Re: Buy SSL Certificates for PEAP
Hi!

> Are you sure your certificate isn't already in PEM format?

How can I verify which format the certificate is in?

  # openssl x509 -in somecertificate.cer -text
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              69:4c:8a:74:b7:45:cd:7f:cd:47:71:b8:c0:f2:60:6a
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=ZA, ST=FOR TESTING PURPOSES ONLY, O=Thawte Certification, OU=TEST TEST TEST, CN=Thawte Test CA Root
          Validity
              Not Before: Jun 27 20:00:54 2006 GMT
              Not After : Jul 18 20:00:54 2006 GMT
          Subject: C=XX, ST=X, L=X, O=XX, OU=XX, CN=
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
              RSA Public Key: (1024 bit)
                  Modulus (1024 bit):
                      00:ce:0c:00:a5:88:d5:f7:f2:b8:c5:7d:f3:9d:0a:
                      0e:44:28:ee:fc:b0:78:c9:d0:1e:f2:cf:cf:2f:cc:
                      6f:bc:87:06:f4:eb:aa:a3:3d:8d:d5:d8:60:54:8e:
                      78:c3:2b:a5:fc:f5:fa:97:ea:d3:17:20:00:07:62:
                      25:1a:8f:cf:41:9e:ba:59:a7:c3:75:a0:ae:4c:9c:
                      69:4f:52:c3:7c:51:d7:2e:70:63:1e:d5:79:97:d7:
                      b3:81:94:d8:4f:cf:f1:5c:9c:ab:c5:e2:f5:82:70:
                      34:f0:8b:e8:70:a0:ce:27:b4:26:fc:16:b5:6c:64:
                      fd:f5:99:94:f8:ad:63:a7:41
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Basic Constraints: critical
                  CA:FALSE
              X509v3 Extended Key Usage:
                  TLS Web Server Authentication, TLS Web Client Authentication
              X509v3 CRL Distribution Points:
                  URI:http://crl.thawte.com/ThawtePremiumServerCA.crl
              Authority Information Access:
                  OCSP - URI:http://ocsp.thawte.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
radwho doesnt work - complains about missing radutmp file
This is the error I'm getting:

  radwho: Error reading /var/log/freeradius/radutmp: No such file or directory

radutmp indeed doesn't exist in /var/log. Does anyone know why freeradius is not creating the radutmp file?

Thanks.
LDAP related questions
Hello to everyone. I have a question regarding a configuration I am trying to achieve. I have users stored in an ldap database. An example user entry looks like this:

  dn: uid=kzorba,ou=people,dc=company,dc=gr
  cn: ZORBADELOS KONSTANTINOS
  uid: kzorba
  clearTextPwd: mypassword
  radiusProfile: PSTN_STATIC
  radiusAccountStatus: activated
  radiusMaxLogins: 1
  radiusExpDate: 2030/12/31 00:00:00
  Framed-IP-Address: 62.103.176.39
  objectClass: account
  objectClass: MyRadiusAccount
  objectClass: top

The attribute radiusProfile groups the users. For each group we have a corresponding profile:

  # PSTN_STATIC, radiusProfiles, company.gr
  dn: cn=PSTN_STATIC,ou=radiusProfiles,dc=company,dc=gr
  cn: PSTN_STATIC
  objectClass: freeradiusProfile
  objectClass: top
  radiusNASPortType: Async
  radiusFramedProtocol: PPP
  radiusCisco-AVPair: lcp:interface-config#1=ip vrf forwarding STATIC_USER
  radiusCisco-AVPair: lcp:interface-config#2=ip unnumbered Loopback1001
  radiusServiceType: Framed

Now, I want to authorize the user according to this information. I have read and tried the configuration described in ldap_howto.txt shipped in the freeradius distribution. It uses the Ldap-Group attribute and the users file. This configuration is sub-optimal because it generates many ldap queries trying to figure out in which group a user belongs. If we have many entries in the users file, one for each group, each entry will generate a couple of queries until the matching entry is found. So if we have, for example, a hundred groups and the last one in the users file matches, we will have generated ~200 ldap queries, just to find the group the user belongs to.

I tried the following alternative approach:

  # ldap.attrmap
  checkItem  Group  radiusProfile

  # users file
  ...
  DEFAULT Group == PSTN_STATIC, User-Profile := cn=PSTN_DYNAMIC,ou=radiusProfiles,dc=company,dc=gr
          Fall-Through = no

  DEFAULT Auth-Type := Reject
          Reply-Message = Unauthorized access.

  # radiusd.conf
  authorize {
          preprocess
          chap
          mschap
          suffix
          ldap
          files
          ldap
  }

In the first pass through the ldap module I want to set the Group attribute, then in the users file set the User-Profile, and I use one more pass through the ldap module to get the profile attributes. However, this is what I get when testing with radclient:

  rad_recv: Access-Request packet from host 127.0.0.1:41392, id=167, length=52
          User-Name = kzorba
          User-Password = XX
          NAS-IP-Address = 62.103.0.99
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
      rlm_realm: No '@' in User-Name = kzorba, looking up realm NULL
      rlm_realm: Found realm NULL
      rlm_realm: Adding Stripped-User-Name = kzorba
      rlm_realm: Proxying request from user kzorba to realm NULL
      rlm_realm: Adding Realm = NULL
      rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module suffix returns noop for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for kzorba
  radius_xlat: '((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
  radius_xlat: 'ou=people,dc=company,dc=gr'
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: attempting LDAP reconnection
  rlm_ldap: (re)connect to ldapserver.company.gr:489, authentication 0
  rlm_ldap: bind as cn=Directory Manager/XX to ldapserver.company.gr:489
  rlm_ldap: waiting for bind result ...
  rlm_ldap: Bind was successful
  rlm_ldap: performing search in ou=people,dc=company,dc=gr, with filter ((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))
  rlm_ldap: Added password XX in check items
  rlm_ldap: looking for check items in directory...
  rlm_ldap: Adding radiusProfile as Group, value PSTN_STATIC op=21
                                                             ^^
  rlm_ldap: Adding radiusMaxLogins as Simultaneous-Use, value 1 op=21
  rlm_ldap: looking for reply items in directory...
  rlm_ldap: Adding Framed-IP-Address as Framed-IP-Address, value 62.103.176.39 op=11
  rlm_ldap: user kzorba authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
      users: Matched entry DEFAULT at line 82
      ^^^(?)

Here, the files module does not match the line with the Group == PSTN_STATIC condition, but the last DEFAULT line that rejects the user.

    modcall[authorize]: module files returns ok for request 0
  rlm_ldap: - authorize
  rlm_ldap: performing user authorization for kzorba
  radius_xlat: '((uid=kzorba)(objectClass=MyRadiusAccount)(radiusAccountStatus=activated))'
  radius_xlat: 'ou=people,dc=company,dc=gr'
  rlm_ldap: ldap_get_conn: Checking Id: 0
using radius with samba
Hello,

I have freeradius version 1.1.2 and a samba installation with version 3.0.23. My Samba works as a Windows NT 4.0 PDC. Now I want the radius server to send authentication requests to samba, so that I can log on to the radius server with my samba domain login. What parameter in radiusd.conf do I have to change so that this works?

Thank you very much for your help

Josef
RE: mpd+freeradius+AD
> This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to assign an IP to a user I should use the freeradius users file. But I couldn't configure it correctly. Now I have only one line in this file:

  DEFAULT Auth-Type := MS-CHAP

I've added another entry (for user test), but it isn't correct:

  test Auth-Type := MS-CHAP, Framed-IP-Address = 192.168.10.65, Fall-Through = Yes

What should I fix?

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for reply.
>
> > You can use one of the three firewalls available in the base system (ipfw,
> > ipf and pf), however mpd comes with a small dictionary that uses ipfw(8) and
> > you can easily define some filter bound to an interface (bound to a username)
> > via a radius reply attribute, let filter be a pipe (for bandwidth control) or
> > a packet filtering expression.
>
> That's fine for filtering vpn users' access to the local net. But how could I
> assign a specific IP to a specific user in AD?

Your questions don't clearly tell where your problem is. Active Directory? mpd? or FreeRADIUS? You should define them better in order to get help from the list.

> My goal is to replace a VPN server based on win2003 with a FreeBSD one. WIN
> 2003 can do 1 and 2 in my questions, so I have to figure out how to set this up
> in mpd + freeradius. I already authenticate users from an AD group:
>
>   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.
>
> But I have several vpn groups and need to setup timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

> Also I need to assign a specific IP for a specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of these are very basic setup. I don't know how FreeRADIUS interacts with AD and what info it should get from AD. So, try searching (or asking) for active directory and FreeRADIUS. Keep the mpd part out of it, since it will add unneeded complexity. Or perhaps start from setting up mpd and FreeRADIUS. And then you could add AD.

A few suggestions,
Nikos
Re: LDAP related questions
On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> I have a few suspicions where the problem might be.

Is there a way to define the operator in the radius check attributes of ldap (without using the generic radiusCheckItem attribute)?

-- 
Kostas Zorbadelos [EMAIL PROTECTED]
contact: kzorba (at) otenet.gr
Out there in the darkness, out there in the night
out there in the starlight, one soul burns brighter
than a thousand suns.
Re: Fixed IP
Thanks for the guidance. How can I use the post-auth section??

Regards
Thanks
Mahesh S Kudva

-----Original Message-----
From: Phil Mayers [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tue, 27 Jun 2006 10:30:37 +0100
Subject: Re: Fixed IP

Mahesh S Kudva wrote:
> Hi
> I am running Freeradius on Mac OS X. How do I assign fixed IP addresses to my
> wireless clients who are authenticating under Apple Base stations??

You can't with radius. 802.11 clients assign IP addresses by DHCP after the link, so you would need to configure the DHCP server appropriately.

(In theory one could push an IP from FreeRadius into the DHCP server e.g. in the post-auth section with an exec module, but that would be a custom solution you'd have to make yourself)
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> > I have a few suspicions where the problem might be.
>
> Is there a way to define the operator in the radius check attributes of ldap
> (without using the generic radiusCheckItem attribute)?

radiusSessionTimeout: += value

-- 
Kostas Kalevras, Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> Hello to everyone. I have a question regarding a configuration I am trying to
> achieve. I have users stored in an ldap database. An example user entry looks
> like this:
>
>   dn: uid=kzorba,ou=people,dc=company,dc=gr
>   cn: ZORBADELOS KONSTANTINOS
>   uid: kzorba
>   clearTextPwd: mypassword
>   radiusProfile: PSTN_STATIC
>   radiusAccountStatus: activated
>   radiusMaxLogins: 1
>   radiusExpDate: 2030/12/31 00:00:00
>   Framed-IP-Address: 62.103.176.39
>   objectClass: account
>   objectClass: MyRadiusAccount
>   objectClass: top
>
> The attribute radiusProfile groups the users. For each group we have a
> corresponding profile

Why not put the full profile DN in radiusProfile? Then you can use the profile_attribute mechanism.
Re: Fixed IP
Hi Mahesh,

This is *totally* independent of the authentication process. You don't need to do anything to the RADIUS server to do this. You need a DHCP server.

When your client (the PC) is attached to a particular subnet, it will request a DHCP address by sending a broadcast to find a DHCP server. The DHCP server will see the MAC address from which the request was sent and, if a one-to-one mapping between that MAC address and an IP address exists in the config files for the DHCP server, it will return that IP address. The RADIUS server's job is over well before that happens (except for any accounting it may do).

Rgds,
Guy

On 28/06/06, Mahesh S Kudva [EMAIL PROTECTED] wrote:
> Thanks for the guidance. How can I use the post-auth section??
>
> [...]
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:11:00PM +0300, Kostas Kalevras wrote:
> On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> > [...] The attribute radiusProfile groups the users. For each group we have a
> > corresponding profile
>
> Why not put the full profile DN in radiusProfile? Then you can use the
> profile_attribute mechanism.

That would be perfect, however we already have the users database and we use a different Radius software. Our data are in the form I described. Any modifications would require migration and this is what I am trying to avoid.
Freeradius advocacy needed for convincing corporate management
My greetings to the list.

The company I work for is one of the largest ISPs in Greece. We are evaluating the possibility to move away from our current radius software (FUNK Radius, now Juniper) in favour of freeradius. We as technical people understand all the benefits of the move (and it would also give us the opportunity to contribute to the project). However, management would like to hear stuff like:

- Any large installations that use freeradius effectively today (commercial environments preferred). This would give us arguments in favour of freeradius scalability and reliability.
- Possibility to have commercial support.

Anyone who can contribute arguments or facts is more than welcome.

Kostas
Re: Freeradius advocacy needed for convincing corporate management
> - Any large installations that use freeradius effectively today (commercial
>   environments preferred). This would give us arguments in favour of
>   freeradius scalability and reliability

http://www.eduroam.org

Non-commercial, sorry.

> - Possibility to have commercial support

http://www.freeradius.org/business/

Greetings,

Stefan Winter

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax:  +352 422473
Re: LDAP related questions
On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > On Wed, Jun 28, 2006 at 11:56:27AM +0300, Kostas Zorbadelos wrote:
> > > I have a few suspicions where the problem might be.
> >
> > Is there a way to define the operator in the radius check attributes of
> > ldap (without using the generic radiusCheckItem attribute)?
>
> radiusSessionTimeout: += value

I meant in ldap.attrmap. When I define for example

  checkItem  Group-Name  radiusProfile

what is the operator implied (op=21 in the debugging output)? Can this be changed?
Re: LDAP related questions
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> On Wed, Jun 28, 2006 at 02:09:15PM +0300, Kostas Kalevras wrote:
> > > Is there a way to define the operator in the radius check attributes of
> > > ldap (without using the generic radiusCheckItem attribute)?
> >
> > radiusSessionTimeout: += value
>
> I meant in ldap.attrmap. When I define for example
>
>   checkItem  Group-Name  radiusProfile
>
> what is the operator implied (op=21 in the debugging output)? Can this be
> changed?

In the cvs version at least an extra field is supported in ldap.attrmap which sets the operator to be used. Don't know if it's supported in the stable versions.
Re: Freeradius advocacy needed for convincing corporate management
On Wed, 28 Jun 2006, Kostas Zorbadelos wrote:
> [...]
> - Any large installations that use freeradius effectively today (commercial
>   environments preferred). This would give us arguments in favour of
>   freeradius scalability and reliability

http://www.freeradius.org/testimonials.html

> - Possibility to have commercial support
>
> Anyone who can contribute arguments or facts is more than welcome.
>
> Kostas
Mysql Tribox(Asterisk)
Hello,

I have installed the FreeRadius server on a Trixbox server. My problem is that mysql is not letting FreeRadius log in, either locally or remotely. I also inserted the proper entries in the HOST and USERS tables, but it does not work; I always get:

  ERROR 1045 (28000); Access Denied for user 'root'@'localhost'

Thanks
Wazb
Re: Buy SSL Certificates for PEAP
By default, OpenSSL uses PEM format, so if you didn't specify a certificate format of DER, then it's a PEM encoded cert. If you look at the cert in a text viewer/editor, you'll see lines that have -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- if it's PEM encoded.

--Mike

On Jun 28, 2006, at 2:53 AM, VannMann32 . wrote:
> Hi!
>
> > Are you sure your certificate isn't already in PEM format?
>
> How can I verify which format the certificate is in?
>
>   # openssl x509 -in somecertificate.cer -text
>   [...]
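An added Python example (standard library only; not from the thread or from OpenSSL) that does the check Mike describes: it classifies a certificate file as PEM when it holds a CERTIFICATE block, as DER when the file is one ASN.1 SEQUENCE whose encoded length spans the whole file, and converts between the two. The DER samples it embeds are constructed, well-formed SEQUENCEs, not real certificates.

```python
"""Tell a PEM-encoded certificate file from a DER-encoded one, and convert.

Added example using only the standard library (not from the thread or from
OpenSSL).  A PEM certificate is base64 text between -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE----- lines; a DER certificate is raw ASN.1 whose
first byte is 0x30 (SEQUENCE) and whose encoded length covers the rest of the
file.  The DER samples below are constructed, well-formed SEQUENCEs, not real
certificates.
"""
import base64
import re

PEM_RE = re.compile(
    rb'-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----', re.S)


def der_outer_length(blob):
    """Return (content_length, header_length) of the outer DER TLV, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                     # short form: one length byte
        return first, 2
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return int.from_bytes(blob[2:2 + n], 'big'), 2 + n


def detect_format(blob):
    """Return 'PEM', 'DER' or 'unknown' for the bytes of a certificate file."""
    if PEM_RE.search(blob):
        return 'PEM'
    parsed = der_outer_length(blob)
    if parsed and sum(parsed) == len(blob):   # the SEQUENCE spans the whole file
        return 'DER'
    return 'unknown'


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b'-----BEGIN CERTIFICATE-----\n' + b'\n'.join(lines)
            + b'\n-----END CERTIFICATE-----\n')


def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text and decode it."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError('no CERTIFICATE block found')
    return base64.b64decode(re.sub(rb'\s+', b'', match.group(1)), validate=True)


# Constructed samples: SEQUENCE { INTEGER 1, NULL } with a short-form length,
# and a SEQUENCE holding a 197-byte OCTET STRING, which needs the long form.
SHORT_DER = b'\x30\x05\x02\x01\x01\x05\x00'
LONG_DER = b'\x30\x81\xc8' + b'\x04\x81\xc5' + b'A' * 197

if __name__ == '__main__':
    for name, blob in (('short', SHORT_DER), ('long', LONG_DER),
                       ('pem', der_to_pem(SHORT_DER))):
        print(name, detect_format(blob))
```

For a real file, read it with open(path, 'rb') and pass the bytes to detect_format; a DER file converted with der_to_pem is what eap.conf expects.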
Re: Mysql Tribox(Asterisk)
Wasif wrote:
> I have installed the FreeRadius server on a Trixbox server. My problem is
> that mysql is not letting FreeRadius log in, either locally or remotely. I
> also inserted the proper entries in the HOST and USERS tables, but it does
> not work; I always get:
>
>   ERROR 1045 (28000); Access Denied for user 'root'@'localhost'

1. Did you FLUSH PRIVILEGES in MySQL?

2. Don't use root. Create a new user in MySQL that only has the specific access to the db's, tables, and/or columns needed. If you use the GRANT command to create the user and privs you won't need to flush the privs afterwards.

See the MySQL docs. They are very good.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: radwho doesnt work - complains about missing radutmp file
liran tal [EMAIL PROTECTED] wrote:
> Does anyone know why freeradius is not creating the radutmp file?

The NAS isn't sending accounting packets.

Alan DeKok.
Re: Freeradius advocacy needed for convincing corporate management
Kostas Zorbadelos [EMAIL PROTECTED] wrote:
> - Any large installations that use freeradius effectively today (commercial
>   environments preferred). This would give us arguments in favour of
>   freeradius scalability and reliability

Most commercial installations won't publicly say they're using it. I know of multiple national ISP's with millions of users who've replaced commercial servers with FreeRADIUS. But they don't want me to mention their names, sorry.

An alternative is to see who's subscribed to this list. Past posts include people from DHL, among other large companies.

Alan DeKok.
Re: Please help !!!
Using the same FR, authenticating wireless clients against the Active Directory using PEAP and TLS, and now trying to authenticate the PPTP clients against the Active Directory through the Dlink FW. The first part works like a charm... and the second one I have an issue with. Here is the MSCHAP configuration in radiusd.conf:

  mschap {
          authtype = MS-CHAP
          use_mppe = no
          require_encryption = yes
          require_strong = yes
          with_ntdomain_hack = yes
          ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
  }

Here is the log when the pptp client dials into the pptp server (i.e. the Dlink FW; parameters are configured as MPPE 128-bit encryption and MSCHAPV2):

  rad_recv: Access-Request packet from host 192.168.0.1:2838, id=68, length=151
          User-Name = TEST\\kartthikr
          MS-CHAP2-Response = 0x200038088c81bfc0e2d29944dc15551174ab231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
          MS-CHAP-Challenge = 0xfb3fee292c917043d609ddf16c97b78c
          NAS-Identifier = Clavister
          NAS-Port = 0
          NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = MS-CHAP'
    modcall[authorize]: module mschap returns ok for request 0
      rlm_realm: No '@' in User-Name = TEST\kartthikr, looking up realm NULL
      rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
      users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 0
  modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type MS-CHAP
  auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
  modcall: entering group MS-CHAP for request 0
    rlm_mschap: No User-Password configured.  Cannot create LM-Password.
    rlm_mschap: No User-Password configured.  Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for kartthikr with NT-Password
  radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
  radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
  radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
   mschap2: fb
  radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
  radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=kartthikr --domain=TEST --challenge=ee58ce24154980e8 --nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627'
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=kartthikr --domain=TEST --challenge=ee58ce24154980e8 --nt-response=231accd16d14cd2691a3d4ebc78d51577067db9138eaf627
  Exec-Program output: NT_KEY: 67F102C088FF660F615D1F9236DF9797
  Exec-Program-Wait: plaintext: NT_KEY: 67F102C088FF660F615D1F9236DF9797
  Exec-Program: returned: 0
    modcall[authenticate]: module mschap returns ok for request 0
  modcall: leaving group MS-CHAP (returns ok) for request 0
  Sending Access-Accept of id 68 to 192.168.0.1 port 2838
          MS-CHAP2-Success = 0x20533d36333943444337363042443142463535393941334136453634453645364430343545333138363336
  Finished request 0
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  --- Walking the entire request list ---
  Cleaning up request 0 ID 68 with timestamp 44a2cf37

Kartthik

> > I have freeradius set up for wireless client access against the active
> > directory and it's working good. Now using the same FR, trying to
> > authenticate pptp clients against AD using a Dlink firewall. While the pptp
> > client connects to the dlink fw, getting this error message: the remote
> > server doesn't support the encryption type.
>
> So it's a DLINK problem.
>
> > The dlink support guys told that the encryption on the freeradius server is
> > not correct. Do you guys think this makes sense?
>
> Since you didn't show any of the RADIUS logs, there's no way to tell.
>
> > Note: In the dlink fw, the mppe encryption has been enabled. Does freeradius
> > support this encryption type too?
>
> Yes.
>
> Alan DeKok.
Re: Please help !!!
Kartthik Raghunathan [EMAIL PROTECTED] wrote:
> Using the same FR, authenticating wireless clients against the Active
> Directory using PEAP and TLS, and now trying to authenticate the PPTP clients
> against the Active Directory through the Dlink FW. The first part works like
> a charm... and the second one I have an issue with. Here is the MSCHAP
> configuration in radiusd.conf:
>
>   mschap {
>           authtype = MS-CHAP
>           use_mppe = no

Why did you change that? The default is to use MPPE, which you say you need. Since you turned MPPE off, I don't understand why you're surprised that MPPE doesn't work.

Alan DeKok.
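To make the point of the reply checkable, here is a small Python checker, added here and not from the thread or from FreeRADIUS, that parses the mschap block Kartthik posted and reports the settings that contradict a PPTP side configured for 128-bit MPPE: with use_mppe = no the module returns no MS-MPPE keys, and require_encryption / require_strong only take effect while use_mppe is on. The radiusd.conf fragment it embeds is constructed from the posted one, with the ntlm_auth value quoted.

```python
"""Check a radiusd.conf mschap block for settings that contradict a PPTP
client configured to require MPPE.

Added example (constructed; not FreeRADIUS code).  It reads the flat
'key = value' settings of one module block and reports the combinations a
PPTP deployment that requires MPPE cannot work with: with use_mppe = no the
module returns no MPPE keys in the Access-Accept, so a NAS or client set to
require 128-bit MPPE has nothing to negotiate, and require_encryption /
require_strong only have an effect while use_mppe is on.  The block below is
constructed from the one posted in the thread; the ntlm_auth value is quoted
so that its %{...} expansions are not mistaken for nested blocks.
"""
import re

BLOCK_RE = re.compile(r'^(\w+)\s*\{\n(.*?)\n\}', re.S | re.M)
SETTING_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def parse_module(conf, name):
    """Return the settings of the named module block as a dict."""
    for mod, body in BLOCK_RE.findall(conf):
        if mod == name:
            return dict(SETTING_RE.findall(body))
    raise KeyError(f'no block named {name}')


def is_on(value):
    return value.strip('"').lower() in ('yes', 'on', 'true', '1')


def mppe_findings(settings):
    """List the problems an MPPE-requiring PPTP setup hits with these settings."""
    findings = []
    if is_on(settings.get('use_mppe', 'yes')):      # the module default is yes
        return findings
    findings.append('use_mppe = no: no MS-MPPE keys are returned, so clients '
                    'that require encryption cannot bring the link up')
    for key in ('require_encryption', 'require_strong'):
        if is_on(settings.get(key, 'no')):
            findings.append(f'{key} = yes has no effect while use_mppe = no')
    return findings


MSCHAP_AS_POSTED = """\
mschap {
        authtype = MS-CHAP
        use_mppe = no
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
"""

# The same block with MPPE left at its default, which the reply points to.
MSCHAP_WITH_MPPE = MSCHAP_AS_POSTED.replace('use_mppe = no', 'use_mppe = yes')

if __name__ == '__main__':
    for label, conf in (('as posted', MSCHAP_AS_POSTED),
                        ('with MPPE', MSCHAP_WITH_MPPE)):
        print(label, mppe_findings(parse_module(conf, 'mschap')) or ['ok'])
```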
Re: radwho doesnt work - complains about missing radutmp file
I don't think it's because of that, since I do have records in the radacct table.

On 6/28/06, Alan DeKok [EMAIL PROTECTED] wrote:
> liran tal [EMAIL PROTECTED] wrote:
> > Does anyone know why freeradius is not creating the radutmp file?
>
> The NAS isn't sending accounting packets.
>
> Alan DeKok.
PEAP MSCHAP2 Freeradius Active Directory
Hi,

I have a question on configuring freeradius to return vlan attributes based on a user's group membership or ou. I have a windows xp sp2 client using peap mschap2 to authenticate off radius. How do I set radius to return a vlan id of 10 if the user belongs to the student group, and a vlan id of 20 if the user belongs to the teacher group? I have freeradius authenticating off Active Directory but it's only returning one vlan:

  DEFAULT NAS-Port-Type == Wireless-802.11
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 10,
          Tunnel-Type = VLAN

Do I have to add something else in the users file?
Installation on SuSE 10 x64
Hi, I keep getting the following error when building freeRADIUS on SuSE 10 x64.

/usr/lib/libltdl.so: could not read symbols: File in wrong format

I have tried to configure with the flag --disable-ltdl-install and without, and get the same message each time. Is there something else I need to do to get this built on x64 Linux? Trying to install freeradius-1.1.2.

Thank you,
Roger Rhody
Programmer / Analyst
burton + BURTON
[EMAIL PROTECTED]
(706) 548-1588
Re: PEAP MSCHAP2 Freeradius Active Directory
fvt3 wrote:
> Hi, I have a question on configuring freeradius to return VLAN attributes based on a user's group membership or OU. I have a Windows XP SP2 client using PEAP MSCHAPv2 to authenticate against RADIUS. How do I set RADIUS to return a VLAN id of 10 if the user belongs to the student group, and a VLAN id of 20 if the user belongs to the teacher group? I have freeradius authenticating against Active Directory but it's only returning one VLAN..
>
> DEFAULT NAS-Port-Type == Wireless-802.11
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Tunnel-Type = VLAN
>
> Do I have to add something else in the users file?

You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10,
        Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20,
        Tunnel-Type = VLAN

Alternatively, if you fill AD in from some external system, e.g. an SQL database, you can pull from there, or dump the groups to a file like so:

username:groupname

...and use the (poorly-named) passwd module to add the group.
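The users-file entries above only say which attributes to reply with; what the NAS actually gets is three RFC 2868 tagged tunnel attributes, and the tag byte is where switches and RADIUS servers most often disagree. The following is an added example, not code from the thread or from FreeRADIUS: it applies a first-match group-to-VLAN policy (the group names "Students" and "Staff" are assumed, as in the entries above), encodes the Access-Accept attributes in wire form, and decodes them the way a NAS must, including the RFC 2868 rule that a Tunnel-Private-Group-Id whose first byte is above 0x1F carries no tag.

```python
"""Added example (not from the thread): build the RFC 2868 tunnel attributes that
carry a VLAN assignment in an Access-Accept, and decode them the way a NAS has to.
The group-to-VLAN policy mirrors the users-file entries above (first match wins,
like the files module with Fall-Through = no). Group names are assumptions."""

TUNNEL_TYPE = 64               # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # "802" in RFC 2868; FreeRADIUS spells it IEEE-802

# Ordered policy: (Ldap-Group, VLAN). Assumed names, as in the users file above.
VLAN_POLICY = [("Students", 10), ("Staff", 20)]


def vlan_for_groups(groups):
    """First policy line whose group the user belongs to wins; None means no VLAN."""
    for group, vlan in VLAN_POLICY:
        if group in groups:
            return vlan
    return None


def _tlv(attr_type, value):
    """One RADIUS attribute: Type, Length (includes the 2 header bytes), Value."""
    if len(value) + 2 > 255:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def encode_vlan_assignment(vlan_id, tag=0):
    """Wire form of Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "<vlan>". tag 0 = untagged, 1..31 = Tunnel-Type:<tag>."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 or 1..31")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (
        _tlv(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )


def decode_attrs(data):
    """Walk the attribute list; tunnel attributes come back as (type, tag, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first byte above 0x1F is not a tag but part of the string
            if value and value[0] <= 0x1F:
                out.append((attr_type, value[0], value[1:].decode("ascii")))
            else:
                out.append((attr_type, 0, value.decode("ascii")))
        else:
            out.append((attr_type, None, value))
    return out


def vlan_from_accept(data):
    """VLAN a NAS should apply, or None unless all three attributes agree on one tag."""
    groups = {}
    for attr_type, tag, value in decode_attrs(data):
        if tag is not None:
            groups.setdefault(tag, {})[attr_type] = value
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    vlan = vlan_for_groups(["Domain Users", "Staff"])
    packet = encode_vlan_assignment(vlan)
    print(packet.hex(), "->", vlan_from_accept(packet))
```

The decoder groups the three attributes by tag before trusting any of them, because a NAS is only required to honour a VLAN when Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id all belong to the same tagged set; if a switch insists on tag 1, the FreeRADIUS spelling is `Tunnel-Type:1 = VLAN` and so on for the other two.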
RE: PEAP MSCHAP2 Freeradius Active Directory
I thought the ldap module wouldn't work with PEAP and AD unless you store the LM and NT password hashes for each user in AD?! Because you can't get the cleartext password back from AD... I don't think that extending AD to store this info would be difficult, I just think having those hashes updated when a user changes his/her password would be a pain, but I don't know.

-- Chris Liles

-----Original Message-----
From: freeradius-users- [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Phil Mayers
Sent: Wednesday, June 28, 2006 4:20 PM
To: FreeRadius users mailing list
Subject: Re: PEAP MSCHAP2 Freeradius Active Directory

> fvt3 wrote:
> > Hi, I have a question on configuring freeradius to return VLAN attributes based on a user's group membership or OU. I have a Windows XP SP2 client using PEAP MSCHAPv2 to authenticate against RADIUS. How do I set RADIUS to return a VLAN id of 10 if the user belongs to the student group, and a VLAN id of 20 if the user belongs to the teacher group? I have freeradius authenticating against Active Directory but it's only returning one VLAN..
> >
> > DEFAULT NAS-Port-Type == Wireless-802.11
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 10,
> >         Tunnel-Type = VLAN
> >
> > Do I have to add something else in the users file?
>
> You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:
>
> DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Tunnel-Type = VLAN
>
> DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 20,
>         Tunnel-Type = VLAN
>
> Alternatively, if you fill AD in from some external system, e.g. an SQL database, you can pull from there, or dump the groups to a file like so:
>
> username:groupname
>
> ...and use the (poorly-named) passwd module to add the group.
Re: PEAP MSCHAP2 Freeradius Active Directory
> You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:
>
> DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Tunnel-Type = VLAN
>
> DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 20,
>         Tunnel-Type = VLAN

The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a cleartext password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization?? Thanks for helping me better understand...
RE: PEAP MSCHAP2 Freeradius Active Directory
I never thought about splitting the authentication and authorization between ntlm and ldap. I don't see why that wouldn't work, but I really have no idea. But that would be pretty slick; coupled with some hacked wrt54g's to support the VLANs, a pretty cheap enterprise-level solution!

-- Chris Liles

-----Original Message-----
From: freeradius-users- [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Neal S. Garber
Sent: Wednesday, June 28, 2006 4:44 PM
To: FreeRadius users mailing list
Subject: Re: PEAP MSCHAP2 Freeradius Active Directory

> > You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:
> >
> > DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 10,
> >         Tunnel-Type = VLAN
> >
> > DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
> >         Tunnel-Medium-Type = IEEE-802,
> >         Tunnel-Private-Group-Id = 20,
> >         Tunnel-Type = VLAN
>
> The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a cleartext password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization?? Thanks for helping me better understand...
Re: Buy SSL Certificates for PEAP
> Hello! By default, OpenSSL uses PEM format, so if you didn't specify a certificate format of DER, then it's a PEM-encoded cert. If you look at the cert in a text viewer/editor, you'll see lines that have -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- if it's PEM encoded.

The certificate is in PEM format. Isn't there anybody that can verify how the eap.conf file should be?

tls {
        # private_key_password = X
        # private_key_file = ${raddbdir}/certs/somecertificate.cer
        certificate_file = ${raddbdir}/certs/somecertificate.cer
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        # fragment_size = 1024
        # include_length = yes
        # check_crl = yes
        # check_cert_issuer = /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
        # check_cert_cn = %{User-Name}
        # cipher_list = DEFAULT
}
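Looking for the BEGIN/END lines settles PEM versus DER, but an eap.conf tls section also needs to know what the file holds: a certificate, a private key, both, and whether that key is encrypted (in which case private_key_password must be set). The checker below is an added example, not code from the thread or from FreeRADIUS. It recognises PEM by its envelope, verifies each block decodes to a complete DER SEQUENCE, classifies bare DER by the first inner tag, and runs on constructed placeholder DER that is not a real certificate or key.

```python
"""Added example (not from the thread): tell PEM from DER and list what a file
holds before pointing certificate_file / private_key_file at it.
The sample material below is constructed placeholder DER, not a real cert or key."""
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PEM_HEADER_RE = re.compile(rb"^[A-Za-z-]+: .*$", re.M)   # e.g. "Proc-Type: 4,ENCRYPTED"


def _der_outer(data):
    """Check that data is one complete DER SEQUENCE; return (ok, first inner tag)."""
    if len(data) < 2 or data[0] != 0x30:
        return False, None
    first = data[1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False, None
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if hdr + length != len(data):
        return False, None
    return True, (data[hdr] if length else None)


def describe(data):
    """Classify certificate/key material and summarise what is in it."""
    blocks = PEM_RE.findall(data)
    if blocks:
        labels, encrypted, malformed = [], False, []
        for raw_label, body in blocks:
            label = raw_label.decode("ascii")
            labels.append(label)
            legacy_encrypted = b"Proc-Type: 4,ENCRYPTED" in body
            if legacy_encrypted or label == "ENCRYPTED PRIVATE KEY":
                encrypted = True
            payload = b"".join(PEM_HEADER_RE.sub(b"", body).split())
            try:
                der = base64.b64decode(payload, validate=True)
            except binascii.Error:
                malformed.append(label)
                continue
            # a legacy-encrypted body is ciphertext, so only unencrypted bodies must be DER
            if not legacy_encrypted and not _der_outer(der)[0]:
                malformed.append(label)
        return {
            "format": "PEM",
            "blocks": labels,
            "has_cert": "CERTIFICATE" in labels,
            "has_key": any(l.endswith("PRIVATE KEY") for l in labels),
            "key_encrypted": encrypted,      # then private_key_password is needed
            "malformed": malformed,
        }
    ok, inner = _der_outer(data)
    if ok:
        # a certificate is SEQUENCE { SEQUENCE tbsCertificate ... };
        # PKCS#1 and PKCS#8 keys are SEQUENCE { INTEGER version ... }
        guess = {0x30: "certificate-like", 0x02: "key-like"}.get(inner, "other")
        return {"format": "DER", "guess": guess}
    return {"format": "unknown"}


def pem(label, der, headers=b""):
    """Wrap bytes in a PEM envelope (used here only to build the constructed samples)."""
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.b64encode(der) + b"\n-----END " + label + b"-----\n")


# Constructed samples: minimal DER shapes, not a usable certificate or key.
FAKE_CERT_DER = bytes.fromhex("3006300402020100")   # SEQUENCE { SEQUENCE { INTEGER } }
FAKE_KEY_DER = bytes.fromhex("3003020100")          # SEQUENCE { INTEGER 0 }
SAMPLE_BUNDLE = pem(b"CERTIFICATE", FAKE_CERT_DER) + pem(b"RSA PRIVATE KEY", FAKE_KEY_DER)
SAMPLE_ENCRYPTED_KEY = pem(b"RSA PRIVATE KEY", b"\xde\xad\xbe\xef",
                           b"Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")

if __name__ == "__main__":
    for name, blob in [("bundle", SAMPLE_BUNDLE), ("der cert", FAKE_CERT_DER),
                       ("encrypted key", SAMPLE_ENCRYPTED_KEY)]:
        print(name, describe(blob))
```

Run it on the file named in certificate_file: if the result has has_cert but not has_key, the server's private key has to come from somewhere else, and if key_encrypted is true the commented-out private_key_password line has to be filled in.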
Windows 2000 ignoring Access-Accept
Hello All. I'm having a rather odd problem and can no longer afford to bang my head on the desk. I have Freeradius 1.1.1 working for WinXP clients and Intermec CK30 bar code scanners using EAP-TLS authentication. The issue I'm having is with Win2k. According to my radius log an Access-Accept packet is being sent to the client, but the client seems to be ignoring it by continuing to send Access-Request packets. Maybe a fresh pair of eyes looking over my log will catch something I'm missing.

Again, the client is Win2k with SP4. Authentication method is EAP-TLS. The machine uses a Cisco Aironet 350 11b PCI card with the latest drivers. Freeradius is version 1.1.1. I have 16 of these systems that I need to get working. Any solution will get you a big hug ;o)

-Doug

Here's the output of Freeradius:

Ready to process requests.
rad_recv: Access-Request packet from host 172.18.138.20:1645, id=252, length=160
        User-Name = OIT07.plydex.decoma.com
        Framed-MTU = 1400
        Called-Station-Id = 0016.4631.fdb0
        Calling-Station-Id = 000b.5feb.e378
        Service-Type = Login-User
        Message-Authenticator = 0xfa2fc8d43ca72a7493037b4063809fdc
        EAP-Message = 0x0202001c014f495430372e706c796465782e6465636f6d612e636f6d
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 798
        NAS-IP-Address = 172.18.138.20
        NAS-Identifier = AP1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = OIT07.plydex.decoma.com, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module eap returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 252 to 172.18.138.20:1645
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x
        State = 0x7d80c12e86b5280fc6bbb43135d7a0f6
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.18.138.20:1645, id=253, length=262
        User-Name = OIT07.plydex.decoma.com
        Framed-MTU = 1400
        Called-Station-Id = 0016.4631.fdb0
        Calling-Station-Id = 000b.5feb.e378
        Service-Type = Login-User
        Message-Authenticator = 0x7b11ea00e1a1ef7ae92d8b85d32d1fad
        EAP-Message = 0x020300700d8000661603010061015d0301449c3941ac4e798194917f3a2ece3387637476b85e300b991aba12ab10cb2133201031998c0256343a7436ce53f69c84559c2c72bd37d5b85b246e4887ebcbbcf7001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 798
        State = 0x7d80c12e86b5280fc6bbb43135d7a0f6
        NAS-IP-Address = 172.18.138.20
        NAS-Identifier = AP1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
    rlm_realm: No '@' in User-Name = OIT07.plydex.decoma.com, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept
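A radiusd -X transcript of the kind pasted above is long, and the symptom described (an Access-Accept sent, then more Access-Requests from the same client) is easier to spot by machine. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the `rad_recv:` / `Sending ...` lines and their indented attribute dumps into packet events, pairs each request with the reply of the same id, and reports any station that starts a fresh EAP conversation (an Access-Request carrying no State attribute) after it has already been sent an Access-Accept. The transcript it runs on is constructed to follow the shape of the log above; the host names, MAC addresses and State values in it are made up.

```python
"""Added example (not from the thread): walk a radiusd -X transcript and flag a
station that opens a new EAP conversation after it was already sent an
Access-Accept, which is what a client that ignores the accept looks like.
The transcript below is constructed from the shape of the log above."""
import re

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")   # only the indented attribute dump


def parse_transcript(lines):
    """Turn the transcript into packet events: direction, code, id, attributes."""
    events, current = [], None
    for line in lines:
        m = RECV_RE.match(line)
        if m:
            current = {"dir": "in", "code": m.group(1), "id": int(m.group(3)), "attrs": {}}
            events.append(current)
            continue
        m = SEND_RE.match(line)
        if m:
            current = {"dir": "out", "code": m.group(1), "id": int(m.group(2)), "attrs": {}}
            events.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2).strip()
        elif line and not line[0].isspace():
            current = None            # first unindented line ends the attribute dump
    return events


def find_ignored_accepts(events):
    """(station, request id) for every fresh conversation (Access-Request without a
    State attribute) from a station that has already been sent an Access-Accept."""
    pending, accepted, findings = {}, set(), []
    for ev in events:
        station = ev["attrs"].get("Calling-Station-Id")
        if ev["dir"] == "in" and ev["code"] == "Access-Request":
            if station in accepted and "State" not in ev["attrs"]:
                findings.append((station, ev["id"]))
            pending[ev["id"]] = ev
        elif ev["dir"] == "out":
            request = pending.pop(ev["id"], None)
            if request is not None and ev["code"] == "Access-Accept":
                accepted.add(request["attrs"].get("Calling-Station-Id"))
    return findings


# Constructed transcript (made-up names, MACs and State values), not a real capture.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.20:1645, id=252, length=160
        User-Name = client01.example.test
        Calling-Station-Id = 00-11-22-33-44-55
        EAP-Message = 0x0202001c01636c69656e7430312e6578616d706c652e74657374
  Processing the authorize section of radiusd.conf
Sending Access-Challenge of id 252 to 192.0.2.20:1645
        EAP-Message = 0x010300060d20
        State = 0x00112233445566778899aabbccddeeff
Finished request 0
rad_recv: Access-Request packet from host 192.0.2.20:1645, id=253, length=262
        User-Name = client01.example.test
        Calling-Station-Id = 00-11-22-33-44-55
        State = 0x00112233445566778899aabbccddeeff
Sending Access-Accept of id 253 to 192.0.2.20:1645
        EAP-Message = 0x03040004
Finished request 1
rad_recv: Access-Request packet from host 192.0.2.20:1645, id=254, length=160
        User-Name = client01.example.test
        Calling-Station-Id = 00-11-22-33-44-55
        EAP-Message = 0x0202001c01636c69656e7430312e6578616d706c652e74657374
rad_recv: Access-Request packet from host 192.0.2.20:1645, id=7, length=160
        User-Name = client02.example.test
        Calling-Station-Id = 00-11-22-33-44-66
"""

if __name__ == "__main__":
    for station, req_id in find_ignored_accepts(parse_transcript(SAMPLE_LOG.splitlines())):
        print(f"{station}: new EAP conversation (id={req_id}) after Access-Accept")
```

On a real transcript the first finding is where to start reading: a restart right after the accept points at the client side (or at the access point dropping the accept), whereas a station that never reaches Access-Accept at all points at the TLS handshake.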
RE: PEAP MSCHAP2 Freeradius Active Directory
Are you suggesting that I do not use the MSCHAP module and use the ldap module to do the group lookup? If I use the LDAP module, that would mean stripping the user name because the user name will be in this format: domain\\username. Then in the radius config file I would have

ldap student {
}
ldap staff {
}

users file

DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type = LDAP1, Auth-Type := MSCHAP, Ldap-Group == Students
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10,
        Tunnel-Type = VLAN

DEFAULT NAS-Port-Type == Wireless-802.11, Autz-Type = LDAP2, Auth-Type := MSCHAP, Ldap-Group == Staff
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20,
        Tunnel-Type = VLAN

Does this config sound right or am I off? Thanks for the suggestion..

--- Chris Liles [EMAIL PROTECTED] wrote:
> I never thought about splitting the authentication and authorization between ntlm and ldap. I don't see why that wouldn't work, but I really have no idea. But that would be pretty slick; coupled with some hacked wrt54g's to support the VLANs, a pretty cheap enterprise-level solution!
>
> -- Chris Liles
>
> -----Original Message-----
> From: freeradius-users- [EMAIL PROTECTED] [mailto:freeradius- [EMAIL PROTECTED] On Behalf Of Neal S. Garber
> Sent: Wednesday, June 28, 2006 4:44 PM
> To: FreeRadius users mailing list
> Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
>
> > > You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:
> > >
> > > DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 10,
> > >         Tunnel-Type = VLAN
> > >
> > > DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
> > >         Tunnel-Medium-Type = IEEE-802,
> > >         Tunnel-Private-Group-Id = 20,
> > >         Tunnel-Type = VLAN
> >
> > The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a cleartext password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization?? Thanks for helping me better understand...