MAC address authentication
Hi list,

Please explain the overview of how to enable MAC address based authentication where all three parameters (uid, userPassword and radiusCallingStationId) are matched from the LDAP database. At present I am able to do uid + userPassword successfully from the OpenLDAP database.

--
Registered Linux User #426561 - Shobhit Jindal
B.Tech. Part-III, Department Of Electronics Engineering, ITBHU INDIA

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Red Hat vs. Slackware
On Thu, 15 Feb 2007, silvia bogos wrote:
> Please, I need to decide what to use, RED HAT OR SLACKWARE.

Um, use whichever one you want? To the rest of us, the distribution you choose to run really doesn't matter.

That said, I moved off of Slackware around 1998 and haven't looked back.

--
Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
LinuxWiz Consulting http://linuxwiz.net
Re: Red Hat vs. Slackware
Redhat is probably the Ford of the Linux distributions: it'll get you to where you want to be, it just might not do it as quickly or flashily as other distros. For most installs I recommend CentOS - which is basically Redhat Enterprise 4 but free. You pretty much can't go wrong with any modern, mainstream distro though.

Jan

On 15/02/07, Gaddis, Jeremy L. [EMAIL PROTECTED] wrote:
> On Thu, 15 Feb 2007, silvia bogos wrote:
>> Please, I need to decide what to use, RED HAT OR SLACKWARE.
>
> Um, use whichever one you want? To the rest of us, the distribution you choose to run really doesn't matter.
>
> That said, I moved off of Slackware around 1998 and haven't looked back.
>
> --
> Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
> LinuxWiz Consulting http://linuxwiz.net
Re: Red Hat vs. Slackware
But I knew that Slackware is the most secure and flexible and greater than any other OS, so what do you think? Thanks.

On 2/15/07, Gaddis, Jeremy L. [EMAIL PROTECTED] wrote:
> On Thu, 15 Feb 2007, silvia bogos wrote:
>> Please, I need to decide what to use, RED HAT OR SLACKWARE.
>
> Um, use whichever one you want? To the rest of us, the distribution you choose to run really doesn't matter.
>
> That said, I moved off of Slackware around 1998 and haven't looked back.
>
> --
> Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
> LinuxWiz Consulting http://linuxwiz.net
RE: Red Hat vs. Slackware
Personally I'd recommend a distro with a functioning package handler; my suggestion is Debian. Feels good when you update the whole system with the ease of one command. The wet dream of every admin.

//M

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] org] On Behalf Of affora deeb
Sent: 15 February 2007 10:12
To: FreeRadius users mailing list
Subject: Re: Red Hat vs. Slackware

> But I knew that Slackware is the most secure and flexible and greater than any other OS, so what do you think? Thanks.
>
> On 2/15/07, Gaddis, Jeremy L. [EMAIL PROTECTED] wrote:
>> On Thu, 15 Feb 2007, silvia bogos wrote:
>>> Please, I need to decide what to use, RED HAT OR SLACKWARE.
>>
>> Um, use whichever one you want? To the rest of us, the distribution you choose to run really doesn't matter.
>>
>> That said, I moved off of Slackware around 1998 and haven't looked back.
>>
>> --
>> Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
>> LinuxWiz Consulting http://linuxwiz.net
TTY?
Hi! Got a quick question. When I input radwho, I get this output:

    Login      Name      What  TTY  When       From       Location
    userlogin  username  PPP   S12  Thu 11:21  127.0.0.1  XXX.XXX.XXX.XXX

What does the TTY mean? What kind of TTY is RADIUS using? Is there a limit to how many TTYs I can have?

Cheers!
//Max
Re: Linksys WRT54G - DD-WRT - Wireless Auth
Thanks Alan,

What I'll probably have a go at will be attempting to authenticate it against Samba if possible; I've not looked into how it works yet, but I'm hopeful. :)

R

On 15/02/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Richard Hamilton-Frost wrote:
>> What I want: To be able to authenticate wireless users via the /etc/passwd and /etc/shadow files. I've set up the WRT54GL to talk to the RADIUS server, this all seems fine and dandy. The WRT54GL is using WPA TKIP, it has the option of WPA AES too, and WPA AES+TKIP, neither seem to work.. here is the output I get when trying to authenticate a user:
>> ...
>> rlm_eap_md5: Issuing Challenge
>
> http://deployingradius.com/documents/protocols/compatibility.html
>
> Passwords in /etc/shadow are hashed via the crypt method, or one similar to that. It is impossible to do EAP-MD5 and authenticate users via passwords in /etc/shadow. If you're going to use EAP, you MUST have the clear-text password for the user.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Doubt about RADIUS server errors.
Hi All,

I am using the FreeRADIUS server with dot1X, and the supplicant is on Windows XP. Here, when I use a user name = 3 letters, I am getting the following error:

1. Received packet from 192.168.112.90 with invalid Message-Authenticator! (Shared secret is incorrect.)

and for user name =3 my client is getting the following error:

2. Malformed RADIUS packet from host 192.168.0.1: too short (length 17 minimum 20).

whereas the RADIUS RFC says... user name length can be = 3, since the user name goes as part of the attributes in the RADIUS packet... but the errors we are getting are totally different. I mean, first we are getting one related to Message-Authenticator whereas we are passing a username with length =3, and the second error my client is getting is related to packet length... Another interesting thing is we get these errors only for the PEAP configuration; this works for MD5 and others.

Can anyone help me with this?

Thanks in advance...
---Raghu.
Re: Simple security
Thanks Jeremy. I've been doing various searches for practical examples of 802.1x in a LAN setting and haven't found anything yet. Have you?

-----Original Message-----
From: Gaddis, Jeremy L. [EMAIL PROTECTED]
Date: Thu, 15 Feb 2007 00:07:42
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Simple security

> On Wed, 14 Feb 2007, Scott Hughes wrote:
>> I have a friend that wants some light security on the small network they have (15-25 PCs). What is the best way to secure his network so that someone can't just plug in his laptop and be on the network? He would prefer to make this seamless to his users.
>
> 802.1X
>
> --
> Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
> LinuxWiz Consulting http://linuxwiz.net
Re: Doubt about RADIUS server errors.
[EMAIL PROTECTED] wrote:
> Hi All,
>
> I am using the FreeRADIUS server with dot1X, and the supplicant is on Windows XP. Here, when I use a user name = 3 letters, I am getting the following error:
>
> 1. Received packet from 192.168.112.90 with invalid Message-Authenticator! (Shared secret is incorrect.)

Then the shared secret is incorrect.

> and for user name =3 my client is getting the following error:
>
> 2. Malformed RADIUS packet from host 192.168.0.1: too short (length 17 minimum 20).

Then the RADIUS client is broken. It's not sending RADIUS packets.

> whereas the RADIUS RFC says... user name length can be = 3.

Read the RFCs again. RADIUS packets MUST be 20 bytes or more. Either the RADIUS client you're using is completely broken, or you're sending non-RADIUS packets to the RADIUS server.

> I mean, first we are getting one related to Message-Authenticator whereas we are passing a username with length =3, and the second error my client is getting is related to packet length... Another interesting thing is we get these errors only for the PEAP configuration; this works for MD5 and others.

If that's true, then the client is broken.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
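An added example, not code from this thread or from FreeRADIUS, showing the two checks behind the errors quoted above on a constructed Access-Request: the 20-byte minimum packet length from RFC 2865 and the HMAC-MD5 Message-Authenticator from RFC 2869, keyed with the shared secret. The shared secret, user name and function names are made up for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)


def build_access_request(identifier, secret, username, authenticator=b""):
    """Constructed Access-Request: User-Name plus a valid Message-Authenticator.

    The Message-Authenticator value is HMAC-MD5(secret, whole packet), computed
    with its own 16 value bytes set to zero (RFC 2869 section 5.14).
    """
    if not authenticator:
        authenticator = os.urandom(16)      # 16-byte Request Authenticator
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zero placeholder
    length = HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac               # placeholder is the last 16 bytes


def check_access_request(data, secret):
    """Return "ok" or a diagnosis worded like the FreeRADIUS messages in the thread.

    Only Access-Request is handled here: for replies the HMAC covers the
    *request's* authenticator, not the one carried in the packet itself.
    """
    if len(data) < HEADER_LEN:
        return "too short (length %d minimum %d)" % (len(data), HEADER_LEN)
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        return "bad Length field %d for %d bytes received" % (length, len(data))
    data = data[:length]                    # bytes past Length are padding
    pos, mac_pos = HEADER_LEN, None
    while pos < length:                     # walk the Type-Length-Value list
        if pos + 2 > length:
            return "truncated attribute header at offset %d" % pos
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            return "bad attribute length %d at offset %d" % (alen, pos)
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return "Message-Authenticator has wrong length %d" % alen
            mac_pos = pos + 2
        pos += alen
    if mac_pos is None:
        return "ok (no Message-Authenticator present)"
    received = data[mac_pos:mac_pos + 16]
    # Recompute over the packet with the Message-Authenticator value zeroed.
    zeroed = data[:mac_pos] + bytes(16) + data[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return "invalid Message-Authenticator! (Shared secret is incorrect.)"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: three-letter user name, made-up shared secret.
    pkt = build_access_request(1, b"testing123", b"bob")
    print(check_access_request(pkt, b"testing123"))       # ok
    print(check_access_request(pkt, b"wrong-secret"))     # invalid Message-Authenticator! ...
    print(check_access_request(pkt[:17], b"testing123"))  # too short (length 17 minimum 20)
```

A mismatched secret and a tampered packet produce the same "invalid Message-Authenticator" diagnosis, which is why that message alone does not tell you which of the two happened.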
Does the latest cvs support the read_groups parameter
Hi!

I am using the latest CVS version of FreeRADIUS. Does this version support the read_groups parameter? In the conf file it is written that setting it to yes causes the group table to be read. From my observation FreeRADIUS works like this:

1 - checks records from radcheck
2 - if they match, add parameters from radreply
3 - if the parameter Fall-Through is set, then select group parameters and merge them together with those from radreply

And this way it works. But when I set the read_groups parameter in the conf file and remove the Fall-Through from radreply, the group table is not read. Is this the right behavior?

Thanks in advance!
Best,
tomasz
Getting error in radius server with dot1X and supplicant on windows XP...
Hi All,

I am using the FreeRADIUS server with dot1X, and the supplicant is on Windows XP. Here, when I use a user name = 3 letters, I am getting the following error:

1. Received packet from 192.168.112.90 with invalid Message-Authenticator! (Shared secret is incorrect.)

and for user name =3 my client is getting the following error:

2. Malformed RADIUS packet from host 192.168.0.1: too short (length 17 minimum 20).

whereas the RADIUS RFC says... user name length can be = 3, since the user name goes as part of the attributes in the RADIUS packet... but the errors we are getting are totally different. I mean, first we are getting one related to Message-Authenticator whereas we are passing a username with length =3, and the second error my client is getting is related to packet length... Another interesting thing is we get these errors only for the PEAP configuration; this works for MD5 and others.

Can anyone help me with this? Could we be getting different errors because both of us may be using different versions of the RADIUS server? Just a guess. Is this error because of the RADIUS client or the server?

Thanks in advance...
---Raghu.
Re: Simple security
Hi,

> Thanks Jeremy. I've been doing various searches for practical examples of 802.1x in a LAN setting and haven't found anything yet. Have you?

It all depends on what kit you've got, both in the network space and in the server architecture. E.g. with decent Cisco or HP switches you can simply enable dot1X on each switch interface and configure the switch to RADIUS authenticate, e.g. against FreeRADIUS. You would need to install EAP-TLS certs on each machine, or configure PEAP etc. vs. an AD for auth. That's hardly 'seamless', but no network access control is seamless to users in reality.

Alternatively, how 'secure' does this have to be? You could, e.g., use MAC address authentication: use dot1x with MAC auth... and then also do the same for DHCP. Going this way you could use VMPS on the Cisco kit: unregistered machines live on their own VLAN devoid of anything, except maybe an authentication gateway to register their systems.

Or, as a final option, the default VLAN on the switch gives people only a captive portal. Once they have registered (or if they are already known, via MAC) a quick SNMP of their switch port sets their VLAN to the correct working one. This can be achieved with home-brew code or via solutions such as Campus Manager.

Balance up the security requirements vs. the cost and implementation timeframe. For a small setup, EAP-TLS certs with real dot1x would be my personal way to go. You've just then got the headache of those network devices that don't do dot1X, e.g. network printers/scanners, VoIP handsets etc.; for those you'd have to secure the network socket and cabling :-|

alan
rlm_sql question
I am using FreeRADIUS 1.1.4 with MySQL. I had to change the authorize_check_query:

    authorize_check_query = SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op \
        FROM radcheck,nas \
        WHERE (Username = '%{SQL-User-Name}') \
        and (nas.type='Enterasys Networks' and nas.nasname= '%{NAS-IP-Address}') \
        ORDER BY id

Now radiusd -AX gives me:

    ..
    rlm_sql (enterasys): sql_set_user escaped user -- '7509'
    radius_xlat: 'SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id'
    rlm_sql (enterasys): Reserving sql socket id: 3
    rlm_sql_mysql: query: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id
    rlm_sql (enterasys): User 7509 not found in radcheck
    ..

where the same query in mysql shows:

    mysql> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id;
    +---------+----------+-----------+--------+----+
    | id      | UserName | Attribute | Value  | op |
    +---------+----------+-----------+--------+----+
    | 1180894 | 7509     | Auth-Type | Accept | += |
    +---------+----------+-----------+--------+----+
    1 row in set (0.00 sec)

I would have expected the same results from rlm_sql as from mysql directly. Why do the results differ?

Thanks
Norbert Wegener
1.1.4 - TTLS - missing attributes
Hi list!

Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine, but now I have problems with missing reply attributes for Mac OS X clients using EAP-TTLS. FreeRADIUS sends an Access-Challenge with the correct attributes, but they are missing from the final Access-Accept. If I use the eapol_test client it works fine. I used the freeradius.spec file for SUSE to build the server. The file is for 1.1.3; I simply changed the version number to 1.1.4.

Here is the debug output from OS X.

--
    modcall: leaving group post-auth (returns ok) for request 5
    TTLS: Got tunneled reply RADIUS code 2
            User-Name = XXX
            Tunnel-Private-Group-Id:0 = 315
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Type:0 = VLAN
            MS-CHAP2-Success = 0xe9533d3431363235364546323938444235453643334436384536413041413237433742373433324531
            MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959
            MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x0006
    TTLS: Got tunneled Access-Accept
    TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.
      modcall[authenticate]: module eap returns handled for request 5
    modcall: leaving group authenticate (returns handled) for request 5
    Sending Access-Challenge of id 57 to 172.20.16.14 port 1645
            User-Name = XXX
            Tunnel-Private-Group-Id:0 = 315
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Type:0 = VLAN
            MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959
            MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944
            MS-MPPE-Encryption-Policy = 0x0001
            MS-MPPE-Encryption-Types = 0x0006
            EAP-Message = 0x0140005f1580005517030100501cc3ec5991b8db1c9fa0b2a8738e13a3adafa3d12aad4719582298263fd36dd9e40a95a7b92783655681e701373871336737a7ea70a9a07ea8a015dc51b734e3700b71dc22b33bc6686f23efc7bfeba8
            Message-Authenticator = 0x
            State = 0xd1d25d75fcc645729434631403c3dd5a
    Finished request 5
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 172.20.16.14:1645, id=58, length=142
            NAS-IP-Address = 172.20.16.14
            NAS-Port = 50632
            NAS-Port-Type = Ethernet
            User-Name = XXX
            Called-Station-Id = 00-03-6B-BE-25-8F
            Calling-Station-Id = 00-14-51-2E-6C-50
            Service-Type = Framed-User
            Framed-MTU = 1500
            State = 0xd1d25d75fcc645729434631403c3dd5a
            EAP-Message = 0x02461500
            Message-Authenticator = 0x2d5e6aadce0ad3a0eb864bc26e9271f9
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 6
      modcall[authorize]: module preprocess returns ok for request 6
        rlm_realm: No '@' in User-Name = XXX, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 6
      rlm_eap: EAP packet type response id 64 length 6
      rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
      modcall[authorize]: module eap returns updated for request 6
      modcall[authorize]: module mschap returns noop for request 6
      modcall[authorize]: module files returns notfound for request 6
    modcall: leaving group authorize (returns updated) for request 6
      rad_check_password: Found Auth-Type EAP
      auth: type EAP
      Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 6
      rlm_eap: Request found, released from the list
      rlm_eap: EAP/ttls
      rlm_eap: processing type ttls
      rlm_eap_ttls: Authenticate
      rlm_eap_tls: processing TLS
      rlm_eap_tls: Received EAP-TLS ACK message
      rlm_eap_tls: ack handshake is finished
      eaptls_verify returned 3
      eaptls_process returned 3
      rlm_eap: Freeing handler
      modcall[authenticate]: module eap returns ok for request 6
    modcall: leaving group authenticate (returns ok) for request 6
    Login OK: [XXX/no User-Password attribute] (from client SITEALAN port 50632 cli 00-14-51-2E-6C-50)
      Processing the post-auth section of radiusd.conf
    modcall: entering group post-auth for request 6
      modcall[post-auth]: module LDAP1LAN returns noop for request 6
      modcall[post-auth]: module LDAP2LAN returns noop for request 6
      modcall[post-auth]: module LDAP1AIR returns noop for request 6
      modcall[post-auth]: module LDAP2AIR returns noop for request 6
      modcall[post-auth]: module LDAP1VPN returns noop for request 6
      modcall[post-auth]: module LDAP2VPN returns noop for request 6
    modcall: leaving group post-auth (returns noop) for request 6
    Sending Access-Accept of id 58 to 172.20.16.14 port 1645
            MS-MPPE-Recv-Key = 0x3e5ac1123d8312388fd89060503bbc0111586573e9b05e0166f4b738ef11db5a
            MS-MPPE-Send-Key = 0x68dce1376add4161d31704257ac1d5d9e891b1905e62064647c2216b53454986
            EAP-Message
Re: rlm_sql question
Please forget this question. Someone had changed a network setting, so that mysql and rlm_sql did not reach the same databases. Right now everything works as expected.

Sorry
Norbert Wegener

Norbert Wegener wrote:
> I am using FreeRADIUS 1.1.4 with MySQL. I had to change the authorize_check_query:
>
>     authorize_check_query = SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op \
>         FROM radcheck,nas \
>         WHERE (Username = '%{SQL-User-Name}') \
>         and (nas.type='Enterasys Networks' and nas.nasname= '%{NAS-IP-Address}') \
>         ORDER BY id
>
> Now radiusd -AX gives me:
>
>     ..
>     rlm_sql (enterasys): sql_set_user escaped user -- '7509'
>     radius_xlat: 'SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id'
>     rlm_sql (enterasys): Reserving sql socket id: 3
>     rlm_sql_mysql: query: SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id
>     rlm_sql (enterasys): User 7509 not found in radcheck
>     ..
>
> where the same query in mysql shows:
>
>     mysql> SELECT radcheck.id, radcheck.UserName, radcheck.Attribute, radcheck.Value, radcheck.op FROM radcheck,nas WHERE (Username = '7509') and (nas.type='Enterasys Networks' and nas.nasname= '172.31.110.150') ORDER BY id;
>     +---------+----------+-----------+--------+----+
>     | id      | UserName | Attribute | Value  | op |
>     +---------+----------+-----------+--------+----+
>     | 1180894 | 7509     | Auth-Type | Accept | += |
>     +---------+----------+-----------+--------+----+
>     1 row in set (0.00 sec)
>
> I would have expected the same results from rlm_sql as from mysql directly. Why do the results differ?
>
> Thanks
> Norbert Wegener
Re: 1.1.4 - TTLS - missing attributes
Hi,

> Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine, but now I have problems with missing reply attributes for Mac OS X clients using EAP-TTLS.

I can also report the same issue. I have been looking at it for a little while now. I thought it may have been my attribute filter being too strict, but I saw no EAP-TTLS attributes that are documented that I'm not allowing, and I believe I haven't changed my attribute filter since 1.1.3.

alan
Re: 1.1.4 - TTLS - missing attributes
[EMAIL PROTECTED] wrote:
> I can also report the same issue. I have been looking at it for a little while now. I thought it may have been my attribute filter being too strict, but I saw no EAP-TTLS attributes that are documented that I'm not allowing, and I believe I haven't changed my attribute filter since 1.1.3.

It looks to be a side effect of doing MS-CHAP in the tunnel correctly. There's already a bug filed for the PEAP side of things. I'll see what I can do tomorrow to fix it.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: db.counter not found!
Hi,

> bash-2.05b# ls -l /usr/local/etc/raddb/db.counter
> -rw---      1 root  wheel  24576 Nov 21  2003 /usr/local/etc/raddb/db.counter
> drwxr-xr-x  5 root  wheel   1536 Feb 14 12:09 raddb

Right. So root is okay. Do you run radiusd as root?

alan
Algorithm used by FreeRADIUS to choose cipher suite used with EAP-TLS/TTLS
Hi,

How does FreeRADIUS's rlm_eap module choose the cipher suite used for EAP-TLS/TTLS sessions? RFC 2246 for TLS states that the client presents the list of ciphersuites supported to the server and the server picks one that it supports. Is there a way to configure FreeRADIUS to only use a specific set of ciphersuites? The goal is that in some cases it may be desirable to restrict incoming clients to use a particular suite.

Thanks,
Walter
Re: db.counter not found!
Hi,

On 2/15/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
>> bash-2.05b# ls -l /usr/local/etc/raddb/db.counter
>> -rw---      1 root  wheel  24576 Nov 21  2003 /usr/local/etc/raddb/db.counter
>> drwxr-xr-x  5 root  wheel   1536 Feb 14 12:09 raddb
>
> Right. So root is okay. Do you run radiusd as root?

As far as I know, yes, it runs as root by default on FreeBSD systems. Any ideas on this matter?

> alan

Thanks in advance,
Enrique

--
Enrique Llanos V.
HTU Networks Peru www.htu.com.pe
Nextel del Peru www.nextel.com.pe
e666.invazores.org/blog/
www.fotolog.com/e666
Re: Algorithm used by FreeRADIUS to choose cipher suite used with EAP-TLS/TTLS
Walter Goulet wrote:
> How does FreeRADIUS's rlm_eap module choose the cipher suite used for EAP-TLS/TTLS sessions?

It relies on OpenSSL to do the negotiation.

> RFC 2246 for TLS states that the client presents the list of ciphersuites supported to the server and the server picks one that it supports. Is there a way to configure FreeRADIUS to only use a specific set of ciphersuites? The goal is that in some cases it may be desirable to restrict incoming clients to use a particular suite.

Yes. See cipher_list in eap.conf. It's documented.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: MySQL support in Windows binary of FreeRadius
Thanks Peter and Alan for your replies. I don't mind recompiling, except that I need to run FreeRadius as a Windows service, and I don't know what it takes to enable MySQL in the compilation.

Basically my problem with the default setup is that it logs on a per-day basis. If I can configure FreeRadius to use a new accounting file every hour, it will be ideal. Does anyone know if this can be done?

Peter Nixon wrote:
> On Fri 09 Feb 2007 12:04, Foo JH wrote:
>> Hi all,
>>
>> I'm using the precompiled binary of FreeRadius from freeradius.net. Well, I'm happy to say that it works! My last challenge with FreeRadius is getting it to work with MySQL. I don't know if MySQL connectivity is possible with the precompiled Windows version. Can anyone confirm this? 'Cos I'm not getting very far trying to activate MySQL. Basically I uncommented the sql line in line 2017 (under accounting), and the daemon will not run any more. It complains:
>>
>>     Error: radiusd.conf[2017] Unknown module sql
>>
>> Can anyone comment on this? Thanks.
>
> As far as we know the Windows binary from freeradius.net contains no SQL support at all. You should recompile it yourself or contact the packager.
>
> Regards
Configure FreeRadius to generate new accounting file by hour
Hi all.

Just want to pose this question to the community: Is it possible to configure FreeRadius so that, instead of generating a new accounting file per day, it can be per hour (or better: per n minutes)?

Thanks
RE: [unclas] Configure FreeRadius to generate new accounting file by hour
-----Original Message-----
> Hi all.
>
> Just want to pose this question to the community: Is it possible to configure FreeRadius so that, instead of generating a new accounting file per day, it can be per hour (or better: per n minutes)?
>
> Thanks

From radiusd.conf:

    #  The following line creates a new detail file for
    #  every radius client (by IP address or hostname).
    #  In addition, a new detail file is created every
    #  day, so that the detail file doesn't have to go
    #  through a 'log rotation'
    #
    #  If your detail files are large, you may also want
    #  to add a ':%H' (see doc/variables.txt) to the end
    #  of it, to create a new detail file every hour, e.g.:
    #
    #   /detail-%Y%m%d:%H
    #
    #  This will create a new detail file for every hour.
    #
    detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

Of course, if you are using FreeRADIUS on a Windows server, don't use the ':' character, as it is one of the forbidden filename characters if I remember correctly.

Regards
Frank Ranner
Re: [unclas] Configure FreeRadius to generate new accounting file by hour
Hello Ranner,

Beautiful! Thanks for the quick pointer. I did a keyword search, but I guess I missed out on this one.

Ranner, Frank MR wrote:
> -----Original Message-----
>> Hi all.
>>
>> Just want to pose this question to the community: Is it possible to configure FreeRadius so that, instead of generating a new accounting file per day, it can be per hour (or better: per n minutes)?
>>
>> Thanks
>
> From radiusd.conf:
>
>     #  The following line creates a new detail file for
>     #  every radius client (by IP address or hostname).
>     #  In addition, a new detail file is created every
>     #  day, so that the detail file doesn't have to go
>     #  through a 'log rotation'
>     #
>     #  If your detail files are large, you may also want
>     #  to add a ':%H' (see doc/variables.txt) to the end
>     #  of it, to create a new detail file every hour, e.g.:
>     #
>     #   /detail-%Y%m%d:%H
>     #
>     #  This will create a new detail file for every hour.
>     #
>     detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>
> Of course, if you are using FreeRADIUS on a Windows server, don't use the ':' character, as it is one of the forbidden filename characters if I remember correctly.
>
> Regards
> Frank Ranner