Re: PEAP and proxying
Hi Alan

I did as you suggested and managed to get just the tunnel proxied by adding the line

    DEFAULT EAP-Type == MS-CHAP-V2, Proxy-To-Realm := mydomain

and setting proxy_tunneled_request_as_eap = no in the peap section of eap.conf. Is this the way you would suggest to do it?

I envisage it will cause me problems if I want to do MS-CHAP-V2 and not proxy it. How do I get around that? Also it doesn't cope with multiple realms and I am likely to have multiple realms configured. How can I set the realm to proxy to at run time?

This is what I would like to do:
- Server configured to do TLS and PEAP authentication.
- PEAP tunnel will be proxied to realm if username is of the form [EMAIL PROTECTED] but otherwise authenticated locally.
- TLS part of PEAP always occurs on the local server.
- Multiple realms may be configured.

Many thanks.
Mark

On Thu, 17 Mar 2005 12:43:35 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
> Mark [EMAIL PROTECTED] wrote:
> > Thanks for your reply. I've put some comments in-line. I can understand what you are saying but don't know how to configure the local radius to proxy just the tunnel.
>
> Run the server in debugging mode to see how it processes the PEAP request, and the tunneled request. Write entries in the users file to match the tunneled request, and proxy it.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
XP Computer Account Authentication
Hi

I'm using FreeRADIUS 1.0.2 and Samba 3.0.11 on FreeBSD 5.0.3. I'm authenticating wireless clients on a Windows PDC using PEAP/MSCHAPv2 with ntlm_auth and winbind, and it works fine for user account authentication. Is it possible to authenticate the Windows XP computer account in this environment?

Here is the radius log:

Wed Mar 16 15:50:00 2005 : Info: (other): SSL negotiation finished successfully
Wed Mar 16 15:50:00 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Mar 16 15:50:00 2005 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Mar 16 15:50:00 2005 : Auth: Login incorrect: [host/computer11.PRGS.RS/no User-Password attribute] (from client localhost port 0)
Wed Mar 16 15:50:00 2005 : Auth: Login incorrect: [host/computer11.PRGS.RS/no User-Password attribute] (from client AP.RPR port 6 cli 000f3dac614b)
Wed Mar 16 15:50:13 2005 : Info: rlm_eap_tls: Length Included
Wed Mar 16 15:50:13 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Mar 16 15:50:13 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Mar 16 15:50:13 2005 : Info: rlm_eap_tls: Length Included
Wed Mar 16 15:50:13 2005 : Info: (other): SSL negotiation finished successfully
Wed Mar 16 15:50:13 2005 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Wed Mar 16 15:50:13 2005 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Mar 16 15:50:34 2005 : Auth: Login OK: [PRGS\\USUARIO123/no User-Password attribute] (from client localhost port 0)
Wed Mar 16 15:50:34 2005 : Auth: Login OK: [PRGS\\USUARIO123/no User-Password attribute] (from client AP.RPR port 6 cli 000f3dac614b)

The client is authenticated, but the computer isn't.

Thanks in advance,
Dagoberto

Dagoberto Luiz Schonardie
Procergs-DTO/SSR
51.3210.3480
[EMAIL PROTECTED]
www.procergs.rs.gov.br
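Logs like the one above are easier to act on when parsed than when read. As an added example (not code from the post), this Python parses FreeRADIUS 1.x "Auth:" lines, separates the inner-tunnel copy (logged from localhost port 0) from the NAS-facing one, and flags host/<name> machine accounts that were rejected; the sample lines are constructed in the post's format.

```python
"""Parse FreeRADIUS 1.x "Auth:" log lines and report rejected machine accounts.
Added example, not code from the post; sample lines are constructed in the
format shown in the thread (identities and client names are placeholders)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a machine account (host/...) rejected, then a user login that succeeds.
# Each authentication appears twice: the tunnelled inner request ("localhost port 0") and the NAS copy.
SAMPLE_LOG = """\
Wed Mar 16 15:50:00 2005 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Mar 16 15:50:00 2005 : Auth: Login incorrect: [host/computer11.PRGS.RS/no User-Password attribute] (from client localhost port 0)
Wed Mar 16 15:50:00 2005 : Auth: Login incorrect: [host/computer11.PRGS.RS/no User-Password attribute] (from client AP.RPR port 6 cli 000f3dac614b)
Wed Mar 16 15:50:13 2005 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Mar 16 15:50:34 2005 : Auth: Login OK: [PRGS\\USUARIO123/no User-Password attribute] (from client localhost port 0)
Wed Mar 16 15:50:34 2005 : Auth: Login OK: [PRGS\\USUARIO123/no User-Password attribute] (from client AP.RPR port 6 cli 000f3dac614b)
"""

# "[User-Name/password-or-note]": the name may itself contain "/" (host/fqdn), the note never does.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<ident>.+?)/(?P<note>[^/\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)$"
)


@dataclass
class AuthEvent:
    timestamp: str
    result: str                     # "OK" or "incorrect"
    identity: str                   # User-Name as logged
    note: str                       # e.g. "no User-Password attribute" for EAP requests
    client: str                     # RADIUS client (NAS) name
    port: int
    calling_station: Optional[str]  # "cli" field: Calling-Station-Id (client MAC) when present

    @property
    def is_machine_account(self) -> bool:
        # Windows machine authentication presents the computer account as host/<FQDN>.
        return self.identity.lower().startswith("host/")

    @property
    def is_inner_tunnel(self) -> bool:
        # FreeRADIUS 1.x logs the tunnelled (inner PEAP) request as coming from localhost port 0.
        return self.client == "localhost" and self.port == 0


def parse_auth_events(log_text: str) -> List[AuthEvent]:
    """Return one AuthEvent per Auth: line; Info:/Error: lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["result"], m["ident"], m["note"],
                                    m["client"], int(m["port"]), m["cli"]))
    return events


def summarise(events: List[AuthEvent]) -> Dict[str, object]:
    """Count NAS-facing outcomes per identity and list machine accounts that were rejected."""
    outer = [e for e in events if not e.is_inner_tunnel]
    per_identity = Counter((e.identity, e.result) for e in outer)
    rejected = sorted({e.identity for e in outer if e.is_machine_account and e.result == "incorrect"})
    return {"per_identity": dict(per_identity), "rejected_machine_accounts": rejected}


if __name__ == "__main__":
    for identity in summarise(parse_auth_events(SAMPLE_LOG))["rejected_machine_accounts"]:
        print("machine account rejected:", identity)
```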
FreeRadius + FreeTDS + MSSQL70
Dear All

How do I set up FreeRADIUS to support FreeTDS and MSSQL70? Can you provide more information and documentation?

mssql.conf:
    driver = "rlm_sql_freetds"
    server = "192.168.1.1"
    login = "sa"
    password = "radius"
    radius_db = "radius"

After I run "radiusd -X", I get the error:

    rlm_sql (sql): Could not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open shared object file: No such file or directory

THANKS
Re: FreeRADIUS and MySQL+SSL
* Paul Hampson [EMAIL PROTECTED] [2005-03-20 03:50]:
> On Sat, Mar 19, 2005 at 02:06:56PM +0100, Wolfram Schlich wrote:
> > * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
> > > On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
> > > > * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
> > > > > [ MySQL+SSL patch for FreeRADIUS ]
> > > > Ok, I have sat down and hacked something together, with a little help from a friend. I probably did something wrong or suboptimal (as I said, I am not a C coder), but at a first glance, it seems to work fine. Here's the patch:
> > > > http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
> > > Please remember to post patches to the list for easier discussion.
> > Ok, sorry.
> > > And also, this sort of patch would probably be best against HEAD.
> > The patch wasn't meant as an official submission for upstream, but as a basis for a discussion :)
> Yeah, sorry about that. I didn't notice this was on -user instead of -devel, and treated it as if it was on the latter.

Not your fault. I should have labelled it accordingly :-)

> > > I don't give it much chance of getting into 1.0.3, especially since MySQL don't distribute SSL-enabled binaries.
> > What does the MySQL client distribution policy have to do with this?! *wonder*
> Basically, things going into 1.0.3 (if it happens) are bug fixes, not feature changes. The fact that you have to recompile your MySQL locally anyway to enable SSL makes it reasonable to me to say this change is something you can patch in yourself as well.

Well, using Gentoo Linux for example, when you have the 'ssl' USE flag set, which is the default, MySQL will be compiled with SSL support right from the start, so there's no need to re-compile it if you have already installed it.

> If upstream binaries were coming SSL-enabled, we could almost build a case that this is a bug, rather than a new feature.

I still don't see why we have to make the inclusion of this kind of functionality depend on MySQL distribution binaries. It doesn't affect Gentoo or other source based distros at all, for example.

> Still, it has to get into HEAD before I'll consider it for 1.0.3, so one hurdle at a time.

Ok. I will post something to -devel asking for help on how to deal with it :o)

> > > They're apparently moving away from OpenSSL in the server, but no indication that they're going to un-OpenSSL the _client_ libraries. [1] [2]
> > Well, OpenSSL or GnuTLS -- it doesn't matter as long as the MySQL protocol keeps supporting SSL'd connections... I have posted a comment to [2] in order to get some more information from that MySQL guy.
> It matters as far as distributing binaries goes. You can't distribute a binary that links GPL code without any exception (such as FreeRADIUS and many of its depended-on libraries) with OpenSSL.

Ah, of course. But well, binaries are just an additional form of distribution for me, source is the main one IMHO.

> > You could disable SSL by default in the configure script btw.
> It's slightly more complicated than that, but there is a license issue of some kind which needs to be looked out for. It doesn't really affect _us_, but it's something to be mindful of when playing with these things.

Yup, thanks for your thoughts.

--
Wolfram Schlich
Re: Realm rewrite
Hello!

On Friday, 18 March 2005 19:42, Alan DeKok wrote:
> David Manchado [EMAIL PROTECTED] wrote:
> > I want to force that the whole realm adsl.realm1 must be rewritten as adsl.realm1.com so I won't have to add the same user as [EMAIL PROTECTED] and [EMAIL PROTECTED]
>
> That's just re-writing the User-Name attribute, or adding a Realm attribute of the appropriate value.
>
>     DEFAULT User-Name =~ "adsl\.realm1$", Realm := adsl.realm1.com

I supposed it might not be too difficult... the main problem was I did not know where to apply the rewrite. Thanks a lot for your help Alan!

Here is what I have had to configure to make it work, in radiusd.conf:

    ...
    modules {
        ...
        attr_rewrite rewrite_realm {
            attribute = User-Name
            # may be "packet", "reply", "proxy", "proxy_reply" or "config"
            searchin = packet
            searchfor = "^(.*)@adsl\.realm1$"
            replacewith = "[EMAIL PROTECTED]"
            ignore_case = no
            new_attribute = no
            max_matches = 10
            ## If set to yes then the replace string will be appended to the original string
            append = no
        }
        ...
    }

    authorize {
        rewrite_realm
        preprocess
        ...
    }

    preacct {
        rewrite_realm
        preprocess
        ...
    }

If I put it after 'preprocess' it seems to skip it at startup, so I loaded the module before.

    Module: Loaded preprocess
     preprocess: huntgroups = "/etc/freeradius/huntgroups"
     preprocess: hints = "/etc/freeradius/hints"
     preprocess: with_ascend_hack = no
     preprocess: ascend_channels_per_line = 23
     preprocess: with_ntdomain_hack = no
     preprocess: with_specialix_jetstream_hack = no
     preprocess: with_cisco_vsa_hack = no
    Module: Instantiated preprocess (preprocess)

In order to perform accounting with the translated User-Name it's necessary to load it in the preacct and authorize sections.

Regards,
David
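A rewrite rule like rewrite_realm is worth previewing before it reaches a production server. As an added example (not part of David's post or of FreeRADIUS), this Python mirrors the rlm_attr_rewrite options used above (searchfor, replacewith with %{N} back-references, ignore_case, max_matches, append) and applies them to constructed requests; the replacewith value is assumed to be %{1}@adsl.realm1.com since the post's copy is redacted, and new_attribute = no is assumed.

```python
"""Offline preview of one rlm_attr_rewrite instance applied to a request's
attribute list. Added example, not FreeRADIUS code: it mirrors the module's
searchfor / replacewith (%{N} back-references) / ignore_case / max_matches /
append options; new_attribute = no is assumed."""
import re
from typing import Dict, List

# Constructed copy of the rewrite_realm instance from the thread.
REWRITE_REALM = {
    "attribute": "User-Name",
    "searchfor": r"^(.*)@adsl\.realm1$",
    "replacewith": "%{1}@adsl.realm1.com",  # assumption: the post's value is redacted
    "ignore_case": False,
    "max_matches": 10,
    "append": False,
}

_BACKREF = re.compile(r"%\{(\d)\}")


def _expand(replacewith: str, match: "re.Match") -> str:
    """Expand %{0}..%{9} with the regex groups of one match (%{0} is the whole match)."""
    def group(m: "re.Match") -> str:
        n = int(m.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return _BACKREF.sub(group, replacewith)


def attr_rewrite(packet: Dict[str, List[str]], cfg: dict) -> Dict[str, List[str]]:
    """Return a copy of the attribute list after the rewrite; non-matching values are left alone."""
    regex = re.compile(cfg["searchfor"], re.IGNORECASE if cfg["ignore_case"] else 0)
    out = {name: list(values) for name, values in packet.items()}
    for i, value in enumerate(packet.get(cfg["attribute"], [])):
        first = regex.search(value)
        if first is None:
            continue
        if cfg["append"]:
            # append = yes: the expanded replacement is appended to the original string
            out[cfg["attribute"]][i] = value + _expand(cfg["replacewith"], first)
        else:
            out[cfg["attribute"]][i] = regex.sub(lambda m: _expand(cfg["replacewith"], m),
                                                value, count=cfg["max_matches"])
    return out


if __name__ == "__main__":
    # Constructed requests: one that must be rewritten, two that must not be touched.
    for name in ("bob@adsl.realm1", "bob@ADSL.realm1", "bob@adsl.realm1.com"):
        print(name, "->", attr_rewrite({"User-Name": [name]}, REWRITE_REALM)["User-Name"][0])
```

Because the regex is anchored with ^ and $, an already rewritten name (bob@adsl.realm1.com) no longer matches, so running the rule twice never doubles the suffix.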
Re: XP Computer Account Authentication
Dagoberto Luiz Schonardie wrote:
> Is it possible to authenticate the Windows XP computer account in this environment?

Not currently.

--Mike
WinXP EAP-TLS: Certificate
Hello,

I have a FreeRADIUS server of the latest version running under CentOS 4. PEAP works wonderfully, and the verification of the server certificate is also fine so far. As the next step I would like to identify the client by certificate instead of user/password. Unfortunately Windows always gives the error message "Es wurde kein Zertifikat gefunden, um Sie am Netzwerk anzumelden" (no certificate was found to log you on to the network). However, I have installed cert-clt.der and cert-clt.p12 umpteen times and also made sure that use as a client certificate is marked. Does anyone have a tip or a link to a HOWTO? I am working with WinXP SP2 and an HP switch in the test setup.

thx
Thomas
radclient
Hi guys and girls,

I have recently downloaded and installed FreeRADIUS on a Fedora (Red Hat Linux) machine. The radtest is successful but the radclient :( is not. For example:

    # radclient localhost auth testing123

gives nothing, just like above. It hangs the terminal and I have to end the command with CTRL-C. Even the debugger gives nothing, blank. (Also tried radiusd -x -x -x.) What seems to be the problem?

Thanks in advance
Vicky
Doc bug?
Hello,

in doc/Acct-Type all the examples state things like

    Acct-Type := SQLFOO

but in the dictionary, Acct-Type is defined as an integer. I am now asking myself whether one shouldn't rather use integer values with the := operator, and also whether or not it will work anyway as described in the documentation (I would just try it out, but I could only use our production server, which I don't particularly like to touch unless necessary). BTW, same thing for Autz-Type. At least I find it confusing. Can anyone clarify this?

Greetings,
Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]    tel.: +352 424409-33
http://www.restena.lu       fax: +352 422473
Re: FreeRadius + FreeTDS + MSSQL70
Michael Lam [EMAIL PROTECTED] wrote:
> How to set up FreeRADIUS to support FreeTDS and MSSQL70?

You don't. Use iodbc.

> mssql.conf
>     driver = "rlm_sql_freetds"

If that's in the default mssql.conf, it should be fixed. rlm_sql_freetds was deleted years ago.

Alan DeKok.
add realm in huntgroup and force proxy with latest cvs
Howdy,

I'm attempting to add a realm based on conditions in a huntgroup and I'm wondering if this is even possible and, if so, what I might be missing to make this work.

Here is my [huntgroup] file:

    cisco-router-admin  NAS-IP-Address == 10.15.32.71, NAS-Port-Id == 66-67, NAS-Port-Type == Virtual
    cisco-router-user   NAS-IP-Address == 10.15.32.71, NAS-Port-Id == 68-70, NAS-Port-Type == Virtual

With the end goal to replace the above with something like this:

    cisco-router-admin  NAS-IP-Address == 10.15.32.71, NAS-Port-Type == Virtual
    cisco-router-user   NAS-IP-Address == 10.15.32.71, NAS-Port-Type == Async

And what I want to happen is for the end user to log into the NAS at 10.15.32.71 with just their username and, based upon which port they are on, either use a local users file (or ldap, etc.) or proxy the request to another radius server running safeword computing's premier access. This is how that would look:

    user virtual - use local users file
    user async   - proxy to another radius server

I know that the proxy works, as I can set this up in proxy.conf and have it work without any issues if I log into the NAS as '[EMAIL PROTECTED]'.

    realm sybase.com {
        type     = radius
        authhost = host.sybase.com:1645
        secret   = mysecret
    }

It looks like I'm interested in the 'Realm' or 'Proxy-To-Realm' attributes, but I'm not sure where to put them. I think that I'd have to do this in the users file, but I'm not sure if that is too late in the process. Maybe something along these lines:

    DEFAULT Huntgroup-Name == cisco-router-user
            Proxy-To-Realm = sybase.com

But from all the debug output, I'm not seeing that this is doing anything useful, nor is it if I change that to

    DEFAULT Huntgroup-Name == cisco-router-user
            Realm = sybase.com

The rationale behind what I'm trying to do is that I might have a cisco AS5300 with ISDN and Async lines as well as telnet/ssh access. And the goal is to limit who can telnet/ssh to this box while not limiting who can dial into the box, but having a desire that the people dialing into the box have to use tokens instead of a password.

Hopefully this all makes sense and someone knows how to implement this.

Cheers,
-jason ornstein
RE: add realm in huntgroup and force proxy with latest cvs
> It looks like I'm interested in the 'Realm' or 'Proxy-To-Realm' attributes, but I'm not sure where to put them. I think that I'd have to do this in the users file, but I'm not sure if that is too late in the process. Maybe something along these lines:
>
>     DEFAULT Huntgroup-Name == cisco-router-user
>             Proxy-To-Realm = sybase.com

Close... try

    DEFAULT Huntgroup-Name == cisco-router-user, Proxy-To-Realm := sybase.com

or

    DEFAULT Huntgroup-Name == cisco-router-user, Realm := sybase.com

Sorry, I'm not sure which one you need. But the second one is probably only useful if your authorize section is processing the realm module. Putting the attributes on the first line tells FreeRADIUS to add the attributes to the RADIUS request, whereas the following lines are used to add attributes to the RADIUS reply.

> The rationale behind what I'm trying to do is that I might have a cisco AS5300 with ISDN and Async lines as well as telnet/ssh access. And the goal is to limit who can telnet/ssh to this box while not limiting who can dial into the box, but having a desire that the people dialing into the box have to use tokens instead of a password.

Not sure about this bit... maybe someone else can answer that.

Hope that helps,
Mike
Variable...
Dear all,

I would like to have the variables below (they can be obtained almost everywhere):

1) User-Name
2) NAS-IP-Address
3) Framed-IP-Address (can only get the information if the exec runs in the accounting part)
4) Acct-Status-Type
5) Acct-Session-Id
6) Acct-Unique-Session-Id
7) Acct-Session-Time
8) Acct-Terminate-Cause (can only get the information if the exec is post-auth)
9) Class

Does anyone have a better way so that I can run them all into one single program under the exec?

Regards,
Cham Min Wal
Re: Doc bug?
Stefan Winter [EMAIL PROTECTED] wrote:
> in doc/Acct-Type all the examples state things like Acct-Type := SQLFOO but in the dictionary, Acct-Type is defined as an integer.

That's OK. The parser is forgiving (i.e. dumb).

> I am now asking myself if one shouldn't better use integer values for the := operator

No. The operators have nothing to do with integers or strings.

> (I would just try it out but I could only use our production server, which I don't particularly like to touch unless necessary)

If you have a spare desktop machine, install FreeRADIUS on it.

> BTW, same thing for Autz-Type.

The docs could be updated, but it's not critical.

Alan DeKok.
Re: radclient
Vicky El Fhaily [EMAIL PROTECTED] wrote:
> For example:
>     # radclient localhost auth testing123
> gives nothing, just like above.

Why not read the man page for radclient, or "radclient -h"? You're not using it properly.

> Even the debugger gives nothing, blank. (Also tried radiusd -x -x -x.)

I don't understand why changing the command-line arguments to the RADIUS server would help you debug radclient.

Alan DeKok.
Re: PEAP and proxying
Mark [EMAIL PROTECTED] wrote:
> I did as you suggested and managed to get just the tunnel proxied by adding the line
>
>     DEFAULT EAP-Type == MS-CHAP-V2, Proxy-To-Realm := mydomain
>
> and setting proxy_tunneled_request_as_eap = no in the peap section of eap.conf. Is this the way you would suggest to do it?

It should work.

> I envisage it will cause me problems if I want to do MS-CHAP-V2 and not proxy it. How do I get around that?

EAP-MSCHAP-V2 is not the same as MSCHAPv2.

> Also it doesn't cope with multiple realms and I am likely to have multiple realms configured. How can I set the realm to proxy to at run time?

You can use the Proxy-To-Realm attribute.

    Proxy-To-Realm := foo.com

> PEAP tunnel will be proxied to realm if username is of the form [EMAIL PROTECTED] but otherwise authenticated locally. TLS part of PEAP always occurs on the local server. Multiple realms may be configured.

It should work.

Alan DeKok.
Re: Freeradius-Users digest, Vol 1 #4441 - 10 msgs
Guy.

mssql.conf:
    driver = "rlm_sql_freetds"
    #server = "192.168.1.1"
    server = "name_of_MSSQLSERVER"
    port = 1433
    login = "sa"
    password = "radius"
    radius_db = "radius"

Try unixodbc+freetds+freeradius; I use this and it works well.

Vicente.

> Message: 4
> From: Michael Lam [EMAIL PROTECTED]
> To: 'freeradius-users@lists.freeradius.org' freeradius-users@lists.freeradius.org
> Subject: FreeRadius + FreeTDS + MSSQL70
> Date: Mon, 21 Mar 2005 20:23:54 +0800
> Reply-To: freeradius-users@lists.freeradius.org
>
> Dear All
>
> How do I set up FreeRADIUS to support FreeTDS and MSSQL70? Can you provide more information and documentation?
>
> mssql.conf:
>     driver = "rlm_sql_freetds"
>     server = "192.168.1.1"
>     login = "sa"
>     password = "radius"
>     radius_db = "radius"
>
> After I run "radiusd -X", I get the error "rlm_sql (sql): Could not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open shared object file: No such file or directory"
>
> THANKS

> Message: 5
> Date: Mon, 21 Mar 2005 12:25:30 +
> From: Pedro Ribeiro [EMAIL PROTECTED]
> Organization: Sanindusa - Ind. de Sanitários, SA
> To: freeradius-users@lists.freeradius.org
> Subject: Re: FreeRadius + FreeTDS + MSSQL70
> Reply-To: freeradius-users@lists.freeradius.org
>
> Hi there
>
> What version of FreeRADIUS are you using?
>
> Michael Lam wrote:
> > Dear All
> > How do I set up FreeRADIUS to support FreeTDS and MSSQL70?
>
> You must install unixODBC and freetds, then configure FreeRADIUS to work with unixODBC (rlm_sql_unixodbc) and use a DSN provided by freetds with the appropriate version...
>
> > Can you provide more information and documentation?
>
> I have a (badly) written document I made for myself as a guideline to this very same situation. Mail me if you'd like a copy.
>
> > mssql.conf:
> >     driver = "rlm_sql_freetds"
> >     server = "192.168.1.1"
> >     login = "sa"
> >     password = "radius"
> >     radius_db = "radius"
>
> See above: as you're not using rlm_sql_freetds you'll need to change sql.conf and not mssql.conf :)
>
> > After I run "radiusd -X", I get the error "rlm_sql (sql): Could not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open shared object file: No such file or directory"
> > THANKS
>
> Since rlm_sql_freetds is not part of the distribution, it can't be found :)
>
> HTH
> Pedro Ribeiro