Re: Using Disallow anonymous simple bind with FreeRadius
Hi,

I did a bit more research on this and here is what happens. When the ldap module is configured with start_tls = yes it calls the ldap_start_tls_s() function. With "Disallow anonymous simple bind" this call fails, and as such the error

  rlm_ldap: could not start TLS Inappropriate authentication

is returned. The solution for this would be to use tls_mode and port 636. Thus in the ldap module section of radiusd.conf set:

  port = 636
  tls_mode = yes

This will work even with the "Disallow anonymous simple bind" option on.

-Sayantan.

> 04/07/05 6:39 PM:
>
> Hi,
>
> The "Disallow anonymous simple bind" option prevents users from logging in to the LDAP server without specifying a username and password. In the case of FreeRADIUS the ldap module does not perform an anonymous bind, so turning on this option should not create any problems. Could you post the complete debug message?
>
> -Sayantan.
>
> > 04/07/05 3:11 AM:
> >
> > Anyone have ideas on how to get freeradius to work with eDirectory when "Disallow anonymous simple bind" is turned on? I am getting:
> >
> >   rlm_ldap: could not start TLS Inappropriate authentication
> >
> > when I turn on this option. I've attempted to authenticate with an LDAP browser as well. The LDAP browser I have, though, doesn't have a section for TLS and I do have "require TLS" turned on in eDirectory. Is there a TLS-capable LDAP browser?
> >
> > -d

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
different pools for different realms
Hello,

I am a newbie with freeradius (and with all radius servers), so maybe this is a silly question; I am sorry if it is.

I have 1.0.2 running in a debian sarge box. I am configuring a new radius server to substitute two different radius servers already working. We want to replace those two servers with a new one, so we have to unify both configurations. Those servers offer IP addresses from different pools to their users. So with the new one we have to authenticate users (with different realms) and map them to different ip pools.

By now, I have an entry in the users file like this:

DEFAULT Auth-Type = LDAP, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
        User-Name := `%{User-Name}`,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        X-Ascend-Client-Primary-DNS = 10.10.10.10,
        X-Ascend-Client-Secondary-DNS = 10.10.10.11,
        Fall-Through = No

(I authenticate through a LDAP server)

Is there any way to force that entry to have a particular realm? That is, something like this:

DEFAULT Auth-Type = LDAP, Realm == @myrealm, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
        ...
        ...

Or is there any other way to do what I want?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Security in the network traffic
Hi people,

I have been using freeradius 0.9.3 in a server with a Debian distribution for more than one year. However I have a doubt: can I use the acctSessionId / AcctUniqueId attributes in order to encrypt the traffic to achieve safer communications? If so, how do you implement it in the system?

Thanks,
Santiago
Re: Freeradius Active Directory?
Hello all,

My Freeradius server works quite well with system accounts but I must link an Active Directory database to my server. So, in view of that, I would like some information:

[...]

> > 4- If this configuration is impossible, what type of configuration for freeradius can I use?
>
> I authenticate the users against a Windows (AD) domain with PEAP + MSCHAPv2 + ntlm_auth. It works well.

So I follow your advice by running my server with PEAP, but can you give me more information about ntlm_auth? Because I don't understand how it works and especially why it works.

My last question: can someone give me an example of radiusd.conf for an Active Directory (the LDAP part)? Or just some explanations about the LDAP part; I think it can help me a lot :)

Thanks to Alexandre for his reply
Re: WG: PEAP and fatal unknown_ca
I had EXACTLY that error when using a cisco card talking to a cisco AP1100 and freeradius. I am on XP and not W2K so YMMV but... the problem is the cisco ADU (Aironet Desktop Utility). If you are using that to configure your card it just won't do PEAP correctly. If you switch over and set the "Use windows to configure..." check box it will work. At least on XP SP2 (and SP2 is needed, as I understand it, to do PEAP).

I had a talk with cisco tech support and they claimed it wasn't their problem; they have run it with PEAP. Wouldn't work for me in this setup though, had to go with windows config.

Bob
RE: high volume proxy radius issues
thanks for the reply - multiple source ports is the obvious answer, which i didn't trust was actually specified in the RFCs. The reason for this is that too often i have seen requests from 1645 to 1645 and not (random-high-port to 1645), for example.

extended ID? well some radius servers will extend the 8-bit Identifier into a proxy-state part of the packet, effectively extending the 8-bit length.

in freeradius - is that 8k requests per thread? or does the freeradius proxy not use threads to handle the proxy states - is it a central state-table? i was hoping the threads handled the proxying because then i can set the initial pool size and max-pool size (where each thread has space for say 500 pending proxy results).

t

---

> FreeRADIUS allows 8k *active* requests to any home server. That's more than enough for major deployments.

(i know that not all devices and target radius servers implement the extended id which effectively expands the range from 256)

> Extended ID? What's that?
>
> Alan DeKok.
RE: Simultaneous use ?
To answer some of my own questions, and maybe someone else's with the same issues running 3COM USRHiper equipment. To get the SNMP_Session and BER modules for Perl go to:

http://www.switch.ch/misc/leinen/snmp/perl/dist/SNMP_Session-1.07.tar.gz

After installing these my simultaneous use works.

Joel
Re: Security in the network traffic
Santiago Balaguer García wrote:
> I am still using freeradius 0.9.3 in a server

  Upgrade to 1.0.2.

> However I have a doubt: Can I use acctSessionId AcctUniqueId attributes in order to encrypt the traffic to achieve safer communications?

  No.

  Alan DeKok.
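The short "No" above deserves a concrete picture of what RADIUS actually does on the wire, so here is an added example (my code, not from the thread or the FreeRADIUS source) of the only two protections RFC 2865 gives a plain UDP exchange: the User-Password hiding a NAS applies in an Access-Request (section 5.2) and the Response Authenticator a NAS must verify on the reply (section 3). Accounting attributes such as Acct-Session-Id play no part in either. Function names are made up for the example; the shared secret and the fixed Request Authenticator used in the test are constructed sample values.

```python
"""RFC 2865 protections on a RADIUS Access-Request / Access-Accept (added example).

Not from the thread or FreeRADIUS. The only thing RADIUS itself hides on the
wire is the User-Password attribute (RFC 2865 section 5.2), and the only
integrity check the NAS gets on a reply is the Response Authenticator
(section 3). Both are keyed on the shared secret alone; nothing else in the
packet, and nothing in an Accounting-Request, is encrypted.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then c_i = p_i XOR MD5(S + c_{i-1}), c_0 = RA."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same keystream; trailing NUL padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _tlv(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """What the NAS sends: header, 16-octet random Request Authenticator, attributes."""
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = _tlv(ATTR_USER_NAME, username)
    attrs += _tlv(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def extract_password(request: bytes, secret: bytes) -> Optional[bytes]:
    """What the server does: walk the attributes and unhide User-Password."""
    request_auth, pos = request[4:20], 20
    while pos + 2 <= len(request):
        attr_type, length = request[pos], request[pos + 1]
        if length < 2:
            return None
        if attr_type == ATTR_USER_PASSWORD:
            return unhide_password(request[pos + 2:pos + length], secret, request_auth)
        pos += length
    return None


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check a NAS must do before acting on an Access-Accept."""
    if response[1] != request[1]:          # Identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The keystream is MD5 over the shared secret and a 16-octet nonce, so the secret is the only key in play: anyone who captures an Access-Request for which they know (or can guess) the password can run an offline dictionary attack on the secret, and every other attribute, including everything in accounting packets, travels in the clear. The practitioner's answer to the question is therefore not an attribute but a transport: run RADIUS inside IPsec, as RFC 2865's security considerations suggest, or over a TLS-protected transport.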
Re: check_cert_uid instead of check_cert_cn
Alejandro Martínez Marcos wrote:
> I would need an option check_cert_uid instead of check_cert_cn, because my client certificates don't have a cn. Is it possible at the moment? In other case, how can we achieve it?

  Source code edits.

  The TLS module should really export a way to check all fields in the certificate, via something like %{tls:}. That way the check_cert_foo stuff could go away.

  Alan DeKok.
Re: PEAP-{GTC,MSCHAPv2} against OpenLDAP
Sebastian Mauer wrote:
> I already read several messages related on the topic EAP with FreeRadius and LDAP, but I'm not yet sure because I never found a clear statement that this combination will work.

  People keep asking this, and the answer is ALWAYS the same. If you store clear-text passwords in LDAP, there's no problem.

> In the end I should have an OpenSource based combination with XSupplicant, FreeRadius, one of the above EAP flavours and OpenLDAP. So, is this possible?

  Yes.

> At the moment I'm testing the authorize integration of LDAP with PEAP-GTC. The User-Passwords in LDAP are plain-text, although I would prefer some encryption (possible?).

  The simplest answer is No.

> rlm_pap: No password (or empty password) to check against for for user maui

  You didn't tell the server what the user's password was. Earlier in the debug log:

> rlm_ldap: performing search in ou=people,dc=sicherheit,dc=net, with filter (uid=maui)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...

  Nothing was found in LDAP. i.e. No password.

  Fix that.

  Alan DeKok.
Re: high volume proxy radius issues
Tariq Rashid wrote:
> thanks for the reply - multiple source ports is the obvious answer which i didn't trust was actually specified in the RFCs.

  Yes, it's in there.

> The reason for this is that too often i have seen requests from 1645 to 1645 and not (random-high-port to 1645) for example.

  Agreed. That's a *bad* design for a server. It means that you can't run a client and a server on the same IP.

> in freeradius - is that 8k requests per thread?

  Would you please stop getting excited about threads? Nothing I said had anything to do with threads.

> or does the freeradius proxy not use threads to handle the proxy states - is it a central state-table?

  I've answered that 3 times already, by my recollection. Can you explain why you are ignoring my answers?

> i was hoping the threads handled the proxying because then i can set the initial pool size and max-pool size (where each thread has space for say 500 pending proxy results).

  That's a terrible design for a server. I've said so many times.

  Please, if you're going to ask questions here, then READ THE ANSWERS.

  Alan DeKok.
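The arithmetic behind "multiple source ports" and the 8k figure in this thread can be made concrete with a small in-flight request table, added here as an example. It is not FreeRADIUS code and says nothing about how FreeRADIUS keeps its state; the class, its names and the 32-port conversion of 8k are mine. What it relies on is RFC 2865 itself: the Identifier is one octet, and a home server matches and de-duplicates requests on source IP, source port and Identifier.

```python
"""In-flight proxy request table keyed by (source port, Identifier) (added example).

Not FreeRADIUS code; the class and names are made up. RFC 2865 gives the
Identifier one octet, so one source socket can have at most 256 requests
outstanding to a home server (the reply is matched on source port and
Identifier, and its Response Authenticator is then checked against the
saved Request Authenticator). A proxy that needs more concurrency opens
more source ports, which is the answer given in the thread.
"""
from typing import Dict, Optional, Tuple

IDS_PER_PORT = 256


class ProxyIdTable:
    """Allocates (port_index, identifier) slots for requests proxied to one home server."""

    def __init__(self, source_ports: int):
        if source_ports < 1:
            raise ValueError("need at least one source port")
        self.source_ports = source_ports
        self.in_flight: Dict[Tuple[int, int], object] = {}   # slot -> caller's request key
        self._cursor = 0   # round-robin so a just-released ID is not reused at once

    @property
    def capacity(self) -> int:
        return IDS_PER_PORT * self.source_ports

    def allocate(self, request_key: object) -> Optional[Tuple[int, int]]:
        """Reserve a slot for a new proxied request; None when every (port, ID) pair is busy."""
        if len(self.in_flight) >= self.capacity:
            return None
        for _ in range(self.capacity):
            slot = divmod(self._cursor, IDS_PER_PORT)   # (port_index, identifier)
            self._cursor = (self._cursor + 1) % self.capacity
            if slot not in self.in_flight:
                self.in_flight[slot] = request_key
                return slot
        return None   # unreachable given the length check above

    def match_reply(self, port_index: int, identifier: int) -> Optional[object]:
        """Look up which request a reply belongs to, before the authenticator check."""
        return self.in_flight.get((port_index, identifier))

    def release(self, slot: Tuple[int, int]) -> Optional[object]:
        """Free a slot once the reply arrived or the request timed out."""
        return self.in_flight.pop(slot, None)


def ports_needed(active_requests: int) -> int:
    """Source ports required to keep this many requests in flight to one home server."""
    return -(-active_requests // IDS_PER_PORT)
```

With this model 8k active requests to one home server need 32 source ports. Proxy-State (attribute 33) is the only "extension" RFC 2865 offers: a home server must echo it unmodified, so a proxy can carry its own key in it, but the home server still de-duplicates on source IP, source port and Identifier, which is why Proxy-State alone does not enlarge the in-flight space.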
Re: different pools for different realms
On Fri, 8 Apr 2005, Angel L. Mateo wrote:

> Hello,
>
> I am a newbie with freeradius (and with all radius servers), so maybe this is a silly question; I am sorry if it is.
>
> I have 1.0.2 running in a debian sarge box. I am configuring a new radius server to substitute two different radius servers already working. We want to replace those two servers with a new one, so we have to unify both configurations. Those servers offer IP addresses from different pools to their users. So with the new one we have to authenticate users (with different realms) and map them to different ip pools.
>
> By now, I have an entry in the users file like this:
>
> DEFAULT Auth-Type = LDAP, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1
>         User-Name := `%{User-Name}`,
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         X-Ascend-Client-Primary-DNS = 10.10.10.10,
>         X-Ascend-Client-Secondary-DNS = 10.10.10.11,
>         Fall-Through = No
>
> (I authenticate through a LDAP server)
>
> Is there any way to force that entry to have a particular realm? That is, something like this:
>
> DEFAULT Auth-Type = LDAP, Realm == @myrealm, Pool-Name := my_pool, NAS-IP-Address == 10.10.10.1

Yes.

DEFAULT Realm == myrealm, NAS-IP-Address == 10.10.10.1, Auth-Type = LDAP, Pool-Name := my_pool

>         ...
>         ...
>
> Or is there any other way to do what I want?
>
> --
> Angel L. Mateo Martínez
> Sección de Telemática
> Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
> http://www.um.es/atica
> Tfo: 968367590
> Fax: 968398337

--
Kostas Kalevras
Network Operations Center
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: Freeradius Active Directory?
Sylvain Clerc wrote:
> 1- I must work in eap-ttls mode (with md5 in the tunneled encryption), is it compatible with Active Directory?

  No.

> 2- Is it possible to link the database only with the configuration files of freeradius (like radiusd.conf)?

  I have no idea what you mean by this.

  Alan DeKok.
Re: Freeradius accounting problem/question
silvia troselj wrote:
> How can I find out how many octets are transferred between 2005-04-06 14:38:39 and 2005-04-06 23:59:59, and between 2005-04-07 00:00:00 and 2005-04-07 10:01:19?

  The NAS should send this information. If it doesn't, you can't get it.

  Alan DeKok.
Re: Error: Dropping conflicting packet due to unfinished request
Juan Nin wrote:
> > Maybe we should back-port some fixes, and release 1.0.3. 1.1.0 is still a ways off, due to various craziness.
>
> that would be great! is this just an idea, or have you decided it? if so, any idea on an approx. release date for 1.0.3? :)

  Some time in the future.

  Alan DeKok.
Re: Error: Dropping conflicting packet due to unfinished request
Alan DeKok wrote:
> > if so, any idea on an approx. release date for 1.0.3? :)
>
>   Some time in the future.

I really need to execute an external script. I have another radius running freeradius-0.9.3 on another server which is executing external scripts, so I guess the bug wasn't present on previous versions. Would it be too crazy to downgrade? Or should I use the latest from CVS? Is it stable for production?

thanks again,
Juan
Re: Error: Dropping conflicting packet due to unfinished request
Juan Nin wrote:
> I have another radius running freeradius-0.9.3 on another server which is executing external scripts, so I guess the bug wasn't present on previous versions. Would it be too crazy to downgrade?

  I would suggest using the fixed code from CVS. You should be able to patch it into 1.0.2.

  Alan DeKok.
Re: Error: Dropping conflicting packet due to unfinished request
> Juan Nin wrote:
> > I have another radius running freeradius-0.9.3 on another server which is executing external scripts, so I guess the bug wasn't present on previous versions. Would it be too crazy to downgrade?
>
>   I would suggest using the fixed code from CVS. You should be able to patch it into 1.0.2.
>
>   Alan DeKok.

Is the same bug present in external programs when running with rlm_perl?

Thanks
Re: Error: Dropping conflicting packet due to unfinished request
Dustin Doris wrote:
> Is the same bug present in external programs when running with rlm_perl?

  Hmm... I don't think so.

  Alan DeKok.
Re: PEAP-{GTC,MSCHAPv2} against OpenLDAP
Alan DeKok wrote:
> Sebastian Mauer wrote:
> > I already read several messages related on the topic EAP with FreeRadius and LDAP, but I'm not yet sure because I never found a clear statement that this combination will work.
>
>   People keep asking this, and the answer is ALWAYS the same. If you store clear-text passwords in LDAP, there's no problem.
>
> > In the end I should have an OpenSource based combination with XSupplicant, FreeRadius, one of the above EAP flavours and OpenLDAP. So, is this possible?
>
>   Yes.
>
> > At the moment I'm testing the authorize integration of LDAP with PEAP-GTC. The User-Passwords in LDAP are plain-text, although I would prefer some encryption (possible?).
>
>   The simplest answer is No.
>
> > rlm_pap: No password (or empty password) to check against for for user maui
>
>   You didn't tell the server what the user's password was. Earlier in the debug log:
>
> > rlm_ldap: performing search in ou=people,dc=sicherheit,dc=net, with filter (uid=maui)
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: looking for reply items in directory...
>
>   Nothing was found in LDAP. i.e. No password.

Thanks for that answer, but lately I found out some more. The password *is* as clear/plain-text in the LDAP, and the authentication works when using EAP-TTLS with GTC or MSCHAPv2, for example. It's only not working when using PEAP as EAP-flavour, and this is what's confusing me right now. Maybe a problem in FreeRADIUS 1.0.2, that I compiled yesterday; on the other hand it could of course also be a mistake by me, but why does it authenticate with TTLS without problems?

>   Fix that.
>
>   Alan DeKok.
freeradius + Active Directory
Hello People.

I'm new to Freeradius, and I've been searching for some "howto" to configure freeradius and Active Directory. I guess this is possible through ldap. I know that I need to configure rlm_ldap. Please send me the first steps to begin it.

regards,
Christian Souza
Re: PEAP-{GTC,MSCHAPv2} against OpenLDAP
Sebastian Mauer wrote:
> Thanks for that answer, but lately I found out some more. The password *is* as clear/plain-text in the LDAP, and the authentication works when using EAP-TTLS with GTC or MSCHAPv2, for example. It's only not working when using PEAP as EAP-flavour, and this is what's confusing me right now. Maybe a problem in FreeRADIUS 1.0.2, that I compiled yesterday; on the other hand it could of course also be a mistake by me, but why does it authenticate with TTLS without problems?

You may want to attach the debug log of what happens in PEAP. I have a HOWTO of our OpenLDAP/WPA/802.1x set up:

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

You don't necessarily need clear/plain-text passwords in the LDAP database. You can

a) Have MD5/CRYPT/SSHA hashed passwords if you are using TTLS with PAP
b) Have NT/LM password hashes if you are using PEAP.

Vladimir
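Points (a) and (b) above, and Alan's "if you store clear-text passwords there's no problem", come down to what the server can derive from the stored form. The following added example (my code, not from the HOWTO, the thread or FreeRADIUS) computes both forms: the {SSHA} userPassword that a PAP check inside EAP-TTLS can verify, and the NT hash (MD4 over the UTF-16LE password) that MSCHAPv2 inside PEAP is computed from, which is why PEAP-MSCHAPv2 needs either the clear-text password or that exact hash in the directory (for example in a Samba-schema attribute such as sambaNTPassword; that attribute name is an assumption here, not something the thread states). Function names are made up; the salt and passwords in the test are constructed values. MD4 is written out because Python builds on OpenSSL 3 often refuse hashlib.new("md4").

```python
"""Which stored password form serves which EAP method (added example).

Not from the thread, Vladimir's HOWTO or FreeRADIUS. PAP (e.g. inside
EAP-TTLS) hands the server the clear-text password, so any one-way hash in
userPassword can be checked. MSCHAPv2 (inside PEAP) never sends the
password; its challenge/response is computed from the NT hash, MD4 over the
UTF-16LE password, so the server must hold either the clear-text password
or that exact hash. MD4 is implemented here because OpenSSL 3 builds of
Python commonly refuse hashlib.new("md4").
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; only needed because the NT hash is MD4, not MD5/SHA."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    f = lambda x, y, z: (x & y) | (~x & z)            # round 1
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2
    h = lambda x, y, z: x ^ y ^ z                     # round 3

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash as used by MSCHAPv2: MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16le"))


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} userPassword form: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_pap(stored: str, password: str) -> bool:
    """PAP check of a clear-text password against common userPassword forms."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        return hmac.compare_digest(hashlib.sha1(pw + raw[20:]).digest(), raw[:20])
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(pw).digest(), base64.b64decode(stored[5:]))
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hashlib.md5(pw).digest(), base64.b64decode(stored[5:]))
    # No scheme prefix: clear-text, which is what the thread's LDAP holds.
    return hmac.compare_digest(pw, stored.encode("utf-8"))


def mschapv2_nt_hash(stored_userpassword: str, stored_nt_hash: Optional[bytes]) -> Optional[bytes]:
    """Return the NT hash MSCHAPv2 needs, if the directory holds enough to derive it.

    A clear-text userPassword lets us compute it; a separately stored NT hash
    (assumed here to come from an attribute like sambaNTPassword) is usable
    directly; a one-way {SSHA}/{SHA}/{MD5} value cannot yield it at all.
    """
    if stored_nt_hash is not None:
        return stored_nt_hash
    if not stored_userpassword.startswith("{"):
        return nt_hash(stored_userpassword)
    return None
```

This is the whole of Sebastian's situation in two functions: with clear-text in userPassword, verify_pap and mschapv2_nt_hash both succeed, so TTLS/PAP and PEAP-MSCHAPv2 both work; switch userPassword to {SSHA} and only PAP can still be checked, so PEAP must be fed an NT hash from somewhere else. (The NT hash is an unsalted MD4, so storing it in LDAP is a password-equivalent; protect that attribute at least as carefully as a clear-text password.)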
FreeRADIUS + Emerald?
Has anyone out there written the appropriate SQL glue to get FreeRADIUS to talk to an Emerald database?

(Emerald is an ISP management package made by IEA Software. It's intended to be used with RadiusNT, but since all the data are stored in a fairly easy-to-use Microsoft SQL Server database, making it work with FreeRADIUS should only require writing the appropriate sql.conf statements.)

It's not by any means hard to do, but if it's already been done, I'd love to save the effort. (If it hasn't already been done, I'll probably end up doing it...)

David Smith
MVN.net
Re: Error: Dropping conflicting packet due to unfinished request
On Thu, Apr 07, 2005 at 02:05:04PM -0400, Alan DeKok wrote:
> Juan Nin wrote:
> > also, another issue that worries me is that if I change my authentication method on /etc/raddb/users so as to be the following:
>
>   Ah... That's a bug in the run external program code. It's fixed in the latest CVS snapshot.

Which fix is this? I hit the same problem, but hadn't had a chance to debug it, and I can't see the change in CVS that either caused or fixed it. (It only started happening to me when I moved from my PPC machine to an i386 machine, so I was blaming NPTL for the problem and just rewrote around all my wait=yes rlm_exec modules.)

--
Paul "TBBle" Hampson, on an alternate email client.