Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-19 Thread Gary McKinney
Mack,

Check the email archives over the last three months - there is a great deal
of information on using EAP/TLS and how to use LDAP with freeradius
(including example snippets).

gm...
- Original Message - 
From: "Mack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 18, 2004 11:52 PM
Subject: radius, 802.1x, eap/tls, and edirectory (ldap)


> Hi,
>
> I'm a newbie to all of this, so please bear with me.  This list is all
> I've got!
>
> We are introducing a wireless infrastructure on our campus (a little late
> in the game). Right now we're in the testing phase. In this testing phase,
> we are using several 3Com 7250 APs, some 3Com cards capable of 802.1x, and
> Novell eDirectory (LDAP). My requirement is to enable 802.1x authentication
> to the APs using EAP/TLS. Additionally, I need to be able to authenticate
> the users to Novell via LDAP. All via the FreeRADIUS server.
>
> I have configured freeradius version 0.9.3 to work successfully with only
> LDAP authentication against Novell eDirectory. I have also verified that
> 802.1x authentication is working with the AP. However, if I attempt to
> somehow enable both authentication mechanisms, I fail. The logs keep
> passing the EAP username (common name from cert) to LDAP and of course
> LDAP spits it out because the object does not exist.
>
> Again, I'm new to this, and maybe I have made incorrect assumptions about
> what the end result should be. Maybe this isn't even possible, but here's
> what I had hoped to come away with: the wireless user boots their laptop,
> then gets authenticated via EAP/TLS. They then open a browser, and are
> asked for username and password (via dialog box?), or are redirected to a
> login page. The username and password are then passed to LDAP for
> authentication. Successful authentication results in the client being
> given internet access. Is this possible? Or am I totally misunderstanding
> how this is all supposed to work (very likely)?
>
> I must admit, I'm not very comfortable when working with the config files.
> Not too sure what I'm doing in there. I tackled this whole project somewhat
> blindly, with the help of various bits of info I gathered from Google
> searches. I do need to obtain a good book on this stuff...that's
> obvious...but I am hoping that someone on this list has experience with
> getting freeradius to work with EAP/TLS and Novell LDAP authentication and
> is willing to share that experience and wisdom.
>
> (Embarrassed) Sorry again for the newbie-ness of this post, and thanks in
> advance for any help!
>
> mack
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>





Re: freeradius-1.0.0-pre2 configure problem

2004-06-19 Thread Norbert Wegener
Thanks for that hint. Maybe it can be mentioned in the documentation
that on a SuSE system the simple ./configure does not work.
Using
CFLAGS="-I/usr/include/heimdal -I/usr/include/et" ./configure --enable-heimdal-krb5
builds radiusd.

Norbert Wegener
Kevin Bonner wrote:
> Norbert Wegener <[EMAIL PROTECTED]> wrote :
>
> > On a suse9.0 system I ran
> > ./configure;make.
> > from config output:(complete script output is available at
> > http://www.wegener-net.de/radius/typescript.bz2 )
> > ...
> > checking for krb5.h... no
>
> http://lists.cistron.nl/pipermail/freeradius-devel/2004-April/007092.html
> That got around the problem on FC1, so it will probably work on suse.
> Kevin Bonner





AIX and Freeradius semaphore problem

2004-06-19 Thread Tom Hendershot



Hello, I have been trying to get freeradius to run on AIX for a while; now,
whether I use version 0.9.3 or version 1, I get the same error in the log
file. Below is a copy of the debug output, then an attempt to start radiusd,
and then the log file. I would be very thankful for any help or suggestions!
Thanks!
 
 
# `pwd`/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /home/tomh/radius/etc/raddb/proxy.conf
Config:   including file: /home/tomh/radius/etc/raddb/clients.conf
Config:   including file: /home/tomh/radius/etc/raddb/snmp.conf
Config:   including file: /home/tomh/radius/etc/raddb/sql.conf
 main: prefix = "/home/tomh/radius"
 main: localstatedir = "/home/tomh/radius/var"
 main: logdir = "/home/tomh/radius/var/log/radius"
 main: libdir = "/home/tomh/radius/lib"
 main: radacctdir = "/home/tomh/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/home/tomh/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/home/tomh/radius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "after"
 main: lower_pass = "after"
 main: nospace_user = "after"
 main: nospace_pass = "after"
 main: checkrad = "/home/tomh/radius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /home/tomh/radius/lib
Module: Loaded exec
 exec: wait = no
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/home/tomh/radius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/home/tomh/radius/etc/raddb/huntgroups"
 preprocess: hints = "/home/tomh/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/home/tomh/radius/etc/raddb/users"
 files: acctusersfile = "/home/tomh/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/home/tomh/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/home/tomh/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/home/tomh/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1645
Listening on accounting *:1646
Listening on proxy *:1647
Ready to process requests.

# `pwd`/radiusd
Sat Jun 12 09:29:41 2004 : Info: Starting - reading configuration files ...
# ps -ef |grep rad
    root 19576 53218   1 09:29:48  pts/3  0:00 grep rad
# cd /home/tomh/radius/var/log/radius
# cat radius.log
Sat Jun 12 09:29:42 2004 : Error: FATAL: Failed to initialize semaphore: The system call
does not exist on th

Re: User configuration

2004-06-19 Thread Dustin Doris
>
> Considering running freeradius. I have a special need that just popped
> into my lap. I need to set up a radius server that allows for any
> arbitrary user with any password to be authenticated by the radius
> server. Sounds crazy, but I want to use the server to capture user
> information for a contact list. Did I explain that correctly?
>
>

You should be able to do that.  In radiusd.conf make sure you have
log_auth=yes.  In the users file, put

DEFAULT Auth-Type := Accept

That should allow anyone to connect.  Your radiusd.log file will show the
usernames that were used to login.
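A way to turn that radiusd.log into the contact list the question asks for, as an added example (my code, not from the list): it keeps only Auth-level lines whose message is a `Login OK` and tallies each username by the NAS client it came from. The `date : Level: message` prefix follows the radiusd output shape visible elsewhere on this page; the `Login OK: [user] (from client X port N)` message shape is assumed from FreeRADIUS 1.x, and the sample lines are constructed. Two caveats for anyone running an accept-everything server: with `DEFAULT Auth-Type := Accept` the username was never verified, so whatever comes out is untrusted text, and `log_auth_goodpass` should stay at its default `no`, or the bracket will also carry the password.

```python
"""Collect the usernames an accept-everything FreeRADIUS logged (added example)."""
import re
import sys
from collections import Counter
from typing import Dict, Iterable

# radiusd.log line prefix, in the shape seen in the radiusd output on this page:
#   Sat Jun 12 09:29:41 2004 : Info: Starting - reading configuration files ...
LOG_LINE = re.compile(r"^(?P<when>.+?) : (?P<level>[A-Za-z]+): (?P<msg>.*)$")

# Message written for an accepted login when log_auth = yes (shape assumed from
# FreeRADIUS 1.x). With log_auth_goodpass = yes the bracket would read
# [user/password]; the pattern drops anything after a slash so a password is
# never copied into the contact list.
LOGIN_OK = re.compile(
    r"^Login OK: \[(?P<user>[^\]/]*)(?:/[^\]]*)?\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)


def collect_logins(lines: Iterable[str]) -> Dict[str, Counter]:
    """Map each accepted username to a Counter of the NAS clients it came from."""
    seen: Dict[str, Counter] = {}
    for raw in lines:
        line = LOG_LINE.match(raw.rstrip("\r\n"))
        if not line or line.group("level") != "Auth":
            continue                 # Info/Error lines carry no login
        ok = LOGIN_OK.match(line.group("msg"))
        if not ok:
            continue                 # e.g. "Login incorrect"
        seen.setdefault(ok.group("user"), Counter())[ok.group("client")] += 1
    return seen


def contact_list(lines: Iterable[str]) -> str:
    """Render the tally as one line per username. Names are unverified input
    (with Auth-Type := Accept the client chose them), so they are repr-quoted."""
    return "\n".join(
        "%r: %s" % (user, ", ".join("%s x%d" % kv for kv in sorted(clients.items())))
        for user, clients in sorted(collect_logins(lines).items())
    )


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
Sat Jun 19 10:02:11 2004 : Info: Starting - reading configuration files ...
Sat Jun 19 10:02:11 2004 : Info: Ready to process requests.
Sat Jun 19 10:05:32 2004 : Auth: Login OK: [alice] (from client ap-lobby port 7)
Sat Jun 19 10:05:40 2004 : Auth: Login OK: [bob] (from client ap-lobby port 8)
Sat Jun 19 10:06:01 2004 : Auth: Login OK: [alice] (from client ap-lab port 2)
Sat Jun 19 10:07:13 2004 : Auth: Login incorrect: [carol] (from client ap-lab port 3)
"""

if __name__ == "__main__":
    # Usage: python thisfile.py /path/to/radius.log  (no argument: the sample above)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(contact_list(source))
```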






dialup_admin add new user error

2004-06-19 Thread apellido jr., wilfredo p.



Hello guys, I got this error using dialup_admin with PostgreSQL, but before
I was using MySQL and it was working. I just edited radius.conf:

sql_type: pgsql
sql_server: localhost
sql_port: 5432
sql_command: /usr/local/bin/psql

Unable to add user test: ERROR: duplicate key violates unique constraint "radcheck_pkey"
Could not add user to group Admin. SQL Error
User created successfully

 


Removing attributes using an external program

2004-06-19 Thread Ken Wolstencroft
Hi,

Is it possible to remove request and reply attributes using an external
program? Basically I want to filter both request and reply attributes
stored in an SQL database.

I can add and rewrite attributes from an external program, but I cannot
figure out a way of removing them.

Any ideas will be much appreciated.

Thanks,
Ken








RE: Cisco Authorization failed

2004-06-19 Thread Nagesh Boyina
Hi Alan Dekok,

I ran the debug on the router and checked; it is giving the message "No
appropriate authorization type for user".
Please tell me how to proceed, and where the problem could be.

Thanks

Nagesh Boyina

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alan
DeKok
Sent: Friday, June 18, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco Authorization failed


"Nagesh Boyina" <[EMAIL PROTECTED]> wrote:
> When I am trying to telnet to the router though radius server it says
> authorization got failed.
> When I check radius debug it says access accept using the port 1645.

  Then I suggest checking the debug logs on the router.  So far as
FreeRADIUS is concerned, it saw a good request, and sent a proper reply.

> And also why the request coming from 1645 and 1646 ports from router
> instead of 1812 and 1813.

  The ports that the request comes from don't matter to anyone.

  Alan DeKok.








oracle database library problem

2004-06-19 Thread Wisam Najim
I am running freeRADIUS version 0.9.0 on Solaris 2.8 and using oracle
8.1.7.4 database for accounting and authentication. I have two databases for
authentication and I am configuring the freeRADIUS to implement failover.
When radiusd detects that the primary database is not accessible, it crashes
in most cases when using the standard Oracle library that comes with the
installed Oracle client, "libclntsh.so.8.0". If I use another library that
was generated on another machine, radiusd works fine. (I do not know how
that library was generated.)
I would like to know if there are special requirements for oracle client
installation in order to work properly with freeRADIUS.

I have tried the third pre 1.0.0 version and still have the same problem.

Regards,




rlm_sql_mysql

2004-06-19 Thread wadih jalad
Hi,
I am running freeradius 0.7 on Red Hat 9.
When I am in debug mode (radiusd -xx), I get this error message:
cannot link rlm_sql_mysql
Can someone help me resolve this problem?



RE: Problems with certificates

2004-06-19 Thread Sathish Challa
Michael,
Could you let me know how you succeeded with the setup FreeRADIUS Version
1.0.0-pre2 with only OpenSSL 0.9.7d? I am getting a segmentation fault.

I have done a workaround for this: I installed the OpenSSLs as per the How-To
guide and installed free-radius pre2, and it works fine for me. With that I
have had success with EAP/TLS and PEAP too.

Thank you,
Sathish,
www.goremote.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael
Schwartzkopff
Sent: Friday, June 18, 2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: Problems with certificates


Hi,

I want to use PEAP and created the certificates with CA.all in the scripts
dir. I copied cert-srv.pem and root.pem to my config dir and configured
eap.conf accordingly. But radiusd -XA stops with the following error:

 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = "radius"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
30092:error:0906D06C:PEM routines:PEM_read_bio:no start 
line:pem_lib.c:663:Expecting: CERTIFICATE
30092:error:06065064:digital envelope routines:EVP_DecryptFinal:bad 
decrypt:evp_enc.c:277:
30092:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:452:
30092:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 
eos:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[9]: eap: Module instantiation failed.

Setup: OpenSSL 0.9.7d
FreeRADIUS Version 1.0.0-pre2

Any idea what might be wrong?

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B

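A pre-flight check for the files that the tls section of eap.conf points at, as an added example (my code, not FreeRADIUS's or OpenSSL's): it inventories the PEM blocks in certificate_file and private_key_file and reports whether the key block is passphrase-protected. That is the first thing to establish when the loader reports `no start line ... Expecting: CERTIFICATE` (OpenSSL found no block with that label where it expected one) or `PEM_do_header:bad decrypt` (OpenSSL could not decrypt the key block with the passphrase it was handed, which is what private_key_password supplies). The sample PEM texts are constructed, with filler base64 rather than key material. The check cannot tell whether a passphrase is correct, only whether one is needed; confirming the passphrase itself still means decrypting the key, for example with `openssl rsa -in cert-srv.pem -noout`, which prompts for it.

```python
"""Inventory the PEM blocks that eap.conf's tls section points at (added example)."""
import re
import sys
from typing import Dict, List, Optional

# One PEM block: BEGIN label, optional RFC 1421 headers (Proc-Type, DEK-Info),
# base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def inventory_pem(text: str) -> List[Dict[str, object]]:
    """One dict per block: label, whether it is passphrase protected, DEK-Info."""
    blocks: List[Dict[str, object]] = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers: Dict[str, str] = {}
        for line in body.splitlines():
            if ":" not in line:        # headers end at the blank line before base64
                break
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        encrypted = (label == "ENCRYPTED PRIVATE KEY"                      # PKCS#8 form
                     or headers.get("Proc-Type", "").endswith("ENCRYPTED"))  # legacy form
        blocks.append({"label": label, "encrypted": encrypted,
                       "dek_info": headers.get("DEK-Info")})
    return blocks


def check_tls_files(certificate_pem: str, private_key_pem: str,
                    private_key_password: Optional[str]) -> List[str]:
    """Structural findings that would make the TLS module refuse these files."""
    findings: List[str] = []
    if not any(b["label"] == "CERTIFICATE" for b in inventory_pem(certificate_pem)):
        findings.append("certificate_file: no CERTIFICATE block "
                        "(OpenSSL reports this as 'no start line ... Expecting: CERTIFICATE')")
    keys = [b for b in inventory_pem(private_key_pem)
            if str(b["label"]).endswith("PRIVATE KEY")]
    if not keys:
        findings.append("private_key_file: no PRIVATE KEY block")
        return findings
    key = keys[0]
    if key["encrypted"] and not private_key_password:
        findings.append("private_key_file: key is encrypted (%s) but private_key_password is empty"
                        % key["dek_info"])
    elif not key["encrypted"] and private_key_password:
        findings.append("private_key_file: key is not encrypted, so private_key_password is unused")
    # An encrypted key with a wrong passphrase is only detectable by decrypting it;
    # OpenSSL reports that case as 'PEM_do_header:bad decrypt'.
    return findings


# Constructed sample in the shape of a CA.all-style cert-srv.pem (certificate and
# passphrase-protected key in one file). The base64 is filler, not key material.
SAMPLE_CERT_SRV_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCARwCCQDfillerfillerfillerfillerfillerfillerfillerfiller
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIICXAIBAAKBgQfillerfillerfillerfillerfillerfillerfillerfiller
-----END RSA PRIVATE KEY-----
"""

# Constructed sample of a file holding only an unencrypted PKCS#8 key.
SAMPLE_KEY_ONLY_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiGfillerfillerfillerfillerfillerfillerfiller
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python thisfile.py certificate_file private_key_file [private_key_password]
    cert_path, key_path = sys.argv[1], sys.argv[2]
    password = sys.argv[3] if len(sys.argv) > 3 else None
    with open(cert_path) as f:
        cert_text = f.read()
    with open(key_path) as f:
        key_text = f.read()
    for finding in check_tls_files(cert_text, key_text, password) or ["no structural problems found"]:
        print(finding)
```

Pointing both arguments at the same file is the normal case for a CA.all-style cert-srv.pem, which is why the sample carries both blocks.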


