SMUX with FreeRadius

2006-09-21 Thread Kshitij Korde


Hi



I have integrated free radius server with NET-SNMP for monitoring the radius
server. Now the NET-SNMP daemon is detecting the radius server. If I run the
radius server in debug mode I get the following debug messages.





Module: Instantiated radutmp (radutmp)
 main: smux_password = "verysecret"
 main: snmp_write_access = no
inside oid_compare
inside smux_connect
SMUX connect try 1
inside smux_oid_dump
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password: verysecret
inside smux_oid_dump
SMUX register oid: 1.3.6.1.2.1.67.1.1.1.1
SMUX register priority: -1
SMUX register operation: 1
inside smux_oid_dump
SMUX register oid: 1.3.6.1.2.1.67.2.1.1.1
SMUX register priority: -1
SMUX register operation: 1
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
SMUX read start
SMUX read len: 12
SMUX message received type: 67 rest len: 4
SMUX_RRSP
SMUX_RRSP value: 0 errstat: 0
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.



I may be asking a silly question since I don't have any idea how SMUX
works.

What are the functionalities provided by the SMUX peer with respect to the
SNMP module?

Is there any mechanism wherein we can send a trap if the radius server
goes down?



Tech Mahindra, formerly Mahindra-British Telecom.




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-Problem

2006-09-21 Thread Florian Prester

K. Hoercher wrote:
> On 9/20/06, Florian Prester <[EMAIL PROTECTED]> wrote:
> > Also I have some questions about eap at all. How should it work
> > correctly? Because I see up to 10 Authentication-Requests until the
> > client is authenticated correctly. For example the client wants to do
> > EAP-PEAP (Windows-client), but the radius says EAP-NAK:
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP NAK
> >   rlm_eap: EAP-NAK asked for EAP-Type/peap
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns handled for request 231
> > modcall: leaving group authenticate (returns handled) for request 231
> >
> > Sending Access-Challenge ...
> > Finished request 231
> >
> > What does it mean? Can I tune the process?
>
> My guess would be, that your default_eap_type in eap.conf is not set
> to peap. So your supplicant (XP) is sending the NAK (not the server,
> it just logs that it got the NAK) to get the server to use peap.
> Depending on your needs you could change it. That's a normal part of
> EAP. As is the sending back and forth of Access-Requests and
> Access-Challenges to negotiate the details inherent to EAP.

OK - thanks. So I have to take a deeper look at the eap-process.
But, ...

> > Log:
> > rad_recv: Access-Request packet from host 131.188.4.190:2, id=35,
> > length=202
> > NAS-Port-Id = "2059/1"
> > Calling-Station-Id = "00-15-00-01-C0-D1"
> > Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
> > Service-Type = Framed-User
> > User-Name = "unrz06"
> > State = 0x...
> > EAP-Message = 0x...
> > NAS-Port-Type = Wireless-802.11
> > NAS-Identifier = "Trapeze"
> > NAS-IP-Address = 131.188.4.190
> > Message-Authenticator = 0x...
>
> The username looks like a machine name for .uni-erlangen.de. Do you
> intend to use machine authentication? If so, what does a successful
> request look like? Note, that it seems to only find matching DEFAULT
> entries, so peap would be impossible, as no User-Password is known to
> freeradius. Otherwise, you should check your XP setup to use the
> intended username/password credentials combo.

... no, that is not a machine name or something. This is a subsequent
request, after a password has been submitted.

looking at EAP-Message, Authenticator.. and so on.
But looking back at the full request:



rad_recv: Access-Request packet from host 131.188.4.190:2, id=35, length=202

  NAS-Port-Id = "2059/1"
  Calling-Station-Id = "00-15-00-01-C0-D1"
  Called-Station-Id = "00-0B-0E-15-3D-80:FAU-STAFF"
  Service-Type = Framed-User
  User-Name = "unrz06"
  State = 0x...
  EAP-Message = 0x...
  NAS-Port-Type = Wireless-802.11
  NAS-Identifier = "Trapeze"
  NAS-IP-Address = 131.188.4.190
  Message-Authenticator = 0x...
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 228
modcall[authorize]: module "preprocess" returns ok for request 228
modcall[authorize]: module "chap" returns noop for request 228
modcall[authorize]: module "mschap" returns noop for request 228
rlm_eap: EAP packet type response id 14 length 53
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 228
  users: Matched entry DEFAULT at line 12
modcall[authorize]: module "files" returns ok for request 228
rlm_ldap: - authorize
modcall[authorize]: module "ldap" returns ok for request 228
modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 228
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
  TLS_accept: SSLv3 read finished A
  (other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)
SSL Connection Established
rlm_eap: SSL error error::lib(0):func(0):reason(0)
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Login incorrect: [unrz06] (from client QRA-MX port 0 cli 00-15-00-01-C0-D1)
Sending Access-Reject of id 35 to 131.188.4.190 port 2
  EAP-Message = 0x040e0004
  Message-Authenticator = 0x
Finished request 228

I do not get the reason why this request is rejected!
Why does the module "eap" reject a request? How can I debug eap?

> regards
> K. Hoercher

Thanks and best
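The log above is the kind of output that is easiest to read per request rather than top to bottom. The following is an added example (not code from the thread or from the FreeRADIUS project): it groups the modcall lines of a radiusd -X log by request number and reports, for each request, the Auth-Type found, any EAP-NAK, the reply sent and the first module that returned "reject". SAMPLE_LOG is a constructed excerpt in the format of the log quoted above.

```python
"""Triage FreeRADIUS 1.x 'radiusd -X' output per request.

Added example, not code from the thread or from the FreeRADIUS project.
SAMPLE_LOG is a constructed excerpt in the format of the log quoted in
the thread, with an 'entering group' line added for request 231 so that
it is tracked as well.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
modcall: entering group authorize for request 228
modcall[authorize]: module "preprocess" returns ok for request 228
modcall[authorize]: module "mschap" returns noop for request 228
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 228
  users: Matched entry DEFAULT at line 12
modcall[authorize]: module "files" returns ok for request 228
modcall[authorize]: module "ldap" returns ok for request 228
modcall[authorize]: module "perl" returns ok for request 228
modcall: leaving group authorize (returns updated) for request 228
rad_check_password:  Found Auth-Type EAP
modcall: entering group authenticate for request 228
rlm_eap: EAP/peap
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 228
modcall: leaving group authenticate (returns reject) for request 228
auth: Failed to validate the user.
Sending Access-Reject of id 35 to 131.188.4.190 port 2
modcall: entering group authenticate for request 231
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
modcall[authenticate]: module "eap" returns handled for request 231
modcall: leaving group authenticate (returns handled) for request 231
Sending Access-Challenge of id 36 to 131.188.4.190 port 2
"""

ENTER = re.compile(r'^modcall: entering group (?P<section>\w+) for request (?P<req>\d+)$')
MODCALL = re.compile(r'^modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)"'
                     r' returns (?P<rcode>\w+) for request (?P<req>\d+)$')
AUTH_TYPE = re.compile(r'^rad_check_password:\s+Found Auth-Type (?P<type>\S+)$')
EAP_NAK = re.compile(r'^rlm_eap: EAP-NAK asked for EAP-Type/(?P<type>\S+)$')
SENDING = re.compile(r'^Sending (?P<reply>Access-\w+)')


def new_summary():
    return {"auth_type": None, "modules": [], "eap_nak": None, "reply": None}


def triage(log_text):
    """Return {request_id: summary} for every request seen in the log."""
    summaries = defaultdict(new_summary)
    current = None  # request that lines without a request number belong to
    for line in log_text.splitlines():
        line = line.rstrip()
        m = ENTER.match(line)
        if m:
            current = int(m.group("req"))
            summaries[current]  # record the request even without module lines
            continue
        m = MODCALL.match(line)
        if m:
            current = int(m.group("req"))
            summaries[current]["modules"].append(
                (m.group("section"), m.group("module"), m.group("rcode")))
            continue
        if current is None:
            continue
        m = AUTH_TYPE.match(line)
        if m:
            summaries[current]["auth_type"] = m.group("type")
            continue
        m = EAP_NAK.match(line)
        if m:
            summaries[current]["eap_nak"] = m.group("type")
            continue
        m = SENDING.match(line)
        if m:
            summaries[current]["reply"] = m.group("reply")
    return dict(summaries)


def rejecting_module(summary):
    """First (section, module) that returned 'reject', or None."""
    for section, module, rcode in summary["modules"]:
        if rcode == "reject":
            return (section, module)
    return None


if __name__ == "__main__":
    for req, summary in sorted(triage(SAMPLE_LOG).items()):
        print("request %d: Auth-Type=%s eap_nak=%s reply=%s rejected_by=%s" % (
            req, summary["auth_type"], summary["eap_nak"],
            summary["reply"], rejecting_module(summary)))
```

Run against a full radiusd -X capture, the "rejected_by" column separates requests rejected by a module (as request 228 above, where "eap" rejects in authenticate) from the normal challenge/response round trips that end in Access-Challenge.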

Re: Problem configuration eap-tls

2006-09-21 Thread listas
> Hi,
> 
> > rlm_eap_tls: Loading the certificate file as a chain
> > rlm_eap: SSL error error:02001002:system library:fopen:No such file or 
> > directory
> > rlm_eap_tls: Error reading Trusted root CA list
> > rlm_eap: Failed to initialize type tls
> 
> it cant load the certificate file. please post your eap.conf
> 
> alan

This is my eap.conf, I have omitted some comments

eap {
   default_eap_type = tls
   timer_expire = 60
   ignore_unknown_eap_types = no
   cisco_accounting_username_bug = no

   md5 {
   }

   leap {
   }

   gtc {
      #challenge = "Password: "
      auth_type = PAP
   }

   tls {
      private_key_password = **  # do I have to put the server pass phrase here?
      private_key_file = ${raddbdir}/certs/server_keycert.pem
      certificate_file = ${raddbdir}/certs/server_keycert.pem

      #  Trusted Root CA list
      CA_file = ${raddbdir}/certs/demoCA/cacert.pem

      dh_file = ${raddbdir}/certs/dh
      random_file = ${raddbdir}/certs/random

      fragment_size = 1024
      include_length = yes

      #   check_crl = yes
      #   check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
      #   check_cert_cn = %{User-Name}
      #   cipher_list = "DEFAULT"
   }

   #ttls {
   #   default_eap_type = md5
   #   copy_request_to_tunnel = no
   #   use_tunneled_reply = no
   #}

   peap {
      default_eap_type = mschapv2
      #   copy_request_to_tunnel = no
      #   use_tunneled_reply = no
      #   proxy_tunneled_request_as_eap = yes
   }

   mschapv2 {
   }
}
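The startup error in this thread ("fopen: No such file or directory" while reading the trusted root CA list) is a path problem, so the first check is whether every file the tls {} section points to actually exists. The following is an added example, not FreeRADIUS tooling: it extracts the *_file settings from a 1.x style eap.conf like the one above, expands ${raddbdir}, and reports which paths are missing, unreadable or empty. SAMPLE_CONF and the scratch directory built by demo() are constructed, with only the CA file left missing.

```python
"""Check that the files named in the tls {} section of eap.conf exist.

Added example, not FreeRADIUS tooling. It assumes the 1.x eap.conf layout
posted in the thread (a tls { } block with *_file settings and ${raddbdir}
references). SAMPLE_CONF and the scratch directory built by demo() are
constructed; only demoCA/cacert.pem is left missing.
"""
import os
import re
import tempfile

SAMPLE_CONF = """\
eap {
   default_eap_type = tls
   tls {
      private_key_password = PLACEHOLDER_PASSPHRASE
      private_key_file = ${raddbdir}/certs/server_keycert.pem
      certificate_file = ${raddbdir}/certs/server_keycert.pem
      #  Trusted Root CA list
      CA_file = ${raddbdir}/certs/demoCA/cacert.pem
      dh_file = ${raddbdir}/certs/dh
      random_file = ${raddbdir}/certs/random
      fragment_size = 1024
      include_length = yes
   }
}
"""

FILE_KEY = re.compile(r'^(?P<key>\w*_file)\s*=\s*(?P<value>\S+)')
VARIABLE = re.compile(r'\$\{(\w+)\}')


def tls_file_settings(conf_text):
    """Return {key: raw_value} for every *_file setting inside tls { ... }."""
    settings = {}
    in_tls = False
    depth = 0
    for line in conf_text.splitlines():
        stripped = line.split('#', 1)[0].strip()   # drop comments and blanks
        if not stripped:
            continue
        if not in_tls:
            if re.match(r'^tls\s*\{', stripped):
                in_tls, depth = True, 1
            continue
        depth += stripped.count('{') - stripped.count('}')
        if depth <= 0:
            break                                   # closing brace of tls {}
        m = FILE_KEY.match(stripped)
        if m:
            settings[m.group('key')] = m.group('value')
    return settings


def expand(value, variables):
    """Replace ${name} references with the values in 'variables'."""
    return VARIABLE.sub(lambda m: variables.get(m.group(1), m.group(0)), value)


def check_tls_files(conf_text, variables):
    """Return {key: (resolved_path, problem)}; problem is None when readable."""
    results = {}
    for key, raw in tls_file_settings(conf_text).items():
        path = expand(raw, variables)
        if not os.path.exists(path):
            problem = 'No such file or directory'
        elif not os.access(path, os.R_OK):
            problem = 'not readable by this user'
        elif os.path.getsize(path) == 0:
            problem = 'empty file'
        else:
            problem = None
        results[key] = (path, problem)
    return results


def demo():
    """Build a scratch raddb where only demoCA/cacert.pem is missing."""
    raddb = tempfile.mkdtemp(prefix='raddb-')
    certs = os.path.join(raddb, 'certs')
    os.makedirs(certs)
    for name in ('server_keycert.pem', 'dh', 'random'):
        with open(os.path.join(certs, name), 'w') as fh:
            fh.write('constructed placeholder content\n')
    return check_tls_files(SAMPLE_CONF, {'raddbdir': raddb})


if __name__ == '__main__':
    for key, (path, problem) in demo().items():
        print('%-17s %s: %s' % (key, path, problem or 'ok'))
```

Existence is only the first check; `openssl x509 -noout -in <file>` on the certificate and CA files confirms that they actually parse as PEM, and the check should be run as the user radiusd runs as, since a root-only readable key fails the same way.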


Re: Radius installation

2006-09-21 Thread anyuru francis
Hello,

I am installing freeRadius with Mysql5 and dialup admin on a freebsd 5.4 box.
I have done most of the configs, but dialup admin won't show the frame on the
right in the browser when I load it on the webserver.
 
 
Any help will be highly appreciated
 
Kind Regards
 
Francis


Rewriting reply attributes

2006-09-21 Thread Graham Beneke

Hi guys

Is there any way (in some post processing module perhaps) to rewrite the 
name of a reply attribute without changing the value.


One of the modules that I am using has the reply attribute 'hardwired' 
but it is returning the exact attribute value that I require.


The more elegant solution would be to make the module more customisable 
- which is something I plan to pursue on the devel list shortly.
But it would be really good if I can find a stop gap solution in the 
mean time.


--


 Graham Beneke
 Apolix Internet Services

E-Mail: [EMAIL PROTECTED] 
Cell: 082-432-1873 
Skype: grbeneke 
WEB: www.apolix.co.za 


Peap+TTLs and Ldap

2006-09-21 Thread Francisco Castanheiro
Hello,

I'm using freeradius to do the auth on a wireless network. My users are in a Ldap directory that have both NT-Password and UserPassword; I use ldap to auth linux users and samba+ldap to auth windows users.

I have PEAP and ttls set up in my config and some test users with clear password in the users file, plus the ldap users. I have no problems with ttls auth, both with ldap and "local" test users, but I can't say the same about peap. When I try to use peap to auth a "local" user it goes fine, but when the user is a ldap one it just fails. I have the map between ldap and radius attributes set up.

I think that my ldap NT hashes are correct because I can use them to auth my windows users with samba, but the only thing that I can see that differs between the two scenarios that I described is that ttls uses the "userpassword" attr and PEAP uses the NT-Password attr. And I know that peap works when the password is clear, because it works with the "local" test users.

Could some bad config cause this behavior? Or could it be some problem with my version of freeradius and my NT hashes?

I'm out of ideas. If my config or logs help I can post them.

Thanks for any help.

Regards

---
Francisco Castanheiro
Departamento de Informática
Faculdade de Ciências e Tecnologia - UNL
E-mail: [EMAIL PROTECTED]


Re: Default radiusd.conf and Auth-Type LDAP comment

2006-09-21 Thread Alan DeKok
Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> * the inner PAP authentication is "processed" by the ldap module in 
> which I don't need to define which password hashing method is used (I 
> use at least CRYPT _and_ MD5 in the same directory for historical 
> reasons)

  Version 2.0 has fixes that make it much easier to handle multiple
hashing types in the same LDAP database.

> * I don't need to have freeradius _read_ the passwords from the 
> directory: the DN identity defined in the ldap module can only have 
> auth and read access to radius entries but not to the passwords (which 
> in my point of view is more secure)

  If all you're doing is PAP, sure.  Most wireless deployments use
PEAP, and then people wonder why "bind as user" doesn't work.  It's
frustrating.

> Again, I might not have caught your meaning: Are you saying that in the 
> future the standards ldap module will be only an authorization module, 
> and that a new ldap_bind module could be used in the authenticate 
> section ?

  I think it's a good idea.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Default radiusd.conf and Auth-Type LDAP comment

2006-09-21 Thread Thibault Le Meur

> > While usually true, this assumption is a little confusing sometimes.
> > Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its
> > inside authentication protocol, a cleartext password is provided to
> > Freeradius which is then able to use a simple ldap bind exchange to
> > authenticate the user.
>
>   But you still can't force "Auth-Type := LDAP", because then the
> outer TTLS session will fail.

I don't need to... In the authorize section I get something like this:
authorize {
  eap
  files
  ldap
}

EAP being before files, it sets Auth-Type to EAP and when the files
module tries to force "Auth-Type = LDAP" (not ":=") it stays with
Auth-Type=EAP until the inside PAP phase is reached.

This is how it works (quite well) for me.

... but you've written a big part of the code so you already know
this... I might have not caught what you are saying.

>   I'm inclined to remove the LDAP "bind as user" entirely, or move it

Pity... that's the best setup I found in my case :-(

> to a completely separate "ldap_bind" module.  It's a major cause of
> problems, and it's rarely necessary.

Well, I find it very useful:

* the inner PAP authentication is "processed" by the ldap module in
which I don't need to define which password hashing method is used (I
use at least CRYPT _and_ MD5 in the same directory for historical
reasons)

* I don't need to have freeradius _read_ the passwords from the
directory: the DN identity defined in the ldap module can only have
auth and read access to radius entries but not to the passwords (which
in my point of view is more secure)

Again, I might not have caught your meaning: Are you saying that in the
future the standard ldap module will be only an authorization module,
and that a new ldap_bind module could be used in the authenticate
section ?


Regards,
Thibault

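The ordering argument in the post above rests on the difference between "=" and ":=" in the users file. The following is an added example, not FreeRADIUS code: a small model of those operator semantics applied to the authorize order eap, files, ldap, run once for the outer EAP-TTLS packet and once for the inner tunnelled PAP packet. The sample requests, the users-file entry and the module behaviour are constructed; rlm_eap is modelled as claiming the request only when it carries an EAP-Message and no Auth-Type is set yet, and rlm_ldap is simplified to a no-op in authorize.

```python
"""Model the FreeRADIUS pair operators behind the authorize ordering above.

Added example, not FreeRADIUS code. Assumed 1.x semantics of the three
users-file operators: '=' adds the attribute only if it is absent,
':=' sets it unconditionally (replacing an existing value), '+=' always
appends. rlm_eap is modelled as setting Auth-Type to EAP when the request
carries an EAP-Message and no Auth-Type is set yet; rlm_ldap is a
placeholder that sets nothing (a simplification for this demonstration).
"""


def apply_pair(pairs, attr, op, value):
    """Apply one 'attr op value' item to a list of (attr, value) tuples."""
    if op == '=':
        if not any(a == attr for a, _ in pairs):
            pairs.append((attr, value))
    elif op == ':=':
        pairs[:] = [(a, v) for a, v in pairs if a != attr]
        pairs.append((attr, value))
    elif op == '+=':
        pairs.append((attr, value))
    else:
        raise ValueError('unsupported operator %r' % (op,))
    return pairs


def get(pairs, attr):
    """Value of the first pair named attr, or None."""
    return next((v for a, v in pairs if a == attr), None)


def run_authorize(request, order, files_entry):
    """Walk the authorize section in 'order' and return the control list.

    request     : (attr, value) pairs from the Access-Request
    order       : module names in the order they appear in authorize {}
    files_entry : (attr, op, value) items of the matching users-file entry
    """
    control = []
    for module in order:
        if module == 'eap':
            # rlm_eap only claims the request if it carries an EAP-Message
            # and nobody set an Auth-Type before it.
            if get(request, 'EAP-Message') is not None:
                apply_pair(control, 'Auth-Type', '=', 'EAP')
        elif module == 'files':
            for attr, op, value in files_entry:
                apply_pair(control, attr, op, value)
        elif module == 'ldap':
            pass  # simplification: authorization only, sets no Auth-Type
        else:
            raise ValueError('unknown module %r' % (module,))
    return control


# Constructed sample requests: the outer EAP-TTLS packet and the inner
# tunnelled PAP packet that the server runs through authorize again.
OUTER_TTLS = [('User-Name', 'alice'), ('EAP-Message', '0x02...')]
INNER_PAP = [('User-Name', 'alice'), ('User-Password', 'secret')]
ORDER = ['eap', 'files', 'ldap']


def auth_type_with(op):
    """(outer, inner) Auth-Type when the users file says  DEFAULT Auth-Type <op> LDAP."""
    entry = [('Auth-Type', op, 'LDAP')]
    return (get(run_authorize(OUTER_TTLS, ORDER, entry), 'Auth-Type'),
            get(run_authorize(INNER_PAP, ORDER, entry), 'Auth-Type'))


if __name__ == '__main__':
    for op in ('=', ':='):
        outer, inner = auth_type_with(op)
        print('Auth-Type %s LDAP  -> outer: %s, inner: %s' % (op, outer, inner))
```

With "=" the outer packet keeps Auth-Type EAP and only the inner PAP packet gets LDAP, which is the behaviour described above; with ":=" the outer packet is forced to LDAP as well, which is the failure the reply warns about.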


Re: Users submitted password

2006-09-21 Thread Michael Gale


:( No ... further reading the MS-CHAP process points out that there is 
no password in the request.


Michael


Alan DeKok wrote:
> Michael Gale <[EMAIL PROTECTED]> wrote:
> > Should I be able to read the User-Password attribute in the authorize
> > section ?
>
>   Is there a password in the request?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog


--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


Re: Default radiusd.conf and Auth-Type LDAP comment

2006-09-21 Thread Alan DeKok
Thibault Le Meur <[EMAIL PROTECTED]> wrote:
> While usually true, this assumption is a little confusing sometimes. 
> Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its 
> inside authentication protocol, a cleartext password is provided to 
> Freeradius which is then able to use a simple ldap bind exchange to 
> authenticate the user.

  But you still can't force "Auth-Type := LDAP", because then the
outer TTLS session will fail.

  I'm inclined to remove the LDAP "bind as user" entirely, or move it
to a completely separate "ldap_bind" module.  It's a major cause of
problems, and it's rarely necessary.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread A.L.M. Buxey
Hi,
> 
> > We are having some difficulties getting MS Vista RC1 build 
> > (5600) to work with our Freeradius server using 802.1x. Has 
> > anyone been able to get this to work?
> 
> PEAP-MSChapv2 does not work for us. EAP-TLS does. Not had a chance to look
> any further into it yet though.

they haven't used PEAPv1/PEAPv2 in Vista by any chance? :-|

whilst checking the behaviour of vista is reasonable, it's still only
a release candidate. many things could change before final release...and
even afterwards - just look at the WinXP supplicant for example :-)

alan


Re: Problem configuration eap-tls

2006-09-21 Thread A.L.M. Buxey
Hi,

> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or 
> directory
> rlm_eap_tls: Error reading Trusted root CA list
> rlm_eap: Failed to initialize type tls

it cant load the certificate file. please post your eap.conf

alan


rlm_ldap and 'unencrypted' connections

2006-09-21 Thread Thibault Le Meur

In doc/rlm_ldap I've read:

#   identity: DN under which LDAP searches are done
#   password: password which authenticates this DN
#   default: anonymous bind, no password required
#   NOTE: searches are done now over unencrypted connection!


I'm especially concerned about the 'searches are done now over 
unencrypted connection!' sentence.


Does this mean that even if I use "start_tls = yes", searches will be 
performed unencrypted ?


If yes, isn't the following procedure a way to enforce encryption on 
searches ?

* do not use "start_tls = yes"
* use "port = 636" and/or "tls_mode = yes"
* have your ldap server reply only to port 636 in ldaps.

Thanks in advance,
Thibault



Re: Users submitted password

2006-09-21 Thread Alan DeKok
Michael Gale <[EMAIL PROTECTED]> wrote:
>   Should I be able to read the User-Password attribute in the authorize 
> section ?

  Is there a password in the request?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius Suse distro

2006-09-21 Thread Dunhill Satellite Systems


LeRoy DeVries wrote:
> Does the latest version (1.1.3) have the experimental modules that you had to 
> compile with in the old version 1.03 
>   
I removed the Suse (10.1) version completely and installed
Freeradius 1.1.2 by hand.
Since then I have no (real) problems with freeradius anymore.

Arjan
-- 

==
*Dunhill Systems*, USA,
The Satellite Specialists for the Carribean
UnaSat, Nera, Idirect and Direcway Certified Installers
Phone: 352-437-1026

*Brant Systems*, Dominican Republic
Registered at INDOTEL
Phone: 809-437-8005

Visit our website at: http://www.dunhill.ws



Default radiusd.conf and Auth-Type LDAP comment

2006-09-21 Thread Thibault Le Meur

Hi,

This is just a comment on the default radiusd.conf provided information.

In the authenticate section of the default radiusd.conf I can read 
about "Auth-Type LDAP":


   # Note that this means "check plain-text password against
   # the ldap database", which means that EAP won't work,
   # as it does not supply a plain-text password.


While usually true, this assumption is a little confusing sometimes. 
Indeed, when EAP-TTLS uses PAP (not an EAP protocol I know) as its 
inside authentication protocol, a cleartext password is provided to 
Freeradius which is then able to use a simple ldap bind exchange to 
authenticate the user.


Could we replace it with something like this:

   # Note that this means "check plain-text password against
   # the ldap database", which means that most EAP types won't work
   # as they do not supply a plain-text password (unless you use a
   # composite EAP scheme with an inner cleartext-enabled protocol
   # such as EAP-TTLS/PAP)


But this is a little tricky...

Or more simply:

   # Note that this means "check plain-text password against
   # the ldap database", which means that most EAP types won't work
   # as they do not supply a plain-text password
   # (an exception being EAP-TTLS with inner PAP authentication)


The second one could be less confusing for people trying to setup 
EAP-TTLS/PAP on ldap directories but of course this is not a big deal...


Thibault



RE: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread David Mitton
Be aware that the EAP subsystem in Vista has been totally re-architected.

There are new APIs and legacy module support.
Anything could go wrong.

Dave.

> - Original Message -
> From: "Dourty, Brian R. (IATS)" <[EMAIL PROTECTED]>
> To: "FreeRadius users mailing list" 
> Subject: RE: MS Vista RC1 and Freeradius 802.1x 
> Date: Thu, 21 Sep 2006 10:59:48 -0500
> 
> 
> I haven't spent a lot of time debugging the problem yet, but out of the
> box Vista doesn't work with our 802.1x/PEAP/MSChapV2 config we have been
> using successfully on WinXP.
> 
> Brian Dourty
> 
>



RE: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Dourty, Brian R. \(IATS\)
I haven't spent a lot of time debugging the problem yet, but out of the
box Vista doesn't work with our 802.1x/PEAP/MSChapV2 config we have been
using successfully on WinXP.

Brian Dourty

> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED] [mailto:freeradius-
> [EMAIL PROTECTED] On Behalf Of
> Alan DeKok
> Sent: Thursday, September 21, 2006 9:54 AM
> To: FreeRadius users mailing list
> Subject: Re: MS Vista RC1 and Freeradius 802.1x
> 
> "Dourty, Brian R. \(IATS\)" <[EMAIL PROTECTED]> wrote:
> > We are having some difficulties getting MS Vista RC1 build (5600) to
> > work with our Freeradius server using 802.1x. Has anyone been able to
> > get this to work?
>
>   Not that I've heard.
>
>   What problems are you having?
>
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



Problem configuration eap-tls

2006-09-21 Thread listas
Hello! I'm OrgacK and this is my first post. I'm trying to configure my own
radius server for my house but after a lot of attempts I haven't got it
working. I always obtain the same error:

Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
rlm_eap_tls: Error reading Trusted root CA list
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1897] Unknown module "eap".
radiusd.conf[1844] Failed to parse authenticate section.

I think the CA, server certificates and client certificates are created
correctly. I don't know what I can do; does anybody have any idea?

PS: Sorry, I'm Spanish and my English isn't very good.

Greetings


Users submitted password

2006-09-21 Thread Michael Gale

Hello,

	Should I be able to read the User-Password attribute in the authorize 
section ?


I tried printing out RAD_REQUEST{'User-Password'} but it is blank ...


--
Michael Gale

Red Hat Certified Engineer
Network Administrator
Pason Systems Corp.


Re: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Alan DeKok
"Dourty, Brian R. \(IATS\)" <[EMAIL PROTECTED]> wrote:
> We are having some difficulties getting MS Vista RC1 build (5600) to
> work with our Freeradius server using 802.1x. Has anyone been able to
> get this to work?

  Not that I've heard.

  What problems are you having?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Freeradius Suse distro

2006-09-21 Thread Peter Nixon
On Thu 21 Sep 2006 17:27, LeRoy DeVries wrote:
> On Wednesday 20 September 2006 22:39, Peter Nixon wrote:
> > On Thu 21 Sep 2006 04:50, LeRoy DeVries wrote:
> > > Does the latest version (1.1.3) have the experimental modules that you
> > > had to compile with in the old version 1.03
> >
> > I suggest you use my SUSE packages:
> > http://software.opensuse.org/download/network:/aaa/
> >
> > Which modules are you looking for? If needed I can add them.
> >
> > Cheers
>
> Thanks.. I will be using Radius for AUTH against MYSQL/phpMyPrePaid using
> Chillispot Wi-Fi.  When I 1st did this using radius1.03 I had to do the
> following:
>
> ./configure --with-experimental-modules
>
> Not sure all what was in the modules but suspect it had to do with
> accounting (ie:sql_rlm)

The sql modules are enabled by default.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



RE: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Matthew Balyuzi

> We are having some difficulties getting MS Vista RC1 build 
> (5600) to work with our Freeradius server using 802.1x. Has 
> anyone been able to get this to work?

PEAP-MSChapv2 does not work for us. EAP-TLS does. Not had a chance to look
any further into it yet though.

Matt Balyuzi
Imperial College London




Re: Freeradius Suse distro

2006-09-21 Thread LeRoy DeVries
On Wednesday 20 September 2006 22:39, Peter Nixon wrote:
> On Thu 21 Sep 2006 04:50, LeRoy DeVries wrote:
> > Does the latest version (1.1.3) have the experimental modules that you
> > had to compile with in the old version 1.03
>
> I suggest you use my SUSE packages:
> http://software.opensuse.org/download/network:/aaa/
>
> Which modules are you looking for? If needed I can add them.
>
> Cheers

After further research it looks like the module was rlm_sqlcounter

-- 
LeRoy DeVries
Certified Hughesnet Installer
Location: http://map.datastormusers.com/user2.cfm?user=1591
Web Page: http://www.rvfulltimer.com


Re: Freeradius Suse distro

2006-09-21 Thread LeRoy DeVries
On Wednesday 20 September 2006 22:39, Peter Nixon wrote:
> On Thu 21 Sep 2006 04:50, LeRoy DeVries wrote:
> > Does the latest version (1.1.3) have the experimental modules that you
> > had to compile with in the old version 1.03
>
> I suggest you use my SUSE packages:
> http://software.opensuse.org/download/network:/aaa/
>
> Which modules are you looking for? If needed I can add them.
>
> Cheers

Thanks.. I will be using Radius for AUTH against MYSQL/phpMyPrePaid using 
Chillispot Wi-Fi.  When I 1st did this using radius1.03 I had to do the 
following:

./configure --with-experimental-modules

Not sure all what was in the modules but suspect it had to do with accounting 
(ie:sql_rlm)

LeRoy


MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Dourty, Brian R. \(IATS\)
We are having some difficulties getting MS Vista RC1 build (5600) to
work with our Freeradius server using 802.1x. Has anyone been able to
get this to work?

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035




Re: What kind of error in client-cert using EAP?

2006-09-21 Thread Thibault Le Meur

Hi,

> it works now. Thanks Thibault, you saved my day, again! :-)

You're welcome

> > - the extension SubjectAltName must contain the Netbios name of the
> > PC (I think)
>
> This had no meaning in my tests. Anyway, there must be chosen a type
> of that field. Did you take DNS-Name, Email or Raw?

I use DNS-Name

> I took now DNS-Name, but in another case there was an email in that
> field and the systems authenticate without problems. So I think you
> can leave this field out.

Ok.

> > I've seen that you integrate the emailaddress in the subject (an
> > option in TinyCA): can you disable this ?
>
> Yupp, this was the mistake. It is somehow on by default. I switched
> it off and created new certs as you wrote and the XP Machine works
> now too. Hell, I'm gonna print your mail and hang it in front of me.

The problem is that Microsoft doesn't describe exactly how certificates
must be generated in order to have host authentication nor how the EAP
request is made (using host/Netbios-name as the identity). This is
because (I presume), they want us to use IAS and their certificate
management software.

> > This is ok, but are the certificates _exactly_ generated in the same way ?
>
> Obviously not. As I made the same mistake over and over again. I have
> now only the problem of one W2K Machine, not even asking the
> Radius-Server.

I'm not sure this will be an issue on the radius server.

> I assume it's some kind of incompatibility of drivers or NIC.

I don't think so. I think it's Windows XP that doesn't recognize the
host certificate as a valid one because its "subject" doesn't match
exactly the netbios name of the host.

> Thanks for your help:
>
> Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif

Thanks, could you send me a fridge as well to keep them fresh... It's
hot in my office today ;-).

Thibault.




Re: What kind of error in client-cert using EAP?

2006-09-21 Thread Alexandros Gougousoudis

Hi,

Thibault Le Meur wrote:
> Alexandros do you confirm that you are not trying to authenticate the
> user, but only the host at boot time ?

Exactly. The hosts need to be authenticated; we simply do that to protect
the Ethernet ports of the switch. Our students plug in their equipment
otherwise (like a WLAN-AP) and endanger our net.


cu
 Alex


--
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint facility of the Kunsthochschule Berlin-Weissensee, the Hochschule
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst
Busch".


Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445




Re: Freeradius + Cisco VoIP

2006-09-21 Thread Ali Majdzadeh
Hi Gef
I solved the problem through C and rlm_modules.
Anyway, Thanks a lot.
 
Regards 
On 9/21/06, Geoffrey Cauchi <[EMAIL PROTECTED]> wrote:
> Hello Ali
>
> I do not know whether you managed to solve your issue, however using a perl
> script, the format to send these AV Pairs is:
>
> #!/usr/bin/perl
> # each line is one reply item for rlm_exec; the trailing comma
> # separates the items of the list
> print "Cisco-AVPair += \"h323-return-code=0\",\n";
> print "Cisco-AVPair += \"h323-credit-amount=30\",\n";
> print "Cisco-AVPair += \"h323-credit-time=200\"\n";
> exit(0);
>
> And now the script works.
>
> Obviously the h323-credit-time and h323-credit-amount need to be calculated
> in real time, but the above can be used as a test to allow you to utilise
> the cisco TCL script with freeradius
>
> Hope this helps
> Gef
>
> From: freeradius-users-bounces+agcauchi=[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Ali Majdzadeh
> Sent: 07 September 2006 10:06
> To: FreeRadius users mailing list; [EMAIL PROTECTED]
> Subject: Re: Freeradius + Cisco VoIP
>
> Hi Alan
> I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP
> gateway. But I have another problem.
> I am using rlm_example to develop a module to handle VoIP stuff.
> My question is, how should I pack and send those AV pairs expected by the
> gateway? For example, in example_authenticate function, I should return a
> number of AV pairs to the gateway in order to authenticate the user. How
> should I do that?
> Best Regards
> Ali
>
> On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > > Can anyone provide a sample config of the AV Pairs required by a cisco VoIP
> > > gateway to accept a user?
> >
> >   See the NAS documentation.
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com - The web site of the book
> >   http://deployingradius.com/blog/ - The blog

Re: What kind of error in client-cert using EAP?

2006-09-21 Thread Alexandros Gougousoudis

Hi,

it works now. Thanks Thibault, you saved my day, again! :-)

- the extension SubjectAltName must contain the Netbios name of the PC 
(I think)


This had no meaning in my tests. Anyway, a type must be chosen for 
that field. Did you take DNS-Name, Email or Raw? I took DNS-Name now, 
but in another case there was an email in that field and the system 
authenticates without problems. So I think you can leave this field out.


I've seen that you integrate the emailaddress in the subject (an option 
in TinyCA): can you disable this ?


Yupp, this was the mistake. It is somehow on by default. I switched it 
off and created new certs as you wrote, and the XP machine works now too. 
Hell, I'm gonna print your mail and hang it in front of me.



This is ok, but are the certificates _exactly_ generated in the same way ?


Obviously not, as I made the same mistake over and over again. I now 
only have the problem of one W2K machine, which doesn't even ask the Radius server. 
I assume it's some kind of incompatibility of drivers or NIC.


Thanks for your help:

Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif

cu
 Alex


--
ServiceCenter IT - Alexandros Gougousoudis (Head)

Joint institution of the Kunsthochschule Berlin-Weissensee, the Hochschule 
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst 
Busch".


Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445




Re: freeradius stops with hostapd

2006-09-21 Thread K. Hoercher

Hi,

uh not sure, but you seem to have mixed up the installation by using
the .deb (most prominent change: uses /etc/freeradius as configuration
place) and having some libraries lying around in

 main: libdir = "/usr/local/lib"

probably from building and installing from the tarball.

I'm not sure if that contributes to the problem, but it would be
easier (at least for me) to spot something if you talk about/show logs
from a clean and consistent environment.

On 9/21/06, Michał Prochaczek <[EMAIL PROTECTED]> wrote:


Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1:1036, id=1,
length=79
Acct-Status-Type = Accounting-Off
Acct-Authentic = RADIUS
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "localhost"
Called-Station-Id = "00-04-47-50-1A-1F:test"
Acct-Terminate-Cause = NAS-Reboot
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 0


Which version of hostapd is that? Perhaps it might be useful to forego
the accounting (comment out the lines auth_server_* in hostapd.conf)
for the moment and check if the remaining parts work.

hth
K. Hoercher



freeradius stops with hostapd

2006-09-21 Thread Michał Prochaczek
Hi

I am trying to set up freeradius + hostapd on Debian.


I have installed freeradius from the .deb testing package and then from
.tar (1.1.3)


In init.d freeradius starts first and then hostapd is started.


Immediately after hostapd is started freeradius disappears from the process
list.
I have tested running freeradius manually and then starting hostapd.
The result is the same.
Changing the starting order makes freeradius survive a few minutes, probably
until the first request is sent from hostapd.


The only message I got in log file is: 


Tue Sep 19 21:53:26 2006 : Info: Using deprecated naslist file. 
Support for this will go away soon. 
Tue Sep 19 21:53:26 2006 : Info: rlm_exec: Wait=yes but no output 
defined. Did you mean output=none? 
Tue Sep 19 21:53:26 2006 : Info: rlm_eap_tls: Loading the certificate 
file as a chain 
Tue Sep 19 21:53:26 2006 : Info: Ready to process requests. 
Tue Sep 19 21:55:30 2006 : Error: WARNING: Unresponsive child (id 
3073981360) for request 0 


Or another version: 


Tue Sep 19 21:58:59 2006 : Info: Using deprecated naslist file. 
Support for this will go away soon. 
Tue Sep 19 21:58:59 2006 : Info: rlm_exec: Wait=yes but no output 
defined. Did you mean output=none? 
Tue Sep 19 21:58:59 2006 : Info: rlm_eap_tls: Loading the certificate 
file as a chain 
Tue Sep 19 21:58:59 2006 : Info: Ready to process requests. 
Tue Sep 19 21:59:58 2006 : Error: Discarding duplicate request from 
client localhost:1029 - ID: 0 due to unfinished request 0 


in freeradius -X I get this output: 


Starting - reading configuration files ... 
reread_config:  reading radiusd.conf 
Config:   including file: /etc/freeradius/proxy.conf 
Config:   including file: /etc/freeradius/clients.conf 
Config:   including file: /etc/freeradius/snmp.conf 
Config:   including file: /etc/freeradius/eap.conf 
Config:   including file: /etc/freeradius/sql.conf 
 main: prefix = "/usr" 
 main: localstatedir = "/var" 
 main: logdir = "/var/log/freeradius" 
 main: libdir = "/usr/local/lib" 
 main: radacctdir = "/var/log/freeradius/radacct" 
 main: hostname_lookups = no 
 main: max_request_time = 30 
 main: cleanup_delay = 5 
 main: max_requests = 1024 
 main: delete_blocked_requests = 0 
 main: port = 0 
 main: allow_core_dumps = no 
 main: log_stripped_names = no 
 main: log_file = "/var/log/freeradius/radius.log" 
 main: log_auth = no 
 main: log_auth_badpass = no 
 main: log_auth_goodpass = no 
 main: pidfile = "/var/run/freeradius/freeradius.pid" 
 main: bind_address = 127.0.0.1 IP address [127.0.0.1] 
 main: user = "freerad" 
 main: group = "freerad" 
 main: usercollide = no 
 main: lower_user = "no" 
 main: lower_pass = "no" 
 main: nospace_user = "no" 
 main: nospace_pass = "no" 
 main: checkrad = "/usr/sbin/checkrad" 
 main: proxy_requests = yes 
 proxy: retry_delay = 5 
 proxy: retry_count = 3 
 proxy: synchronous = no 
 proxy: default_fallback = yes 
 proxy: dead_time = 120 
 proxy: post_proxy_authorize = no 
 proxy: wake_all_if_all_dead = no 
 security: max_attributes = 200 
 security: reject_delay = 1 
 security: status_server = no 
 main: debug_level = 0 
read_config_files:  reading dictionary 
read_config_files:  reading naslist 
Using deprecated naslist file.  Support for this will go away soon. 
read_config_files:  reading clients 
read_config_files:  reading realms 
radiusd:  entering modules setup 
Module: Library search path is /usr/local/lib 
Module: Loaded exec 
 exec: wait = yes 
 exec: program = "(null)" 
 exec: input_pairs = "request" 
 exec: output_pairs = "(null)" 
 exec: packet_type = "(null)" 
rlm_exec: Wait=yes but no output defined. Did you mean output=none? 
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt" 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes 
 mschap: require_encryption = no 
 mschap: require_strong = no 
 mschap: with_ntdomain_hack = no 
 mschap: passwd = "(null)" 
 mschap: ntlm_auth = "(null)" 
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no 
 unix: passwd = "(null)" 
 unix: shadow = "/etc/shadow" 
 unix: group = "(null)" 
 unix: radwtmp = "/var/log/freeradius/radwtmp" 
 unix: usegroup = no 
 unix: cache_reload = 600 
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "peap" 
 eap: timer_expire = 60 
 eap: ignore_unknown_eap_types = no 
 eap: cisco_accounting_username_bug = no 
rlm_eap: Loaded and initialized type md5 
rlm_eap: Loaded and initialized type leap 
 gtc: challenge = "Password: " 
 gtc: auth_type = "PAP" 
rlm_eap: Loaded and initialized type gtc 
 tls: rsa_key_exchange = no 
 tls: dh_key_exchange = yes 
 tls: rsa_key_length = 512 
 tls: dh_key_length = 512 
 tls: verify_depth = 0 
 tls: CA_path = "(null)" 
 tls: pem_file_type = yes 
 tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem" 
 tls: certificate_file = "/etc/freer

Re: What kind of error in client-cert using EAP?

2006-09-21 Thread Thibault Le Meur



I don't know if my chiming in will make a difference or not.

But windows can authenticate with a machine certificate or a user 
certificate


If you're doing the machine certificates, please say so, I'm a little 
confused as to what exactly you are doing now.


I don't know if you're asking this to me or to Alexandros.

The setup I propose corresponds to a machine authentication (Windows XP 
authenticates automatically at startup time) and not to a user 
authentication.


The complete setup is explained in this previous post 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg28499.html


I thought this was Alexandros's case as well as he wrote:
"I do only a machine-authentication, every machine which has a valid 
cert can connect to the network... I write the explicit hostname in the 
users file"


Alexandros do you confirm that you are not trying to authenticate the 
user, but only the host at boot time ?


Thibault



RE: Freeradius + Cisco VoIP

2006-09-21 Thread Geoffrey Cauchi
Hello Ali

I do not know whether you managed to solve your issue, however using a perl
script, the format to send these AV Pairs is:

#!/usr/bin/perl
# One Cisco-AVPair per line; every line except the last ends in a comma.
print "Cisco-AVPair += \"h323-return-code=0\",\n";
print "Cisco-AVPair += \"h323-credit-amount=30\",\n";
print "Cisco-AVPair += \"h323-credit-time=200\"\n";
exit(0);

And now the script works.  

Obviously the h323-credit-time and h323-credit-amount need to be calculated
in real time, but the above can be used as a test to allow you to utilise
the cisco TCL script with freeradius.

Hope this helps

Gef

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Ali Majdzadeh
Sent: 07 September 2006 10:06
To: FreeRadius users mailing list; [EMAIL PROTECTED]
Subject: Re: Freeradius + Cisco VoIP

Hi Alan
I replied Geoffrey with all I knew about AV pairs expected by a Cisco VoIP
gateway. But I have another problem.
I am using rlm_example to develop a module to handle VoIP stuff.
My question is, how should I pack and send those AV pairs expected by the
gateway?
For example, in example_authenticate function, I should return a number of
AV pairs to the gateway in order to authenticate the user. How should I do
that?

Best Regards
Ali
On 9/6/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
"Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> Can anyone provide a sample config of the AV Pairs required by a cisco
VoIP
> gateway to accept a user? 

  See the NAS documentation.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




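As an added example (not Gef's script above, and not part of any FreeRADIUS release), here is a version of the rlm_exec script that computes the h323 credit values at run time instead of hard-coding them. It assumes rlm_exec is configured with input_pairs = request, so the request attributes arrive on stdin as "Attribute = value" lines; the balance table and tariff are constructed stand-ins for a billing database, and h323-credit-time is assumed to be in seconds.

```perl
#!/usr/bin/perl
# Added example, not the script from the posting: compute the h323
# credit pairs at run time instead of hard-coding them.
use strict;
use warnings;

# Assumption: rlm_exec runs this with input_pairs = request, so the
# request attributes arrive on stdin as lines of  Attribute = "value".
my %req;
while (my $line = <STDIN>) {
    next unless $line =~ /^\s*([\w-]+)\s*=\s*(.*?)\s*$/;
    my ($attr, $value) = ($1, $2);
    $value =~ s/^"(.*)"$/$1/;           # strip surrounding quotes
    $req{$attr} = $value;
}

# Constructed sample data standing in for the billing database:
# balance in cents per account, and the tariff in cents per minute.
my %balance_cents = (alice => 3000, bob => 0);
my $rate_cents_per_minute = 15;

my $user = defined $req{'User-Name'} ? $req{'User-Name'} : '';

# Validate the account name before using it as a lookup key, and never
# copy an unvalidated request value into the output: radiusd parses
# everything this script prints as attribute pairs.
unless ($user =~ /^[A-Za-z0-9._-]{1,64}$/ && exists $balance_cents{$user}) {
    exit 1;     # non-zero exit: rlm_exec rejects the request
}

my $cents = $balance_cents{$user};
# Whole minutes the caller can afford at the tariff, expressed in seconds.
my $credit_seconds = int($cents / $rate_cents_per_minute) * 60;
exit 1 if $credit_seconds <= 0;        # no credit left: reject

# Same output format as the posting: one pair per line, with a comma
# after every line except the last.
print "Cisco-AVPair += \"h323-return-code=0\",\n";
printf "Cisco-AVPair += \"h323-credit-amount=%d.%02d\",\n",
    int($cents / 100), $cents % 100;
print "Cisco-AVPair += \"h323-credit-time=$credit_seconds\"\n";
exit 0;
```

For the constructed account "alice" (3000 cents at 15 cents per minute) the script prints a credit amount of 30.00 and a credit time of 12000 seconds; "bob" has no balance and is rejected with exit code 1.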


Re: How to get FreeRadius 2.0.0 pre version???

2006-09-21 Thread Nicolas Baradakis
Trymp wrote:

> I want to get FreeRadius 2.0.0 pre version.
>
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout module-name
>
> what is module-name??

Please no HTML to the list.

The module name is "radiusd".

-- 
Nicolas Baradakis
