Re: linking error / libcrypto / Solaris 8
Cameron Gregg wrote:

> Hi all,
>
> I'm getting a linking error. I'm using freeradius-1.0.0-pre2 on Solaris 8. The error is:
>
>     /usr/ccs/bin/ld -G -h rlm_x99_token-1.0.0-pre2.so -o .libs/rlm_x99_token-1.0.0-pre2.so x99_rlm.lo x99_util.lo x99_state.lo x99_mac.lo x99_sync.lo x99_site.lo x99_pwe.lo x99_log.lo -lcrypto -lnsl -lresolv -lsocket -lposix4 -lpthread -L/usr/local/ssl/lib -lcrypto -lssl -lc
>     ld: fatal: library -lcrypto: not found
>     ld: fatal: File processing errors. No output written to .libs/rlm_x99_token-1.0.0-pre2.so
>     make[6]: *** [rlm_x99_token.la] Error 1
>     make[6]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2/src/modules/rlm_x99_token'
>     make[5]: *** [common] Error 1
>     make[5]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2/src/modules'
>     make[4]: *** [all] Error 2
>     make[4]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2/src/modules'
>     make[3]: *** [common] Error 1
>     make[3]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2/src'
>     make[2]: *** [all] Error 2
>     make[2]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2/src'
>     make[1]: *** [common] Error 1
>     make[1]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre2'
>     make: *** [all] Error 2
>     #
>
> my configure line is:
>
>     ./configure --prefix=/usr/local/radius --with-logdir=/var/log/radius --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib --with-rlm-ldap-lib-dir=/usr/local/openldap/lib --with-rlm-ldap-include-dir=/usr/local/openldap/include
>
> and it seems libcrypto is where I tell configure it is:
>
>     # ls /usr/local/ssl/lib/
>     libcrypto.a   libcrypto.so.0      libssl.a   libssl.so.0      pkgconfig
>     libcrypto.so  libcrypto.so.0.9.7  libssl.so  libssl.so.0.9.7
>     #
>
> Any ideas?
>
> Thanks heaps
> Cameron

Again I am getting this error, still with 1.0.0-pre3. Same setup, same configure. Has anybody got any idea how I can fix this?

Thanks
Cam

    /usr/ccs/bin/ld -G -h rlm_x99_token-1.0.0-pre3.so -o .libs/rlm_x99_token-1.0.0-pre3.so x99_rlm.lo x99_util.lo x99_state.lo x99_mac.lo x99_sync.lo x99_site.lo x99_pwe.lo x99_log.lo -lcrypto -lnsl -lresolv -lsocket -lposix4 -lpthread -L/usr/local/ssl/lib -lcrypto -lssl -lc
    ld: fatal: library -lcrypto: not found
    ld: fatal: File processing errors. No output written to .libs/rlm_x99_token-1.0.0-pre3.so
    make[6]: *** [rlm_x99_token.la] Error 1
    make[6]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src/modules/rlm_x99_token'
    make[5]: *** [common] Error 1
    make[5]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src/modules'
    make[4]: *** [all] Error 2
    make[4]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src/modules'
    make[3]: *** [common] Error 1
    make[3]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src'
    make[2]: *** [all] Error 2
    make[2]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src'
    make[1]: *** [common] Error 1
    make[1]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3'
    make: *** [all] Error 2
    #

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Case insensitive regexps
Hello!

Is it possible to do case insensitive regular expression matching in the users file? I'd like to replace:

    DEFAULT User-Name =~ ^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED]

with something like:

    DEFAULT User-Name =~ m/^anonymous|[EMAIL PROTECTED]/i

Lower-casing all usernames is not an option ;) since case does matter, just not in this case ;))).

-- 
Best regards,
Rok Papez.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hello Christophe.

Christophe Saillard wrote:

> > And you set Auth-Type = EAP. DON'T DO THAT.

I do that ;). I prefer to manually set EAP when a user tries to identify as [EMAIL PROTECTED]. Users are *NOT* allowed to use any other authentication method :).

> For the moment I've a running freeradius EAP-TTLS/PAP configuration which works fine. Now I'd like to get credentials from an existing LDAP user storage instead of the Freeradius users file (I store MD5 hashed password to have PAP compatibility).

1. It would be nice to see relevant parts of the config file
2. The `radiusd -Xxxx 2>&1 | tee logfile` output

> But there's some particular things I need to know :
> - how do I have to store password in the LDAP database (because I'd like to use TTLS/PAP) : crypt/MD5 hashed, clear text ?

That's an LDAP thingy.. Here is an example of an ldap diff entry for userPassword:

    userPassword: {crypt}$1$dK1Zl.Qp$khF3af1c7Te0cSf2w/tZO0

All you need is a type prefix in {...} and then a password hash. This is a perl code snippet that creates these hashes (the salt is 8 characters drawn at random from the 64-character crypt alphabet):

    my $pass = '{crypt}' . crypt($plaintext_password,
        '$1$' . join('', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64, rand 64, rand 64,
                                                           rand 64, rand 64, rand 64, rand 64]) . '$');

The hash is the same kind as used in a /etc/shadow file. Check the crypt() man page for details.

And this is in my radiusd.conf file:

    modules {
        pap {
            encryption_scheme = clear
        }   # this is for the files, passwords are plaintext there :)
        ldap {
            server = localhost
            basedn = ou=users,dc=org,dc=tld
            filter = (attribWithUserName=%{User-Name})
            start_tls = no
        }
        ...
    }

    authenticate {
        Auth-Type EAP {
            eap
        }
        Auth-Type PAP {
            pap
        }
        Auth-Type LDAP {
            ldap
        }
    }

> - what do I have to put in the users file ? (I know that auth-type := EAP is wrong) ?

Contrary to Alan's advice O;-), I have this:

    # User anonymous and [EMAIL PROTECTED] should be allowed
    #
    # activate eap for them
    #
    DEFAULT User-Name =~ ^[Aa][Nn][Oo][Nn][Yy][Mm][Oo][Uu][Ss]|[EMAIL PROTECTED], Auth-Type := EAP

    # Users with a NULL realm should be rejected
    #
    DEFAULT Realm == NULL, Auth-Type := Reject
            Fall-Through = No

    # 1. Accounting fix for AP
    #
    # 2. a static username files_test for testing
    #
    # 3. LDAP authentication for local users
    #
    DEFAULT Realm == org.tld, Freeradius-Proxied-To == 127.0.0.1
            User-Name = `%{User-Name}`,
            Fall-Through = yes

    files_test Realm == org.tld, User-Password == secret

    DEFAULT Realm == org.tld, Auth-Type := LDAP, Ldap-UserDN := `attribWithUserName=%{User-Name},ou=users,dc=org,dc=tld`, Freeradius-Proxied-To == 127.0.0.1

Do notice that I use the user's own username/password to bind to LDAP. This is done with the Ldap-UserDN item.

> - if it's not possible to have TTLS/PAP authentication what can I do else (PEAP/Mschapv2 ...) ?

TTLS/PAP is working :). For MsCHAP you won't be able to use SecureW2 and you'll need to have plaintext passwords in LDAP.

> I hope my questions are not too stupid.

Radius configuration is not simple. The documentation is still lacking and you simply have to learn as you go ;). So don't feel like you are asking stupid questions.

-- 
Best regards,
Rok Papez.
freeradius-1.0.0 pre2 execution segfault
Hello!

My configuration:

- Openssl v 0.9.7d installed with the option shared in /usr/local/ssl
- Openssl v 0.9.7d installed with the option shared in /usr/local/openssl-certgen
- openssl-SNAP20040613 installed with the option shared in /usr/local/openssl (./config and install OK!)

I've added the path /usr/local/openssl/lib to the ld.so.conf.

Freeradius v 1.0.0 pre2 installed in /etc/raddb/ (./configure and installation OK!)

When radiusd is launched, I get a Segmentation fault. Apparently, the eap module with type tls is loaded but not instantiated. With default_eap_type in eap.conf set to md5 instead of tls and the tls module commented out, it works fine!

Any ideas?

Thanks
PEAP Version
Hello all,

can anybody tell me which version of PEAP is implemented in FreeRadius? Is the PEAP version 2 implemented?

Thanks in advance.

-- 
Manuel Sanchez Cuenca
Dept. Ingenieria de la Informacion y las Comunicaciones
Universidad de Murcia - Espana
Tlf: +34 968364311 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo
www: http://livia.dif.um.es/~irisgrid
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack,

I was not trying to blow you off by making the statement of reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true, so I thought you would be better served checking over those discussions!

As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package? At least the version 1.0.0-pre1 and later source code has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]...

gm..

----- Original Message -----
From: Mack [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, June 20, 2004 10:30 PM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> Gary,
>
> I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more in-depth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions.
>
> Thanks for the help!
>
> mack
>
> On 19 Jun 2004 at 6:34, Gary McKinney wrote:
>
> > Mack,
> >
> > Check the email archives over the last three months - there is a great deal of information on using EAP/TLS and how to use LDAP with freeradius (including example snippets).
> >
> > gm...
> >
> > ----- Original Message -----
> > From: Mack [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Friday, June 18, 2004 11:52 PM
> > Subject: radius, 802.1x, eap/tls, and edirectory (ldap)
> >
> > > Hi,
> > >
> > > I'm a newbie to all of this, so please bear with me. This list is all I've got!
> > >
> > > We are introducing a wireless infrastructure on our campus (a little late in the game). Right now we're in the testing phase. In this testing phase, we are using several 3com 7250 AP's, some 3com cards capable of 802.1x, and Novell eDirectory (LDAP).
> > >
> > > My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP. All via the FreeRADIUS server.
> > >
> > > I have configured freeradius version 0.9.3 to work successfully with only ldap authentication against Novell eDirectory. I have also verified that 802.1x authentication is working with the AP. However, if I attempt to somehow enable both authentication mechanisms, I fail. The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.
> > >
> > > Again, I'm new to this, and maybe I have made incorrect assumptions of what the end result should be. Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls. They then open a browser, and are asked for username and password (via dialog box?), or else redirected to a login page. The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible? Or am I totally misunderstanding how this is all supposed to work (very likely)?
> > >
> > > I must admit, I'm not very comfortable when working with the config files. Not too sure what I'm doing in there. I tackled this whole project somewhat blindly, with the help of various bits of info I gathered from google searches. I do need to obtain a good book on this stuff... that's obvious... but I am hoping that someone on this list has experience with getting freeradius to work with eap/tls and novell ldap authentication and is willing to share that experience and wisdom.
> > >
> > > (Embarrassed) Sorry again for the newbie-ness of this post, and thanks in advance for any help!
> > >
> > > mack
Re: FreeRadius/LDAP conf : little problem
Hello again,

Thanks for your help, it works great now... I just did what you told me: an ldap user who has read access on all fields/users of the directory.

The problem now is that I have to enter the encrypted version of the password in the username/password popup window. The userPassword field in the LDAP entries is encoded with the {CRYPT} salt. Is there a way to configure/hack FreeRadius to tell it to crypt the password before the comparison against the password the LDAP authorize section returns from its query?

If that's not possible, I have no idea how I could use the 802.1x auth in the real world :-( I just can't decrypt all passwords in the directory and put them back in cleartext...

Thanks for your great job, and your support.

-- 
Arnauld Dravet
RE: Basic ?
> Before I go jumping off the deep end, what OS would be the best and easiest to use for Free Radius?
>
> Fedora Core 2
> FreeBSD
> Debian
> Mandrake
> Or ???

I'm a linux and Freeradius newbie and I've been using Freeradius for two months on a mandrake 9.2; it's not too hard to configure and it works very well... (802.1x, EAP/MD5/TLS).

Fred.Evrard
Re: freeradius-1.0.0 pre2 execution segfault
On Monday, 21 June 2004 10:46, Michel EAR wrote:

> Hello!
>
> My configuration:
>
> Openssl v 0.9.7d installed with the option shared in /usr/local/ssl
> Openssl v 0.9.7d installed with the option shared in /usr/local/openssl-certgen
> openssl-SNAP20040613 installed with the option shared in /usr/local/openssl
> ./config and install OK!
>
> I've added the path /usr/local/openssl/lib to the ld.so.conf.
>
> Freeradius v 1.0.0 pre2 installed in /etc/raddb/
> ./configure and installation OK!
>
> When radiusd is launched, I get a Segmentation fault. Apparently, the eap module with type tls is loaded but not instantiated. With default_eap_type in eap.conf set to md5 instead of tls and the tls module commented out, it works fine!
>
> Any ideas?
>
> Thanks

Do you also have other SSL versions installed? If yes: check

    ldd /usr/local/lib/rlm_eap_tls-1.0.0-pre2.so

Does it link to the correct libs?

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Hi,

Now I've a working TTLS/PAP with LDAP storage configuration ;-)

Here's what I had to put in the users file to make it work:

    DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
            User-Name = `%{User-Name}`,
            Fall-Through = no

But now PEAP/MSCHAPv2 doesn't work... I've tried a lot of combinations (Auth-Type := MSCHAP, Fall-Through = yes ...) but none seem to work... if someone has a clue ;-)

Thanks for all!

Bye.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Tel : 03 90 24 03 17
Fax : 03 90 24 03 12
Re: Porting issue.
Quoting Mark Coccimiglio [EMAIL PROTECTED]:

> I had a problem building freeradius-1.0.0-pre2 on RH Fedora Core2 and was able to figure out a workaround. Basically the build stopped because my system lacked the file com_err.h. So I installed the current RPM for krb5 and still ran into the problem. It appears that the file is located at /usr/include/et when freeradius is looking for the file at /usr/include. As a quick and dirty fix I soft linked the file in the et directory into /usr/include:
>
>     ln -s /usr/include/et/com_err.h /usr/include/com_err.h
>
> and the build completed successfully. The other solution is to configure as:
>
>     CFLAGS=-I/usr/include/et ./configure [other options]
>
> Just thought I'd let everyone know.
>
> Mark C.

I guess creating a symbolic link would allow other applications to use the header file as well. That's probably a better choice.

-Al
LDAP and Dynamic VLAN
Hello,

I've a TTLS/PAP working configuration with dynamic VLAN allocation. Here's a sample of the users file:

    userX Crypt-Password == $1$
          Tunnel-Type:1 = 13,
          Tunnel-Medium-Type:1 = 6,
          Tunnel-Private-Group-ID:1 = 4

At the end of authentication the NAS puts userX in vlan 4.

Now I'd like to do the same with users coming from LDAP storage, but I don't know where to begin: how can I get a group attribute from LDAP and match this with a VLAN id which will be sent to the NAS?

Thanks.

-- 
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
Tel : 03 90 24 03 17
Fax : 03 90 24 03 12
Re: LDAP and Dynamic VLAN
On Monday, 21 June 2004 14:04, Christophe Saillard wrote:

> Hello,
>
> I've a TTLS/PAP working configuration with dynamic VLAN allocation. Here's a sample of the users file:
>
>     userX Crypt-Password == $1$
>           Tunnel-Type:1 = 13,
>           Tunnel-Medium-Type:1 = 6,
>           Tunnel-Private-Group-ID:1 = 4
>
> At the end of authentication the NAS puts userX in vlan 4.
>
> Now I'd like to do the same with users coming from LDAP storage, but I don't know where to begin: how can I get a group attribute from LDAP and match this with a VLAN id which will be sent to the NAS?
>
> Thanks.

hi,

You have to edit dictionary.tunnel (perhaps it is done already in 1.0.0pre2):

    VALUE   Tunnel-Type          VLAN      13
    VALUE   Tunnel-Medium-Type   IEEE-802  6

and ldap.attrmap:

    replyItem   Tunnel-Type                 radiusTunnelType
    replyItem   Tunnel-Medium-Type          radiusTunnelMediumType
    replyItem   Tunnel-Private-Group-Id     radiusTunnelPrivateGroupId

There is some good documentation on the internet.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: PEAP Version
No. Currently, only PEAPv0 is implemented.

--Mike

On Mon, 2004-06-21 at 05:53, Manuel Sánchez Cuenca wrote:

> Hello all,
>
> can anybody tell me which version of PEAP is implemented in FreeRadius? Is the PEAP version 2 implemented?
>
> Thanks in advance.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Try something like this for your check line:

    DEFAULT Freeradius-Proxied-To == 127.0.0.1, EAP-Message !* , Auth-Type := PAP

--Mike

On Mon, 2004-06-21 at 06:59, Christophe Saillard wrote:

> Hi,
>
> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I had to put in the users file to make it work:
>
>     DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>             User-Name = `%{User-Name}`,
>             Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work... I've tried a lot of combinations (Auth-Type := MSCHAP, Fall-Through = yes ...) but none seem to work... if someone has a clue ;-)
>
> Thanks for all!
>
> Bye.
Re: Problems with certificates
On Sunday, 20 June 2004 06:56, Sathish Challa wrote:

> Michael,
>
> Could you let me know how you succeeded with
>
> Setup: FreeRADIUS Version 1.0.0-pre2 setup with only OpenSSL 0.9.7d
>
> I am getting a segmentation fault.

hi,

do you have more than one version of OpenSSL on your server? Did you link radius to version 0.97? Check with

    ldd /usr/local/lib/rlm_eap_tls-1.0.0-pre2.so

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Re: executing external program after accounting_stop_query
On Mon, Jun 21, 2004 at 03:15:29PM +0500, George Chelidze wrote:

> Hello,
>
> I need to add one column to the radacct table and set it according to values inserted into the table on stop packet receipt. The external program is coded in C. What if I place acct_users after sql in the accounting section? Will it work? The example of a possible accounting section from radiusd.conf is listed below:
>
>     accounting {
>         sql
>         acct_users
>     }
>
> section from acct_users:
>
>     DEFAULT Acct-Status-Type == Stop
>             Exec-Program = /path/program arguments
>
> Sure I can test it myself but it would be great to hear your input. If it won't work, is there any other way?

You might be better off using rlm_exec (if you're using a recent enough FreeRADIUS version) and testing for 'Stop' or otherwise in that script, rather than using Exec-Program, which is somewhat deprecated, and known to have threading issues (on some platforms...)

-- 
Paul TBBle Hampson, on an alternate email client.
Re: FreeRadius/LDAP conf : little problem
Ok, please forget my previous message. I've just re-read aaa.txt and it says that the AP sends a hash of the password it receives from the supplicant. There is no way to make freeradius crypt it; it would not make any sense...

Now that I'm lost in all those auth protocols, I don't know what to do... Is there a way to make the auth against the ntPassword field stored in the LDAP instead of the userPassword, which uses the {CRYPT} salt?

I am currently generating certificates to use TTLS/PEAP...

-- 
Arnauld Dravet
No Password possible?
I am trying to set up a radius server that should work as an accounting server only. Is this possible? I want all passwords to be accepted. I tried to use Exec-Program-Wait, but later saw this is not called until after the password has been accepted.

Thanks for your time.

/Andreas
Re: executing external program after accounting_stop_query
Hello,

Paul Hampson wrote:

> On Mon, Jun 21, 2004 at 03:15:29PM +0500, George Chelidze wrote:
>
> > Hello,
> >
> > I need to add one column to the radacct table and set it according to values inserted into the table on stop packet receipt. The external program is coded in C. What if I place acct_users after sql in the accounting section? Will it work? The example of a possible accounting section from radiusd.conf is listed below:
> >
> >     accounting {
> >         sql
> >         acct_users
> >     }
> >
> > section from acct_users:
> >
> >     DEFAULT Acct-Status-Type == Stop
> >             Exec-Program = /path/program arguments
> >
> > Sure I can test it myself but it would be great to hear your input. If it won't work, is there any other way?
>
> You might be better off using rlm_exec (if you're using a recent enough FreeRADIUS version) and testing for 'Stop' or otherwise in that script, rather than using Exec-Program, which is somewhat deprecated, and known to have threading issues (on some platforms...)

Paul, thanks for your quick response. I use freeradius 0.9.3. It's recent enough, isn't it? I wonder if the scheme I described will work or not. If it will, it will prove my understanding is correct. I'll read some docs for rlm_exec.

Thanks

Best Regards,
-- 
George Chelidze
Re: No Password possible?
Hi Andreas,

in the users file:

    DEFAULT Realm == toto.cl, Auth-Type := Accept
            Tunnel-Assignment-Id := 1.2.3.4,
            Tunnel-Server-Endpoint := 1.2.3.4,
            Tunnel-Medium-Type := IP,
            Tunnel-Type := L2TP,
            Tunnel-Password := my_ultrascret_passwd,
            Framed-Protocol := PPP,
            Service-Type := Framed

An l2tp tunnel is created for every user @toto.cl.

Andreas wrote:

> I am trying to set up a radius server that should work as an accounting server only. Is this possible? I want all passwords to be accepted. I tried to use Exec-Program-Wait, but later saw this is not called until after the password has been accepted.
>
> Thanks for your time.
>
> /Andreas
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack [EMAIL PROTECTED] wrote:

> I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration.

From what I can see, you're trying to use EAP-TLS, *and* some kind of LDAP authorization/authentication, but you're not putting the usernames used by EAP-TLS into LDAP.

The solution is simple:

a) put the usernames into LDAP
b) or, get the clients to use usernames which are in ldap.

> My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc.

A significant number of questions on this list are answered in the FAQ, README, documentation, etc. Those replies are meant to tell people to stop wasting their time asking questions on the list, when the answer is already in front of them.

> But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place?

If you would read the list, you would see that most of the questions involve things which are *not* in the FAQ or README. Those questions are answered.

> My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP.

You can't do this. It's impossible.

EAP-TLS is an authentication mechanism. LDAP doesn't know about EAP-TLS, and therefore won't be able to authenticate any EAP-TLS request.

> The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.

Have you tried adding that object to LDAP? I really don't see what the problem is here.

> Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls.

That will work.

> They then open a browser, and are asked for username and password (via dialog box?), or else redirected to a login page.

By who? The AP won't do this. And since the AP won't do this, *nothing* will.

> The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible?

I doubt it. I also don't understand why you want the user to log in twice.

Alan DeKok.
Re: Case insensitive regexps
Rok Papez [EMAIL PROTECTED] wrote:

> Is it possible to do case insensitive regular expression matching in the users file?

Not really. The CVS head has patches which should make it easier, but it's still not done yet.

Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Rok Papez [EMAIL PROTECTED] wrote:

> > And you set Auth-Type = EAP. DON'T DO THAT.
>
> I do that ;). I prefer to manually set EAP when a user tries to identify as [EMAIL PROTECTED]. Users are *NOT* allowed to use any other authentication method :).

That's about the only time you should set it.

Alan DeKok.
Re: FreeRadius/LDAP conf : little problem
Arnauld Dravet [EMAIL PROTECTED] wrote:

> The problem now is that I have to enter the encrypted version of the password in the username/password popup window. The userPassword field in the LDAP entries is encoded with the {CRYPT} salt. Is there a way to configure/hack FreeRadius to tell it to crypt the password before the comparison against the password the LDAP authorize section returns from its query?

Configure the password_header entry in the ldap{} section, in radiusd.conf.

You can also map that LDAP entry to the Crypt-Password attribute, and the server will figure it out from there.

Search the list archives for more details.

Alan DeKok.
Re: Using Freeradius with LDAP storage and EAP-TTLS authentication
Christophe Saillard [EMAIL PROTECTED] wrote:

> Now I've a working TTLS/PAP with LDAP storage configuration ;-)
>
> Here's what I had to put in the users file to make it work:
>
>     DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
>             User-Name = `%{User-Name}`,
>             Fall-Through = no
>
> But now PEAP/MSCHAPv2 doesn't work...

If you had read the debug log, you would see WHY it doesn't work.

Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE. The server will figure it out on its own.

Alan DeKok.
Re: Shared secret problems!
PS [EMAIL PROTECTED] wrote:

> ... if a nas sends an invalid shared secret I still get its access request packet processed, but only the User-Password is modified (with trash).

That's the way RADIUS works.

> As I found out, there is no such problem for accounting packets - they are automatically rejected.

That's the way RADIUS works.

> Can I make freeradius reject (or even better leave without a response) registration packets that do not come from the specified ip address and don't have the correct shared secret?

You can filter by IP, but not by incorrect shared secret. There is *nothing* in the protocol for Access-Requests that would let you discover that the shared secret is wrong.

Alan DeKok.
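The two behaviours Alan describes above, worked through as an added example (this is not FreeRADIUS code): RFC 2865 User-Password hiding yields silently wrong bytes under a wrong secret, while the RFC 2866 Accounting-Request authenticator lets the server detect a wrong secret and drop the packet. The shared secrets, username and password are constructed sample values.

```python
"""Why a wrong shared secret is invisible on an Access-Request but detected
on an Accounting-Request.  Added example; not FreeRADIUS or list code."""
import hashlib
import hmac
import os
import struct


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous ciphertext block), seeded by the 16-byte
    Request Authenticator.  Nothing in the output depends on the secret
    in a way the receiver can check."""
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password.  With the wrong secret it returns garbage
    ('trash' in the original post) but cannot raise: the server only
    notices when the garbage fails to match any stored password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Accounting-Request (Code 4).  RFC 2866 s3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def acct_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """What the server does on receipt: recompute the authenticator with
    its own secret for that client; a mismatch means wrong secret (or a
    corrupted packet) and the request is silently discarded."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def demo():
    """Returns (recovered password, password seen with wrong secret,
    accounting check with right secret, accounting check with wrong secret)."""
    secret, wrong = b"testing123", b"not-the-secret"   # constructed
    req_auth = os.urandom(16)
    hidden = hide_password(b"s3cret-pw", secret, req_auth)
    good = unhide_password(hidden, secret, req_auth)
    trash = unhide_password(hidden, wrong, req_auth)
    # Acct-Status-Type (40) = Stop (2), User-Name (1) = bob
    pkt = build_acct_request(7, attr(40, struct.pack("!I", 2)) + attr(1, b"bob"), secret)
    return good, trash, acct_authenticator_valid(pkt, secret), acct_authenticator_valid(pkt, wrong)


if __name__ == "__main__":
    print(demo())
```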
Re: Removing attributes using an external program
Ken Wolstencroft [EMAIL PROTECTED] wrote:

> I can add and rewrite attributes from an external program, but I can not figure out a way of removing them.

It's not generally recommended, but try the -= operator. See the man page for the users file.

Alan DeKok.
Re: FreeRadius/LDAP conf : little problem
Hi again Alan,

> Configure the password_header entry in the ldap{} section, in radiusd.conf.

Already done, but the doc says it just strips away the {CRYPT} substring of the crypted passwd. I still have to put the encrypted password in the popup box to make it work...

> You can also map that LDAP entry to the Crypt-Password attribute, and the server will figure it out from there.

Also tried it:

    checkItem   LM-Password             lmPassword
    checkItem   NT-Password             ntPassword
    checkItem   Crypt-Password          userPassword
    checkItem   SMB-Account-CTRL-TEXT   acctFlags

But it doesn't seem to change a lot of things:

    rlm_ldap: Adding userPassword as Crypt-Password, value { op=21
    rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D op=21
    rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE op=21
    rlm_ldap: looking for reply items in directory...

I tried it with and without setting the password_attribute and password_header in the radiusd.conf. The result is the same.

Anyway, in the freeradius sources I can't find any reference to Crypt-Password in the rlm_ldap module, and in main.c it seems to be a reference to a user-provided password, not to the backend db.

I'm using 0.9.3; do I need a CVS version?

Thanks again
Arnauld

-- 
Arnauld Dravet
Re: Removing attributes using an external program
Thanks Alan, I'll give it a try.

Ken

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 21, 2004 5:08 PM
Subject: Re: Removing attributes using an external program

> Ken Wolstencroft [EMAIL PROTECTED] wrote:
> > I can add and rewrite attributes from an external program, but I can not figure out a way of removing them.
>
> It's not generally recommended, but try the -= operator. See the man page for the users file.
>
> Alan DeKok.
Re: FreeRadius/LDAP conf : little problem
Arnauld Dravet [EMAIL PROTECTED] wrote:
> already done, but in the doc it's said it just strips away the {CRYPT} substring of the crypted passwd. Still have to put the encrypted password in the popup box to make it work...

That shouldn't be necessary.

> Also tried it:
> checkItem LM-Password lmPassword
> checkItem NT-Password ntPassword
> checkItem Crypt-Password userPassword

That should work.

> But it doesn't seem to change a lot of things:
> rlm_ldap: Adding userPassword as Crypt-Password, value { op=21

That value doesn't look like a password.

> rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D op=21

That value should have a 0x in front of it.

> Anyway in the freeradius sources i can't find any reference to Crypt-Password in the rlm_ldap module, and in main.c it seems to be a reference to a user-provided password, not to the backend db.

LDAP doesn't do crypt'd passwords. The server does. And the server doesn't care where that crypted password came from.

> I'm using 0.9.3 do i need a CVS version ?

No.

Alan DeKok.
Re: FreeRadius/LDAP conf : little problem
> That shouldn't be necessary.

Well, I'll double check tomorrow; I've done so many tests so far that maybe it's not useful anymore. I know for sure that in debug logs, it shows the password grabbed as {CRYPT}xxx.

> > rlm_ldap: Adding userPassword as Crypt-Password, value { op=21
>
> That value doesn't look like a password.

Yes I know, and I think that's the problem. When I just use password_attribute it grabs the whole password (displayed in debug logs), and not anymore when I use the mapping for Crypt-Password, of course on the same ldap attribute for both. I thought the '{' displayed was from the first character it met (from {CRYPT}), so I tried to re-enable the password_header field in the ldap section of radiusd.conf, without any good result.

> That value should have a 0x in front of it.

That's what is told in the radiusd.conf, yup... could that change something to the rest of the problem? I'll check the smbldap-adduser.pl script I use to add windows users in the ldap tree. Anyway windows workstations work perfectly without the 0x.

> LDAP doesn't do crypt'd passwords. The server does. And the server doesn't care where that crypted password came from.

Yup, but I was trying to find the moment where the radius Crypt-Password attribute was used in the ldap mapping file and from the ldap directory, to check why it doesn't grab the password from the user entry.

--
Arnauld Dravet
ip pool issue
Hi,

I am using ip pool on my radius server 0.9.3 installed on Solaris 5.8. When NAS sends Access-Request with Framed-IP-Address attribute set to 255.255.255.254 then server responds with Access-Accept package with Framed-IP-Address attribute set to one of IP addresses taken from ip pool.

Could anybody help me if it is possible to retrieve from the radius server the information what ip address (from ip pool) has been assigned to a particular user who is currently logged in to NAS.

Thank you for your time. I appreciate it.

Miroslaw Niemiec
FreeRadius using PGP to authenticate users
(Moderators: sorry I first sent this email with the wrong email address)

Hi list,

I'm curious about the possibility to use PGP keys to authenticate users via a challenge. I'm using an LDAP database to store my users' information, and this is working great with a simple login/password scheme for the moment. However, I would really like to be able to authenticate them using a random string which would be encrypted using their public key; they would just have to decipher it and send back the string.

I'm barely understanding if EAP could help on that (all documentation I find is evasive about EAP when not related to 802.1x)... Could any of you tell me if this would be possible with FreeRADIUS as it is now? Would I have to modify its code? Would EAP really help?

Thanks in advance for your answers, and please excuse my question if it is stupid; I'm totally new to RADIUS (I read Jonathan Hassel's book, but it doesn't help on that particular subject).

--
Alain Perry
Re: FreeRadius using PGP to authenticate users
Alain Perry [EMAIL PROTECTED] wrote:
> I'm curious about the possibility to use PGP keys to authenticate users via a challenge. I'm using an LDAP database to store my users information, and this is working great with a simple login/password scheme for the moment. However, I would really like to be able to authenticate them using a random string which would be encrypted using their public key, and they would just have to decipher it and they send back the string.

What software exists on the client side to do this? If the answer is none, there isn't much point in doing it.

> I'm barely understanding if EAP could help on that (all documentation I find is evasive about EAP when not related to 802.1x)...

EAP started off as part of PPP. It's used elsewhere now. To do this, you could use EAP-GTC, but few clients implement it as-is. It's usually part of EAP-TTLS or PEAP.

> Could any of you tell me if this would be possible with FreeRADIUS as it is now ? Would I have to modify its code ? Would EAP really help ?

If you're doing wireless, use EAP. If not, don't.

FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.

Alan DeKok.
Re: ip pool issue
Miroslaw Niemiec [EMAIL PROTECTED] wrote:
> Could anybody help me if it possible to retrieve from the radius server an information what ip address (from ip pool) has been assigned to a particular user who is currently logged in to NAS.

rlm_ippool_tool, which is included with the ippool module in 1.0.0.

Alan DeKok.
Re: FreeRadius using PGP to authenticate users
> What software exists on the client side to do this? If the answer is none, there isn't much point in doing it.

The answer is none, but I'm planning on writing it...

> EAP started off as part of PPP. It's used elsewhere now.

That I understood.

> To do this, you could use EAP-GTC, but few clients implement it as-is. It's usually part of EAP-TTLS or PEAP.

The only radius software I'm going to use is freeRADIUS and the one I'll write, so if FreeRADIUS does it, that's good enough for me :-)

> If you're doing wireless, use EAP. If not, don't.

Well, I'm doing wireless, but I'd like not to use a login/password scheme.

> FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.

Is this feasible as a module, or do I have to actually modify FreeRADIUS code to do it?

Thank you for your answers,
--
Alain Perry
freeRADIUS cert chain authentication
Hi:

I am using freeRADIUS (0.9.3 on linux with openssl) for EAP-TLS authentication using our in-house supplicant. We are currently using 3-tier cert chains and have been using them quite successfully for TLS authentication with OpenSSL, but when we try to use these same 3-tier certs for EAP-TLS radius authentication, the freeRADIUS server is unable to send the complete cert chain as part of the server certificate; instead it only sends the server/aaa cert (which works fine if the certificate chain length is <= 2), but anything with a cert chain of > 2 will not work.

I investigated this issue further with the rlm_eap_tls module and noticed that internally freeRADIUS uses the openSSL call

int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);

and I replaced it with:

int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);

Then I created the cert server/aaa chain in pem format by catting the aaa cert, sub-ca cert and server root cert as per openssl documentation (we've been using this in our application with openssl api and it works just fine), but then when I rebuild freeradius and try to start it up it gives me this error during init startup:

8448:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize the type tls

Any help in this regard would be appreciated - has anyone using freeRADIUS used cert chains with length more than 2? (This same scenario works fine with a Cisco ACS AAA.)

thanks.

Regards,
Mohammed.
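An added sanity check for the concatenated PEM bundle described above (written for this page; it is not FreeRADIUS or OpenSSL code). OpenSSL's "no start line ... Expecting: CERTIFICATE" means its PEM reader found no usable -----BEGIN CERTIFICATE----- header where it looked for one, so before changing server code it is worth confirming the bundle itself is clean PEM: every block has intact BEGIN/END lines, the base64 between them decodes to a DER SEQUENCE, and the blocks sit in the order the OpenSSL documentation asks for (server cert first, then the intermediates up to the root). The script parses a bundle and reports those problems; the sample bundles are constructed with a tiny placeholder DER object, not real certificates.

```python
"""Lint a concatenated PEM chain file before handing it to
SSL_CTX_use_certificate_chain_file(). Added example; samples are constructed."""
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem_blocks(text: str):
    """Return [(label, der_bytes), ...] in file order.
    Raises ValueError on a truncated, mismatched or non-base64 block."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # tolerate CRLF and trailing whitespace
        m = BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside unterminated {label} block")
            label, body = m.group(1), []
            continue
        m = END.match(line)
        if m:
            if label is None or m.group(1) != label:
                raise ValueError(f"line {lineno}: END {m.group(1)} without matching BEGIN")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError
                raise ValueError(f"{label} block ending line {lineno}: bad base64 ({exc})")
            blocks.append((label, der))
            label = None
            continue
        if label is not None and line:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block at end of file")
    return blocks


def block_labels(text: str):
    """Labels in file order, e.g. ['CERTIFICATE', 'CERTIFICATE', 'CERTIFICATE'].
    The first CERTIFICATE is the one OpenSSL uses as the server certificate."""
    return [label for label, _ in parse_pem_blocks(text)]


def check_chain_bundle(text: str):
    """Return a list of problems; an empty list means the file is well-formed
    PEM with at least one CERTIFICATE block whose body is a DER SEQUENCE."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return ["no PEM blocks found (this is what 'no start line' on the first read means)"]
    problems = []
    for i, (label, der) in enumerate(blocks):
        if label == "CERTIFICATE" and (not der or der[0] != 0x30):
            problems.append(f"block {i}: CERTIFICATE body does not decode to a DER SEQUENCE")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block in file")
    return problems


def _pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used only to build the constructed samples)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed samples: a minimal DER SEQUENCE stands in for a certificate.
FAKE_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_GOOD = _pem("CERTIFICATE", FAKE_CERT) * 3           # server, sub-CA, root
SAMPLE_WITH_KEY = _pem("CERTIFICATE", FAKE_CERT) + _pem("RSA PRIVATE KEY", b"\x30\x00")
SAMPLE_GARBLED = SAMPLE_GOOD.replace("-----BEGIN CERTIFICATE-----", "----BEGIN CERTIFICATE-----", 1)

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("with key", SAMPLE_WITH_KEY),
                         ("garbled", SAMPLE_GARBLED), ("not pem", "not a pem file\n")]:
        print(f"{name:9s}: {check_chain_bundle(sample) or 'ok'}")
```

Point it at the real bundle with `check_chain_bundle(open(path).read())` and look at `block_labels()` to confirm the order; a key block in the same file is not reported as an error, since the FreeRADIUS config quoted later in this thread says private_key_file and certificate_file may name the same file.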
Re: FreeRadius using PGP to authenticate users
Alain Perry [EMAIL PROTECTED] wrote:
> > FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.
>
> Is this feasible as a module, or do I have to actually modify FreeRADIUS code to do it ?

You'll have to add a module. Maybe hacking the rlm_eap_gtc module will work. You won't have to touch the server core (i.e. anything outside of the module).

Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Alan,

I agree...I should read the docs and the lists more thoroughly.

My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS. I'm just testing now...using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP. I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise.

Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help. If you were given my task, how would you go about implementing this?

thanks,
mack

On 21 Jun 2004 at 11:07, Alan DeKok wrote:

> Mack [EMAIL PROTECTED] wrote:
> > I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration.
>
> From what I can see you're trying to use EAP-TLS, *and* some kind of LDAP authorization/authentication, but you're not putting the usernames used by EAP-TLS into LDAP. The solution is simple:
>
> a) put the usernames into LDAP
> b) or, get the clients to use usernames which are in ldap.
>
> > My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc.
>
> A significant number of questions on this list are answered in the FAQ, README, documentation, etc. Those replies are meant to tell people to stop wasting their time asking questions on the list, when the answer is already in front of them.
>
> > But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place?
>
> If you would read the list, you would see that most of the questions involve things which are *not* in the FAQ or README. Those questions are answered.
>
> > My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP.
>
> You can't do this. It's impossible. EAP-TLS is an authentication mechanism. LDAP doesn't know about EAP-TLS, and therefore won't be able to authenticate any EAP-TLS request.
>
> > The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist.
>
> Have you tried adding that object to LDAP? I really don't see what the problem is here.
>
> > Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets authenticated via eap/tls.
>
> That will work.
>
> > They then open a browser, and are asked for username and password (via dialog box?), or either redirected to a login page.
>
> By who? The AP won't do this. And since the AP won't do this, *nothing* will.
>
> > The username and password are then passed to ldap for authentication. Successful authentication results in the client being given internet access. Is this possible?
>
> I doubt it. I also don't understand why you want the user to log in twice.
>
> Alan DeKok.
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, No, no, not you. I didn't mean you...sorry. You've been helpful...more so, you've shown a willingness to help. Thanks for that. I followed your suggestion about looking deeper into the list archives, and have progressed a bit further (i think). I stumbled upon PEAP, and configured my client to use mschapv2, thus answering the question of how to send LDAP username password to radius. This is all with EAP-TLS working (as far as I can tell). However, there's one catch... While running radiusd in debug mode, watching the output while the client authenticates (sends username password), it seems to get caught in a loop...same output over over again, and the client never gets totally authenticated. The output appears to indicate that the ldap auth and eap auth were both successful, but this is where it keeps looping...over and over again, keeps saying both were successful. Unless I'm just misinterpreting the output (that's VERY likely). I've attached some of the output to this email (hope that's ok...seemed to big to include in the body of the message). I am using a gentoo ebuild of freeradius now, but will look into the 1.0.0-pre1 version. I did notice that many of the posts assumed the users were on a 1.0.0-pre1 build. If nothing else, I can at least read thru the different docs included in that build, as you've suggested. Ready for a really dumb question? What does ymmv mean? I've often seen it on lists/boards, but have never seen a translation. Thanks for the help, mack On 21 Jun 2004 at 6:10, Gary McKinney wrote: Mack, I Was not trying to blow you off by making the statement of reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true so I thought you would be better served checking over those discussions! 
As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package (at least the version 1.0.0-pre1 and later source code) has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]... gm.. - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 20, 2004 10:30 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap) Gary, I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more indepth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions. Thanks for the help! mack On 19 Jun 2004 at 6:34, Gary McKinney wrote: Mack, Check the email archives over the last three months - there is a great deal of information on using EAP/TLS and how to use LDAP with freeradius (including example snippets). gm... - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 18, 2004 11:52 PM Subject: radius, 802.1x, eap/tls, and edirectory (ldap) Hi, I'm a newbie to all of this, so please bear with me. This list is all I've got! We are introducing a wireless infrastructure on our campus (a little late in the game). Right now we're in testing phase. In this testing phase, We are using several 3com 7250 AP's, some 3com cards capable of 802.1x, and Novell eDirectory (LDAP). 
My requirement is to enable 802.1x authentication to the AP's using EAP/TLS. Additionally, I need to be able to authenticate the users to Novell via LDAP. All via the FreeRADIUS server. I have configured freeradius version 0.9.3 to work successfully with only ldap authentication against Novell eDirectory. I have also verified that 802.1x authentication is working with the AP. However, if I attempt to somehow enable both authentication mechanisms, I fail. The logs keep passing the EAP username (common name from cert) to ldap and of course ldap spits it out because the object does not exist. Again, I'm new to this, and maybe I have made incorrect assumptions of what the end result should be. Maybe this isn't even possible, but here's what I had hoped to come away with: the wireless user boots their laptop, then gets
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Hi Mack, As for the looping problem - one question - do you have a wireless network card manager running in the background on the laptop ( I don't mean the nic driver) along with the supplicant??? I have EAP/TTLS running at home and ran into a looping problem that sounds the same (authenticated but kept on re-authenticating)... I am running the Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC Manager program running at the same time the supplicant was running. The NIC manager was causing the supplicant to disconnect from the nic thereby causing the supplicant to re-authenticate continuously! (duh!). Turning off the NIC manager software fixed the problem As for YMMV it means Your Mileage May Vary [grin]... gm... - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 21, 2004 8:21 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap) Gary, No, no, not you. I didn't mean you...sorry. You've been helpful...more so, you've shown a willingness to help. Thanks for that. I followed your suggestion about looking deeper into the list archives, and have progressed a bit further (i think). I stumbled upon PEAP, and configured my client to use mschapv2, thus answering the question of how to send LDAP username password to radius. This is all with EAP-TLS working (as far as I can tell). However, there's one catch... While running radiusd in debug mode, watching the output while the client authenticates (sends username password), it seems to get caught in a loop...same output over over again, and the client never gets totally authenticated. The output appears to indicate that the ldap auth and eap auth were both successful, but this is where it keeps looping...over and over again, keeps saying both were successful. Unless I'm just misinterpreting the output (that's VERY likely). I've attached some of the output to this email (hope that's ok...seemed to big to include in the body of the message). 
I am using a gentoo ebuild of freeradius now, but will look into the 1.0.0-pre1 version. I did notice that many of the posts assumed the users were on a 1.0.0-pre1 build. If nothing else, I can at least read thru the different docs included in that build, as you've suggested. Ready for a really dumb question? What does ymmv mean? I've often seen it on lists/boards, but have never seen a translation. Thanks for the help, mack On 21 Jun 2004 at 6:10, Gary McKinney wrote: Mack, I Was not trying to blow you off by making the statement of reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true so I thought you would be better served checking over those discussions! As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package (at least the version 1.0.0-pre1 and later source code) has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]... gm.. - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 20, 2004 10:30 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap) Gary, I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more indepth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions. 
Thanks for the help! mack On 19 Jun 2004 at 6:34, Gary McKinney wrote: Mack, Check the email archives over the last three months - there is a great deal of information on using EAP/TLS and how to use LDAP with freeradius (including example snippets). gm... - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 18, 2004 11:52 PM Subject: radius, 802.1x, eap/tls, and edirectory (ldap) Hi, I'm a newbie to all of this, so please bear with me. This list is all I've got! We are introducing a wireless infrastructure on our campus (a little late in the game). Right now we're in testing phase. In this testing phase, We are using several 3com
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Gary, I didn't recognize any services as being a wireless network card manager. Didn't see anything in add/remove, either. Where/how did you find yours? Thanks for clueing me in on the meaning of ymmv! I'll keep digging around for more information on my problem. BTW...did you have a chance to look at the output I attached? If so, what's your interpretation? thanks, mack On 21 Jun 2004 at 20:47, Gary McKinney wrote: Hi Mack, As for the looping problem - one question - do you have a wireless network card manager running in the background on the laptop ( I don't mean the nic driver) along with the supplicant??? I have EAP/TTLS running at home and ran into a looping problem that sounds the same (authenticated but kept on re-authenticating)... I am running the Odyssey Supplicant on a Windows 2000 machine and there was a Linksys NIC Manager program running at the same time the supplicant was running. The NIC manager was causing the supplicant to disconnect from the nic thereby causing the supplicant to re-authenticate continuously! (duh!). Turning off the NIC manager software fixed the problem As for YMMV it means Your Mileage May Vary [grin]... gm... - Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 21, 2004 8:21 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap) Gary, No, no, not you. I didn't mean you...sorry. You've been helpful...more so, you've shown a willingness to help. Thanks for that. I followed your suggestion about looking deeper into the list archives, and have progressed a bit further (i think). I stumbled upon PEAP, and configured my client to use mschapv2, thus answering the question of how to send LDAP username password to radius. This is all with EAP-TLS working (as far as I can tell). However, there's one catch... 
While running radiusd in debug mode, watching the output while the client authenticates (sends username password), it seems to get caught in a loop...same output over over again, and the client never gets totally authenticated. The output appears to indicate that the ldap auth and eap auth were both successful, but this is where it keeps looping...over and over again, keeps saying both were successful. Unless I'm just misinterpreting the output (that's VERY likely). I've attached some of the output to this email (hope that's ok...seemed to big to include in the body of the message). I am using a gentoo ebuild of freeradius now, but will look into the 1.0.0-pre1 version. I did notice that many of the posts assumed the users were on a 1.0.0-pre1 build. If nothing else, I can at least read thru the different docs included in that build, as you've suggested. Ready for a really dumb question? What does ymmv mean? I've often seen it on lists/boards, but have never seen a translation. Thanks for the help, mack On 21 Jun 2004 at 6:10, Gary McKinney wrote: Mack, I Was not trying to blow you off by making the statement of reading the archives... I am still, what I consider, a newbie as well... The statement about a lot of discussion on the subject you are requesting is true so I thought you would be better served checking over those discussions! As for documentation - have you read the rlm-eap and rlm-ldap documentation in the docs directory of the installation package (at least the version 1.0.0-pre1 and later source code) has information on what you are looking for in terms of using eap/tls and ldap together (in the rlm-eap docs). If you can use the pre-release code I would suggest doing so - while 0.9.3 is stable I have found the pre-release code does more [ymmv]... gm.. 
- Original Message - From: Mack [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, June 20, 2004 10:30 PM Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap) Gary, I had scanned them prior to posting, but there seem to be no solutions to all of the problems people have with this configuration. My impression is that most of the gurus on the list are assuming WAY too much of some of us newbies. They keep coming back with the same replies, like read the faqs, readme, rfc, etc., etc. But, that begs the question: If that's going to be the reply each time, then why even bother with the list in the first place? Oh, well. I am definitely taking a more indepth look at the archives, though, as you've suggested. If nothing else, maybe that will help me form better questions. Thanks for the help! mack On 19 Jun 2004 at 6:34, Gary McKinney wrote: Mack, Check the email archives over the last three months - there is a great deal of information on using EAP/TLS and how to use
Delay in updating accounting table
Hi,

Does anybody know why the accounting table is updated only when the Account Stop packet is sent? Although the Account Start is not lost, it is only inserted when the Account Stop is triggered. Does Freeradius save the Accounting packets in some intermediary file before updating the database? If it does, then in which file? And is there any way to push the insert without delay?

FreeRadius: 0.93
Database: mySQL

Thanks
prabh
PEAP Server certificate problem
I am trying to get PEAP running with a server certificate. I am using freeRADIUS version 1.0.0-pre3. I get the following error. Can anyone tell me the reason for this?

Here is the setup: client -- AP -- freeRADIUS

radiusd output with the -X -A options:

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.10.202:3072, id=0, length=210
        User-Name = "bill"
        NAS-IP-Address = 192.168.10.202
        Called-Station-Id = "000f6618f78a"
        Calling-Station-Id = "000f661d2a27"
        NAS-Identifier = "000f6618f78a"
        NAS-Port = 16
        Framed-MTU = 1400
        State = 0x1c4e178e2bc98f392d7790f75b245fe3
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010050198000461603010041013d030140d7a299b2f91538ee2ce9b0fe5733268ae1b5d3a91bdde1c5543688b308ce261600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x54759471236cbc92ac2424359782dc6f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "bill", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched bill at 106
radius_xlat: 'Hello, I am Bill here --- (MS-CHAP) bill'
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 0694], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A

users file:

"bill"  User-Password == "hellobill"
        Reply-Message = "Hello, I am Bill here --- (MS-CHAP) %u"

eap.conf:

        ...
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem

                #  If Private key & Certificate are located in
                #  the same file, then private_key_file &
                #  certificate_file must contain the same file
                #  name.
                certificate_file = ${raddbdir}/certs/cert-srv.pem

                #  Trusted Root CA list
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random

                #
                #  This can never exceed the size of a RADIUS
                #  packet (4096 bytes), and is preferably half
                #  that, to accommodate other attributes in the
                #  RADIUS packet.  On most APs the MAX packet
                #  length is configured between 1500 - 1600.
                #  In these cases, fragment size should be
                #  1024 or less.
                #
                fragment_size = 1024

                #  include_length is a flag which is
                #  by default set to yes.  If set to
                #  yes, Total Length of the message is
                #  included in EVERY packet we send.
                #  If set to no, Total Length of the
                #  message is included ONLY in the
                #  First packet of a fragment series.
                #
                include_length = yes

                #  Check the Certificate Revocation List
                #
                #  1) Copy CA certificates and CRLs to same directory.
                #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                #     'c_rehash' is OpenSSL's command.
                #  3) Add 'CA_path=<CA certs&CRLs directory>'
                #     to radiusd.conf's tls section.
                #  4) uncomment the line below.
                #  5) Restart radiusd
                #  check_crl = yes

                #
                #  If check_cert_cn is set, the value will
                #  be xlat'ed and checked against the CN
                #  in the client certificate.  If the values
                #  do not match, the certificate verification
                #  will fail rejecting the user.
                #
                #  check_cert_cn = %{User-Name}
        }

        peap {
                #  The tunneled EAP session needs a default
                #  EAP type which is separate from the one for
                #  the non-tunneled EAP module.  Inside of the
                #  PEAP tunnel, we recommend using MS-CHAPv2,
                #  as that is the default type supported by
                #  Windows clients.
                default_eap_type = mschapv2
        }
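The debug output in the post above ends at "TLS_accept:error in SSLv3 read client certificate A", after the server has written its Certificate and ServerHelloDone and flushed them. The script below is an added example, not part of the post and not FreeRADIUS code: it pulls the TLS handshake messages and TLS_accept state lines out of radiusd -X output and reports what was received from the client, what the server sent, how many bytes of handshake body the server's flight was, and what the server was doing when it failed. The sample input is the TLS-related lines of the post's own debug output (the RADIUS attribute lines are left out; unrecognised lines are ignored, so the full output can be fed in unchanged). The function names and the fragment arithmetic are mine.

```python
import math
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the TLS-related lines of the radiusd -X output quoted
# in the post above. Anything the regexes below do not recognise is skipped.
SAMPLE_DEBUG = """\
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 0694], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
"""

# "rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello"
HANDSHAKE_RE = re.compile(
    r"rlm_eap_tls:\s+TLS\s+(?P<version>[\d.]+)\s+Handshake\s+"
    r"\[length\s+(?P<length>[0-9a-fA-F]+)\],\s*(?P<msg>\w+)"
)
# "TLS_accept:error in SSLv3 read client certificate A" (must be tried before STATE_RE)
ERROR_RE = re.compile(r"TLS_accept:\s*error in\s+(?P<where>.+?)\s*$")
# "TLS_accept: SSLv3 write server hello A"
STATE_RE = re.compile(r"TLS_accept:\s*(?P<state>.+?)\s*$")


def summarize_tls_handshake(log_text: str) -> Dict[str, object]:
    """Reduce radiusd -X output to the TLS handshake it shows.

    Each Handshake line is attributed to a side from the TLS_accept state line
    that follows it: "SSLv3 read ..." means the server received the message,
    "SSLv3 write ..." means the server sent it. Parsing stops at the first
    TLS_accept error, because rlm_eap_tls stops there too.
    """
    received: List[str] = []
    sent: List[str] = []
    server_flight_bytes = 0
    pending: Optional[Tuple[str, int]] = None  # (message, body length) awaiting its state line
    last_state: Optional[str] = None
    error: Optional[str] = None

    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            pending = (m["msg"], int(m["length"], 16))
            continue
        e = ERROR_RE.search(line)
        if e:
            error = e["where"]
            break
        s = STATE_RE.search(line)
        if s:
            last_state = s["state"]
            if pending is not None:
                msg, length = pending
                if last_state.startswith("SSLv3 read"):
                    received.append(msg)
                elif last_state.startswith("SSLv3 write"):
                    sent.append(msg)
                    server_flight_bytes += length
                pending = None

    return {
        "received": received,
        "sent": sent,
        "server_flight_bytes": server_flight_bytes,
        "last_state": last_state,
        "error": error,
        # A failure in a "read" state means the server was waiting on the client.
        "waiting_for_client": error is not None and " read " in error,
    }


def fragments_needed(flight_bytes: int, fragment_size: int) -> int:
    """Lower bound on the number of EAP-TLS fragments for a flight of handshake data.

    Only handshake bodies are counted; the TLS record and EAP headers that must
    also fit in each fragment are ignored, so the real number can be higher.
    """
    if fragment_size <= 0:
        raise ValueError("fragment_size must be positive")
    return max(1, math.ceil(flight_bytes / fragment_size))


if __name__ == "__main__":
    summary = summarize_tls_handshake(SAMPLE_DEBUG)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("fragments needed at fragment_size = 1024 (lower bound):",
          fragments_needed(int(summary["server_flight_bytes"]), 1024))
```

Run on the posted log it reports one message received (ClientHello), three sent (ServerHello, Certificate, ServerHelloDone, 1762 bytes of handshake body between them), a last state of "SSLv3 flush data" and a failure in a read state: the server had finished sending its flight and was waiting for the client's next message when the error was logged, so the client side of the conversation is the next place to look. With fragment_size = 1024 in the posted eap.conf, a 1762-byte flight cannot go out in a single EAP-TLS fragment, which is worth remembering when a trace ends while waiting on the client.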
Re: Delay in updating accounting table
prabhdeep [EMAIL PROTECTED] wrote:
> Does anybody know why accounting table is updated only when Account Stop packet is sent?

  It's updated for start and update queries, too, in the default config.

> Although the Account Start is not lost, but it's only inserted when Account Stop is triggered.

  Are you sure?  Run it in debugging mode to see.  I doubt very much that's happening.

> Does FreeRADIUS save the Accounting packets in some intermediary files before updating the database?

  No.

> If it does then in which file? And is there any way to push the insert without delay?

  Inserts are always done without delay.

  Alan DeKok.
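To make Alan's answer concrete, here is an added example, mine rather than FreeRADIUS's SQL module or its shipped queries, that applies Accounting-Request Start, Interim-Update and Stop packets to a reduced radacct-style SQLite table. The column names follow the radacct schema, but the table, the packets and the function names are constructed for this example. Each packet is inserted or applied as soon as it arrives and committed before the function returns, so the Start row is visible immediately. It also handles the case a Stop arrives for a session whose Start was never seen: the row is reconstructed from the Stop packet rather than dropped (FreeRADIUS's sql.conf carries alternate queries for exactly that), which is the only situation in which a Stop creates a row.

```python
import sqlite3
from typing import Dict, List, Optional

# Reduced radacct-style table, constructed for this example. The column names
# follow FreeRADIUS's radacct schema; the real table has many more columns.
SCHEMA = """
CREATE TABLE radacct (
    radacctid          INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid      TEXT    NOT NULL,
    username           TEXT    NOT NULL,
    nasipaddress       TEXT    NOT NULL,
    acctstarttime      INTEGER NOT NULL,
    acctstoptime       INTEGER,
    acctsessiontime    INTEGER NOT NULL DEFAULT 0,
    acctinputoctets    INTEGER NOT NULL DEFAULT 0,
    acctoutputoctets   INTEGER NOT NULL DEFAULT 0,
    acctterminatecause TEXT
);
CREATE UNIQUE INDEX radacct_session ON radacct (acctsessionid, nasipaddress);
"""

Packet = Dict[str, object]

# Constructed Accounting-Request packets (attribute name -> value) for two
# sessions of user "bill". Session 8a1f0002 has no Start packet at all.
SAMPLE_PACKETS: List[Packet] = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "8a1f0001", "User-Name": "bill",
     "NAS-IP-Address": "192.168.10.202", "Event-Timestamp": 1091000000},
    {"Acct-Status-Type": "Interim-Update", "Acct-Session-Id": "8a1f0001", "User-Name": "bill",
     "NAS-IP-Address": "192.168.10.202", "Event-Timestamp": 1091000300,
     "Acct-Session-Time": 300, "Acct-Input-Octets": 12000, "Acct-Output-Octets": 480000},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "8a1f0001", "User-Name": "bill",
     "NAS-IP-Address": "192.168.10.202", "Event-Timestamp": 1091000600,
     "Acct-Session-Time": 600, "Acct-Input-Octets": 20000, "Acct-Output-Octets": 900000,
     "Acct-Terminate-Cause": "User-Request"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "8a1f0002", "User-Name": "bill",
     "NAS-IP-Address": "192.168.10.202", "Event-Timestamp": 1091001000,
     "Acct-Session-Time": 120, "Acct-Input-Octets": 3000, "Acct-Output-Octets": 45000,
     "Acct-Terminate-Cause": "Lost-Carrier"},
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def _insert(conn: sqlite3.Connection, pkt: Packet, start_time: int,
            stop_time: Optional[int] = None) -> None:
    conn.execute(
        "INSERT INTO radacct (acctsessionid, username, nasipaddress, acctstarttime,"
        " acctstoptime, acctsessiontime, acctinputoctets, acctoutputoctets, acctterminatecause)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
        (pkt["Acct-Session-Id"], pkt["User-Name"], pkt["NAS-IP-Address"], start_time, stop_time,
         pkt.get("Acct-Session-Time", 0), pkt.get("Acct-Input-Octets", 0),
         pkt.get("Acct-Output-Octets", 0), pkt.get("Acct-Terminate-Cause")),
    )


def handle_accounting(conn: sqlite3.Connection, pkt: Packet) -> str:
    """Apply one Accounting-Request to radacct; returns the action taken."""
    status = pkt["Acct-Status-Type"]
    now = int(pkt["Event-Timestamp"])
    key = (pkt["Acct-Session-Id"], pkt["NAS-IP-Address"])
    if status == "Start":
        _insert(conn, pkt, start_time=now)          # row exists from the Start onwards
        action = "inserted"
    elif status in ("Interim-Update", "Stop"):
        stop_time = now if status == "Stop" else None
        cur = conn.execute(
            "UPDATE radacct SET acctsessiontime = ?, acctinputoctets = ?, acctoutputoctets = ?,"
            " acctstoptime = COALESCE(?, acctstoptime),"
            " acctterminatecause = COALESCE(?, acctterminatecause)"
            " WHERE acctsessionid = ? AND nasipaddress = ? AND acctstoptime IS NULL",
            (pkt["Acct-Session-Time"], pkt["Acct-Input-Octets"], pkt["Acct-Output-Octets"],
             stop_time, pkt.get("Acct-Terminate-Cause"), *key),
        )
        if cur.rowcount:
            action = "updated"
        else:
            # The Start never reached us: rebuild the row from this packet, back-dating
            # the start by the reported session time, instead of losing the session.
            _insert(conn, pkt, start_time=now - int(pkt["Acct-Session-Time"]), stop_time=stop_time)
            action = "inserted (no Start seen)"
    else:
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")
    conn.commit()  # committed per packet: nothing is held back until the Stop
    return action


def session_row(conn: sqlite3.Connection, session_id: str, nas_ip: str) -> Optional[Dict[str, object]]:
    row = conn.execute("SELECT * FROM radacct WHERE acctsessionid = ? AND nasipaddress = ?",
                       (session_id, nas_ip)).fetchone()
    return dict(row) if row is not None else None


def open_sessions(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    for packet in SAMPLE_PACKETS:
        print(packet["Acct-Status-Type"], packet["Acct-Session-Id"], "->", handle_accounting(db, packet))
        print("   ", session_row(db, str(packet["Acct-Session-Id"]), str(packet["NAS-IP-Address"])))
    print("open sessions:", open_sessions(db))
```

Querying the table right after the first packet shows the Start row with acctstoptime still NULL; the Interim-Update and Stop only modify that row. If a deployment really does see rows appear only at Stop, the update for the Start is matching nothing, which is what the debug run Alan suggests would show.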
Re: radius, 802.1x, eap/tls, and edirectory (ldap)
Mack [EMAIL PROTECTED] wrote:
> My AP requires that I enable 802.1x in order to use RADIUS authentication. So, I figured I'd use EAP-TLS.

  Are you picking it at random, or are you looking at the features it offers, and using your requirements to decide on a solution?

> I'm just testing now...using an XP client, so I chose to use EAP-TLS. I want to use LDAP because that's where our userbase is stored (Novell eDirectory). The idea is to authenticate users via LDAP.

  I thought I had been pretty clear in my response: EAP-TLS and LDAP are mutually incompatible.  Stop trying to get them to work together.

> I'm only using EAP-TLS because the AP won't let me use RADIUS otherwise. Of course, I'm such a newbie that I'm probably getting it all wrong. That's where I was hoping the list would help.

  You should ask about how to solve a problem, rather than asking why the solution you chose didn't work.

> If you were given my task, how would you go about implementing this?

  I told you.  Go back and read my message.  If you could describe a problem, I might be able to come up with an alternate solution.

  Alan DeKok.
Re: FreeRadius using PGP to authenticate users
Hi Alan.

Alain Perry wrote:
>> FreeRADIUS can do challenge-response fairly easily, but you will have to write code to decide what to use for a challenge, and how to verify the response.
>
> Is this feasible as a module, or do I have to actually modify FreeRADIUS code to do it?

A lot of FreeRADIUS functionality is in modules; you'll have to look into ./src/modules/rlm_eap/types and create something like rlm_eap_gpg. This would be a directory for the EAP_GPG submodule.

Also, for development the freeradius-devel mailing list is available. But don't ask questions until you've studied at least one rlm_eap_* (I think md5 is the closest thing to what you want) and know some basic concepts.

AFAIK FreeRADIUS is very easy to code for. The code is well structured and clear.

You'll have more fun ;-] with an EAP client. Your best (fastest) bet is to get it working with Xsupplicant.

--
Good luck,
Rok Papez.