Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Christophe Saillard

Here's what I have to put in the users file to make it work:
DEFAULT Auth-Type := PAP, Freeradius-Proxied-To == 127.0.0.1
        User-Name = `%{User-Name}`,
        Fall-Through = no
But now PEAP/MSCHAPv2 doesn't work...
 


  If you had read the debug log, you would see WHY it doesn't work.
  Repeat it like a mantra: If you're not sure, DO NOT SET AUTH-TYPE.
When I do not set Auth-Type, TTLS/PAP works with users stored in the users file,
PEAP/MS-CHAPv2 works with users from LDAP storage, but TTLS/PAP from LDAP doesn't work.
  The server will figure it out on it's own.
  Alan DeKok.


--
---
Christophe Saillard
Centre Réseau Communication
Université Louis Pasteur
---
Tél : 03 90 24 03 17
Fax : 03 90 24 03 12
---
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Is it possible to use the MAC as the key

2004-06-22 Thread Christoffer Dahl Petersen




Hi!

I was wondering if it is possible to tell FreeRADIUS to use the MAC address as a validating key?
I would like to store all my clients' MAC addresses in a DB and use it as a backend for FreeRADIUS; then when a client starts, the AP sends the client's MAC address to FreeRADIUS and the MAC address is used as a token for validation.

/ Christoffer




Problem getting a Cisco 3550 to change VLAN on dot1x authenticate

2004-06-22 Thread Stefan Westerberg
Hi, I'm testing the FreeRADIUS server's dot1x support for EAP-TLS. So far I have got the
PC authenticated using certificates but I can't get the switch to set the VLAN I want on the port.

I have tried every tip found on the Cisco web and from this list and I'm now stuck.
And yes, the VLAN TESTVLAN is defined in the VLAN database. I have also tried the VLAN id 555
and the long version 100555. I have tried renaming the VLAN and using the attribute
cisco-avpair to send the VLAN info.
 
users setup:

DEFAULT Auth-Type := EAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = TESTVLAN

or

DEFAULT Auth-Type := EAP
        cisco-avpair += tunnel-type(#64)=VLAN(13),
        cisco-avpair += tunnel-medium-type(#65)=802 media(6),
        cisco-avpair += tunnel-private-group-ID(#81)=TESTVLAN

None of them worked.
 
I cut out some parts of the logs that show the problem:

FreeRADIUS server debug log:
 
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 9
modcall: group authenticate returns ok for request 9
Login OK: [host/Client certificate/no User-Password attribute] (from client rklan-client port 50023 cli 00-08-02-D7-6B-24)
Sending Access-Accept of id 121 to 10.25.250.250:1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = TESTVLAN
MS-MPPE-Recv-Key = 0x8fcfa4475a4fd660644c278b0f121c5c36eba960ef13ef331fe8917485ab8990
MS-MPPE-Send-Key = 0xb2dc132a07afb4e469a48d3bd947fcc1dabaf7f80242e37e9eb7dd65a009e4ef
EAP-Message = 0x03640004
Message-Authenticator = 0x
User-Name = host/Client certificate
Finished request 9
 
 
Cisco 3550 radius debug log:

01:45:10: RADIUS: Received from id 121 10.25.32.63:1812, Access-Accept, len 207
01:45:10: Attribute 64 6 000D
01:45:10: Attribute 65 6 0006
01:45:10: Attribute 81 10 54455354
01:45:10: Attribute 26 58 0137113494E2
01:45:10: Attribute 26 58 013710349898
01:45:10: Attribute 79 6 03640004
01:45:10: Attribute 80 18 20106B4C
01:45:10: Attribute 1 25 686F7374
01:45:10: RADIUS: EAP-login: length of eap packet = 4
01:45:10: RADIUS: EAP-login: radius didn't send any vlan
 
 
tcpdump on the freeradius server:

11:18:49.257403 10.25.32.63.radius > 10.25.250.250.radius: rad-access-accept 207 [id 121] Attr[ Tunnel_type{Tag[Unused]{#13} Tunnel_medium{Tag[Unused]{802} Tunnel_priv_group{TESTVLAN} [|radius] (DF)
 
 
 
Versions of the freeradius server and Cisco IOS:

[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.0-pre3, for host , built on Jun 21 2004 at 11:07:50
Copyright (C) 2000-2003 The FreeRADIUS server project.

Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9K2L2Q3-M), Version 12.1(20)EA2, RELEASE SOFTWARE (fc1)
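As an added example (not FreeRADIUS or Cisco code), here is a decoder for the attribute bytes the 3550 logged above: it splits the Access-Accept into type/length/value triples, applies the RFC 2868 tag rules (a tag byte on the two integer attributes; on Tunnel-Private-Group-Id a first byte above 0x1F is data, which is why the 8-byte TESTVLAN value has length 10), and only reports a VLAN when Tunnel-Type, Tunnel-Medium-Type and the group id all agree under one tag. The sample bytes are constructed to match the `Attribute 64 6`, `65 6`, `81 10` and `1 25` lines of the switch debug.

```python
# RADIUS attribute codes (RFC 2865/2868) as they appear in the Access-Accept above.
USER_NAME = 1
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868: Tunnel-Medium-Type = IEEE-802


def parse_avps(data: bytes) -> list:
    """Split a RADIUS attribute stream into (type, value) pairs; Length covers the 2-byte header."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        avps.append((t, bytes(data[i + 2:i + length])))
        i += length
    return avps


def tagged_int(value: bytes) -> tuple:
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte, then a 3-byte big-endian integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def tagged_string(value: bytes) -> tuple:
    """Tunnel-Private-Group-Id: a leading byte > 0x1F is data, not a tag (tag 0 is then implied)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii", "replace")
    return 0, value.decode("ascii", "replace")


def vlan_from_access_accept(attrs: bytes):
    """Return the VLAN name the NAS should apply, or None if the three attributes don't line up."""
    groups = {}
    for t, v in parse_avps(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, n = tagged_int(v)
            groups.setdefault(tag, {})[t] = n
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = tagged_string(v)
            groups.setdefault(tag, {})[t] = s
    for _tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None


def avp(t: int, value: bytes) -> bytes:
    """Encode one attribute: Type, Length (header included), Value."""
    return bytes([t, 2 + len(value)]) + value


# Constructed sample: the attributes the 3550 logged as "Attribute 64 6", "65 6", "81 10", "1 25".
ACCEPT_WITH_VLAN = (
    avp(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
    + avp(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))
    + avp(TUNNEL_PRIVATE_GROUP_ID, b"TESTVLAN")
    + avp(USER_NAME, b"host/Client certificate")
)
# Constructed: the same reply without Tunnel-Medium-Type, which a NAS must not treat as a VLAN assignment.
ACCEPT_MISSING_MEDIUM = (
    avp(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
    + avp(TUNNEL_PRIVATE_GROUP_ID, b"TESTVLAN")
)

if __name__ == "__main__":
    print(vlan_from_access_accept(ACCEPT_WITH_VLAN))       # TESTVLAN
    print(vlan_from_access_accept(ACCEPT_MISSING_MEDIUM))  # None
```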



howto set max reauthentication parameter

2004-06-22 Thread ankan
Hi All,
I am using a Cisco Aironet 1100 AP and a FreeRADIUS server for EAP authentication. Now I
want to set the max reauthentication (reAuthMax) parameter in the AP to some specific value.
So please, can anyone help me with how to set this parameter inside the AP?

I know it's a little bit of a deviation from the topics the freeradius mailing list discusses,
but I am really in trouble with this matter and desperately need someone's help in
this regard. And also, please can anybody tell me an alternative place where I should
post this kind of question?

Regards
Ankan




Re: Problem getting a Cisco 3550 to change VLAN on dot1x authenticate

2004-06-22 Thread Stefan Westerberg
Thanks, it made the difference... reading through the Cisco guide again I see the
command listed as optional and not in the command example, so I simply missed it :(



From: [EMAIL PROTECTED] on behalf of Frédéric EVRARD
Sent: Tue 2004-06-22 10:41
To: [EMAIL PROTECTED]
Subject: Re: Problem getting a Cisco 3550 to change VLAN on dot1x authenticate



Hi,

Don't forget, on the 3550 switch:
aaa authorization network default group radius
(to let RADIUS change the network conf)

Attributes are good.

Fred.EVRARD



disabling rlm_x99_token

2004-06-22 Thread Cameron Gregg
Hi all,
how can I stop the rlm_x99_token module from being compiled in?
I get the following error and can't figure out how to fix it.
/usr/ccs/bin/ld -G -h rlm_x99_token-1.0.0-pre3.so -o 
.libs/rlm_x99_token-1.0.0-pre3.so  x99_rlm.lo x99_util.lo x99_state.lo 
x99_mac.lo x99_sync.lo x99_site.lo x99_pwe.lo x99_log.lo  -lcrypto -lnsl 
-lresolv -lsocket -lposix4 -lpthread -L/usr/local/ssl/lib -lcrypto -lssl -lc
ld: fatal: library -lcrypto: not found
ld: fatal: File processing errors. No output written to 
.libs/rlm_x99_token-1.0.0-pre3.so
make[6]: *** [rlm_x99_token.la] Error 1
make[6]: Leaving directory 
`/usr/local/src/freeradius-1.0.0-pre3/src/modules/rlm_x99_token'
make[5]: *** [common] Error 1
make[5]: Leaving directory 
`/usr/local/src/freeradius-1.0.0-pre3/src/modules'
make[4]: *** [all] Error 2
make[4]: Leaving directory 
`/usr/local/src/freeradius-1.0.0-pre3/src/modules'
make[3]: *** [common] Error 1
make[3]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3/src'
make[1]: *** [common] Error 1
make[1]: Leaving directory `/usr/local/src/freeradius-1.0.0-pre3'
make: *** [all] Error 2

I assume I don't need this module for any core functionality?
Thanks
Cameron


Ask active directory(ldap) for authentication. Problem with reference

2004-06-22 Thread Markus.Wintruff
Hi all,

Here is my problem; I hope someone is able to help me.
I use freeradius 0.9.3 on Debian. I will ask our company's AD for authentication.
The AD is built up in the following way:

Ou=users,Ou=(different ous),dc=my,dc=company,dc=de

If I ask for a user with basedn Ou=unit,dc=my,dc=company,dc=de everything works fine.
Now I have to ask for different users in different OUs, so I use basedn=dc=company,dc=de.
Now I get an error saying:
Error: rlm_ldap: ldap_search() failed: Opperational Error.

I traced it and saw that I got a reference and the ldap module binds to a different
AD server; the problem is it tries to bind anonymously, and I don't know why it doesn't use the
identity I configured.

In the search result there is the answer I need too. But how can I use it without
the reference, or how can I tell the module to use the configured identity?

Here is the ldap part of my radiusd.conf:

snipp
ldap {
server = adserver.my.company.hamburg.de
identity = [EMAIL PROTECTED]
password= 
basedn = DC=my,DC=company,DC=hamburg,DC=de
filter = (UserPrincipalName=%u)

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 689) connections
start_tls = no

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5
groupmembership_filter = (member=%{Ldap-UserDn})
timeout = 4
timelimit = 3
net_timeout = 1
}
snip

Is it a bug or a feature ;-)

Regards


Markus Wintruff
Betrieb Firewall und serverbasierte Datendienste

Dataport
Niederlassung Hamburg
Billstr. 82, 20539 Hamburg
Internet:www.dataport.de
E-Mail:  [EMAIL PROTECTED]
Telefon: 040 - 4 28 46 28 78
Telefax: 040 - 4 279 46 878



Re: Is it possible to use the MAC as the key

2004-06-22 Thread Keith Yoder

I was wondering if it is possible to tell the Freeradius to use the MAC
addr. as a validating key?
I would like to store all my clients MAC addr. in a db, and use it as a
backend for Freeradius, then when the clients starts, the AP sends the
clients MAC addr. to Freeradius and the MAC addr. is used as a token for
validating.

Yes this is possible.  You just need to find out where (what attribute) the
AP puts the MAC in the request.  It might be in Calling-Station-Id.  Then
you can treat it just like a password.

Keith Yoder




Authentication and assigning VLAN based on Certificate

2004-06-22 Thread Stefan Westerberg
Hi, I have (with some help) got the freeradius server to authenticate and send the VLAN name
to the switch. But what I want to do is to use the freeradius server to authenticate and set a VLAN
based on the certificate without the need of any other external database lookup (ldap or sql).

1. Verify that the certificate is signed by your CA
2. Check the CRL
3. Check the OU field (or any other) in the certificate and then assign the VLAN based on
that field.

For options 1 & 2 the answer should be yes, but for option 3 I have no real clue on how
to do it.
 
/Stefan
 



freeradius

2004-06-22 Thread apellido jr., wilfredo p.




Currently I'm running freeradius as authentication server using postgresql as the database
backend, which authenticates users based on their monthly usage (prepaid). Now I'm trying to
create users which can only authenticate within a timespan, e.g. from 6 am-10 pm, and this
can simply be done by adding the Login-Time attribute. As expected, after 10 pm the user(s)
will be disconnected. How do I tell freeradius, if the user tries to connect, to forward the
authentication request to another radius server?


RE: Authentication and assigning VLAN based on Certificate

2004-06-22 Thread Stefan Westerberg
Have you tried with the same value in the FreeRADIUS users file field and in the
certificate field?
 
I don't exactly follow you, but I suspect you mean the CN name of the certificate.
Well, it would work, but it counters what I want to do, namely set the client VLAN
based on the organization unit (OU) and not the client's name. And I want to have
a unique name for each client/certificate.

The nice thing with this is that you could have a decentralized solution that
sets the VLAN from the information in the certificate. You would also get a radius
server that is more or less static (apart from log files and the CRL file). And the CRL
file is fetched once per day, so you don't have to have a connection with the corporate
CA 100% of the time (or the AD/ldap server).
 
Regards,
Stefan

Re: dialup_admin not showing any output

2004-06-22 Thread Kostas Kalevras
On Sat, 19 Jun 2004, Michael Markstaller wrote:

 Using Debian woody,
 every dialup_admin I tried *after* the 0.9.3 release doesn't output the
 database-query results on the web.
 Apache/php should work, I can also see the queries being run against
 the mysql server in mysql.log and these queries also return results if I
 execute them manually.
 But they're simply not written to the browser, nothing uncommon in
 access.log or error.log of Apache.

Have you enabled sql_debug in admin.conf?


 any quick idea where to look ?

 Michael



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: rlm_sql / AcctstartTime AcctStartDelay

2004-06-22 Thread Kostas Kalevras
On Sat, 19 Jun 2004, Michael Markstaller wrote:

 Just an idea while messing around with duplicate accountings in mysql:

 Wouldn't it be more logical to change the insert/update commands in
 sql.conf to log the real start/stop time of the session, taking the
 start/stop delay into account, instead of the packet timestamp %S?
 Because otherwise any query against the accounting data has to calculate
 (AcctStartTime-AcctStartDelay) As LoginTime and
 AcctStopTime-AcctStopDelay
 IMHO it's much more likely to query login/logout times than how long the
 packet took to reach the database (which is still possible with
 AcctStart/StopDelay)


This has already been done for the accounting_stop_query_alt. It would be nice
to do the same for the rest of the queries.


 I can make/change the queries and post them, just wanted to poll some
 opinions or maybe I've overlooked something this change might break up
 with..

 Michael



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Remove these errors/info

2004-06-22 Thread Kaczmarek, Thaddeus
On Tue, 2004-06-22 at 14:42 +0100, jihad Jaafar wrote:
 How do I stop these infos coming up
 
  
 
 Tue Jun 22 09:43:21 2004 : Info: Using deprecated naslist file.
 Support for this will go away soon.
 
 Tue Jun 22 09:43:21 2004 : Info: rlm_exec: Wait=yes but no output
 defined. Did you mean output=none? 
 
  
 
 Thanks
 
 
Just a guess, but maybe deleting the config files that are
deprecated :-)

Ted




Re: dialup_admin/sql using postgresql

2004-06-22 Thread Kostas Kalevras
On Sat, 19 Jun 2004, apellido jr., wilfredo p. wrote:

 Hello Guy, just checked the mailing list and I got your dialup admin postgres
 schema and I'm just combining it all. Can you take a look please, if this is
 correct; it works for me.

Added to dialupadmin, thanks




 SET search_path = public, pg_catalog;

 --
 -- Table structure for table 'badusers'
 --
 CREATE TABLE badusers (
 id BIGSERIAL PRIMARY KEY,
 username TEXT NOT NULL,
 -- now() is evaluated per INSERT; the string literal 'now' would be frozen at CREATE TABLE time
 date TIMESTAMP WITH TIME ZONE DEFAULT now() NOT NULL,
 reason TEXT,
 admin TEXT DEFAULT '-'
 );
 -- the index has to name the column the table actually has ('date'; there is no 'actiondate')
 CREATE INDEX badusers_actiondate_idx ON badusers USING btree (date);
 CREATE INDEX badusers_username_idx ON badusers USING btree (username);

 --
 -- Table structure for table 'mtotacct'
 --
 CREATE TABLE mtotacct (
 mtotacctid BIGSERIAL PRIMARY KEY,
 username TEXT DEFAULT '' NOT NULL,
 acctdate DATE DEFAULT CURRENT_DATE NOT NULL,
 connnum BIGINT,
 conntotduration BIGINT,
 connmaxduration BIGINT,
 connminduration BIGINT,
 inputoctets BIGINT,
 outputoctets BIGINT,
 nasipaddress INET
 );
 CREATE INDEX mtotacct_acctdate_idx ON mtotacct USING btree (acctdate);
 CREATE INDEX mtotacct_nasipaddress_idx ON mtotacct USING btree (nasipaddress);
 CREATE INDEX mtotacct_username_idx ON mtotacct USING btree (username);
 CREATE INDEX mtotacct_userondate_idx ON mtotacct USING btree (username, acctdate);

 --
 -- Table structure for table 'totacct'
 --
 CREATE TABLE totacct (
 totacctid BIGSERIAL PRIMARY KEY,
 username TEXT DEFAULT '' NOT NULL,
 acctdate DATE DEFAULT CURRENT_DATE NOT NULL,
 connnum BIGINT,
 conntotduration BIGINT,
 connmaxduration BIGINT,
 connminduration BIGINT,
 inputoctets BIGINT,
 outputoctets BIGINT,
 nasipaddress INET
 );
 CREATE INDEX totacct_acctdate_idx ON totacct USING btree (acctdate);
 CREATE INDEX totacct_nasipaddress_idx ON totacct USING btree (nasipaddress);
 CREATE INDEX totacct_nasondate_idx ON totacct USING btree (acctdate, nasipaddress);
 CREATE INDEX totacct_username_idx ON totacct USING btree (username);
 CREATE INDEX totacct_userondate_idx ON totacct USING btree (username, acctdate);

 --
 -- Table structure for table 'userinfo'
 --
 CREATE TABLE userinfo (
 id SERIAL PRIMARY KEY,
 username TEXT,
 name TEXT,
 mail TEXT,
 department TEXT,
 workphone TEXT,
 homephone TEXT,
 mobile TEXT
 );
 CREATE INDEX userinfo_department_idx ON userinfo USING btree (department);
 CREATE INDEX userinfo_username_idx ON userinfo USING btree (username);





  Original Message -
 From: Kostas Kalevras [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Friday, June 18, 2004 7:59 PM
 Subject: Re: dialup_admin/sql using postgresql


  On Fri, 18 Jun 2004, apellido jr., wilfredo p. wrote:
 
   mysql -h mysql.host.com -u username -p radius < badusers.sql this is for
 MYSQL. what about POSTGRESQL? i tried this
  
   cat mtotacct.sql | psql radius
  
   and i got this : ERROR:  syntax error at or near ( at character 44
  
   thanks
  
 
  so provide patches for the sql schema to work with postgresql. It
 shouldn't be
  too hard. I don't use pgsql so i can't help you on that.
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED] National Technical University of Athens, Greece
  Work Phone: +30 210 7721861
  'Go back to the shadow' Gandalf
 




--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Authentication and assigning VLAN based on Certificate

2004-06-22 Thread Alan DeKok
Stefan Westerberg [EMAIL PROTECTED] wrote:
...
 3. Check the OU field (or any other) in the certificate and then assign
 VLAN based on that field.

  The server doesn't currently support looking into the certificates.

  Patches to the rlm_eap_tls module would be required.

  Alan DeKok.



Re: Using Freeradius with LDAP storage and EAP-TTLS authentication

2004-06-22 Thread Alan DeKok
Christophe Saillard [EMAIL PROTECTED] wrote:
 When I do not set Auth-Type TTLS/PAP works with users stored in the
 users files, PEAP/Ms-chap-v2 works with users from LDAP storage,
 but TTLS/PAP from LDAP doesn't work

  And the debug log would tell you why.  The FAQ also mentions
something about statements like it doesn't work.

  Without looking at your configuration, I can tell that you've
probably stored the passwords as NT-Passwords, so MS-CHAP works, but
PAP doesn't.  This isn't an issue for TTLS or PEAP, as it's
completely independent of them.

  The rlm_pap module could be updated to compare PAP passwords from
the packet with NT-Passwords retrieved from somewhere else.  This
could probably go into 1.0.0, as there are a few other issues with
building on certain platforms.

  Alan DeKok.



Re: disabling rlm_x99_token

2004-06-22 Thread Alan DeKok
Cameron Gregg [EMAIL PROTECTED] wrote:
 how can I stop the rlm_x99_token module from being compiled in?

  Delete the directory before you run configure.

  Alan DeKok.



Re: freeradius

2004-06-22 Thread Alan DeKok
apellido jr., wilfredo p. [EMAIL PROTECTED] wrote:
 As expected after 10 pm the user/s will be disconnected. How do i
 tell freeradius if the user tried to connect to forward the
 authentication request to another radius server?

  Use the Current-Time attribute.  It should take similar values as
Login-Time, but it doesn't set Session-Timeout.  Check the
Current-Time *before* you enforce any Login-Time restrictions, and set
it to proxy the packet.  e.g.

#---
DEFAULT Current-Time != Wk0600-2200, Proxy-To-Realm := foo

DEFAULT Login-Time == Wk0600-2200, ...
...
#---

  Alan DeKok.



mysql then ldap auth?

2004-06-22 Thread Roy G Davis






freeradius-1.0.0-pre2/linux red hat AS 3


I was trying to filter authentication with something like either /etc/group membership or mysql db entries. Specifically, once the client user passes the test for either group or mysql entry, then I would like to pass them to LDAP for final auth.

Doing it this way because our campus has an ldap server where passwords are maintained and I don't want to have to duplicate password mgmt on the radius server. Also, I don't want everyone with a campus ldap acct to be able to get access.

Can someone point me in the right direction?


thx





Ldap Multiple Attributes

2004-06-22 Thread Lew A
Hello,

We're going to start using FreeRadius, converting from the old BSDi
Cistron Radius. I have FreeRadius installed on two FreeBSD machines and
running fine with ldap as the backend database. We're trying to get away
from the users file and use ldap for static IP assignment.

This is what we need and what I can't figure out how to do, yet. We have
customers with multiple (5) static IPs. When they connect they will specify
which static they want based on the prefix of their name, example:

Acustomer = 192.168.1.1
Bcustomer = 192.168.1.2
Ccustomer = 192.168.1.3
Dcustomer = 192.168.1.4
Ccustomer = 192.168.1.5

I'm running into an issue of how to tell FreeRadius that I want to use
'Framed-IP-Address3' if the customer connects with a prefix of C and
'Framed-IP-Address1' if they connect with a prefix of A. Basically I think
I need to set up a hint for each prefix and a DEFAULT statement in the
users file for each type of static allowed.

Does anyone have any insight on what I need to do, or where I can find
documentation for this specific problem?

Thank you,
Lew A
GWI Operations

-
  A tiger can smile
  A snake will say it loves you
  Lies make us evil
-



Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Alan,

At your request, I'll try to reformat this so that it is presented as a problem/challenge
rather than a "why doesn't my solution work" post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and
the radius server if you want to use the radius server as the authentication server.

My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS
because my client is stock XP and my understanding is that EAP-TLS is my only
option with that client.

My boss asked me if it was possible to authenticate our wireless users against
Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.
The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP,
and freeradius.  Now I am attempting to add LDAP authentication, but have not
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would y'all do in my
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are youi looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work togerther.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 







Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Alan DeKok
Mack [EMAIL PROTECTED] wrote:
 I have successfully implemented EAP-TLS authentication between the
 client, AP, and freeradius.  Now I am attempting to add LDAP
 authentication, but have not been successful.

  Because it's impossible.  EAP-TLS provides *nothing* with which to
do LDAP authentication.  There are no passwords or *anything* carried
inside of EAP-TLS.  The most you can do is verify that the person
using EAP-TLS has an entry in the LDAP database.

  Use EAP-TTLS, or PEAP.

  Alan DeKok.



Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Gary McKinney
Mack,

Take a look at the following URL:

http://3w.denobula.com:5/EAPTLS.pdf

It may be a little dated but all of the info is still relevant... one thing to take
notice of is there is NO user password exchanged as EAP/TLS does not use a user's
password for authentication - that chore is handled by the fact the supplicant contains
a VALID user certificate the server recognizes.

I think the above is what Alan is trying to convey to you - you can not use EAP/TLS
and LDAP together as there is NO user password exchanged between the supplicant and
Freeradius (or any other radius server) in that mode.  If you are looking to use LDAP
and a very secure method for the link between the client and the AP you will have to
use a different method (PEAP or EAP/TTLS come to mind)...

You may want to check out other supplicant software (if you are thinking of using the
EAP/TTLS method you may want to check out the Odyssey Supplicant software from
Funk Software (they are the ones who came up with TTLS and are working on an RFC
to that effect).

I may not have stated all of the above totally correctly but you should get the basic
meaning [grin]...

There are several RFCs that come with the freeradius package - I would strongly
suggest reading them as they are the basis for all the different protocols and
authentication methods Alan and company have based the Freeradius software
against ( I think )

I hope the above information is helpful and taken in the manner in which it was meant
(to be informative and helpful)...

gm...


-- Original Message --
From: Mack [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Tue, 22 Jun 2004 12:02:33 -0400

Alan,

At your request, I'll try to reformat this so that it is presented as a
problem/challenge rather than a "why doesn't my solution work" post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and
the radius server if you want to use the radius server as the authentication server.
My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS
because my client is stock XP and my understanding is that EAP-TLS is my only
option with that client.

My boss asked me if it was possible to authenticate our wireless users against
Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.
The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP,
and freeradius.  Now I am attempting to add LDAP authentication, but have not
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would ya'll do in my
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are you looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work together.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 





Removing VSAs from proxied requests

2004-06-22 Thread Alex French
Hi all,
I've seen this question asked before on the list, but can't figure out
the answer despite much searching of the list and reading the source.
I would like to remove some vendor-specific attributes from accounting
requests that I proxy
outbound (remove them completely, not just set the values to empty).
I understand that I can use rlm_attr_filter to modify the requests,
and that in theory I could give a white list of allowed attributes
using the =* operator for those attributes that I want to allow.
But is there any way to say Don't allow the following VSAs. Allow
everything else?
Or even, Don't allow any VSAs. Allow everything else?
Any thoughts appreciated.
Thanks,
Alex


OpenLDAP, FreeRadius and CHAP? Help!

2004-06-22 Thread Andre Cameron
I have FreeRadius Server setup and working with an LDAP backend.  We are 
adding new wireless devices that authenticate with CHAP to the radius 
server.  I have to add user id's and passwords to the Radius files for 
this to work as CHAP auth doesnt seem to read from LDAP.   How can I fix 
this??



WPA/EAP-TLS problems w/ FreeRADIUS and not with Win2K

2004-06-22 Thread Sam Critchley
Hi,
We're experiencing a couple of strange problems getting a Linksys WRT54G
802.11g AP (latest firmware, have also tried previous) working in WPA mode
(WPA certified device) against FreeRADIUS (currently an 8.3 Snapshot
release). The authentication mode in use is EAP-TLS and the supplicant is
a Windows XP machine, latest service packs etc, set to WPA w/ TKIP mode.

The RADIUS debug output showed that FreeRADIUS complained about an
incorrectly configured shared secret, but it only did this for each second
Access-Request packet received during one authentication attempt - the
first packet passed the corresponding check.

We reconfigured the Linksys AP to use a Windows 2000 server running
Microsoft IAS RADIUS server. We installed another client certificate on
the supplicant machine and authentication succeeded in WPA w/ TKIP mode.

As a next step, we patched the FreeRADIUS source code and disabled the
check for the validity of the secret/message authenticator and tried again.

This time the conversation did not stop after the 2nd Access-Request
packet but went further, but did not complete (was finally rejected) as
well.

We then took traces with Ethereal and compared every single parameter of
the trace taken during authentication against the W2K server with the
trace taken when authenticating against FreeRADIUS. What we found was a
difference in the TLS session initialisation between the supplicant and
the client. When authenticating against the FreeRADIUS server, the 2nd
Access-Request packet contained a "SSL Record Layer: Client Hello", which
is a backward compatibility option in TLS, but according to the EAP-TLS
specification not allowed and therefore not accepted by the FreeRADIUS
server. The corresponding packet in the authentication attempt against the
W2K server contains a "TLS Record: Client Hello". Note TLS, not SSL,
with Win2K.

The only differences between the two authentication attempts are:
- different certificates (from different CAs) used on the supplicant
- Access-Point authenticating against a FreeRADIUS server vs. a W2K server
Please see the two ascii-exported Ethereal traces at the end of this
message.

In summary, we have two issues with the Linksys:
1. The weird behaviour with the invalid shared secret for the 2nd
packet sent from the AP to the FreeRADIUS server.
2. If FreeRADIUS is configured to ignore the first issue, we get a wrong
SSL Record instead of the corresponding TLS Record client hello. The
supplicant which fails to authenticate via the Linksys can authenticate
fine through another (e.g. SMC, although not WPA certified) AP, which
points to the same RADIUS server as the Linksys.

We don't really understand why a supplicant should try to use the SSL
option against one RADIUS server (FreeRADIUS), and the correct TLS option
against another (Win2K). It's possible that the packet is being modified
somewhere in transit (although both successful and non-successful APs are
one NAT segment away from the RADIUS server so we've ruled NAT out as a
cause), but we can't really understand where this might happen.

Does anyone have any ideas what could cause this, or has anyone seen
similar behaviour with FreeRADIUS?

Thanks in advance for any help you can offer,
Best wishes,
Sam

Appendices:
1. WinXP supplicant WPA/TKIP, Linksys WRT54G AP, FreeRADIUS Ethereal trace
2. WinXP supplicant WPA/TKIP, Linksys WRT54G AP, Win2K RADIUS Ethereal trace

*** Begin FreeRADIUS Ethereal Trace ***
No.  Time   Source      Destination       Protocol  Info
  1  0.00   10.0.0.6    213.133.110.66    RADIUS    Access Request(1) (id=0, l=151)

Frame 1 (193 bytes on wire, 193 bytes captured)
Arrival Time: Jun 17, 2004 15:25:36.226168000
Time delta from previous packet: 0.0 seconds
Time since reference or first frame: 0.0 seconds
Frame Number: 1
Packet Length: 193 bytes
Capture Length: 193 bytes
Ethernet II, Src: 00:06:25:ea:5a:b3, Dst: 00:90:d0:32:57:46
Destination: 00:90:d0:32:57:46 (ThomsonB_32:57:46)
Source: 00:06:25:ea:5a:b3 (LinksysG_ea:5a:b3)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.0.0.6 (10.0.0.6), Dst Addr: 213.133.110.66  
(213.133.110.66)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
 00.. = Differentiated Services Codepoint: Default (0x00)
 ..0. = ECN-Capable Transport (ECT): 0
 ...0 = ECN-CE: 0
Total Length: 179
Identification: 0xee38 (60984)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xfe33 (correct)
Source: 10.0.0.6 (10.0.0.6)
Destination: 213.133.110.66 (213.133.110.66)
User Datagram Protocol, Src Port: 4364 (4364), Dst Port: 

Re: OpenLDAP, FreeRadius and CHAP? Help!

2004-06-22 Thread Alan DeKok
Andre Cameron [EMAIL PROTECTED] wrote:
 I have FreeRadius Server setup and working with an LDAP backend.  We are 
 adding new wireless devices that authenticate with CHAP to the radius 
 server.  I have to add user id's and passwords to the Radius files for 
 this to work as CHAP auth doesnt seem to read from LDAP.   How can I fix 
 this??

  Run the server in debugging mode, as suggested in the FAQ, README,
and INSTALL.

  Read the output.

  Alan DeKok.



Re: WPA/EAP-TLS problems w/ FreeRADIUS and not with Win2K

2004-06-22 Thread Alan DeKok
Sam Critchley [EMAIL PROTECTED] wrote:
 The RADIUS debug output showed that FreeRADIUS complained about an  
 incorrectly configured shared secret, but it only did this for each second  
 Access-Request packet received during one authentication attempt - the  
 first packet passed the corresponding check.

  That's very strange.  For EAP, the only reason it knows that the
shared secret is wrong is because the Message-Authenticator fails
validation.

 We then took traces with Ethereal and compared every single parameter of  
 the trace taken during authentication against the W2K server with the  
 trace taken when authenticating against FreeRADIUS. What we found was a  
 difference in the TLS session initialisation between the supplicant and  
 the client.

  client as in ap?  It doesn't do TLS, so that's probably not what
you meant.

  There may also be differences in the SSL/TLS options that FreeRADIUS
passes to the supplicant.

 The only differences between the two authentication attempts are:
 - different certificates (from different CAs) used on the supplicant
 - Access-Point authenticating against a FreeRADIUS server vs. a W2K server

  The servers may also be responding with different information.

 In summary, we have two issues with the Linksys:
 
 1. The weird behaviour with the invalid shared secret for the 2nd
 packet sent from the AP to the FreeRADIUS server.

  That's plain wrong, and should be independent of any EAP or TLS
issues, unless the AP is *severely* broken.

 We don't really understand why a supplicant should try to use the SSL  
 option against one RADIUS server (FreeRADIUS), and the correct TLS option  
 against another (Win2K).

  The servers send back TLS options, too.  The supplicant may be
getting excited about those, and doing something stupid.

  It's possible that the packet is being modified somewhere in
 transit (although both successful and non-successful APs are one NAT
 segment away from the RADIUS server so we've ruled NAT out as a
 cause), but we can't really understand where this might happen.

  I doubt that very much.

 Does anyone have any ideas what could cause this, or has anyone see  
 similar behaviour with FreeRADIUS?

  I've never heard of it before.


  About the only thing I can see that's different between the two
Access-Challenge packets is that one has:

State, Message-Authenticator

  and the other (FreeRADIUS) has:

Message-Authenticator, State


  One of the Intel AP's was reported as not working with FreeRADIUS,
because it expected to see the attributes in the first order, and
refused to work if it saw them in the second order.

  I'd suggest hacking src/lib/radius.c, rad_send() to always make
Message-Authenticator the last attribute in the packet.  If that
works, file a bug report both with Linksys & bugs.freeradius.org.

  If it *is* the cause of the problem, I'll be *very* annoyed.

  Alan DeKok.

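Both the Message-Authenticator check Alan describes above and Alex French's earlier question about stripping vendor-specific attributes from proxied requests come down to how a RADIUS packet is assembled and signed. The following is an added example, not FreeRADIUS code: it builds a constructed Access-Request with a made-up shared secret, verifies its Message-Authenticator (HMAC-MD5 over the packet with the attribute's value zeroed, RFC 3579), shows that moving attributes around after signing invalidates the HMAC, and drops every Vendor-Specific attribute before re-signing for the next hop. The attribute numbers are the standard ones; the function names (`sign_request`, `strip_vsas`, `reorder`) and all packet contents are this example's own.

```python
# Added example (not FreeRADIUS code): Message-Authenticator handling and
# VSA filtering on constructed RADIUS packets. The shared secret, the
# Request Authenticator and every attribute value are made up.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_VENDOR_SPECIFIC = 26
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def parse_attributes(payload: bytes) -> list:
    """Walk the Type/Length/Value list that follows the 20-byte header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    payload = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(payload)) + authenticator + payload


def sign_request(code, ident, authenticator, attrs, secret: bytes) -> bytes:
    """Append a Message-Authenticator (RFC 3579 section 3.2).

    The HMAC-MD5, keyed with the shared secret, covers the whole packet with
    the Message-Authenticator value set to 16 zero bytes. The attribute may
    sit anywhere, but its position is fixed once the HMAC is computed.
    """
    zeroed = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    mac = hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()
    return build_packet(code, ident, authenticator, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC in place and compare in constant time.

    For EAP traffic this is the only check that reveals a wrong shared
    secret, which is why the server reports a secret mismatch when it fails.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    attrs = parse_attributes(packet[20:])
    found = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, build_packet(packet[0], packet[1], packet[4:20], zeroed),
                        hashlib.md5).digest()
    return hmac.compare_digest(expected, found[0])


def reorder(packet: bytes, last_type: int) -> bytes:
    """Move one attribute type to the end WITHOUT re-signing, i.e. what a
    naive rad_send() patch or a middlebox that rewrites packets would do."""
    attrs = parse_attributes(packet[20:])
    rest = [a for a in attrs if a[0] != last_type]
    moved = [a for a in attrs if a[0] == last_type]
    return build_packet(packet[0], packet[1], packet[4:20], rest + moved)


def strip_vsas(packet: bytes, secret: bytes) -> bytes:
    """Drop every Vendor-Specific (26) attribute and re-sign for the next hop."""
    kept = [(t, v) for t, v in parse_attributes(packet[20:])
            if t not in (ATTR_VENDOR_SPECIFIC, ATTR_MESSAGE_AUTHENTICATOR)]
    return sign_request(packet[0], packet[1], packet[4:20], kept, secret)


def demo() -> dict:
    secret = b"testing123"                 # constructed shared secret
    authenticator = bytes(range(16))       # fixed Request Authenticator for reproducibility
    vsa = struct.pack("!I", 9) + b"\x01\x0ddemo-avpair"   # vendor 9, vendor-type 1, constructed
    attrs = [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_STATE, b"\x01\x02\x03\x04"),
        (ATTR_VENDOR_SPECIFIC, vsa),
        (ATTR_EAP_MESSAGE, bytes.fromhex("0201000a01616c696365")),  # EAP-Response/Identity "alice"
    ]
    good = sign_request(ACCESS_REQUEST, 7, authenticator, attrs, secret)
    moved = reorder(good, ATTR_STATE)      # Message-Authenticator is no longer last
    stripped = strip_vsas(good, secret)
    return {
        "good": verify_message_authenticator(good, secret),
        "wrong_secret": verify_message_authenticator(good, b"wrong"),
        "reordered_without_resign": verify_message_authenticator(moved, secret),
        "stripped": verify_message_authenticator(stripped, secret),
        "stripped_types": [t for t, _ in parse_attributes(stripped[20:])],
    }
```

The `reorder` case is the one that matters for the rad_send() suggestion: whatever position Message-Authenticator ends up in, the HMAC has to be computed over the final attribute order, and a proxy that filters attributes out of a request must re-sign it with the secret it shares with the next server.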


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Gary & Alan,

Thanks guys.  Sorry for being so stupid about all of this, but thanks to ya'll and the
reading that I've done in this short period of time, I have learned a great deal about
how this stuff works.

When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just on the
server-side, not the client (am I right?).  I think that TTLS will be a better fit as it
seems to support more methods, and PEAP seems to be strictly a MS thing.  I
actually got the PEAP working now, though, thanks to your direction.

I'll look into demoing third party clients.  Know of any free ones, though?

It looks like maybe the 0.9.3 version of freeradius does not support TTLS.  Is this
correct?  If so, does the CVS version include support?  Sorry if this, too, is
documented somewhere, but I just thought I'd ask while I was here.

Thanks for the help!

mack



On 22 Jun 2004 at 12:37, Gary McKinney wrote:

 Mack,
 
 Take a look at the following URL:
 
 http://3w.denobula.com:5/EAPTLS.pdf
 
 It may be a little dated but all of the info is still relevent... one
 thing to take notice of is there is NO user password exchanged as
 EAP/TLS does not use a user's password for authentication - that chore
 is handled by the fact the supplicant contains a VALID user
 certificate the server recognizes.
 
 I think the above is what Alan is trying to convey to you - you can
 not use EAP/TLS and LDAP together as there is NO user password
 exchanged between the supplicant and Freeradius (or any other radius
 server) in that mode.  If you are looking to use LDAP and a very
 secure method for the link between the client and the AP you will have
 to use a different method (PEAP or EAP/TTLS come to mind)...
 
 You may want to check out other supplicant software (if you are
 thinking of using the EAP/TTLS method you may want to check out the
 Odyssey Supplicant software from Funk Software (they are the one's who
 came up with TTLS and are working on a RFC to that effect).
 
 I may not have stated all of the above totally correctly but you
 should get the basic meaning [grin]...
 
 There are several RFC's that come with the freeradius package - I
 would strongly suggest reading them as they are the basis for all the
 different protocols and authentication methods Alan and company have
 based the Freeradius software against ( I think )
 
 I hope the above information is helpful and taken in the manner in
 which it was meant (to be informative and helpful)...
 
 gm...
 
 
 -- Original Message --
 From: Mack [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Tue, 22 Jun 2004 12:02:33 -0400
 
 Alan,
 
 At your request, I'll try to reformat this so that it is presented as
 a problem/challenge rather than a why doesn't my solution work
 post:
 
 Problem:
 My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
 the client, and the radius server if you want to use the radius
 server as the authentication server.  My understanding is that
 802.1x requires EAP-something.  I chose EAP-TLS because my client is
 stock XP and my understanding is that EAP-TLS is my only option with
 that client.
 
 My boss asked me if it was possible to authenticate our wireless
 users against Novell's eDirectory (LDAP).  He did not specifically
 require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
 because the AP requires it.
 
 I have successfully implemented EAP-TLS authentication between the
 client, AP, and freeradius.  Now I am attempting to add LDAP
 authentication, but have not been successful.
 
 I can provide any configs/logs if needed.
 
 Solution:
 None so far.  Anyone have any suggestions/comments?  What would ya'll
 do in my position?
 
 thanks,
 mack
 
 
 
 On 21 Jun 2004 at 23:52, Alan DeKok wrote:
 
  Mack [EMAIL PROTECTED] wrote:
   My AP requires that I enable 802.1x in order to use RADIUS
   authentication.  So, I figured I'd use EAP-TLS.
  
    Are you picking it at random, or are you looking at the features it
   offers, and using your requirements to decide on a solution?
  
I'm just testing now...using an XP client, so I chose to use
   EAP-TLS.  I want to use LDAP because that's where our userbase is
   stored (Novell eDirectory).  The idea is to authenticate users
   via LDAP.
  
    I thought I had been pretty clear in my response: EAP-TLS and LDAP
   are mutually incompatible.  Stop trying to get them to work together.
  
I'm only using EAP-TLS because the AP won't let me use RADIUS
   otherwise.  Of course, I'm such a newbie that I'm probably
   getting it all wrong.  That's where I was hoping the list would
   help.
  
You should ask about how to solve a problem, rather than asking
why
  the solution you chose didn't work.
  
   If you were given my task, how would you go about implementing
   this?
  
I told you.  Go back and read my message.
  
If you could describe a problem, I might be able to come up with
 

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Arnauld Dravet
 It looks like maybe the 0.9.3 version of freeradius does not support TTLS. Is this
 correct?  If so, does the CVS version include support?  Sorry if this, too, is
 documented somewhere, but I just thought I'd ask while I was here.

I grabbed & compiled the CVS a few hours ago with the goal of getting TTLS+mschapv2
working, and it crashes when I launch radiusd, saying that it can't find the rlm_eap
module...

Anyway, just for my information (still trying to get my auth working...) are you
using a supplicant like aegis, or just the one provided with your wifi card? In
my case, I used the dell drivers, freeradius 0.9.3, and got strange things
during ssl initialisation. Can't get the logs right now though...

-- 
Arnauld Dravet






Re: WPA/EAP-TLS problems w/ FreeRADIUS and not with Win2K

2004-06-22 Thread Sam Critchley
Hi Alan,
Thanks very much for your detailed response, please see mine in line:
On Tue, 22 Jun 2004 15:51:41 -0400, Alan DeKok [EMAIL PROTECTED] wrote:
Sam Critchley [EMAIL PROTECTED] wrote:
The RADIUS debug output showed that FreeRADIUS complained about an
incorrectly configured shared secret, but it only did this for each  
second
Access-Request packet received during one authentication attempt - the
first packet passed the corresponding check.
  That's very strange.  For EAP, the only reason it knows that the
shared secret is wrong is because the Message-Authenticator fails
validation.
Right.

We then took traces with Ethereal and compared every single parameter of
the trace taken during authentication against the W2K server with the
trace taken when authenticating against FreeRADIUS. What we found was a
difference in the TLS session initialisation between the supplicant and
the client.
  client as in ap?  It doesn't do TLS, so that's probably not what
you meant.
No, you're right, but this gets passed on from the RADIUS server to the  
supplicant - apologies.

  There may also be differences in the SSL/TLS options that FreeRADIUS
passes to the supplicant.
The only differences between the two authentication attempts are:
- different certificates (from different CAs) used on the supplicant
- Access-Point authenticating against a FreeRADIUS server vs. a W2K  
server
  The servers may also be responding with different information.
We couldn't see any other differences as far as I know but will consult  
with the other folk working on this and get back to the list.


In summary, we have two issues with the Linksys:
1. The weird behaviour with the invalid shared secret for the 2nd
packet sent from the AP to the FreeRADIUS server.
  That's plain wrong, and should be independent of any EAP or TLS
issues, unless the AP is *severely* broken.
Well, we also tried the same thing with a D-Link DWL-AP2000+ straight out  
of the box. This is also a WPA certified AP, and we got the same  
behaviour. Works with Win2K RADIUS, doesn't work with (at least our  
version of) FreeRADIUS using EAP-TLS.


We don't really understand why a supplicant should try to use the SSL
option against one RADIUS server (FreeRADIUS), and the correct TLS  
option
against another (Win2K).
  The servers send back TLS options, too.  The supplicant may be
getting excited about those, and doing something stupid.
Well, it's the standard WinXP stack supplicant, maybe there's someone on  
the list who knows how it's put together?


 It's possible that the packet is being modified somewhere in
transit (although both successful and non-successful APs are one NAT
segment away from the RADIUS server so we've ruled NAT out as a
cause), but we can't really understand where this might happen.
  I doubt that very much.
Yeah, that's what we thought too. We had a couple of suspected problems  
with segmentation, but they turned out to be a red herring.


Does anyone have any ideas what could cause this, or has anyone see
similar behaviour with FreeRADIUS?
  I've never heard of it before.
Okay, good to know in either case.

  About the only thing I can see that's different between the two
Access-Challenge packets is that one has:
State, Message-Authenticator
  and the other (FreeRADIUS) has:
Message-Authenticator, State
  One of the Intel AP's was reported as not working with FreeRADIUS,
because it expected to see the attributes in the first order, and
refused to work if it saw them in the second order.
  I'd suggest hacking src/lib/radius.c, rad_send() to always make
Message-Authenticator the last attribute in the packet.  If that
works, file a bug report both with Linksys & bugs.freeradius.org.
We will see if we can try this - will get back to the list with the  
results once we've got something.

  If it *is* the cause of the problem, I'll be *very* annoyed.
;-) Well, we've spent several weeks testing and puzzling as well... has  
slowed our project (authentication scheme for a wireless-equipped village  
in the Netherlands plus some other applications) down a lot.

Thanks,
Sam
  Alan DeKok.


Windows XP Username mangling

2004-06-22 Thread Chris Childress
Using freeradius 0.9.3 I have eap-tls+WPA working with a cisco airnet
1200.  Everything was working fine until I tried installing the
certificate into the local machine store. It looks like Windows is
prepending host/ to the CN of the certificate when it is passing the
username.  Of course this isn't matching the username in the users
file.  I have tried changing the CN during cert creation to every
permutation of the hostname I can think of. Sadly this machine is a
member of a NT style domain, and I'm not really sure what it wants the
CN to be.  Here's a portion of the ouput of radiusd -X -A:

rad_recv: Access-Request packet from host 172.23.1.100:21696, id=200,
length=161
User-Name = host/ELCIPSE\\newplasma
Framed-MTU = 1400
Called-Station-Id = 000f.3489.13a9
Calling-Station-Id = 0040.96a4.2fac
Message-Authenticator = 0x41771e9ca54cee074316338f3d433f5b
EAP-Message =
0x0202001b01686f73742f454c43495053455c6e6577706c61736d61
NAS-Port-Type = Wireless-802.11
NAS-Port = 616
Service-Type = Framed-User
NAS-IP-Address = 172.23.1.100
NAS-Identifier = FabAP1

Any help would be appreciated.


Chris Childress
Sundowner Trailers Inc



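Decoding the EAP-Message in the debug output above makes the mangling visible: the 27-byte EAP-Response/Identity carries exactly the string `host/ELCIPSE\newplasma`, so the User-Name is what the supplicant sent, not a display artifact. The following is an added example, not FreeRADIUS code; `parse_eap_identity`, `classify_identity` and `identity_from_debug_hex` are this example's own names. It parses the EAP packet from the post, refusing anything whose header does not match the bytes received, and splits a `host/DOMAIN\machine` identity into its parts so that policy can decide explicitly whether machine (computer-account) authentication is accepted and which name to match, rather than guessing at a CN that happens to collide with the mangled form.

```python
# Added example (not FreeRADIUS code): decode the EAP-Message from the debug
# output above and split a Windows machine identity into its parts.
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# EAP-Message value from the post (hex digits after "0x").
EAP_MESSAGE_HEX = "0202001b01686f73742f454c43495053455c6e6577706c61736d61"


def parse_eap_identity(raw: bytes) -> str:
    """Return the identity from an EAP-Response/Identity packet.

    Layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data.
    Every header field is checked rather than trusted: the length field
    comes from the supplicant and must agree with what was received.
    """
    if len(raw) < 5:
        raise ValueError("EAP packet shorter than header plus type")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code != EAP_RESPONSE:
        raise ValueError(f"not an EAP-Response (code {code})")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes received")
    if raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an Identity response (type {raw[4]})")
    # Type-Data may carry a NUL followed by options; the identity ends there.
    return raw[5:].split(b"\x00", 1)[0].decode("ascii")


def is_well_formed(raw: bytes) -> bool:
    """True when the packet parses as an EAP-Response/Identity."""
    try:
        parse_eap_identity(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def classify_identity(identity: str) -> dict:
    """Split a supplicant identity into structured parts.

    Windows XP sends host/DOMAIN\\machine when the certificate sits in the
    local machine store, and a bare user name (or user@realm) for a user
    certificate. Returning the parts lets policy state whether machine
    authentication is allowed at all and which name to match.
    """
    if identity.startswith("host/"):
        domain, sep, machine = identity[len("host/"):].rpartition("\\")
        return {"kind": "machine", "domain": domain if sep else None, "name": machine}
    user, sep, realm = identity.partition("@")
    return {"kind": "user", "realm": realm if sep else None, "name": user}


def identity_from_debug_hex(hex_value: str) -> dict:
    """Convenience wrapper for the value as printed by radiusd -X."""
    return classify_identity(parse_eap_identity(bytes.fromhex(hex_value)))
```

Run against the hex from the post, `identity_from_debug_hex` reports a machine identity in domain `ELCIPSE` named `newplasma`; a users-file entry keyed on the certificate CN alone will never see that name unless the policy layer does this split first.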


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread dennis rex
On Tue, 2004-06-22 at 12:53, Mack wrote:

 I'll look into demoing third party clients.  Know of any free ones, though?

Mack,

While buying all new client cards is probably not an option, buying one
for testing may be. ZyXEL offers a free version of both the Funk and
Meetinghouse supplicants which work only with their ZyAIR clients.  The
B-100 (a re-badge of the same OEM as a Linksys WPC-11) is about $30 from
Provantage.  The client s/w is on ZyXEL's ftp site.

I've used both for EAP-TLS with 0.93 on XP, W2K and W98 and the
Meetinghouse client on Linux.




freeradius challenge response

2004-06-22 Thread mayberry
Hi,


I'm looking for configuration assistance on setting up the users file to
emulate a challenge/response. I'm trying to help write a test plan for an
embedded system that will emulate a SecurID next token mode using
freeradius.

The problem I'm having is getting the NAS [and/or freeradius] to send an
access-challenge. I can get
it to send a reply-message but I'm lost beyond that. The documentation
hasn't provided any clear direction.

Thanks.

steve   Auth-Type := Local, User-Password == "testing"
        Login-Service = Telnet,
        Reply-Message = "Enter your date of birth"



Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

I am still making sure my configs are okay before starting up the CVS version.  Will 
let you know how it goes.

I am using the drivers provided by 3COM for my wireless nic, which is a 
3CRPAG175a really nice a/b/g card with an xjack antenna.

My supplicant is whatever comes stock with XP, plus whatever Windows Update 
offers on top of that (service packs, recommended update related to wireless, etc.)  I 
did not see any, nor would I recommend using, drivers from the windows update site.

I don't think a supplicant/client was shipped with my card, but to be honest I did not
look very hard.  I'm just playing with the XP supplicant right now, but will look at
third-party next (like Odyssey (Funk), etc.) since they should support TTLS.  I think the
Window XP supplicant will work with PEAP, but not TTLS (someone correct me if I'm
wrong).

This is my first attempt at anything wireless (as you may have noticed by my previous 
posts), so I haven't had much experience with the various supplicants out there.  I 
think you can get a fully working demo of Odyssey (double check that) from Funk 
Software...it's supposed to do TTLS, plus some other cool stuff with Novell Client 
signons.  We'll see.

I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you also 
attempting Novell LDAP with TTLS?

later,
mack

On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS a few hours ago with the goal of getting
 TTLS+mschapv2 working, and it crashes when I launch radiusd, saying that it
 can't find the rlm_eap module...
 
 Anyway, just for my information (still trying to get my auth working
 ...) are you using a supplicant like aegis, or just the one provided
 with your wifi card? In my case, I used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation. Can't get the
 logs right now though...
 
 -- 
 Arnauld Dravet
 
 
 
 





Re: OpenLDAP, FreeRadius and CHAP? Help!

2004-06-22 Thread Paul Bender
Andre Cameron wrote:
I have FreeRadius Server setup and working with an LDAP backend.  We are 
adding new wireless devices that authenticate with CHAP to the radius 
server.  I have to add user id's and passwords to the Radius files for 
this to work as CHAP auth doesnt seem to read from LDAP.   How can I fix 
this??
I would guess that the problem is that you are not storing the passwords 
in cleartext.  For CHAP to work, FreeRADIUS needs access to the passwords 
in cleartext.

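Paul's point about cleartext is a property of CHAP itself, not of the LDAP module. As an added example (not FreeRADIUS code; the user names, passwords, salt and challenge are constructed, and `check_chap`, `check_pap` and `make_ssha` are this example's own names), the block below computes the CHAP response a client sends, verifies it against a cleartext `userPassword`, and shows that no verification is possible against an `{SSHA}` hash of the same password, while a PAP password can still be checked against that hash. That is the trade-off behind the advice: CHAP keeps the password off the wire but forces the directory to hold it in a recoverable form.

```python
# Added example (not FreeRADIUS code). Shows why CHAP can only be verified
# against a cleartext password while PAP can be verified against a stored
# hash. Users, passwords, the salt and the challenge are all constructed.
import base64
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || password || Challenge).

    In RADIUS the Identifier and the 16-byte Response travel together in
    CHAP-Password; the challenge is CHAP-Challenge or, if absent, the
    Request Authenticator.
    """
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def make_ssha(password: bytes, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_pap(stored: str, offered: bytes) -> bool:
    """PAP hands the server the password itself, so any storable hash works."""
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(hashlib.sha1(offered + salt).digest(), digest)
    return hmac.compare_digest(stored.encode("utf-8"), offered)


def check_chap(stored: str, ident: int, challenge: bytes, response: bytes):
    """Return True/False for a verifiable entry, or None when the stored
    credential is a hash: the server cannot reproduce
    MD5(id || password || challenge) without the password itself, so the
    only safe outcome for such a request is a reject."""
    if stored.startswith("{"):
        return None
    expected = chap_response(ident, stored.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, response)


# Constructed directory: the same password stored two different ways.
DIRECTORY = {
    "alice": "s3cret-pw",                                  # cleartext userPassword
    "bob": make_ssha(b"s3cret-pw", b"\x00\x01\x02\x03"),  # hashed userPassword
}


def demo() -> dict:
    challenge = bytes(range(16))   # fixed here; a real NAS uses random bytes
    ident = 0x2A
    good = chap_response(ident, b"s3cret-pw", challenge)   # what the supplicant sends
    bad = chap_response(ident, b"wrong", challenge)
    return {
        "alice_chap": check_chap(DIRECTORY["alice"], ident, challenge, good),
        "alice_chap_wrong": check_chap(DIRECTORY["alice"], ident, challenge, bad),
        "bob_chap": check_chap(DIRECTORY["bob"], ident, challenge, good),
        "bob_pap": check_pap(DIRECTORY["bob"], b"s3cret-pw"),
        "bob_pap_wrong": check_pap(DIRECTORY["bob"], b"wrong"),
    }
```

`demo()` verifies alice's CHAP response and rejects the wrong one, returns None for bob because his entry holds only a hash, and still verifies bob's PAP login against that hash.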


Re: freeradius challenge response

2004-06-22 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I'm looking for configuration assistance on setting up the users file to
 emulate a challenge/response.

  You can't.  The users file doesn't set the packet reply code.

 I'm trying to help write a test plan for an embedded system that
 will emulate a SecurID next token mode using freeradius.

  I'd suggest looking at rlm_example.  It's an example module which
does challenge-response.

  Alan DeKok.




Problems with configurable_failover

2004-06-22 Thread Roy, Daniel
Hi all,

Well, I've gotten a little further (thanks Alan) and I'm understanding
configurable_failover a lot more now.  Here's some background and the current
problem I'm having.


Problem description:

As per my use cases, I'd like to proxy any Access-Request packets that fail
authorization or authentication to another RADIUS server.  Packets that pass
authorization and authentication I'd like freeRADIUS to respond normally with
Access-Accept.  To date I've gotten the following results from various configurations
in radiusd.conf, none of which solve my problem: all Access-Requests proxied; failed
authorizations are proxied but passed authentications reply with Access-Reject; or
passed authentications reply with Access-Accept but failed
authorizations/authentications reply with Access-Reject.


My use cases:
1) valid userid and password should authorize and authenticate against SQL and MSCHAP 
ok;
2) valid userid but wrong password should authorize ok against SQL but fail 
authentication against MSCHAP; I want to configure freeRADIUS to proxy this failed 
Access-Request to another RADIUS server/service;
3) invalid userid (regardless of password) should return notfound when authorizing 
against SQL; again I want to configure freeRADIUS to proxy this failed Access-Request 
to another RADIUS server/service.


What I've tried:

I'm using configurable_failover with the following:

1) A files module called MyProxy with:
DEFAULT Proxy-To-Realm := ipaddress

2) radiusd.conf with:
...
authorize {
    ...
    group {
        sql {
            reject   = 1
            noop     = 1
            fail     = 1
            invalid  = 1
            notfound = 1
            handled  = return
            userlock = return
            updated  = return
        }
        MyProxy
    }
    ...
}
...

The above correctly proxies for wrong userids, but it unexpectedly proxies for correct 
userids and passwords (i.e. it proxies everything).   sql returns ok and the above 
config doesn't tell it to return so it invokes MyProxy.

So I added ok = return:
...
authorize {
    ...
    group {
        sql {
            reject   = 1
            noop     = 1
            fail     = 1
            invalid  = 1
            notfound = 1
            ok       = return
            handled  = return
            userlock = return
            updated  = return
        }
        MyProxy
    }
    ...
}
...

This one correctly proxies for wrong userids, but it unexpectedly replies with 
Access-Reject for correct userids and passwords even though sql returned ok.  I 
figured out freeRADIUS does this because my client is using mschap and radius doesn't 
find a User-Password or CHAP-Password attribute in the request.

So I changed ok = return to ok = 1 and added an mschap section to authorize:
...
authorize {
    ...
    group {
        sql {
            reject   = 1
            noop     = 1
            fail     = 1
            invalid  = 1
            notfound = 1
            ok       = 1
            handled  = return
            userlock = return
            updated  = return
        }
        mschap {
            reject   = 1
            noop     = 1
            fail     = 1
            invalid  = 1
            notfound = 1
            ok       = return
            handled  = return
            userlock = return
            updated  = return
        }
        MyProxy
    }
    ...
}
...

This sets the Auth-Type := MS-CHAP within authorize so that when authentication 
hits, it finds MS-CHAP and authenticates correctly.  So now my valid userids and 
passwords authenticate correctly.  But now my incorrect userids (authorization 
failures) and passwords (authentication failures) are not 

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Arnauld Dravet
I'm also a total newbie in the wifi world =) spent 4 days on this auth thing and 
can't get it to work yet ..
I'm not using Novell LDAP, it's an openldap with all our users' info in it: 
windows passwords without the 0x in front of the passwords (tried to add it 
manually, result is that I can't log in on a workstation after that), and unix 
encrypted passwords.

I'll test the Aegis supplicant tomorrow, will post the results ..


 This is my first attempt at anything wireless (as you may have noticed by my
 previous posts), so I haven't had much experience with the various supplicants
 out there.  I think you can get a fully working demo of Odyssey (double check
 that) from Funk Software...it's supposed to do TTLS, plus some other cool stuff
 with Novell Client signons.  We'll see.
 
 I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you
 also attempting Novell LDAP with TTLS?
 
 later,
 mack

-- 
Arnauld Dravet





Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

About your runtime error...

I'm getting this one:

Failed to link to module 'rlm_exec': rlm_exec.a:  cannot open shared object file:  No such file or directory

This happens straight out of the box, running radiusd -X...no configuration changes 
made yet (testing if it runs).  I'm running the latest cvs snapshot, 20040622, on a 
gentoo linux system.  Did a standard ./configure, make, make install, with no 
errors.  
Strange...if I comment out exec in the instantiate section of radiusd.conf, it then 
gives me the same error but this time with rlm_expr.a.

Anyone have any clues what's going on?

thanks


On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS a few hours ago with the goal of making
 TTLS+mschapv2 work, and it crashes when I launch radiusd, saying that it
 can't find the rlm_eap module . ..
 
 Anyway, just for my information (still trying to get my auth working
 ..) are you using a supplicant like aegis, or just the one provided
 with your wifi card ? In my case, I used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation. can't get the
 logs right now though ..
 
 -- 
 Arnauld Dravet
 
 
 







howto set max reauthentication parameter

2004-06-22 Thread ankan
Hi Mark,

Actually I want to know how to set the total number of authentication/reauthentication 
params inside a CISCO 1100 AP. That is, I want to set the maximum number of 
authentication attempts after which the trusted port in the AP will finally be 
unauthorized. Also, how can I force the AP to start reauthentication? It seems to me 
that I can set the reauthentication interval inside the AP, but I am not able to force 
reauthentication at an arbitrary time (independent of the interval) inside the AP. 

Regards
Ankan

