Re: Is there a simple way to restrict a user in the 'users' file to access only a specific ip addr/device?

2007-01-17 Thread Peter Nixon
Ahh. yes. Ignore my reply. I neglected to read the history and assumed that 
you wanted to restrict which network devices certain groups of users should 
be able to access AFTER they are connected.

-Peter

On Tue 16 Jan 2007 12:00, Jan Mulders wrote:
> Hoping to be more helpful here, I know how to implement this functionality
> in freeradius, but only when using a mysql database backend (which is a
> good idea for most setups using more than about 20 users).
>
> I am assuming you want to control user logins to multiple NASes and this
> is what you meant by "user 'x' can only login to IP addr 'y' and /or 'z'".
> If you need to just filter traffic based on real network devices, for
> example where Y and Z are IP addresses on your network, you can safely
> ignore my first radgroupcheck entry below that restricts NAS choice.
> If you get a standard mysql setup working, all you need to do is add the
> user's password to radcheck (for table names "username,attribute,op,value"
> you should have "bobengineer,User-Password,==,nortel"), and add the user
> to a group in radgroup (username, group = bobengineer,engineers). Then you
> can set group-specific policies by putting entries in radgroupcheck and
> radgroupreply, such as...:
>
> radgroupcheck: [groupname,attribute,op,value]
> engineers,NAS-IP-Address,==,11.22.33.44   (all engineers connecting must
> do so from the NAS with IP address 11.22.33.44)
> engineers,Pool-Name,==,engineers_pool   (all engineers connecting will be
> assigned an IP from the 'engineers' IP pool, which means you can firewall
> them off using IPTables (or the Shorewall frontend to iptables, which I
> recommend using) or something similar)
>
> Basically this provides you with both tools you will need - the ability to
> restrict where users can log into, and the ability to restrict what IP
> address users receive. You'll need to set up rlm_ippool to automatically
> assign IPs, and you'll want to make sure your NAS devices send accounting
> packets (accounting start/stop are important - also if accounting stop's
> aren't sent, you'll run out of IP addresses).
>
> Hope this is a little more helpful than the usually flippant replies on
> the mailing list, I was in the same boat before too :-)
>
> thanks,
>
> Jan
>
> On 16/01/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
> > Yep. Its called a firewall...
> >
> > -Peter
> >
> > On Tue 02 Jan 2007 20:39, Ellis, Scott 1 (N-Comptel Inc.) wrote:
> > >  I am using PAM for auth-type in my users file. Is there a simple way
> > > to say that user 'x' can only login to IP addr 'y' and /or 'z'? I have
> > > groups of engrs, admins, and operators and need to discriminate who
> > > can access which device
> > >
> > > Scott
> > >
> > > -Original Message-
> > > From: Ellis, Scott 1 (N-Comptel Inc.)
> > > Sent: Tuesday, January 02, 2007 11:40 AM
> > > To: 'FreeRadius users mailing list'
> > > Cc: Ellis, Scott 1 (N-Comptel Inc.)
> > > Subject: RE: How to restrict users /PAM to specific NAS devices??
> > >
> > > I have looked it over, but I am still not clear. I was thinking that I
> > > could use huntgroups to map devices to specific groups, but then I am
> > > not clear on how to restrict users ('users' file) to those groups. I
> > > know this has probably been done most everywhere in one form or
> > > another. Any examples that show the actual entries in the approp.
> > > files?
> > >
> > > Thanks,
> > > Scott
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> > > Sent: Tuesday, January 02, 2007 9:43 AM
> > > To: FreeRadius users mailing list
> > > Subject: Re: How to restrict users /PAM to specific NAS devices??
> > >
> > > Ellis, Scott 1 (N-Comptel Inc.) wrote:
> > > > I am using PAM for Auth-Type.
> > > > I want to be able to either 1) restrict the devices the user has
> > > > access to (admins,operators, etc) by username and/or 2) preferably
> > > > carve into groups my network gear/NAS devices and then assign users
> > > > to groups.
> > >
> > >  See "man rlm_passwd".  Its documentation describes how to create
> > > groups like this.
> > >
> > >   Alan DeKok.
> > > --
> > >   http://deployingradius.com   - The web site of the book
> > >   http://deployingradius.com/blog/ - The blog
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Bypassing freeradius accounting?

2007-01-17 Thread Peter Nixon
On Wed 17 Jan 2007 00:12, Tas Dionisakos wrote:
> I have successfully setup a freeradius, mysql, chillispot.
>
> I'm just wondering if there is a way to allow free sites for my users,
> without radius accounting?
>
> I'm guessing that IP tables rules will do the job, as in allowing a subnet
> range to bypass accounting.
>
> Has anyone successfully done this before, maybe some IP tables rules?

Hi Tas

I guess you should ask this on the chillispot list

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread Peter Nixon
On Wed 17 Jan 2007 04:57, Long wrote:
> >Probably a file or directory has the wrong permissions. When you run in
> >debug with -X the server runs as root. When you run for real it changes
> >to user radiusd or whatever you set up.
> >
> >Try strace -e open,stat -f radiusd and look for EPERM line

Are all the log files in /var/log/radius writable by the user you are running 
radiusd as?

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Building from CVS

2007-01-17 Thread A . L . M . Buxey
Hi,
> I wanted to try the Pre2.0 release in the CVS to see if the TLS locking
> code fixed the problem I had with the SSL errors in PEAP.
>  
> I downloaded the snapshot from ftp.freeradius.org
> freeradius-server-snapshot-20070116.tar.bz2
> 
> I'm building on Debian, so I wanted to package it (Especially since it
> not really released code yet)
> 
> 
> I unzipped it, and ran 
> fakeroot dpkg-buildpackage -b -uc
> 
> It failed with:
> 
> checking how to run the C++ preprocessor... /lib/cpp
> configure: error: C++ preprocessor "/lib/cpp" fails sanity check
> See `config.log' for more details.
> make: *** [stamp-build] Error 1
> netdev:/tmp/freeradius-server-snapshot-20070116#
> 
> Config.log is as follows


do you have GCC plus all its other dependencies installed? looks like
configure can't find your compiler, link libraries or headers!

alan



Re: building 1.4 (CentOS 4.4) MYSQL 99% home

2007-01-17 Thread A . L . M . Buxey
Hi,
> Thanks to help from many folks here, tonight I got one property up and
> running on our new server. THANK YOU!
> 
> Now, another question. When I start radius with > radiusd or
> /usr/local/sbin/radiusd, I get a brief message "reading configuration
> file..."; then, doing >ps aux | grep radiusd returns nothing but my
> grep. If I start radius with >radiusd -X all runs smoothly. Clearly, I
> need to be able to start it in normal mode and be able to verify its
> process; what am I doing wrong here? Version 1.4.

read /var/log/radiusd/radiusd.log or wherever the log files go. possibly file
permissions - do you run as radiusd user? can the files be read by radiusd?

alan


Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread A . L . M . Buxey
Hi,
> Long wrote:
> >BTW - I have it configured in radiusd.conf to run under nobody:nobody.
> >
> >Andrew 
> >   
> 
> Hey Andrew,
> 
> I'm sure you've checked it, but was there anything interesting in 
> radius.log?  /var/log/messages?

and is the /var/log/radius directory writable by 'nobody' user?

alan


Re: Building from CVS

2007-01-17 Thread Nicolas Baradakis
King, Michael wrote:

> I unzipped it, and ran 
> fakeroot dpkg-buildpackage -b -uc
> 
> It failed with:
> 
> checking how to run the C++ preprocessor... /lib/cpp
> configure: error: C++ preprocessor "/lib/cpp" fails sanity check
> See `config.log' for more details.
> make: *** [stamp-build] Error 1

apt-get install g++

-- 
Nicolas Baradakis



EAP-TLS certificate question

2007-01-17 Thread kemas
Hi all,

I've installed freeradius-1.1.3, use it with an AP Aironet 1100 doing EAP-TLS
and it works very well.
I'm still confused about certificates: can all client certificates created
under one root CA be authenticated against a freeradius that was started
with a different server certificate?

Is it possible to set things up like this?

             root ca
           /    |    \
          /     |     \
         /      |      \
    server1  server2  server3
       |        |        |
    client1  client2  client3

I don't want client1 to be authenticated against server2 or server3.



thanks



Re: building 1.4 (CentOS 4.4) MYSQL 99% home [unclas]

2007-01-17 Thread Long

>Are all the log files in /var/log/radius writable by the user you are running 
>radiusd as?
>
Configured to run as nobody:nobody. chmod -R nobody:nobody 
/usr/local/var/log/radiusd allows me to run it as nobody now, but if I do 
"radiusd > radlog &" the radlog still only contains the first line "Starting - 
reading configuration files..." - although it does run and I can ps the 
process. Should I change permissions on all the other (/usr/local/etc/raddb..., 
/usr/local/share/freeradius...) files? I would very much appreciate a 
dir-by-dir listing of someone else's permissions, including the relevant 
libraries.

Is there anything wrong with my "radiusd > radlog &" (as root), considering I 
am including the "&" while the process drops to background anyway? And does the 
user need to have a real shell, as nobody is nologin?

-Andrew 
   


A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy

My configuration is:

[poptop pptpd & pppd][freeradius]-[Microsoft IAS][ADS]

pptpd is 1.3.3
pppd is 2.4.4
freeradius is 1.1.3

Clients come in from the internet and authenticate via MS IAS, but accounting
is done by freeradius.
All seems good. Clients connect OK. Auth and accounting seem OK too.

But, I have couple of questions 

1. Accounting of Calling-station-id returns only first 4 characters of
user's IP address.
I noticed that if some user enters using his remote IP like 77.122.215.143
the record of his Calling-Station-Id would be 

Calling-Station-Id = "1.77"

which are first 4 symbols of IP address in back order.

What's goin' wrong? I suppose that calling-station-id should be whole IP
address.

2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
attribute 25 of length 30:
0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
user21

But I know that these are

VALUE       Service-Type        Dialback-Framed-User    4

and

ATTRIBUTE  MS-CHAP2-Response   25  octets

as they are written in the dictionary file.
For the first case users can not login. Radius refuse them by wrong service
type.
In the second case users login OK but I want to know why there is an error anyway.

What is wrong here?

Thank for replies,
---
Oleg.




setting user profile depending on realms?

2007-01-17 Thread Markus Krause

Hi list!

We have an internal LAN with several VLANs, each corresponding to the  
unix group of the users. This VLAN information is stored in OpenLDAP  
(via radiusprofiledn), and that works :-)
But we want to give our users the possibility to get into a special  
VLAN, in particular one which is called "Internetcafe" (in which they  
can use "special services"). I thought of doing this by adding a realm  
to the username, so the users can either use "username" or  
"[EMAIL PROTECTED]" and get the appropriate VLAN. To do this I added the  
following line in /etc/raddb/users:


DEFAULT User-Name =~ "@ic$", User-Profile := "cn=InternetCafe,ou=VLAN,o=Testnet"


But this works only if i do not have a radiusprofiledn attribute in  
the users entry in OpenLDAP, otherwise it works.


Is there a way to override the userprofile given back by the  
freeradius if the user adds a "@ic" (or whatever realm) ?
Or is there even a better way to achieve this goal and I am thinking  
in a completely wrong direction?


Thanks in advance for any hints!

Regards
   Markus


--
Markus Krause   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98






Re: EAP-TLS certificate question

2007-01-17 Thread Alan DeKok
kemas wrote:
> Hi all,
> 
> I've install freeradius-1.1.3,use it with AP Aironet 1100 doing EAP-TLS
> and works very well.
> I still confuse about certificate, is all client certificate created
> under 1 root ca, can be authenticated against freeradius that started 
> with different server certificate?

  I haven't tried it, but it's possible, yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur
> 2. Radius does not understand some attributes from client.
> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received 
> unknown attribute 25 of length 30: 
> 0x333B0427013700010A1701C735C490B2116B014C
> b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service 
> type 4 for user21
> 
> But I know that these are
> 
> VALUE       Service-Type        Dialback-Framed-User    4
> 
> and
> 
> ATTRIBUTE  MS-CHAP2-Response   25  octets
> 
> as they are written in the dictionary file.

There must be a mistake in your /etc/radiusclient/dictionary file.

Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line
and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'
Check also the permissions on the dictionary files.

HTH,
Thibault




Re: A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Alan DeKok
Marxy wrote:
> 1. Accounting of Calling-station-id returns only first 4 characters of
> user's IP address.

  If that's what the RADIUS client is sending, then the only solution is
to fix the client so it sends the correct information.

> 2. Radius does not understand some attributes from client.
> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
> attribute 25 of length 30:

> 0x333B0427013700010A1701C735C490B2116B014C
> b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
> user21

  The client doesn't understand the response of the server.  Again, the
only solution is to fix the client.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to send tome clients to the same detail file

2007-01-17 Thread Angel L. Mateo
On Tue, 2006-11-07 at 18:29 -0500, Alan DeKok wrote:
> "Angel L. Mateo" <[EMAIL PROTECTED]> wrote:
> > But now I want to send all the logs for requests from a group of
> > clients (defined as a huntgroup) to the same files, and the request for
> > all other clients as now (classified with the IP address of the client).
> > Is there any way to redefine this files for a set of clients?
> 
>   Yes.  Define an attribute, and set it per-client.  Then use that
> attribute in the expansion of the detailfile.
> 

Hello,

After a lot of time, I have taken up this issue again. I want a group
of radius clients (defined in the same huntgroup) to log their requests
(detail and auth-detail files) to the same file. So I have redefined my
log files as:

detail {
  detailfile = ${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/detail-%Y%m%d
  detailperm = 0600
}

detail auth_log {
  detailfile = ${radacctdir}/%{Huntgroup-Name:-%{Client-IP-Address}}/auth-detail-%Y%m%d
  detailperm = 0600
}

So if I have a client defined in a huntgroup, it logs to the
huntgroup's log files and if not, it logs to a directory identified by its
client IP address.

My problem is that this is working fine for the auth-detail file, but
detail file is still logging individually, without using the
Huntgroup-Name variable.

Any idea?

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 968367590
Fax: 968398337



Re: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

2007-01-17 Thread Alan DeKok
Haas Florian wrote:
> The tricky part is that XP's
> supplicant, which supplies the username as "DOMAIN\\Username" while a user is
> logged on, supplies a username in the form of "host/computername.my.domain"
> otherwise -- this corresponds to the servicePrincipalName attribute on the
> machine's object in MSAD. This is of course a format that ntlm_auth can't deal
> with.

  Why not?  There's a reason that the ntlm_auth configuration is
editable in the mschap module.  Just edit it to do whatever you want.
If all else fails, replace ntlm_auth with a Perl script that looks at
the environment variables, and determines the proper arguments to use.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy

It seems there are no mistakes in the dictionary file. It is the standard one from the RH
distribution.
BTW, freeradius uses $INCLUDE, not INCLUDE as you advised.
With INCLUDE you will see something like
--
Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: dict_init:
/etc/raddb/dictionary[14] invalid keyword "INCLUDE"
--


Thibault LE MEUR wrote:
> 
> There must be a mistake in your /etc/radiusclient/dictionary file.
> 
> Check that you use a 'INCLUDE /etc/radiusclient/dictionary.microsoft' line
> and not a '$INCLUDE /etc/radiusclient/dictionary.microsoft'
> Check also the permissions ont he dictionary files.
> 




Re: A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy


Alan DeKok-4 wrote:
> 
> Marxy wrote:
>> 1. Accounting of Calling-station-id returns only first 4 characters of
>> user's IP address.
>   If that's what the RADIUS client is sending, then the only solution is
> to fix the client so it sends the correct information.
> 
My radius client is the standard radiusclient software.
But there seem to be no settings for that in its /etc/radiusclient/radiusclient.conf


Alan DeKok-4 wrote:
> 
>> 2. Radius does not understand some attributes from client.
>> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received unknown
>> attribute 25 of length 30:
> 
>   The client doesn't understand the response of the server.  Again, the
> only solution is to fix the client.
> 
Yes. You are quite right.
I added the missing attributes to the radiusclient dictionary file.
ATTRIBUTE   MS-CHAP2-Response   25  string  
ATTRIBUTE   Acct-Input-Packets  47  integer
ATTRIBUTE   Acct-Output-Packets 48  integer

And this problem has gone.


Alan DeKok-4 wrote:
> 
>> 0x333B0427013700010A1701C735C490B2116B014C
>> b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service type 4 for
>> user21
> 

The line that describes service-type 4 was already in radiusclient
dictionary file
VALUE   Service-TypeCallback-Framed-User4

But it does not help.



One question about Access-Request packet

2007-01-17 Thread Rafał Kamiński
Hi, i have one question:

Why, when I try to authenticate from a wifi laptop over the Linksys, does it
send this request:

rad_recv: Access-Request packet from host 192.168.1.245:3072, id=0,
length=119
User-Name = "rka"
NAS-IP-Address = 192.168.1.245
Called-Station-Id = "001217694588"
Calling-Station-Id = "0014a41e7112"
NAS-Identifier = "001217694588"
NAS-Port = 61
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000801726b61
Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464

Request without User-Password -> and that is problem with auth.

When I try to authenticate over the LAN, my PC sends this request:

rad_recv: Access-Request packet from host 10.44.3.15:62963, id=66, length=55
User-Name = "rka"
User-Password = "qazwsxedc"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0

And the auth. is correct.

Where is the problem? Maybe with Linksys? This is WPA54G.


Thanks a lot for help

BR,

-- 
Rafal Kaminski
http://blstream.com
email: [EMAIL PROTECTED]
jid: [EMAIL PROTECTED]


Freeradius and users with ADS domain

2007-01-17 Thread Marxy

I have this configuration

[poptop pptpd & pppd & radiusclient][freeradius+mysql]-[Microsoft
IAS][ADS] 

pptpd is 1.3.3 
pppd is 2.4.4 
freeradius is 1.1.3 
radiusclient is 0.3.2
mysql is 5.0.27


Clients come in from the internet and authenticate via MS IAS/ADS, but accounting
is done by freeradius, writing logs to a file and to the mysql DB.
All seems good. Clients connect OK. Auth and accounting seem OK too.

But some clients use domain with their user names.
For ex: user smith sends ORG\Smith as username.

Its accounting string appears like this in
/var/log/radius/radacct/NAS1/detail-20070117 file
--
User-Name = "ORG\\Smith"
---

But its accounting's UserName in the mysql DB (radacct table) appears as
---
ORG=5C=5C=5C=5CSmith
---


What's going wrong?

It would be an ideal situation if I could strip the domain from
users' names. I have only one domain in the net.
But in the common case I think it would be right to write the EXACT username
as it is sent by the user.
I mean if the user authorizes as ORG\Smith it seems like accounting should
be done AS

User-Name = "ORG\Smith" in the log file
and it should be
UserName='ORG\Smith' in the mysql database


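What the database shows is the SQL module's own escaping: rlm_sql rewrites every byte outside its safe-characters list as =XX (the byte's hex value), so one backslash (0x5C) becomes =5C. The following added example (editor's code, not FreeRADIUS's; SAFE_CHARACTERS is assumed to be the default safe-characters value from sql.conf, adjust it to your own setting) reproduces that escaping, reverses it, and compares the number of backslashes in the detail-file value with the number in the radacct row, which is the quickest way to see how many backslash bytes actually reached the SQL module.

```python
"""Reproduce rlm_sql's =XX escaping and use it to compare the User-Name
written to the detail file with the UserName stored in radacct.
Editor's example code, not FreeRADIUS's own; SAFE_CHARACTERS is the
default safe-characters value from sql.conf as assumed here."""

SAFE_CHARACTERS = ("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "0123456789.-_: /")
HEX_DIGITS = "0123456789abcdefABCDEF"


def sql_escape(value, safe=SAFE_CHARACTERS):
    """Escape like rlm_sql: any byte not in the safe list becomes =XX (hex)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x80 and chr(byte) in safe:
            out.append(chr(byte))
        else:
            out.append("=%02X" % byte)
    return "".join(out)


def sql_unescape(value):
    """Reverse sql_escape; a '=' not followed by two hex digits is kept as-is."""
    out = bytearray()
    i = 0
    while i < len(value):
        chunk = value[i + 1:i + 3]
        if value[i] == "=" and len(chunk) == 2 and all(c in HEX_DIGITS for c in chunk):
            out.append(int(chunk, 16))
            i += 3
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def detail_unquote(text):
    """Turn a quoted detail-file value such as "ORG\\Smith" back into the raw
    string: the detail writer escapes backslash, double quote, newline and tab."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        text = text[1:-1]
    escapes = {"\\": "\\", '"': '"', "n": "\n", "t": "\t", "r": "\r"}
    out = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in escapes:
            out.append(escapes[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def backslash_counts(detail_line, db_value):
    """Return (backslashes in the detail-file value, backslashes in the DB value)
    for one 'Attribute = "value"' detail line and the matching radacct column."""
    raw_detail = detail_unquote(detail_line.split("=", 1)[1].strip())
    raw_db = sql_unescape(db_value)
    return raw_detail.count("\\"), raw_db.count("\\")


# Constructed from the two values quoted in the message above.
DETAIL_LINE = 'User-Name = "ORG\\\\Smith"'   # the file shows ORG\\Smith
DB_VALUE = "ORG=5C=5C=5C=5CSmith"            # what radacct.UserName holds

if __name__ == "__main__":
    print("detail value escaped once:", sql_escape(detail_unquote('"ORG\\\\Smith"')))
    print("backslashes (detail, db):", backslash_counts(DETAIL_LINE, DB_VALUE))
```

Each =5C stands for exactly one backslash byte in the value as the SQL module received it, so the two counts tell you whether the extra backslashes were added before the module ran or by your own SQL queries.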


RE : RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur

> It seems no mistakes in dictionary file. It is standard one 
> from RH distribution. BTW, freeradius use $INCLUDE, not 
> INCLUDE as you advised. With INCLUDE you will see something like
> --
> Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary: 
> dict_init: /etc/raddb/dictionary[14] invalid keyword "INCLUDE"
> --

I'm talking about the radiusclient library's dictionaries, not the
Freeradius ones: the ones that can be found on your PopTop server, not the
Freeradius server.
Look at the path I wrote: it's not /etc/raddb/dictionary, but
/etc/radiusclient/dictionary.

The issue here, is that the radiusclient package doesn't come with the
necessary dictionaries.

So check on your PopTop server that the /etc/radiusclient/dictionary contains
an 'INCLUDE' and not '$INCLUDE' for the dictionary.microsoft file.

HTH,
Thibault





RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Thibault Le Meur


> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Marxy
> Sent: Wednesday, 17 January 2007 14:39
> To: freeradius-users@lists.freeradius.org
> Subject: Re: A couple of questions PoPToP+FreeRadius+IAS
> 
> 
> 
> 
> Alan DeKok-4 wrote:
> > 
> > Marxy wrote:
> >> 1. Accounting of Calling-station-id returns only first 4 
> characters 
> >> of user's IP address.
> >   If that's what the RADIUS client is sending, then the 
> only solution 
> > is to fix the client so it sends the correct information.
> > 
> My radius client is standard radiusclient software.
> But it seems no settings for that in its 
> /etc/radiusclient/radiusclient.conf
> 
> 
> Alan DeKok-4 wrote:
> > 
> >> 2. Radius does not understand some attributes from client.
> >> a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: 
> received unknown 
> >> attribute 25 of length 30:
> > 
> >   The client doesn't understand the response of the server.  Again, 
> > the only solution is to fix the client.
> > 
> Yes. You are quite right.
> I add missing attributes to radiusclient dictionary file.
> ATTRIBUTE   MS-CHAP2-Response   25  string  
> ATTRIBUTE   Acct-Input-Packets  47  integer
> ATTRIBUTE   Acct-Output-Packets 48  integer

It might not be enough.

Could you check this post and give it a try ?

http://lists.freeradius.org/pipermail/freeradius-users/2007-January/059299.html

Thibault





Re: One question about Access-Request packet

2007-01-17 Thread Alan DeKok
Rafał Kamiński wrote:
>
> Why when i try auth. by laptop-wifi over linksys then it's send that
> request:
...
> Request without User-Password -> and that is problem with auth.

  The authentication method is called EAP.  It's the way wireless is
supposed to work.  See "eap.conf".

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE : One question about Access-Request packet

2007-01-17 Thread Thibault Le Meur

> Hi, i have one question:
> 
> Why when i try auth. by laptop-wifi over linksys then it's send that
> request:
> 
> rad_recv: Access-Request packet from host 192.168.1.245:3072, 
> id=0, length=119
> User-Name = "rka"
> NAS-IP-Address = 192.168.1.245
> Called-Station-Id = "001217694588"
> Calling-Station-Id = "0014a41e7112"
> NAS-Identifier = "001217694588"
> NAS-Port = 61
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x0201000801726b61
> Message-Authenticator = 0x794e9d729e673a6c41b875855ae5a464
> 
> Request without User-Password -> and that is problem with auth.

This is normal because it is an EAP authentication request: so this is not a
problem for authentication as long as you have enabled and configured EAP in
the freeradius configuration (see eap.conf).

Thibault



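To see why the wireless request carries no User-Password, here is an added example (editor's code, not FreeRADIUS's and not from either poster) that decodes the EAP-Message printed in the Linksys dump above and classifies both requests from this thread by the credential attributes they carry; the attribute dictionaries are transcribed from the two rad_recv dumps.

```python
"""Decode the EAP-Message from the wireless Access-Request above and classify
both requests from this thread by how they expect to be authenticated.
Editor's example code; the attribute lists are transcribed from the two
rad_recv dumps on this page (shortened to what the checks need)."""
import struct

# RFC 3748 section 4 codes and a few common method types.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eap_message(hexstr):
    """Parse one EAP packet given as the 0x... string radiusd -X prints."""
    if hexstr.startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d but %d bytes present" % (length, len(data)))
    pkt = {"code": code, "code_name": EAP_CODES.get(code, "Unknown"),
           "id": ident, "length": length}
    if code in (1, 2):          # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        eap_type = data[4]
        pkt["type"] = eap_type
        pkt["type_name"] = EAP_TYPES.get(eap_type, "Unknown")
        if eap_type == 1:       # Identity: the rest is the peer's name, no secret yet
            pkt["identity"] = data[5:].decode("utf-8", errors="replace")
        else:
            pkt["type_data"] = data[5:].hex()
    return pkt


def classify_request(attrs):
    """Return (method, problems) for a decoded Access-Request attribute dict."""
    problems = []
    if "EAP-Message" in attrs:
        method = "eap"
        # RFC 3579 section 3.3: a server should drop EAP requests that lack
        # Message-Authenticator, so its absence points at a misconfigured NAS.
        if "Message-Authenticator" not in attrs:
            problems.append("EAP-Message without Message-Authenticator")
    elif "User-Password" in attrs:
        method = "pap"
    elif "CHAP-Password" in attrs:
        method = "chap"
    else:
        method = "unknown"
        problems.append("no credential attribute at all")
    return method, problems


# Transcribed from the two rad_recv dumps on this page.
WIRELESS_REQUEST = {
    "User-Name": "rka",
    "NAS-IP-Address": "192.168.1.245",
    "NAS-Port-Type": "Wireless-802.11",
    "EAP-Message": "0x0201000801726b61",
    "Message-Authenticator": "0x794e9d729e673a6c41b875855ae5a464",
}
LAN_REQUEST = {
    "User-Name": "rka",
    "User-Password": "qazwsxedc",
    "NAS-IP-Address": "255.255.255.255",
    "NAS-Port": 0,
}

if __name__ == "__main__":
    eap = parse_eap_message(WIRELESS_REQUEST["EAP-Message"])
    print("wireless EAP-Message:", eap)   # EAP-Response/Identity for "rka"
    for name, req in (("wireless", WIRELESS_REQUEST), ("lan", LAN_REQUEST)):
        print(name, classify_request(req))
```

The wireless packet is the first EAP-Response/Identity of a conversation that only names the user; the actual credential exchange (TLS, PEAP, MSCHAPv2 and so on) follows in later EAP-Message round trips, which is why eap.conf rather than a User-Password check decides the outcome.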


Re: RE : A couple of questions PoPToP+FreeRadius+IAS

2007-01-17 Thread Marxy


Thibault LE MEUR wrote:
> 
>> >   The client doesn't understand the response of the server.  Again, 
>> > the only solution is to fix the client.
>> > 
>> Yes. You are quite right.
>> I add missing attributes to radiusclient dictionary file.
>> ATTRIBUTE   MS-CHAP2-Response   25  string  
>> ATTRIBUTE   Acct-Input-Packets  47  integer
>> ATTRIBUTE   Acct-Output-Packets 48  integer
> 
> It might not be enough.
> 

It is enough because I had added all the Microsoft vendor attributes earlier.
Thanks.
I have other unsolved problems.




3ComSwitch Login

2007-01-17 Thread Alexandre Soares

Hi All,

Sorry team, but I still have a problem authenticating a valid Administrator user
on a 3Com switch; my question is, has anyone implemented this feature?

I really don't know where to start the solution in freeradius

freeradius working with quintum cms

2007-01-17 Thread Goke Aruna
Hi all,

Can someone share his experience with me in getting freeradius to work with
quintum CMS?


goksie


Re: 3ComSwitch Login

2007-01-17 Thread Vineet Verma

Hi Alexandre,
   I think you need RADIUS to return the Service-Type attribute as 
Administrative for it to work.


-Vineet



AW: Feeding an LDAP replyItem to an MS-CHAPv2 ntlm_auth request

2007-01-17 Thread Haas Florian
Hello. 

>   Why not?  There's a reason that the ntlm_auth configuration is
> editable in the mschap module.  Just edit it to do whatever you want.
> If all else fails, replace ntlm_auth with a Perl script that looks at
> the environment variables, and determines the proper arguments to use.

Ahem. From my original message you may have read that your suggestion describes
precisely what I am trying to implement, and that modifying the parameters
passed to ntlm_auth is exactly my intention.

I also understand that I could use a wrapper script or possibly do all sorts of
things with %{exec:} and/or %{expr:}. I could also do some simple text mangling
with the User-Name attribute as passed by the XP supplicant. However, the most
elegant way of working around the servicePrincipalName that XP seems to provide
when no user is logged on[1], would be to query MSAD for the corresponding
sAMAccountName, and use that for NTLM authentication.

I could write some Perl or Python or shell script that retrieves that
information from MSAD, invoke that script via %{exec:}, and put its output in
the ntlm_auth command arguments (or invoke it instead of ntlm_auth, for that
matter). However, it seems sort of ridiculous to run an additional LDAP query
for just that purpose, considering all the relevant information should already
be available to FreeRADIUS at that point.

So, to clarify my original question. What I want is this:

1. Put the value of an LDAP attribute (sAMAccountName) into a variable when the
user is authorized in LDAP.
2. Access that variable when the user is being authenticated via MS-CHAPv2, and
put it into the --username argument of ntlm_auth.

I do understand that this would require registering said variable in dictionary
and ldap.attrmap. I also understand that I need to set up a proper filter in the
configuration of the ldap module, for correct authorization of the "user" that's
being identified by its servicePrincipalName in this case. I have done all that.
What else would I need, if what I'm trying to do is at all possible?

Cheers,
Florian

[1] Yes, a rant about the XP supplicant providing "wrong" data in this case is
in order, however that's not going to persuade my customer to switch to Ubuntu.
:-)



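The mapping Florian describes (take the identity the XP supplicant sent, find the matching directory object, and hand its sAMAccountName to ntlm_auth), written out in Python as an added example; it is not code from Florian's message, from FreeRADIUS or from Samba. The identity forms it recognises, the sample directory entries and the domain name are assumptions of the example, as is the "HOSTNAME$" naming of computer accounts (the usual Active Directory convention). The value comes straight from the RADIUS User-Name, so the filter builder escapes it per RFC 4515 before it goes anywhere near an LDAP search; the ntlm_auth options used (--username, --domain, --request-nt-key) are real ntlm_auth options, assembled as an argv list rather than a shell string.

```python
from typing import Optional

# RFC 4515 escaping: the characters that would change a search filter's structure.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape an untrusted value (here: the RADIUS User-Name) before putting it in a filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def classify_identity(user_name: str) -> dict:
    """Work out which form of identity the supplicant sent.
    host/pc01.example.com  servicePrincipalName style (XP with no user logged on)
    EXAMPLE\\alice          DOMAIN\\user
    alice@example.com      UPN / realm form
    alice                  bare account name"""
    if user_name.lower().startswith("host/"):
        fqdn = user_name[len("host/"):]
        short = fqdn.split(".", 1)[0]
        # Assumed AD convention: the computer account's sAMAccountName is HOSTNAME$
        return {"kind": "spn", "spn": user_name, "sam_candidate": short.upper() + "$"}
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return {"kind": "domain_user", "domain": domain, "sam_candidate": user}
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return {"kind": "upn", "realm": realm, "sam_candidate": user}
    return {"kind": "bare", "sam_candidate": user_name}


def build_filter(identity: dict) -> str:
    """The search filter the ldap module would send to AD for this identity."""
    if identity["kind"] == "spn":
        return "(&(objectClass=computer)(servicePrincipalName=%s))" % ldap_filter_escape(identity["spn"])
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(identity["sam_candidate"])


# Constructed directory entries standing in for an LDAP search result (not real data).
SAMPLE_ENTRIES = [
    {"objectClass": "computer", "sAMAccountName": "PC01$",
     "servicePrincipalName": ["HOST/PC01", "host/pc01.example.com"]},
    {"objectClass": "user", "sAMAccountName": "alice", "servicePrincipalName": []},
]


def resolve_sam_account(user_name: str, entries) -> Optional[str]:
    """Return the sAMAccountName to hand to ntlm_auth, or None when nothing matches.
    SPN and account-name comparisons are case-insensitive, as they are in AD."""
    ident = classify_identity(user_name)
    for entry in entries:
        if ident["kind"] == "spn":
            spns = [s.lower() for s in entry["servicePrincipalName"]]
            if entry["objectClass"] == "computer" and ident["spn"].lower() in spns:
                return entry["sAMAccountName"]
        elif entry["objectClass"] == "user" and \
                entry["sAMAccountName"].lower() == ident["sam_candidate"].lower():
            return entry["sAMAccountName"]
    return None


def ntlm_auth_args(user_name: str, entries, domain: str) -> list:
    """argv for ntlm_auth once the account is known; no shell, so no quoting problems."""
    sam = resolve_sam_account(user_name, entries)
    if sam is None:
        raise LookupError("no directory object for identity %r" % user_name)
    return ["--request-nt-key", "--username=%s" % sam, "--domain=%s" % domain]


if __name__ == "__main__":
    for ident in ("host/pc01.example.com", "EXAMPLE\\alice", "alice@example.com"):
        print(ident, "->", build_filter(classify_identity(ident)),
              "->", resolve_sam_account(ident, SAMPLE_ENTRIES))
```

Whatever script or module does the lookup, the escaping step is the part not to skip: a User-Name such as `*)(objectClass=*` is rendered harmless by it, and the search matches nothing instead of everything.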


SPLAT question

2007-01-17 Thread Enright Patrick - penrig
Hello,

This pertains to Freeradius 1.1.0.

I am having trouble setting up freeradius and Checkpoint's
Secureplatform Pro (SPLAT) firewall (which is a stripped down Linux) so
that administrators logging into the firewalls will be authenticated by
the freeradius server.

According to the SPLAT pro user guide I should be able to set up a group
on the firewall and I should not have to define all the individual users
on the firewall.  Once the user enters the username and password that
info will be passed to the freeradius server along with the group (which
is already defined on the firewall).

When I start the freeradius server with the -AX switches I really don't
see it reading the following that I set up in the radiusd.conf file:

passwd etc_group {
        filename = /etc/freeradius/group
        format = "=Group-Name:::*,User-Name"
        hashsize = 50
        ignorenislike = yes
        allowmultiplekeys = yes
        delimiter = ":"
}

I'm not sure if this is how you tell it to look in the group file and
not sure why I do not see this in the messages when I start
freeradius???

Is anybody else doing this and if so can you provide some guidance?

Thanks so much.

Regards,

Patrick Enright
Information Security Architecture Team
[EMAIL PROTECTED]


Re: SPLAT question

2007-01-17 Thread James Wakefield

Enright Patrick - penrig wrote:



I’m not sure if this is how you tell it to look in the group file and 
not sure why I do not see this in the messages when I start freeradius….???


G'day Patrick,

You've defined the etc_group module but you also need to instantiate it. 
 Add etc_group to the authorize { } section further down in radiusd.conf.


--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


Re: EAP-TLS certificate question

2007-01-17 Thread kemas
On Wed, 2007-01-17 at 13:36 +0100, Alan DeKok wrote:
> kemas wrote:
> > Hi all,
> > 
> > I've installed freeradius-1.1.3 and use it with an AP Aironet 1100 doing EAP-TLS,
> > and it works very well.
> > I'm still confused about certificates: can all client certificates created
> > under one root CA be authenticated against a freeradius that was started 
> > with a different server certificate?
> 
>   I haven't tried it, but it's possible, yes.
> 

Is there any howto or link about it?
Maybe someone would share the light.

thanks

>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



monitoring freeradius with nagios

2007-01-17 Thread Mike

All,
When trying to use the "radauth" tool from nagios to monitor
freeradius, I get the following in the freeradius log:

Error: WARNING: Malformed RADIUS packet from host ... too long (length
18432 > maximum 4096)

radtest seems to be ok.  Has anyone else experienced this or does anyone
know what is wrong?


Does the Users file still support auth-type :=PAM in ver 1.1.4?

2007-01-17 Thread Ellis, Scott 1 (N-Comptel Inc.)


Re: monitoring freeradius with nagios

2007-01-17 Thread James Wakefield

Mike wrote:

All,
When trying to use the "radauth" tool from nagios to monitor
freeradius, I get the following in the freeradius log:

Error: WARNING: Malformed RADIUS packet from host ... too long (length
18432 > maximum 4096)

radtest seems to be ok.  Has anyone else experienced this or does anyone
know what is wrong?


G'day Mike,

Fire up wireshark or tcpdump and have a look what's actually in the packets.

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


RE: help

2007-01-17 Thread John Wan
Hi Alan,

Now everything works but the Active Directory authentication. Please see
the following output from "$ Radiusd -X" when a wireless client uses
"administrator" to log on to the chillispot web logon page:


Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
length=223
User-Name = "administrator"
CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
NAS-IP-Address = 0.0.0.0
Service-Type = Login-User
Framed-IP-Address = 192.168.182.5
Calling-Station-Id = "00-16-6F-79-91-F4"
Called-Station-Id = "00-05-5D-9E-0F-94"
NAS-Identifier = "nas01"
Acct-Session-Id = "45aec9a9"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
WISPr-Logoff-URL = "http://192.168.182.1:3990/logoff";
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module "chap" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "administrator", looking up realm
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by "administrator" with CHAP password
  rlm_chap: Could not find clear text password for user administrator
  modcall[authenticate]: module "chap" returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
length=223
Sending Access-Reject of id 0 to 127.0.0.1:32772
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45aecedc
Nothing to do.  Sleeping until we see a request.

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John Wan
Sent: Friday, 5 January 2007 11:26 AM
To: FreeRadius users mailing list
Subject: RE: help

 Hi Alan,

Many thanks for your help.

Now the kerberos service and the Samba service are running; I have
followed your instructions on your webpage, but I still experience
a similar issue, please see the following:

[EMAIL PROTECTED] ~]# net join -U Administrator
Administrator's password:
[2007/01/05 10:10:15, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password [EMAIL PROTECTED] failed: Cannot find
KDC for requested realm
[2007/01/05 10:10:15, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Cannot find KDC for requested realm Joined domain MBUS.


[EMAIL PROTECTED] ~]# wbinfo -a administrator%password plaintext password
authentication failed Could not authenticate user administrator%password
with plaintext password could not obtain winbind separator!
could not obtain winbind domain name!
challenge/response password authentication failed Could not authenticate
user administrator with challenge/response

Would you please give me some hints so I could try it again? All I need
is to allow the freeradius server and Chillispot to hand over the
authentication (for wireless client) to the Win2k3 Active Directory. To
be able to achieve that, I have to make sure the above two steps are
working (at the moment they are not working).

Many thanks again in advance.

Regards

John







-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Thursday, 14 December 2006 12:20 PM
To: FreeRadius users mailing list
Subject: Re: help

John Wan wrote:

>  Would you please give me some hints how to start the Kerberos server 
> and how to solve the issue of
>  "ads_connect: Invalid credentials".

  Unfortunately, I'm not a kerberos or Samba expert.  I know just enough
to follow the script.  If it doesn't work, I suggest asking on the Samba
/ kerberos lists.

  i.e. the people who wrote the software are the ones most likely to be
able to help you.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog

RE: Building from CVS

2007-01-17 Thread King, Michael
 

> -Original Message-
> apt-get install g++
> 

Thank you.  Apparently, this would be my first Debian box that didn't
have g++ out of the box.  (I've built more than 10 following the same
cookbook that our office wrote)

I guess gcc and gpp weren't enough.

It built...  Well it's building as I type.



Re: monitoring freeradius with nagios

2007-01-17 Thread Keith Woodworth
On Wed, 17 Jan 2007, Mike wrote:

|->All,
|->When trying to use the "radauth" tool from nagios to monitor
|->freeradius, I get the following in the freeradius log:
|->
|->Error: WARNING: Malformed RADIUS packet from host ... too long (length
|->18432 > maximum 4096)
|->
|->radtest seems to be ok.  Has anyone else experienced this or does anyone
|->know what is wrong?

I know that with some monitoring tool I used a while ago (WhatsUp Gold, I
think) I had to add the IP of the WhatsUp server as a NAS to the allowed
list with the shared secret to monitor an old Livingston radius server.

I have not tried with my Freeradius box yet, but I think I might just to
see. The FR is not in production as of yet so I'm not worried about it.




Re: rlm_eap: SSL error

2007-01-17 Thread James Lever


On 17/01/2007, at 4:47 PM, Alan DeKok wrote:


James Lever wrote:

Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read
client certificate A

  That just means there's no client certificate.


Interesting given I'm only allowing EAP-TLS access to my wireless LAN  
(or attempting to)


Below is the log output when run in full debugging (excerpt)

--
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate
chain-depth=1,
error=0
--> User-Name = clientCN
--> BUF-Name = :30 2007 : Info: Ready to process requests.
--> subject = /C=AU/issuerDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
radius_xlat:  'clientCN'
rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed  
value (clientCN)

chain-depth=0,
error=0
--> User-Name = clientCN
--> BUF-Name = clientCN
--> subject = /C=AU/clientDN
--> issuer  = /C=AU/issuerDN
--> verify return:1
TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error::lib(0):func(0):reason(0)
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
--

When I try to do the same with a Certificate from another CA it fails  
as expected.  So why does the EAP-TLS login work even though it  
complains that no certificate was received?  Is the certificate  
actually validated and hence there really was no error, or is  
FreeRADIUS or OpenSSL authorising where it should not?


cheers,
James




Re: SPLAT question

2007-01-17 Thread Alan DeKok
Enright Patrick - penrig wrote:

> When I start the freeradius server with the –AX switches I really don’t
> see it reading the following that I set up in the radiusd.conf file:
> 
> passwd etc_group {
> filename = /etc/freeradius/group
> format = "=Group-Name:::*,User-Name"

  You can't use the Group-Name attribute.  That's reserved for Unix
groups.  You have to define your own attribute.  See "man rlm_passwd"
for examples.

> I’m not sure if this is how you tell it to look in the group file

  See "man rlm_passwd".  It gives examples.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
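To make the format string in Patrick's config concrete, here is a small Python model of what the rlm_passwd lookup does, added as an example and not taken from FreeRADIUS or from anyone in the thread. It follows my reading of rlm_passwd(5): fields are split on the delimiter, a '*' prefix marks the key field, '=' adds the field as a check item, '~' as a reply item, and a ',' after the flag marks a comma-separated multi-valued field (which is what allowmultiplekeys is for). Following Alan's advice it uses a made-up attribute name, My-Group, which in a real setup would have to be declared in the dictionary; the group file contents are constructed.

```python
from typing import Dict, List, Tuple

# Constructed /etc/group-style data, not from the poster's firewall.
SAMPLE_GROUP_FILE = """\
fwadmins:x:1001:alice,bob
netops:x:1002:carol,bob
auditors:x:1003:
+::0:
"""


class PasswdFormat:
    """Parsed rlm_passwd 'format' string: per field a name and a set of flags.
    Flag meanings as I read rlm_passwd(5): '*' key field, '=' check item,
    '~' reply item, ',' the field holds a comma-separated list of values."""
    FLAGS = "*=~,"

    def __init__(self, spec: str, delimiter: str = ":"):
        self.delimiter = delimiter
        self.fields: List[Tuple[str, set]] = []
        for raw in spec.split(delimiter):
            i = 0
            while i < len(raw) and raw[i] in self.FLAGS:
                i += 1
            self.fields.append((raw[i:], set(raw[:i])))
        keys = [name for name, flags in self.fields if "*" in flags]
        if len(keys) != 1:
            raise ValueError("format must mark exactly one key field with '*'")
        self.key = keys[0]


def build_index(fmt: PasswdFormat, text: str, allow_multiple_keys: bool = True,
                ignore_nis_like: bool = True) -> Dict[str, list]:
    """Index the file by key value, as the module does at start-up (hashsize aside)."""
    index: Dict[str, list] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ignore_nis_like and line[0] in "+-":      # ignorenislike = yes: skip NIS +/- entries
            continue
        parts = line.split(fmt.delimiter)
        if len(parts) != len(fmt.fields):
            continue                                 # malformed line: skip rather than guess
        record = {}
        key_values: List[str] = []
        for (name, flags), value in zip(fmt.fields, parts):
            if not name:
                continue                             # unnamed field (the '::' gaps): ignored
            values = [v for v in value.split(",") if v] if "," in flags else [value]
            if "*" in flags:
                key_values = values if allow_multiple_keys else values[:1]
            record[name] = (flags, values)
        for k in key_values:                         # one entry per member of a multi-valued key
            index.setdefault(k, []).append(record)
    return index


def lookup(index: Dict[str, list], fmt: PasswdFormat, key: str) -> Tuple[list, list]:
    """Return (check_items, reply_items) for one key value, e.g. a User-Name."""
    check, reply = [], []
    for record in index.get(key, []):
        for name, (flags, values) in record.items():
            if name == fmt.key:
                continue
            for v in values:
                if "=" in flags:
                    check.append((name, v))
                if "~" in flags:
                    reply.append((name, v))
    return check, reply


if __name__ == "__main__":
    fmt = PasswdFormat("=My-Group:::*,User-Name")
    idx = build_index(fmt, SAMPLE_GROUP_FILE)
    for user in ("alice", "bob", "dave"):
        print(user, lookup(idx, fmt, user))
```

Because My-Group comes back as a check item, a users-file entry that follows the module in authorize can then match on it (one line per group that is allowed in), which is the "define the group on the firewall, not the users" behaviour Patrick is after.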


Re: monitoring freeradius with nagios

2007-01-17 Thread Alan DeKok
Mike wrote:
> All,
> When trying to use the "radauth" tool from nagios to monitor
> freeradius, I get the following in the freeradius log:
> 
> Error: WARNING: Malformed RADIUS packet from host ... too long (length
> 18432 > maximum 4096)
> 
> radtest seems to be ok.  Has anyone else experienced this or does anyone
> know what is wrong?

  I haven't seen it.  I note that 18432 is hex 0x7200.  I suspect that
the NAGIOS people missed a 'htons()' somewhere, and the field should be
0x0072.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
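The header check behind that log line, as an added Python example (not code from the thread or from FreeRADIUS). The reported 18432 is 0x4800; the same two octets in the other order are 0x0048, i.e. 72, a plausible size for a small Access-Request, which is what a client that writes the Length field in little-endian host order instead of network order produces. The attribute contents below are constructed to give exactly that size; the check itself is the RFC 2865 one any server should run before parsing attributes.

```python
import struct

RADIUS_HEADER_LEN = 20     # Code, Identifier, Length, 16-octet Authenticator
RADIUS_MAX_LEN = 4096      # RFC 2865 section 3
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}


def check_radius_header(datagram: bytes) -> tuple:
    """Run the header sanity checks a RADIUS server applies before touching any
    attribute.  Returns (ok, reason, length_field)."""
    if len(datagram) < RADIUS_HEADER_LEN:
        return (False, "datagram shorter than the %d-octet header" % RADIUS_HEADER_LEN, len(datagram))
    code, ident, length = struct.unpack("!BBH", datagram[:4])    # '!' = network byte order
    if length < RADIUS_HEADER_LEN:
        return (False, "length field %d < minimum %d" % (length, RADIUS_HEADER_LEN), length)
    if length > RADIUS_MAX_LEN:
        return (False, "too long (length %d > maximum %d)" % (length, RADIUS_MAX_LEN), length)
    if length > len(datagram):
        return (False, "length field %d exceeds the %d octets received" % (length, len(datagram)), length)
    return (True, CODE_NAMES.get(code, "code %d" % code), length)


# Constructed attributes for a small probe request, as (type, value) pairs.
SAMPLE_ATTRS = [
    (1, b"nagiosck"),               # User-Name
    (2, b"\x00" * 16),              # User-Password: one 16-octet encrypted block (placeholder)
    (4, bytes([192, 0, 2, 10])),    # NAS-IP-Address (documentation range)
    (80, b"\x00" * 16),             # Message-Authenticator (zeroed placeholder)
]


def build_access_request(ident: int, authenticator: bytes, attributes,
                         host_order_length: bool = False) -> bytes:
    """Encode an Access-Request.  With host_order_length=True the Length field is
    written little-endian, which is what a client on x86 emits when it forgets htons()."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)
    length = RADIUS_HEADER_LEN + len(body)
    length_field = struct.pack("<H", length) if host_order_length else struct.pack("!H", length)
    return struct.pack("!BB", 1, ident) + length_field + authenticator + body


if __name__ == "__main__":
    auth = bytes(range(16))      # constructed Request Authenticator
    for swapped in (False, True):
        pkt = build_access_request(0, auth, SAMPLE_ATTRS, host_order_length=swapped)
        print("htons forgotten" if swapped else "network order  ", check_radius_header(pkt))
```

Dropping the datagram at this stage, before any attribute is decoded, is the right response: a Length that exceeds the bytes actually received is the classic setup for an over-read in an attribute parser, so the check is worth more than the diagnostic it produces.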


Re: help

2007-01-17 Thread Alan DeKok
John Wan wrote:
> Hi Alan,
> 
> Now everything works but the Active Directory authentication. Please see
> the following output from "$ Radiusd -X" when a wireless client uses
> "administrator" to log on to the chillispot web logon page:
> 
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0,
> length=223
> User-Name = "administrator"
> CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
> CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2

  See my web page.  You CANNOT do CHAP authentication to AD.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
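Why CHAP against Active Directory cannot work, shown in Python as an added example (not code from the thread, from FreeRADIUS or from Samba). RFC 1994 CHAP has the server recompute MD5(Identifier || password || challenge) and compare it with the response, so the server must hold the password itself; AD holds only a one-way hash of it, which is the "Could not find clear text password" path in John's debug output. The user store and request values below are constructed, and the stored hash for "administrator" is a placeholder for whatever AD keeps. Two details from the log are built in: the first octet of CHAP-Password is the CHAP Identifier (the leading 0x00 in the captured value), and per RFC 2865 the Request Authenticator serves as the challenge when no CHAP-Challenge attribute is present.

```python
import hashlib
import hmac


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the RADIUS CHAP-Password value (RFC 2865 section 5.3):
    one octet CHAP Identifier followed by the 16-octet response."""
    return bytes([ident]) + chap_response(ident, password, challenge)


# Constructed user store, not from the poster's system.  'fieldtech' has a
# cleartext password, which is what rlm_chap needs; 'administrator' mirrors an AD
# account, for which the server holds only a one-way hash (placeholder value).
USER_DB = {
    "fieldtech": {"cleartext_password": b"s3cret-constructed"},
    "administrator": {"stored_hash": bytes.fromhex("00" * 16)},   # placeholder for the NT hash AD keeps
}


def verify_chap(request: dict, user_db: dict) -> tuple:
    """Decide an Access-Request carrying CHAP-Password the way rlm_chap does.
    'request' holds decoded attributes plus the 16-octet Request-Authenticator."""
    user = request["User-Name"]
    entry = user_db.get(user)
    if entry is None:
        return ("reject", "unknown user %s" % user)
    if "cleartext_password" not in entry:
        # No hash of any kind helps here: MD5(id || password || challenge) needs the password.
        return ("reject", "Could not find clear text password for user %s" % user)
    chap_pw = request["CHAP-Password"]
    if len(chap_pw) != 17:
        return ("reject", "malformed CHAP-Password (%d octets)" % len(chap_pw))
    # RFC 2865: without a CHAP-Challenge attribute the Request Authenticator is the challenge.
    challenge = request.get("CHAP-Challenge") or request["Request-Authenticator"]
    expected = chap_response(chap_pw[0], entry["cleartext_password"], challenge)
    if hmac.compare_digest(expected, chap_pw[1:]):      # constant-time comparison
        return ("accept", "CHAP response matches")
    return ("reject", "CHAP response mismatch")


def make_request(user: str, password: bytes, ident: int = 0,
                 challenge: bytes = None, authenticator: bytes = b"\x11" * 16) -> dict:
    """Constructed Access-Request as a NAS such as chillispot would send it."""
    effective = challenge if challenge is not None else authenticator
    req = {"User-Name": user, "Request-Authenticator": authenticator,
           "CHAP-Password": encode_chap_password(ident, password, effective)}
    if challenge is not None:
        req["CHAP-Challenge"] = challenge
    return req


if __name__ == "__main__":
    chal = bytes(range(16))       # constructed CHAP-Challenge
    print(verify_chap(make_request("fieldtech", b"s3cret-constructed", challenge=chal), USER_DB))
    print(verify_chap(make_request("administrator", b"whatever", challenge=chal), USER_DB))
```

The practical consequence for a captive-portal setup is the one Alan gives: the portal has to send something the AD-backed path can verify (MS-CHAP via ntlm_auth, or PAP over a protected link to the RADIUS server), not CHAP.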