Re: authenticate machine accounts with ntlm_auth

2005-08-01 Thread Alan DeKok
Kris Benson [EMAIL PROTECTED] wrote:
 It sounds to me like you're saying this is a server-side issue.

  I'm saying the exact opposite.  It's a function of running on
Windows, and it has nothing to do with the RADIUS server.  FreeRADIUS
can run on Windows, and with the right code, it will most likely do
what you want.

 Since AD
 is available via LDAP, why couldn't this FreeRadius install just use
 rlm_ldap to access the machine account info in AD?

  The AD information you need IS NOT AVAILABLE THROUGH LDAP.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: accounting 'detail' file and EAP

2005-08-01 Thread Alan DeKok
Kris Benson [EMAIL PROTECTED] wrote:
 Has anyone come up with a way to either A) ensure the outside username
 matches the inside one (guaranteeing the outside one isn't falsified) or
 B) log the accounting details with the tunnel information?

  Use the class attribute.  Set it to some value inside of the
tunnel, and set use_tunneled_reply=yes.  You will then see it come
back in accounting packets outside of the tunnel.

  You will need to log the *inner* tunnel username & Class attribute,
to tie those two together, too.

  Alan DeKok.
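The Class-based correlation described in the reply above, carried through as an added example (editor's code, not from the thread or from FreeRADIUS). It assumes two constructed inputs: a log written from the inner tunnel that records the inner identity and the Class value that was handed out (FreeRADIUS does not write such a file by itself; the `inner=` / `class=` fields are this example's own convention), and an accounting detail file in the layout the detail module uses. The script ties each accounting Start to the inner identity behind its Class and flags sessions whose outer User-Name does not match it, as well as sessions that carry no Class at all (use_tunneled_reply off, or a NAS that does not echo Class back).

```python
import re

# Constructed sample of a log written from the inner tunnel. FreeRADIUS does not
# write this file by itself; the 'inner=' / 'class=' fields are this example's own
# convention for "which real identity was this Class value issued to".
INNER_AUTH_LOG = """\
2005-08-01 10:02:11 inner=alice class=c0ffee01
2005-08-01 10:05:47 inner=bob class=c0ffee02
2005-08-01 10:07:03 inner=carol class=c0ffee03
"""

# Constructed sample of an accounting detail file in the detail module's layout:
# a date line, one tab-indented "Attribute = value" per line, a blank line ends a
# record. Strings are quoted; octet attributes such as Class print as 0x... hex.
DETAIL_FILE = """\
Mon Aug  1 10:02:15 2005
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tClass = 0xc0ffee01
\tAcct-Session-Id = "0001"

Mon Aug  1 10:05:50 2005
\tAcct-Status-Type = Start
\tUser-Name = "anonymous"
\tClass = 0xc0ffee02
\tAcct-Session-Id = "0002"

Mon Aug  1 10:07:05 2005
\tAcct-Status-Type = Start
\tUser-Name = "carol"
\tAcct-Session-Id = "0003"

Mon Aug  1 10:09:30 2005
\tAcct-Status-Type = Start
\tUser-Name = "bob"
\tClass = 0xc0ffee03
\tAcct-Session-Id = "0004"
"""

INNER_RE = re.compile(r"inner=(?P<user>\S+)\s+class=(?P<cls>[0-9a-fA-F]+)")


def norm_class(value):
    """Normalise '0xC0FFEE01' / 'c0ffee01' to one comparable form."""
    value = value.lower()
    return value[2:] if value.startswith("0x") else value


def parse_inner_log(text):
    """Map each Class value to the inner (real) identity it was issued to."""
    issued = {}
    for line in text.splitlines():
        m = INNER_RE.search(line)
        if m:
            issued[norm_class(m.group("cls"))] = m.group("user")
    return issued


def parse_detail(text):
    """Split a detail file into records, one dict of attribute -> value each."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records


def correlate(detail_text, inner_text):
    """Tie each accounting Start to the inner identity behind its Class.

    Returns (session_id, outer_user, inner_user_or_None, verdict) per Start:
      ok              outer User-Name is the inner identity
      outer-mismatch  outer User-Name differs (anonymous outer id, or a falsified one)
      no-class        the NAS did not echo Class, or use_tunneled_reply is off
      unknown-class   Class was echoed but this server never issued it
    """
    issued = parse_inner_log(inner_text)
    results = []
    for rec in parse_detail(detail_text):
        if rec.get("Acct-Status-Type") != "Start":
            continue
        outer = rec.get("User-Name", "")
        cls = rec.get("Class")
        inner = None
        if cls is None:
            verdict = "no-class"
        else:
            inner = issued.get(norm_class(cls))
            if inner is None:
                verdict = "unknown-class"
            elif inner == outer:
                verdict = "ok"
            else:
                verdict = "outer-mismatch"
        results.append((rec.get("Acct-Session-Id"), outer, inner, verdict))
    return results


if __name__ == "__main__":
    for session, outer, inner, verdict in correlate(DETAIL_FILE, INNER_AUTH_LOG):
        print("%s outer=%-10s inner=%-6s %s" % (session, outer, inner, verdict))
```

An outer-mismatch is normal when supplicants send an anonymous outer identity; the point is that the Class lookup tells you the real one. Session 0004 is the case the question is about: an outer User-Name that belongs to one account, echoing a Class that was issued to another.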


Re: Computer Authentication problem

2005-08-01 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 I want to know if there is a way to work with realm configuration based on
 host/fqdn, example: host/israel.teste.com

  Yes.

  Alan DeKok.


Re: Authenticate as computer - Windows XP

2005-08-01 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 How I can do this in Freeradius for authenticate computer account,

  You can't.

  See recent messages on this list.  IAS interacts with AD in certain
magic ways that no one in the world outside of Microsoft understands.

  Alan DeKok.



Re: access-challenge

2005-08-01 Thread Srinivasa Rao Chigurupati

Thanks Alan.
Would you please answer another question in-line below.

Alan DeKok wrote:
 Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
  1. Will FreeRadius challenge with access-challenge if auth-type is PAP?

 No.  Read the RFC's for how PAP works.

  2.  How does FreeRadius understand whether an incoming Radius access-request packet
  contains PAP authentication information, CHAP authentication information,
  MS-CHAP authentication information or other authentication
  information?

 It looks in the packets.

I think if the access-request packet contains a user-password attribute,
FreeRadius authenticates with PAP.
If the access-request packet contains a chap-password attribute, FreeRadius
authenticates with CHAP.
Am I correct?
How are MS-CHAP and other authentication methods identified from the
access-request by FreeRadius?

-- 
Thanks & Regards
Srinivasa Rao Chigurupati



Re: authenticate machine accounts with ntlm_auth

2005-08-01 Thread Stefan Winter
Hi,

 It sounds to me like you're saying this is a server-side issue.  Since AD
 is available via LDAP, why couldn't this FreeRadius install just use
 rlm_ldap to access the machine account info in AD?

No. There is one important difference between plain LDAP and AD: an AD server 
will _never_ give away the user's (machine's) password. Never. The closest 
thing you can get is a MS-CHAP challenge that is built from the password, but 
for some reason that doesn't do the trick.

 The Microsoft side of things isn't my greatest strength, least of all the
 AD/LDAP stuff, but it seems as though this *should* work.

It would, if AD would give you the password. But it doesn't.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:     +352 424409-1
http://www.restena.lu               fax:      +352 422473



Re: Cisco WAP 1200 Accounting for 802.1X PEAP

2005-08-01 Thread Stefan Winter
Hi,

 I am having difficulty getting my Cisco APs (all 1230s) to send
 accounting information regarding
 802.1x PEAP authentications - stop/start info.Does anyone have this
 working?  If so can you please post the AP config.

This is off-topic for this list (no RADIUS server issue). Anyway:

 I currently have the following:
 aaa accounting network eap_methods start-stop group rad_acct

This is only one part. It sends you start-stop packets when *network* events 
happen, i.e. a stop packet only when an EAPoL-Logoff is occurring on the network. 
This does not cover events like "station disassociated", "cable was 
unplugged" etc.
Try adding the two lines
aaa accounting system default start-stop group radius
aaa accounting resource default start-stop group radius
(replacing "default" and "radius" as appropriate for your setup)

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.:     +352 424409-1
http://www.restena.lu               fax:      +352 422473



Re: authenticate machine accounts with ntlm_auth

2005-08-01 Thread Michael Fisher

Kris Benson wrote:

   I'm very frustrated now after spending a couple of weeks trying to get
   free radius to authenticate my Win2k machine accounts against active
   directory. :-(

  Sorry, blame Microsoft.  It isn't possible, but they don't make it
  obvious that it's not possible.

   Alan, do you know of any way to get this working.  I have been assured
   that Funk can do this, have you any idea how Funk are doing it.  Funk
   costs too much.  Maybe I'm not allowed to ask such questions.

  Funk does it by running the radius server on the AD server.  At that
  point, they can use *internal* Windows API's or hacks to get at the
  data.  Since FreeRADIUS is running externally, it can't use those
  API's, and thus won't work.

  FreeRADIUS *will* run on XP.  If someone were to write the necessary
  code, you could run the server on XP, and do what Funk does.

 It sounds to me like you're saying this is a server-side issue.  Since AD
 is available via LDAP, why couldn't this FreeRadius install just use
 rlm_ldap to access the machine account info in AD?

 The Microsoft side of things isn't my greatest strength, least of all the
 AD/LDAP stuff, but it seems as though this *should* work.

 :-)

 -kb
 --
 Kris Benson, CCP, I.S.P.
 Technical Analyst, District Projects
 School District #57 (Prince George)

AD unfortunately does not provide the passwords via LDAP; the 
authentication gets passed on to a Kerberos implementation, LDAP just 
provides group information. I'd look into a solution for radius that is 
able to either authenticate via machine accounts provided via winbindd, 
or an implementation that is able to use Kerberos for user account 
authentication information.


segmentation fault

2005-08-01 Thread vicky

Hi all,

I am trying to install (compile from source) freeRADIUS 1.0.4 on a SuSE 
Linux system, version 9.1. The configuration, compilation and 
installation go well. The problem comes when I run it with -X -A. You 
can see the output from that attached to this mail.
I have made sure that the mysql-devel package is installed, so I guess it 
is not that.

The last two lines in the output are :

sql: postauth_query = "INSERT into radpostauth (id, user, pass, 
session_id, reply, date) values ('', '%{User-Name}', 
'%{User-Password:-Chap-Password}', '%{Acct-Session-Id}', 
'%{reply:Packet-Type}', NOW())"
sql: safe-characters = 
"@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"


It tries to insert to a table 'radpostauth' that doesn't exist and 
further more there are no tables at all in the database. Is that normal?


Please help me shed some light on this,

Thanks!

--Vicky
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /opt/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/freeradius/etc/raddb/sql.conf
 main: prefix = /opt/freeradius
 main: localstatedir = /opt/freeradius/var
 main: logdir = /opt/freeradius/var/log/radius
 main: libdir = /opt/freeradius/lib
 main: radacctdir = /opt/freeradius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /opt/freeradius/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /opt/freeradius/var/run/radiusd/radiusd.pid
 main: user = psaadm
 main: group = psaadm
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /opt/freeradius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /opt/freeradius/lib
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /opt/freeradius/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded attr_rewrite
 attr_rewrite: attribute = User-Name
 attr_rewrite: searchfor = promo.*
 attr_rewrite: searchin = packet
 attr_rewrite: replacewith = %{User-Password}
 attr_rewrite: append = no
 attr_rewrite: ignore_case = no
 attr_rewrite: new_attribute = no
 attr_rewrite: max_matches = 10
Module: Instantiated attr_rewrite (attr_rewrite)
Module: Loaded preprocess
 preprocess: huntgroups = /opt/freeradius/etc/raddb/huntgroups
 preprocess: hints = /opt/freeradius/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
 detail: detailfile = 
/opt/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
 realm: format = prefix
 realm: delimiter = /
 realm: ignore_default = yes
 realm: ignore_null = yes
Module: Instantiated realm (prefix)
 realm: 

Re: segmentation fault

2005-08-01 Thread Uwe Driessen
 -----Original Message-----
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On 
 Behalf Of vicky
 It tries to insert to a table 'radpostauth' that doesn't 
 exist and further more there are no tables at all in the 
 database. Is that normal?
 
 Please help me shed some light on this,
 

Generate the database and make sure the right connection info is in sql.conf.

Read : http://www.frontios.com/freeradius.html

Setting up the RADIUS database in MySQL

First, you should create a new empty 'radius' database in MySQL and a login user with
permissions to that database. You could of course call the database and the
user anything you like but we'll stick to 'radius' for both for the purposes
of this discussion.

Next up, you need to create the schema for the database. There is a file
which describes this and is actually a SQL script file. It can be found at
/src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql where you untar'd
FreeRadius. This is the bit that, at least at the time I originally wrote
these notes, wasn't really documented anywhere and was the thing most people
seemed to be asking. 

How you run that script is up to you and how you like to admin MySQL. The
easiest way is to: 

   mysql -uroot -prootpass radius < db_mysql.sql

...where 'root' and 'rootpass' are your mysql root name and password
respectively.


Kind regards 
Drießen 
There's something in the air
www.feilbingert.net
Uwe Drießen
Software & Computer
Lembergstraße 33
67824 Feilbingert
Tel.: 06708 660045 Fax 06708 661397
www.edv-driessen.de




OFF-TOPIC - ISDN and 56k modem users

2005-08-01 Thread Kinetix

Has anyone ever used an Eicon Diva card for a dial-up server?
I have set up such a server using a DIVA 4BRI card in a Redhat box with 
mgetty 1.1.33 and pppd-2.4.3.
Everything worked OK for the modem users. The dial-up server sent a 
NAS-Port-Type = Async to the radius server.
But when I tried with ISDN users I saw that the NAS-Port-Type that the 
dial-up server sent to radius was Async again.
Has anyone any idea on how to make pppd send the correct type of 
NAS-Port-Type to the radius server?


Re: WRT54GS (sveasoft) with Freeradius 1.0.2

2005-08-01 Thread Vladimir

Rajeev Pokkyarath wrote:

 I am trying to use Linksys WRT54GS with
 Firmware_Alchemy-6.0rc3lw031 (sveasoft) against my
 freeradius server (1.0.2). Basically trying to setup a
 hotspot scenario. But even though I enter a valid
 username/password in the login page, I am not able to
 login. I ran the radius server in the debug mode and I
 see that the server is sending the Access-Accept
 packet (I also notice that it is re-sending it).

You have to provide a debug log with more details on your setup if you 
want any help.


Vladimir


System requirements

2005-08-01 Thread alfonso celestino

Hi, 

Can someone help me with the following problem?

I need a freeradius server for a wireless network with
approximately 15,000 users and approximately 2,000
simultaneous users, and I need to know what the
system requirements (CPU, memory, processor, ...)
are for good server performance.

thanks in advance

Alfonso Celestino
DGSCA, UNAM








Re: System requirements

2005-08-01 Thread Alan DeKok
alfonso celestino [EMAIL PROTECTED] wrote:
 I need a freeradius Server for a wireless network with
 Approximately 15,000 users with Approximately 2,000
 simultanous users and I need to know which are the
 system requirements(like CPU, Memory, Processor,...)
 for a good server performance.

  The number that matters is how many people login per minute.  If
it's small, any old PC will do.  If it's large, then a more powerful
PC may be better.

  Generally, any system built in the last year has more than enough
CPU power and memory to run a busy RADIUS server.

  Alan DeKok.



Re: access-challenge

2005-08-01 Thread Alan DeKok
Srinivasa Rao Chigurupati [EMAIL PROTECTED] wrote:
 I think if access-request packet contains user-password attribute, 
 FreeRadius authenticates with PAP.
 If access-request packet contains chap-password attribute, FreeRadius 
 authenticates with CHAP.
 Am I correct?
 How MS-CHAP and other authentication methods are identified from 
 access-request by FreeRadius?

  That information is in the packet.

  Alan DeKok.
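What "that information is in the packet" means in practice, as an added example (editor's code, not from the thread or from FreeRADIUS): a minimal Access-Request parser that classifies the request by the credential attribute it carries (User-Password for PAP, CHAP-Password for CHAP, the Microsoft vendor-specific MS-CHAP-Response or MS-CHAP2-Response for MS-CHAP and MS-CHAPv2, EAP-Message for EAP), together with the RFC 2865 User-Password decryption and the CHAP-Password check a server performs once it knows which method it is looking at. The shared secret, the fixed Request Authenticator and the four sample packets are constructed for the example.

```python
import hashlib
import struct

# RADIUS attribute types (RFC 2865/2869) and Microsoft VSA sub-types (RFC 2548).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC = 1, 2, 3, 26
CHAP_CHALLENGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 60, 79, 80
MS_VENDOR, MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = 311, 1, 25

SECRET = b"testing123"      # constructed shared secret for the example
AUTH = bytes(range(16))     # fixed Request Authenticator; a real NAS picks it at random


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header. Microsoft VSAs come back
    as ('MS', subtype, data) so the caller can tell MS-CHAP from MS-CHAPv2."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        typ, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if typ == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MS_VENDOR:
            attrs.append(("MS", value[4], value[6:6 + value[5] - 2]))
        else:
            attrs.append((typ, value))
        pos += length
    return attrs


def auth_method(packet):
    """Classify an Access-Request by the credential attribute it carries."""
    kinds = set()
    for attr in parse_attributes(packet):
        if attr[0] == "MS":
            kinds.add({MS_CHAP_RESPONSE: "MS-CHAP", MS_CHAP2_RESPONSE: "MS-CHAPv2"}.get(attr[1], "MS-other"))
        elif attr[0] == EAP_MESSAGE:
            kinds.add("EAP")
        elif attr[0] == CHAP_PASSWORD:
            kinds.add("CHAP")
        elif attr[0] == USER_PASSWORD:
            kinds.add("PAP")
    kinds.discard("MS-other")       # e.g. an MS-CHAP-Challenge on its own says nothing
    if not kinds:
        return "none"
    if len(kinds) > 1:              # RFC 2865 forbids User-Password together with CHAP-Password
        return "ambiguous:" + ",".join(sorted(kinds))
    return kinds.pop()


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * max(16 - len(password), -len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(encrypted, secret, authenticator):
    """Inverse of pap_encrypt: block n's keystream depends on ciphertext block n-1."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        block = encrypted[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def chap_verify(packet, password):
    """CHAP-Password = ident || MD5(ident || password || challenge); the challenge is the
    CHAP-Challenge attribute if present, else the Request Authenticator (RFC 2865 5.3)."""
    attrs = {a[0]: a[1] for a in parse_attributes(packet) if a[0] != "MS"}
    chap = attrs[CHAP_PASSWORD]
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])
    return chap[1:] == hashlib.md5(chap[:1] + password + challenge).digest()


def build_request(authenticator, attrs, ident=1):
    """Serialise an Access-Request (code 1) from [(type, value)] pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body


def ms_vsa(subtype, data):
    """Wrap data in a Microsoft Vendor-Specific attribute (vendor 311)."""
    return (VENDOR_SPECIFIC, struct.pack("!IBB", MS_VENDOR, subtype, len(data) + 2) + data)


def sample_requests():
    """Four constructed Access-Requests for user 'alice', one per method."""
    chap_ident = b"\x07"
    chap = chap_ident + hashlib.md5(chap_ident + b"s3cret" + AUTH).digest()
    return {
        "pap": build_request(AUTH, [(USER_NAME, b"alice"),
                                    (USER_PASSWORD, pap_encrypt(b"s3cret", SECRET, AUTH))]),
        "chap": build_request(AUTH, [(USER_NAME, b"alice"), (CHAP_PASSWORD, chap)]),
        "mschapv2": build_request(AUTH, [(USER_NAME, b"alice"),
                                         ms_vsa(MS_CHAP2_RESPONSE, b"\x00" * 50)]),   # 50-octet response
        "eap": build_request(AUTH, [(USER_NAME, b"alice"),
                                    (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),      # EAP-Response/Identity
                                    (MESSAGE_AUTHENTICATOR, b"\x00" * 16)]),
    }


if __name__ == "__main__":
    for name, pkt in sample_requests().items():
        print("%-8s -> %s" % (name, auth_method(pkt)))
```

Two things the code makes visible that the one-line answer does not: the classification is purely structural (no Auth-Type hint travels in the packet, which is why a request carrying both User-Password and CHAP-Password is reported as ambiguous rather than guessed at), and the PAP "encryption" is an MD5 keystream keyed by the shared secret and the Request Authenticator, so anyone who knows the secret and sees the packet recovers the password.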


XP supplicant and Secure Certificate acceptance

2005-08-01 Thread jck-freeradius
I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
is after authenticating against FreeRadius, XP asks me to OK
the server certificate.

I do not want to manually validate the server certificate.  XP should be able
to validate the certificate by itself, as long as the cert has been issued by
a valid Certificate Authority.  I have tried using certs from DigiCert and
Verisign.

Does anyone else see this same problem?  How can this step be automated so that
my users are not required to make this additional click?

--johnk 


Problems with Simultaneous-Use

2005-08-01 Thread jck-freeradius
= This is a re-post.  I received no help from the previous posting =

Hello,

I am having problems with Simultaneous-Use and checkrad.  I know that
checkrad is not running because:

grep debug /usr/local/sbin/checkrad 
#   Config: $debug is the file you want to put debug messages in
#$debug = "";
$debug  = "$logdir/checkrad.log";

and:

--
tail -F /var/log/radius/checkrad.log

Fri Jul 29 12:57:30 2005 checkrad 
Usage: checkrad nas_type nas_ip nas_port login session_id
--
(nothing new is showing up in the checkrad log file, except for when I
run it by hand)

I have both the Perl SNMP modules installed, along with NET-SNMP (and
the correct syntax for NET used in the checkrad script, even though
it should be using the perl modules first).

I am able to manually use snmpwalk /fine/.

Here is how my SQL table looks:

mysql> select * from radgroupcheck;
+----+------------+------------------+----+-------+
| id | GroupName  | Attribute        | op | Value |
+----+------------+------------------+----+-------+
|  1 | pirate     | Simultaneous-Use | := | 2     |
|  2 | pirate-stu | Simultaneous-Use | := | 2     |
|  3 | pirate-stf | Simultaneous-Use | := | 2     |
|  4 | pirate-fac | Simultaneous-Use | := | 2     |
|  5 | pirate-its | Simultaneous-Use | := | 1     |
+----+------------+------------------+----+-------+

Here are the related sections from my radiusd.conf file:

radutmp {
        #  Where the file is stored.  It's not a log file,
        #  so it doesn't need rotating.
        #
        filename = ${logdir}/radutmp

        #  The field in the packet to key on for the
        #  'user' name.  If you have other fields which you want
        #  to use to key on to control Simultaneous-Use,
        #  then you can use them here.
        #
        #  Note, however, that the size of the field in the
        #  'utmp' data structure is small, around 32
        #  characters, so that will limit the possible choices
        #  of keys.
        #
        #  You may want instead: %{Stripped-User-Name:-%{User-Name}}
        username = %{User-Name}

        #  Whether or not we want to treat "user" the same
        #  as "USER", or "User".  Some systems have problems
        #  with case sensitivity, so this should be set to
        #  'no' to enable the comparisons of the key attribute
        #  to be case insensitive.
        #
        case_sensitive = yes

        #  Accounting information may be lost, so the user MAY
        #  have logged off of the NAS, but we haven't noticed.
        #  If so, we can verify this information with the NAS.
        #
        #  If we want to believe the 'utmp' file, then this
        #  configuration entry can be set to 'no'.
        #
        check_with_nas = yes

        # Set the file permissions, as the contents of this file
        # are usually private.
        perm = 0600

        #   callerid = yes
}

#
#  For Simultaneous-Use tracking.
#
#  Due to packet losses in the network, the data here
#  may be incorrect.  There is little we can do about it.
radutmp
#       sradutmp

#
#  Log traffic to an SQL database.
#
#  See "Accounting queries" in sql.conf
sql

#  Session database, used for checking Simultaneous-Use. Either the radutmp
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
        #radutmp

        #
        #  See "Simultaneous Use Checking Queries" in sql.conf
        sql
}

And here is my sql.conf file:

# Simultaneous Use Checking Queries
###
# simul_count_query     - query for the number of current connections
#                       - If this is not defined, no simultaneous use
#                         checking will be performed by this module instance
# simul_verify_query    - query to return details of current connections
#                         for verification
#                       - Leave blank or commented out to disable the
#                         verification step
#                       - Note that the returned field order should not
#                         be changed.
###

# Uncomment simul_count_query to enable simultaneous use checking
simul_count_query = "SELECT COUNT(*) FROM ${acct_table1} WHERE 
UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, 
NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM 
${acct_table1} WHERE 

Re: XP supplicant and Secure Certificate acceptance

2005-08-01 Thread Josh Howlett

On Mon, 1 Aug 2005, [EMAIL PROTECTED] wrote:

 I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
 is after authenticating against FreeRadius, XP asks me to OK
 the server certificate.

 I do not want to manually validate the server certificate.  XP should be able
 to validate the certificate by itself, as long as the cert has been issued by
 a valid Certificate Authority.  I have tried using certs from DigiCert and
 Verisign.


Hi,

In an 802.1x context, it is best to use certs from a self-signed CA, 
rather than a well-known CA (such as Verisign).

This is because an attacker could dupe your users' supplicants by 
acquiring a certificate from the same CA that you trust (i.e. Verisign), 
and install a rogue WAP near your premises to steal inner-tunnel 
credentials.

There is a solution, and this is to get the supplicant to verify certain 
attributes within the server cert. However, I am aware of only one 
supplicant that can do this: Funk's Odyssey. FWIW, even Funk recommend 
using a self-signed CA.

Evidently, you'll need to distribute the CA's root certificate to your 
users.


josh.




Re: XP supplicant and Secure Certificate acceptance

2005-08-01 Thread Zoltan Ori
On Monday 01 August 2005 16:37, [EMAIL PROTECTED] wrote:
 I am running FreeRadius 1.0.4 and using XP supplicants.  My problem
 is after authenticating against FreeRadius, XP asks me to OK
 the server certificate.

 I do not want to manually validate the server certificate.  XP should be
 able to validate the certificate by itself, as long as the cert has been
 issued by a valid Certificate Authority.  I have tried using certs from
 DigiCert and Verisign.

 Does anyone else see this same problem?  How can this step be automated so
 that my users are not required to make this additional click?


On the XP machines you can either uncheck "Validate server certificate" in 
the EAP properties (not recommended) or you can specify the trusted root 
certificate that you are using (check the box in the list) and the RADIUS 
server names.

The validation is not a big deal and you only have to do it once unless you 
are wiping the eapinfo from the registry on shutdown.

Zoltan Ori



simultaneous use

2005-08-01 Thread Jeremy Kenney

Hello, ok, I'm closer: the simultaneous use works, but it's
not doing it for the dialup; it's only doing it for the slipstream-auth group.

I have a dialup-yes group for allowed dialup customers and
it doesn't seem to work.

Can you help?

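How the SQL session check behind the two Simultaneous-Use posts above ("Problems with Simultaneous-Use" and "simultaneous use") actually behaves, as an added example (editor's code, not from the thread or from rlm_sql). It uses an in-memory SQLite copy of the tables the posted queries refer to (radacct, radgroupcheck, and usergroup for the user-to-group mapping); every row, and the set of sessions the NAS would confirm when asked, is constructed. NULL stands in for the zero AcctStopTime that the posted simul_count_query matches in MySQL. The check reproduces the three outcomes that matter: a lost Stop packet leaves a ghost row that only the NAS verification step (checkrad's job) can discount, a user at the limit is rejected, and a group with no Simultaneous-Use check item is never limited at all.

```python
import sqlite3

# Constructed schema: the rlm_sql MySQL tables the posted queries refer to, minus
# columns this check does not touch. NULL plays the role of MySQL's zero
# AcctStopTime, which is what "AcctStopTime = 0" matches there.
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
CREATE TABLE radacct (RadAcctId INTEGER PRIMARY KEY, AcctSessionId TEXT, UserName TEXT,
                      NASIPAddress TEXT, NASPortId INTEGER, AcctStopTime TEXT);
"""
ROWS = {
    "radgroupcheck (GroupName, Attribute, op, Value)": [
        ("pirate", "Simultaneous-Use", ":=", "2"),
        ("pirate-its", "Simultaneous-Use", ":=", "1"),
    ],                                              # no row at all for 'dialup-yes'
    "usergroup (UserName, GroupName)": [
        ("alice", "pirate"), ("bob", "pirate-its"), ("carol", "dialup-yes"),
    ],
    "radacct (AcctSessionId, UserName, NASIPAddress, NASPortId, AcctStopTime)": [
        ("s1", "alice", "10.0.0.1", 5, None),
        ("s2", "alice", "10.0.0.1", 9, None),       # Stop was lost: the NAS has forgotten s2
        ("s3", "alice", "10.0.0.2", 1, "2005-08-01 09:00:00"),
        ("s4", "bob", "10.0.0.1", 12, None),
        ("s5", "carol", "10.0.0.3", 2, None),
        ("s6", "carol", "10.0.0.3", 3, None),
    ],
}
# Sessions the NAS would confirm if asked (what checkrad does over SNMP/finger). Constructed.
NAS_LIVE_SESSIONS = {("10.0.0.1", 5), ("10.0.0.1", 12), ("10.0.0.3", 2), ("10.0.0.3", 3)}


def setup_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for target, rows in ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (target, placeholders), rows)
    return conn


def session_limit(conn, user):
    """Simultaneous-Use comes from the user's group check items; no row means no limit."""
    row = conn.execute(
        "SELECT g.Value FROM radgroupcheck g JOIN usergroup u ON u.GroupName = g.GroupName "
        "WHERE u.UserName = ? AND g.Attribute = 'Simultaneous-Use'", (user,)).fetchone()
    return int(row[0]) if row else None


def open_sessions(conn, user):
    """The simul_verify_query: rows the accounting table believes are still open."""
    return conn.execute(
        "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId FROM radacct "
        "WHERE UserName = ? AND AcctStopTime IS NULL", (user,)).fetchall()


def check_simultaneous_use(conn, user, nas_confirms=lambda nas_ip, port: True):
    """Return ('accept' | 'reject', reason).

    First the cheap simul_count_query; only when the count reaches the limit is
    each open row confirmed with the NAS, so a ghost row left by a lost Stop
    does not lock the user out. The default nas_confirms trusts the table blindly."""
    limit = session_limit(conn, user)
    if limit is None:
        return "accept", "no Simultaneous-Use check item for this user's group"
    count = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE UserName = ? AND AcctStopTime IS NULL",
        (user,)).fetchone()[0]
    if count < limit:
        return "accept", "%d of %d sessions in use" % (count, limit)
    live = [s for s in open_sessions(conn, user) if nas_confirms(s[3], s[4])]
    if len(live) < limit:
        return "accept", "%d open rows but only %d confirmed live by the NAS" % (count, len(live))
    return "reject", "%d live sessions, limit is %d" % (len(live), limit)


if __name__ == "__main__":
    db = setup_db()
    ask_nas = lambda nas_ip, port: (nas_ip, port) in NAS_LIVE_SESSIONS
    for who in ("alice", "bob", "carol"):
        print(who, check_simultaneous_use(db, who, ask_nas))
```

Two practical consequences follow. If checkrad never runs (the first post's symptom), the check degrades to the blind default: alice, with one ghost row, is rejected although only one of her sessions is real. And carol is accepted twice over not because the check is broken but because nothing in radgroupcheck applies to her group; a `SELECT * FROM radgroupcheck WHERE GroupName='dialup-yes'` is the first thing to run when one group is limited and another is not.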

accounting records per nasid, not ip address

2005-08-01 Thread freeradius
Hi,

This is my first time using freeradius. I've had a good experience
so far.

I had to coerce the latest cvs version into fedora
core 3 with more hacks than I would have liked, but that's ok,
it's up and running.

One issue I find so far is that my NASs have a dynamic ip.
I managed this externally at great pains; however, for the
purposes of radius accounting, I'd like to see the
accounting records in a per-nasid file in

/var/log/radius/radacct/nasid

rather than what I see now as:

/var/log/radius/radacct/ip-address

I could not find a simple way to do this by looking around, though
I may be missing something. Is this doable as-is?
If not, any hint on where to hack this would be greatly appreciated.

While I am on the list, and at the risk of irking someone, I would like to
(lazily) ask if anyone knows offhand where I can find a document that I saw a
few months back on hardening radiusd.  The process exited on me a couple of
times due to dynamic ip issues, creating multi-hour blackouts that I'd rather not
see again. Looking for "freeradius hardening" or "crashing" I cannot seem to find
that most excellent list of things to restart or manage a crashed server.

Thanks in advance!


Re: XP supplicant and Secure Certificate acceptance

2005-08-01 Thread David Mitton
I think your terminology is incorrect.

I know for a fact that Funk's software will not accept a self-signed cert.
That is, a certificate not signed by another CA.

What I think you meant was having your own private trusted CA root,
where the server and client certs are signed by it.
And, yes, in that configuration you have to install the cert for that CA on the 
clients, if you want them to verify the server cert.

If you can provide me a pointer to the Funk documentation that recommends what 
you suggest, I would appreciate it.

Dave.





Re: XP supplicant and Secure Certificate acceptance

2005-08-01 Thread Josh Howlett

On Mon, 1 Aug 2005, David Mitton wrote:

 I think your terminology is incorrect.

Yes. It's late :-)

 I know for a fact that Funk's software will not accept a self-signed cert.
 That is, a certificate not signed by another CA.

 What I think you meant was having your own private trusted CA root, 
 where the server and client certs are signed by it. And, yes, in that 
 configuration you have to install the cert for that CA on the clients, 
 if you want them to verify the server cert.

That's correct.

josh.


Josh Howlett, Networking  Digital Communications,
Information Systems  Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



Re: Disconnect-Request packet

2005-08-01 Thread Kevin Bonner
On Friday 29 July 2005 13:43, N White wrote:
 I understand this now, and why it would be... as you put it yuck. Ha
 Ha! Well thanks for answering my question and explaining it to me. Looks
 like some custom scripting for me then. :-) My only problem now is going
 to be figuring out how to send disconnect packets to different types of
 server. Thanks for your help!

Cisco calls this a Packet of Disconnect (Death? =) and Ascend Max-TNTs have 
their own radius server running on the NAS to handle disconnect packets 
(though I've found the TNT to have several annoying bugs).  Those are two 
devices I've used to send disconnect packets to.

Kevin Bonner



Re: accounting records per nasid, not ip address

2005-08-01 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 i had to coerce the latest cvs version into fedora
 core 3 with more hacks than i would have liked,

  Such as...?

  It's a development version, so not everything works.

 one issue i find so far is that my NASs have a dynamic ip.

  That's evil.  Very evil.

 i managed this externally at great pains, however, for the
 purposes of radius accounting, i'd like to see the
 accounting records on a per-nasid file in
 
   /var/log/radius/radacct/nasid
 
 rather than what i see now as:
 
   /var/log/radius/radacct/ip-address

  Step 1: Find out which module writes those files
  Step 2: Edit the modules configuration

  See radiusd.conf.  You're probably looking for the detail module.

 while i am on the list, and at the risk of irking someone i would
 like to (lazily) ask if anyone knows offhand where can i find a
 document that i saw a few months back on hardening radiusd.  the
 process exited on me a couple of times due to dynamic ip issues,
 creating multi-hour blackouts that i rather not see again. looking
 for freeradius hardening or crashing i cannot seem to find that most
 excellent list of things to restart or manage a crashed server.

  doc/supervise-radiusd.txt

  Alan DeKok.



VSA id's higer than 255

2005-08-01 Thread Fawaz Qamhawi


We are using freeradius 1.0.4 and having a problem with
VSA id's higher than 255 (more than 8 bit).

ATTRIBUTE   Ascend-Http-Redirect-URL    287     string      Lucent
ATTRIBUTE   Ascend-Http-Redirect-Port   288     integer     Lucent

When one of the attributes above is sent back to the NAS, 
it seems that radius is sending it as 8 bit, thus it is interpreted as something
else on the Lucent NAS.

Any simple solution for that ?


Best Regards
/ Fawaz


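Why a vendor type of 287 comes out as "something else" on the wire, as an added example (editor's code, not from the thread or from FreeRADIUS): the RFC 2865 section 5.26 Vendor-Specific layout gives the vendor type and vendor length one octet each, so 287 cannot be represented in it; an encoder that writes the type into one octet regardless emits 287 & 0xFF = 31, and the NAS sees vendor attribute 31. Declaring the vendor's wider header (FreeRADIUS dictionaries express this with a `format=` option on the VENDOR line; whether the poster's 1.0.4 honours it for Lucent is not established here) makes the attribute round-trip. The Lucent vendor id 4846 is an assumption taken from the dictionary name.

```python
import struct

VENDOR_SPECIFIC = 26
LUCENT = 4846   # assumed: the vendor id behind the 'Lucent' name in the poster's dictionary


def encode_vsa(vendor, vtype, value, type_width=1, length_width=1):
    """Build a Vendor-Specific attribute (RFC 2865 5.26). The RFC layout gives the vendor
    type and vendor length one octet each; type_width/length_width model vendors whose
    headers are wider, which FreeRADIUS dictionaries declare with 'format=' on VENDOR."""
    vtype_bytes = vtype.to_bytes(type_width, "big")       # OverflowError if it does not fit
    hdr = type_width + length_width
    body = struct.pack("!I", vendor) + vtype_bytes + (hdr + len(value)).to_bytes(length_width, "big") + value
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-octet RADIUS length")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_vsa_truncating(vendor, vtype, value):
    """What an encoder that blindly stores the type in one octet puts on the wire."""
    return encode_vsa(vendor, vtype & 0xFF, value)


def decode_vsa(attr, type_width=1, length_width=1):
    """Parse a VSA with the given header widths; returns (vendor, vendor_type, value)."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor = struct.unpack("!I", attr[2:6])[0]
    vtype = int.from_bytes(attr[6:6 + type_width], "big")
    vlen = int.from_bytes(attr[6 + type_width:6 + type_width + length_width], "big")
    return vendor, vtype, attr[6 + type_width + length_width:6 + vlen]


if __name__ == "__main__":
    url = b"http://portal.example.test/login"     # constructed redirect URL
    wire = encode_vsa_truncating(LUCENT, 287, url)
    print("8-bit type field carries", decode_vsa(wire)[1])              # 31, not 287
    wire = encode_vsa(LUCENT, 287, url, type_width=2, length_width=1)
    print("2-octet type field carries", decode_vsa(wire, 2, 1)[1])      # 287
```

The decoder is the check to run against a capture: feed it the Vendor-Specific bytes the NAS received and both header widths, and whichever width yields 287 is the one the NAS and the server have to agree on. The same packet decoded with the wrong widths yields a plausible-looking but wrong type, which is exactly the "interpreted as something else" in the report.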


Fwd: PEAP + linksysWRT54G not working

2005-08-01 Thread alfred hitch
Hi All,

I was having a very simple network for testing,
WIN XP (SP2) client,
connecting via a wireless router . in PEAP MSCHAPv2 Mode ..

Now, everything was working fine with no issues while I was using a D-Link AP,
I replaced it with a Linksys Router (WRT54G) and boom boom bang  ..

I cannot get even basic WPA-TKIP RADIUS to work.

(Btw, My Win XP PEAP is set for asking for credentials and not default
use windows domain and password. no server certificate validation )

My observations:

Issue 1:
After wireless association, router sends EAPOL-Req. Identity.
1) If I enter credentials, say pradeep/pradeep .. they go to radius..
logs attached .. radius sends a challenge to router.
router doesn't seem to be forwarding this !

2) If I change the above PEAP setting to use domain name .. the exchange
goes through but fails at the last step, saying no password found.

Issue 2:

Even if I assume that linksys is somehow looking for "\\" in incoming
username requests,
I was trying to configure radius for that.
And here is where I need critical help.

Is just entering the username in this format in the users file ok ?

SBNOTEBOOK\\Administrator   Auth-Type := Local, User-Password == "sbook"
        SB_Uplink = 10,
        SB_Downlink = 20,
        Session-Timeout = 600,
        Fall-Through = 0

I have tried all combinations here with "\" instead of "\\" ..
turning on with_ntdomain_hack = yes in the conf file.

I am new and am sure I am missing something very basic here, any help
would be appreciated.

I am attaching a log from Issue1, step2 and radiusd.conf.

Cheers,
Alfred



Re: Freeradius-Users Digest, Vol 4, Issue 5

2005-08-01 Thread David Barker - 4D Internet Ltd
Please note that as of the 1st August 2005 my email address changed to [EMAIL PROTECTED]

Your email has been forwarded onto my new address but please update your 
address book for future use.

Thank you.

David Barker
4D Internet Limited
http://www.4dtechnologygroup.com