' and the logs aren't going to syslog.

-- 
Felipe Neuwald
[EMAIL PROTECTED]
+55 61 3038-5038
+55 61 8135-8918
--
Chave pública PGP / PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x8AE508F3

On Fri, 2004-05-21 at 11:20, Alan DeKok wrote:
 Felipe Neuwald [EMAIL PROTECTED] wrote:
  anybody know how to make FreeRadius log everything to syslog, not to a
  regular file?
 
   radiusd -h
 
   Read it.
 
   Alan DeKok.
 


Re: Logging to syslog

2004-05-21 Thread Felipe Neuwald
Just to complete:

I'm running 'radiusd -l syslog' and it's still logging to
/var/log/radius.log.

-- 
Felipe Neuwald
[EMAIL PROTECTED]
+55 61 3038-5038
+55 61 8135-8918
--
Chave pública PGP / PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x8AE508F3

On Fri, 2004-05-21 at 11:20, Alan DeKok wrote:
 Felipe Neuwald [EMAIL PROTECTED] wrote:
  anybody know how to make FreeRadius log everything to syslog, not to a
  regular file?
 
   radiusd -h
 
   Read it.
 
   Alan DeKok.
 


MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Hi,
  I'm trying to use Freeradius to authenticate users in a wireless 
network.  I don't wish to use certificates at all.  I have read the FAQ 
and all the documentation I have found on this.  Most of the clients 
will be running Windows XP.  From what I've read it looks like I will 
need to use mschapv2 and peap.  I have downloaded the latest snapshot 
from CVS.   The comments in the eap.conf file say you need to configure 
the TLS module.  I'm not quite sure how to do this if I'm not using 
certificates.  The daemon won't start unless I uncomment out a few lines 
such as the path to the certificate files.  I configured my wireless AP 
to use FR and tried authenticating with a Windows XP client but all 
authentication requests are rejected.  I'm not sure if I have 
misconfigured FR or the clients or both.  I can authenticate with the 
radtest client as shown in the documentation.  I ran FR in debugging 
mode and I've pasted the output below.   I've tried different client 
configurations and played with the conf files quite a bit but haven't 
had any luck.  I'm new to FR and would appreciate (do not expect) any 
help with this.  

TIA,
   Barry Stewart

Thread 3 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=39, 
length=188
Waking up in 31 seconds...
Thread 4 got semaphore
Thread 4 handling request 8, (2 handled so far)
   User-Name = bstewart
   NAS-IP-Address = 192.168.1.2
   Called-Station-Id = 00-20-a6-49-0f-4d
   Calling-Station-Id = 00-90-96-a5-ec-7d
   NAS-Identifier = Dell-TM-1170-AP-49-0f-4d
   State = 0x725a135fbfed24a58909bf4b8e16b9c0
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 
0x020a00261900170301001b53eae4429458cf05748e6a4945a011f0302d3bec929711b1a42eb0
   Message-Authenticator = 0xe999651b7458764e92f923df04422e0a
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module preprocess returns ok for request 8
 modcall[authorize]: module chap returns noop for request 8
 modcall[authorize]: module mschap returns noop for request 8
   rlm_realm: No '@' in User-Name = bstewart, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 8
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 8
   users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 8



RE: EAP-TLS and WEP key generation

2004-05-21 Thread Jeff Bilder
is it possible to have wireless linux users authenticate with EAP?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Chris
Bshaw
Sent: Friday, May 21, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation


Hi all

Thanx for all the info. I would certainly like to see your Word doc on the 
subject.

Yet another question: is there any advantage to using 802.1x + TKIP + MIC 
instead of the config you helped me get working?

TIA

Chris.




From: Bob McCormick [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EAP-TLS and WEP key generation Date: Fri, 21 May 2004 10:04:03 
-0600

To add to the WPA confusion, there are actually two types of 
authentication within the WPA standard. There's 802.1x + TKIP + MIC for 
enterprises, then there's something called WPA personal that's for home 
users or really small businesses that don't have a Radius server.

BTW. I've got an MS-Word doc with screenshots for how to configure XP for 
PEAP. I could post it to the list if you'd like?

On May 21, 2004, at 10:02 AM, Alan DeKok wrote:

Bob McCormick [EMAIL PROTECTED] wrote:
Errr.. That's because Freeradius doesn't have to.  WPA is a combination
of 802.1x authentication, TKIP and MIC.  TKIP and MIC need to be
supported by your AP and your client (supplicant), but the radius
server doesn't need to know anything about it.

   Hmm... Ok.  Now I have to figure out why my XP laptop asks for a
network key (i.e. wpa), but refuses to authenticate via PEAP.

   Alan DeKok.




Re: Documentation Question

2004-05-21 Thread Nick Taylor
   You're not posting on this list to get your questions answered.  If
 you were, you would stay here, even despite my rudeness, because
 your questions are being answered.

   So my only conclusion is that you're posting to the list to have
 some on-line friends to talk to.  Sorry, I don't play that way.

   Alan DeKok.

But, Alan, you gave such good answers to my questions a few months back, I
read all the messages you post to the list, just to enjoy your enlightened
perspective on radius.  I thought you were my on-line friend.  (even if
maybe you don't know who I am)

Incidentally, since my initial posting, freeradius has been running like a
champ.  We've added two new servers, and now it does all of our wireless
and dialup auth and accounting, postgresql works well, thanks to some
understanding I gained from the list.  Even if we can't be friends, thanks
to everyone for producing and _supporting_ such a useful and robust
product in open source!



Filed to link EAP-Type/md5: file not found

2004-05-21 Thread Henry Le
Hi all,

Would anybody please help me with this? I have installed Freeradius-0.9.3 on my Red 
Hat Linux 9.0. I run Freeradius in debug mode and get this error; how can I fix it? 

Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
rlm_eap: Filed to link EAP-Type/md5: file not found

Build it with disable-share option before install it

Thanks

Hung



Re: EAP-TLS and WEP key generation

2004-05-21 Thread Bob McCormick
Sure, you just need an 802.1x supplicant (just like you would for any 
other OS). These are the ones I know of for Linux:

Xsupplicant (OpenSource)
http://open1x.sourceforge.net/
Meetinghouse Aegis client (Commercial Proprietary)
http://www.mtghouse.com/products/aegisclient/index.shtml
On May 21, 2004, at 10:55 AM, Jeff Bilder wrote:
is it possible to have wireless linux users authenticate with EAP?


Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Thanks,
   It makes more sense now.  I'll give it a try!
Bob McCormick wrote:
PEAP requires a certificate for the server, but not for the 
clients. Freeradius comes with some scripts for generating a self 
signed certificate, or you can buy one from Verisign or Thawte.


On May 21, 2004, at 10:47 AM, Barry Stewart wrote:
Hi,
I'm trying to use Freeradius to authenticate users in a wireless 
network. I don't wish to use certificates at all. I have read the 
FAQ and all the documentation I have found on this. Most of the 
clients will be running Windows XP. From what I've read it looks 
like I will need to use mschapv2 and peap. I have downloaded the 
latest snapshot from CVS. The comments in the eap.conf file say 
you need to configure the TLS module. I'm not quite sure how to do 
this if I'm not using certificates. The daemon won't start unless I 
uncomment a few lines such as the path to the certificate 
files. I configured my wireless AP to use FR and tried 
authenticating with a Windows XP client but all authentication 
requests are rejected. I'm not sure if I have misconfigured FR or 
the clients or both. I can authenticate with the radtest client as 
shown in the documentation. I ran FR in debugging mode and I've 
pasted the output below. I've tried different client 
configurations and played with the conf files quite a bit but 
haven't had any luck. I'm new to FR and would appreciate (do not 
expect) any help with this.
TIA,

   Barry Stewart

Thread 3 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=39,  
length=188
Waking up in 31 seconds...
Thread 4 got semaphore
Thread 4 handling request 8, (2 handled so far)
   User-Name = bstewart
   NAS-IP-Address = 192.168.1.2
   Called-Station-Id = 00-20-a6-49-0f-4d
   Calling-Station-Id = 00-90-96-a5-ec-7d
   NAS-Identifier = Dell-TM-1170-AP-49-0f-4d
   State = 0x725a135fbfed24a58909bf4b8e16b9c0
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   EAP-Message =  
0x020a00261900170301001b53eae4429458cf05748e6a4945a011f0302d3bec929711b 
1a42eb0
   Message-Authenticator = 0xe999651b7458764e92f923df04422e0a
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module preprocess returns ok for request 8
 modcall[authorize]: module chap returns noop for request 8
 modcall[authorize]: module mschap returns noop for request 8
   rlm_realm: No '@' in User-Name = bstewart, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 8
 rlm_eap: EAP packet type response id 10 length 38
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 8
   users: Matched DEFAULT at 152
 modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: Received EAP-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 8

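A triage script for debug output of the kind quoted in this message, added here as an example and not code from the thread or from FreeRADIUS. It pulls the request attributes, the per-module return codes and the EAP failure line out of "radiusd -X" output so the failing layer is visible at a glance: in the output above the TLS tunnel came up ("Session established") and it was the inner, tunneled method that was refused, which points at the users file or password source rather than at certificates. The line formats are those of the quoted output; the sample input is that output, trimmed, and anything beyond those formats is an assumption of this script.

```python
"""Triage helper for FreeRADIUS `radiusd -X` debug output.

Added example, not code from the thread or from FreeRADIUS. Line formats are
those of the debug output quoted in the thread; the sample below is that
output, trimmed. Anything beyond those formats is an assumption of this script.
"""
import re

# Sample input: trimmed copy of the debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.2:6001, id=39, length=188
   User-Name = bstewart
   NAS-IP-Address = 192.168.1.2
   Called-Station-Id = 00-20-a6-49-0f-4d
   Calling-Station-Id = 00-90-96-a5-ec-7d
   NAS-Port-Type = Wireless-802.11
   Message-Authenticator = 0xe999651b7458764e92f923df04422e0a
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module preprocess returns ok for request 8
 modcall[authorize]: module suffix returns noop for request 8
 modcall[authorize]: module eap returns updated for request 8
 modcall[authorize]: module files returns ok for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: EAP/peap
 rlm_eap_tls: Done initial handshake
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap:  Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 modcall[authenticate]: module eap returns invalid for request 8
"""

PACKET_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+):(\d+), id=(\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
MODCALL_RE = re.compile(r"^\s*modcall\[(\w+)\]: module (\S+) returns (\w+) for request \d+$")
EAP_TYPE_RE = re.compile(r"^\s*rlm_eap: EAP/(\w+)$")
REJECT_RE = re.compile(r"^\s*rlm_\w+:\s+(.*rejecting\.)$")

# Return codes from the last module in "authenticate" that mean Access-Reject.
FAILING_RCODES = {"reject", "invalid", "fail", "userlock", "notfound"}


def summarise(log_text):
    """Reduce one request's debug output to a dict a human can read at a glance."""
    s = {
        "packet": None,
        "attributes": {},
        "modules": {},  # section -> [(module, rcode), ...] in call order
        "eap_type": None,
        "tunnel_established": False,
        "reject_reason": None,
        "outcome": "unknown",
    }
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            s["packet"] = {"type": m.group(1), "nas": m.group(2),
                           "port": int(m.group(3)), "id": int(m.group(4))}
            continue
        m = ATTR_RE.match(line)
        if m:
            s["attributes"][m.group(1)] = m.group(2)
            continue
        m = MODCALL_RE.match(line)
        if m:
            section, module, rcode = m.groups()
            s["modules"].setdefault(section, []).append((module, rcode))
            continue
        m = EAP_TYPE_RE.match(line)
        if m:
            s["eap_type"] = m.group(1)
            continue
        if "Session established" in line:  # TLS phase of PEAP/TTLS completed
            s["tunnel_established"] = True
            continue
        m = REJECT_RE.match(line)
        if m:
            s["reject_reason"] = m.group(1)
    auth = s["modules"].get("authenticate")
    if auth:
        s["outcome"] = "rejected" if auth[-1][1] in FAILING_RCODES else "accepted"
    return s


def diagnose(summary):
    """Point at the layer that failed, using only what the debug output says."""
    if summary["outcome"] != "rejected":
        return "no rejection seen in the authenticate section"
    if summary["eap_type"] in ("peap", "ttls") and summary["tunnel_established"]:
        return ("inner authentication rejected after the TLS tunnel came up: "
                "check the inner method and the users file / password source, "
                "not the server certificate")
    if summary["eap_type"] in ("peap", "ttls", "tls"):
        return "TLS handshake never completed: check certificates and client trust settings"
    return "rejected by module %s in authenticate" % summary["modules"]["authenticate"][-1][0]


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(result["attributes"].get("User-Name"), result["outcome"], result["reject_reason"])
    print(diagnose(result))
```

Feed it one request's worth of output (from "rad_recv:" to the final "modcall[authenticate]" line); the attribute dictionary also gives the Calling-Station-Id, which is the client MAC to match against the AP's own association log.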


new to radius

2004-05-21 Thread Jason Brunk
I have a wireless router that has radius server support in it.

What I am trying to do is get the radius server set up to do the accounting 
and authentication. I was told by the company that I bought the router from 
that I could use just Login-User as the service type and that would be the 
basics I needed. I have the radius server running, and I even have it as far 
as storing the data in the mysql db. However, when I try to authenticate from 
the router I see that the service-type is always Framed-User and that's it. 
But the radtest command works fine and sends back the access-accept packet.

I could use some help if anyone is willing to help me out.

Jason


Forwarding accounting information

2004-05-21 Thread Evan Stenmark
How can I forward accounting packets from the freeradius server to a billing server 
(BillMax) that is behind a firewall?
for example
NAS - Freeradius - router (firewall) - BillMax Billing server

the two servers are physically close together (so I suppose I could just connect them 
directly together with an extra NIC in each, but I don't think that is the best 
solution)

(Originally I was trying to think of how to get the NAS to send the accounting 
information straight to BillMax and then I would know how to forward the packets on to 
the Freeradius server, but I believe that would require us to take BillMax from behind 
the firewall)

Any insight is appreciated,
Evan Stenmark



Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
I looked into the certificates a bit and I found the scripts for 
generating them.  I can certainly create certs and I can create my own 
CA. However, I'm not sure this is my problem now as FR comes with 
sample certs and the lines in eap.conf point to these.  If I change the 
password in eap.conf FR won't start.  It looks like it is working with 
the included certs.  Please correct me if I'm wrong.

   Thanks again for your response.
-Barry


Re: Forwarding accounting information

2004-05-21 Thread Evan Stenmark
I'm sorry,
That was a stupid question
I know how to set that up (as simple as just forwarding port 1813 data in the router to 
the BillMax server)

(But if you have anything else to add, go for it)

Evan Stenmark



Re: Creating a Solaris package - HOWTO?

2004-05-21 Thread Alan DeKok
John Bossert [EMAIL PROTECTED] wrote:
 I'm trying to create a Solaris (Solaris9) package for FreeRadius. 
 However, when I try to create a prepackaging directory structure with 
 the following command:
 
 make install DESTDIR=/home/jbossert/rad-pkg

  Where does DESTDIR come from?  Nothing in the server leads you to
believe that will work.

 I get the following errors:
 
 /home/jbossert/freeradius-0.9.3/install-sh -c -d -m 755 /usr/local/sbin
 /home/jbossert/freeradius-0.9.3/install-sh -c -d -m 755 /usr/local/bin
 /home/jbossert/freeradius-0.9.3/install-sh -c -d -m 755 /etc/raddb
 mkdir: Failed to make directory /etc/raddb; Permission denied

  And you should note that it's not using the DESTDIR you supplied.

 What's my error/workaround for this problem?  I want /etc/raddb in 
 this case to be created under /home/jbossert/rad-pkg (relative vs 
 absolute path) and all other directories/files to be similarly placed.

  Do:

$ make install R=/home/jbossert/rad-pkg

  See the top-level Makefile.  It uses $(R) all over the place.

  Alan DeKok.



Re: auth against postgresql

2004-05-21 Thread Alan DeKok
Xavier Romero [EMAIL PROTECTED] wrote:
 I know that's a noobish question, but... I cannot figure out how to get
 freeradius authenticating against my postgresql database.

  You can't.  You don't want to do that.

  Put the passwords in the SQL database, and the server will figure it
out on its own.

  Alan DeKok.




Re: MS-CHAP/PEAP

2004-05-21 Thread Barry Stewart
Thanks for the response,
Bob McCormick clued me in on this.  I thought this was about client 
certs.  I have been successful authenticating with PEAP thanks to Kerry 
Hughes.  I didn't have the users file configured right as I was 
including Auth-Type in the following line:

userid User-Password == mypassword

Now I am trying to get this working with LDAP.  According to the docs 
there is a way to get the password from LDAP and then authenticate using 
CHAP.  Is there a way to do this with PEAP/MS-CHAP?
The passwords in the LDAP directory are encrypted. 

Thanks again,
-Barry
 

Alan DeKok wrote:
Barry Stewart [EMAIL PROTECTED] wrote:

  I'm trying to use Freeradius to authenticate users in a wireless 
network.  I don't wish to use certificates at all.

 Then you can't authenticate users in a wireless network.

From what I've read it looks like I will need to use mschapv2 and
peap.

 Which requires the use of a server-side certificate.

The comments in the eap.conf file say you need to configure 
the TLS module.

 To use PEAP, yes.

I'm not quite sure how to do this if I'm not using certificates.

 You can't.  It's impossible.

The daemon won't start unless I uncomment out a few lines such as
the path to the certificate files.

 Exactly.
 Alan DeKok.


WPA Support

2004-05-21 Thread Tomasz Szymanski
Does FreeRadius support WPA standard?



Re: WPA Support

2004-05-21 Thread Paul Bender
Yes.
Tomasz Szymanski wrote:
Does FreeRadius support WPA standard?


how to change the proxy realm in the User-Name

2004-05-21 Thread Dave Mason
Hi,
I have an application where I need to programmatically change the realm 
I proxy Accounting-Request messages to if the incoming realm is some 
known value.  I have a preacct function that looks for the particular 
realm in the User-Name, and if it's there, it adds a Realm attribute to 
request->packet->vps and a Proxy-To-Realm attribute to 
request->config_items.  In radiusd.conf I put this before suffix, so 
rlm_realm doesn't do anything.  This sets up the proxy to the new realm, 
but the User-Name in the proxy packet still has the original realm, and 
I need to switch it to the new one.

I tried writing a pre-proxy function that looks for User-Name in 
request->proxy->vps, deletes it, and adds a new one with my new 
realm substituted for the old one.  That function appears to work, but 
radiusd crashes in rad_send (radius.c) in the following code block, on 
the line if ((VENDOR

     for (reply = packet->vps; reply; reply = reply->next) {
         /*
          *	Ignore non-wire attributes
          */
         if ((VENDOR(reply->attribute) == 0) &&
             ((reply->attribute & 0xFFFF) > 0xff)) {
             continue;
         }
 
I suspect I mangled the request proxy packet somehow.  Is there a better 
way to do this?

Dave
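The attribute-list manipulation discussed above, modelled in Python as an added example (not code from the thread or from FreeRADIUS): the realm in User-Name is rewritten by replacing the pair in position rather than deleting and re-adding it, and the same "ignore non-wire attributes" test that the quoted rad_send() loop performs is applied so that server-internal attributes such as Realm and Proxy-To-Realm never go onto the wire. User-Name (1), NAS-IP-Address (4), Acct-Status-Type (40) and Acct-Session-Id (44) are RFC 2865/2866 numbers and 9 is Cisco's vendor id; the ids used for the two internal attributes are constructed stand-ins (above 255 with vendor 0, as the loop expects), not the real dictionary values, and the sample request is constructed.

```python
"""Rewrite the realm in User-Name before proxying and keep only wire attributes.

Added example, not code from the thread or from FreeRADIUS. The attribute
list is modelled as plain Python objects; the ids of the two server-internal
attributes are constructed stand-ins, not the real dictionary values.
"""
from dataclasses import dataclass, replace

USER_NAME = 1          # RFC 2865
NAS_IP_ADDRESS = 4     # RFC 2865
ACCT_STATUS_TYPE = 40  # RFC 2866
ACCT_SESSION_ID = 44   # RFC 2866
VENDOR_CISCO = 9
# Constructed stand-ins: internal attributes have vendor 0 and a number > 255.
INTERNAL_REALM = 1900
INTERNAL_PROXY_TO_REALM = 1901


@dataclass(frozen=True)
class ValuePair:
    name: str
    attribute: int   # (vendor << 16) | attr, the layout FreeRADIUS uses
    value: str


def vendor(attribute):
    """Same split as the VENDOR() macro: the high 16 bits hold the vendor id."""
    return attribute >> 16


def is_wire_attribute(vp):
    """The test from rad_send(): vendor-0 attributes above 255 are internal only."""
    return not (vendor(vp.attribute) == 0 and (vp.attribute & 0xFFFF) > 0xFF)


def rewrite_realm(vps, realm_map, delimiter="@"):
    """Return a new list in which User-Name's realm is swapped per realm_map.

    The pair is replaced in position, so the rest of the list is untouched.
    Names without a realm, and realms not in the map, pass through unchanged.
    The last delimiter is treated as the realm separator; realm matching is
    case-insensitive.
    """
    out = []
    for vp in vps:
        if vp.attribute == USER_NAME and delimiter in vp.value:
            user, _, realm = vp.value.rpartition(delimiter)
            target = realm_map.get(realm.lower())
            if target is not None:
                vp = replace(vp, value=f"{user}{delimiter}{target}")
        out.append(vp)
    return out


def build_proxy_vps(request_vps, realm_map):
    """Produce the attribute list that would go to the home server.

    Returns (wire_vps, dropped_names): the rewritten, wire-only list and the
    names of the internal attributes that were left behind.
    """
    rewritten = rewrite_realm(request_vps, realm_map)
    wire = [vp for vp in rewritten if is_wire_attribute(vp)]
    dropped = [vp.name for vp in rewritten if not is_wire_attribute(vp)]
    return wire, dropped


# Constructed sample Accounting-Request: the preacct hook has already added
# the two internal attributes that steer the proxy decision.
SAMPLE_REQUEST = [
    ValuePair("User-Name", USER_NAME, "dave@old.example"),
    ValuePair("NAS-IP-Address", NAS_IP_ADDRESS, "192.168.1.2"),
    ValuePair("Acct-Status-Type", ACCT_STATUS_TYPE, "Start"),
    ValuePair("Acct-Session-Id", ACCT_SESSION_ID, "0000A1B2"),
    ValuePair("Cisco-AVPair", (VENDOR_CISCO << 16) | 1, "connect-progress=Call Up"),
    ValuePair("Realm", INTERNAL_REALM, "new.example"),
    ValuePair("Proxy-To-Realm", INTERNAL_PROXY_TO_REALM, "new.example"),
]
REALM_MAP = {"old.example": "new.example"}

if __name__ == "__main__":
    wire, dropped = build_proxy_vps(SAMPLE_REQUEST, REALM_MAP)
    for vp in wire:
        print(f"{vp.name} = {vp.value}")
    print("not sent:", ", ".join(dropped))
```

Replacing the pair in place is the point: the loop quoted above walks the list by following each pair's next pointer, so any deletion-and-append that leaves a stale pointer behind is what it will trip over.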


Re: FreeRadius with EAP/TLS and MAC OS

2004-05-21 Thread Kevin
Hi,
What version of openssl and freeradius did you use?
I want to compile freeradius with rlm_eap_tls on solaris but have had 
trouble.

Kevin
ro0ot wrote:
Hi,
I follow the below documentation: -
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
Regards,
ro0ot
Szabo David wrote:
Hi,
Can you describe how you did that (EAP/TLS+WinXP), because I 
wasn't able
to. What should I set up in WinXP? Do you use certificates?
Thanks,

David
--- Original Message -
I have successfully installed and configured FreeRadius with EAP/TLS to
work with a Windows XP client (wireless 802.1x authentication)



Do I have unneeded modules enabled?

2004-05-21 Thread Chelsea Carter
Hi again. First off, thanks Alan, your tips got me going in the right direction. 
Unfortunately I don't get to play with radius very much, so it takes me a bit to get 
back in gear after 2 years.

Second, am I running some things I don't need here? This shows my lack of understanding 
of how this system even works, but here's what I see.

I'm authing off mysql... no realms, no accounting, and in ./radiusd -X we see we are 
loading (see below for output) realms, files, detail, system, unix, radutmp, etc.

Can any of this be excluded because I'm not using it?

Thanks
Chelsea



Module: Instantiated sql (sql)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = (null)
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)




FreeRADIUS and Cisco AP Aironet 1200

2004-05-21 Thread José M. Peñúñuri
This is what I am trying to set up:
Cisco AP Aironet 1200 authenticating on a FreeRADIUS running on Linux Redhat 
9... the clients (most of which run Windows XP on their laptops) are 
supposed to authenticate via the freeradius server in order to gain 
access to the network. I configured FreeRadius so that it checks the 
Linux users/passwords (it doesn't use the users.conf file). I have seen a 
lot (A LOT) of tutorials and how-to's on how to do this but nothing seems to 
work. I don't know what I am doing wrong (or what I am NOT doing).

If anyone has done this before I would appreciate a lot your help... thanks
José


Segmentation fault (core dumped)

2004-05-21 Thread apellido jr., wilfredo p
Hello guys, just a follow up report. I still get a Segmentation fault 
(core dumped) error after running Freeradius with the rlm_sql (mysql) 
module. Here's the output when running in debugging mode:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: *mysql_sock: 556, rlm_sql_mysql_sock: 556
Segmentation fault (core dumped)
And here's the core dump output:
(gdb) bt
#0  0x28398a57 in sql_init_socket (sqlsocket=0x809e640, 
config=0x80a2300) at sql_mysql.c:75
#1  0x2834bdfe in connect_single_socket (sqlsocket=0x809e640, 
inst=0x809e580) at sql.c:70
#2  0x2834bf5f in sql_init_socketpool (inst=0x809e580) at sql.c:130
#3  0x2834a84a in rlm_sql_instantiate (conf=0x809f7c0, 
instance=0x8170508) at rlm_sql.c:699
#4  0x80542ab in find_module_instance (instname=0x80a06b0 sql) at 
modules.c:358
#5  0x80554da in do_compile_modsingle (component=1, ci=0x80a3740, 
filename=0x805e007 radiusd.conf, grouptype=0,
   modname=0xbfbfeacc) at modcall.c:814
#6  0x8055547 in compile_modsingle (component=1, ci=0x80a3740, 
filename=0x805e007 radiusd.conf, modname=0xbfbfeacc)
   at modcall.c:829
#7  0x805470c in load_component_section (cs=0x80a36c0, comp=1, 
filename=0x805e007 radiusd.conf) at modules.c:584
#8  0x8054b91 in setup_modules () at modules.c:874
#9  0x804c95c in main (argc=2, argv=0xbfbffc48) at radiusd.c:961
(gdb)

Thanks...



radiusd: Cannot findELF

2004-05-21 Thread Maurice Al-Khaliedy
Hi,

I have compiled the Radius server successfully (freeradius-0.9.3).
But when I try to start the server (./radiusd -X) I get the
notification: radiusd: Cannot findELF Killed.

What's the matter?

# uname -a
SunOS spock 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-5_10

Ciao
Maurice
