Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> At least in 1.1.5 it doesn't fall through properly if a user belongs to 
> multiple groups and the check items in the first group  partially match..

  In which version did it stop working?

> Least that's my experience.
> Anyway, nice work on pre 2.0 , looking forward to it in anticipation.

  There are a few more things that have to go in, and then we can do a
2.0.  I'll leave off the "magic" features for 2.1, as it's way past time
2.0 should be released.

> Is freeradius development quite closed, or is it open to everyone ?

  One of our mantras is "As always, patches are welcome."

  However, we get the occasional email from people saying "I have a
patch... give me CVS commit access".  The answer is always "No.".

  Patches get audited for security, code style, etc. before they get
applied.  Some patches get completely re-written.  People get CVS commit
access after all of their patches go in with minimal changes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alexander Serkin
Arran Cudbard-Bell wrote:
>>> In 2.0 we lack the group checks:
>>> 
> I thought group checks were slightly broken since 1.1.3 anyway if 
> not can someone please close the bug report :)
> 
> At least in 1.1.5 it doesn't fall through properly if a user belongs to 
> multiple groups and the check items in the first group  partially match..
> 

Hm. I did not notice that. Walked through 1.1.3, 1.1.4 and 1.1.5 transparently 
without problems for users living in 2 or more groups. Though I slightly 
modified the group authorization queries and usergroup table (added a CLID 
field).

-- 
Sincerely Yours,
Alexander


Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Arran Cudbard-Bell

>> Pretty much. As long as you have the proper IP address for the AP in
>> your clients.conf, which was my particular stupidity :) Still, it seems
>> to work for me.
>> 
Hehe, yeah, same for me first time round! Now it's all done via SQL with 
a modified version of 1.1.5 to allow user NAS queries :)

> I am using both client and server certificates, so the logon and
> password is not currently needed -- for me
Eeek, yes, not such a good solution in our case; certificate management 
for 10,000 very sleepy students is not fun :)


Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Ian Truelsen
On Wed, 2007-04-04 at 22:16 +0100, Arran Cudbard-Bell wrote:
> Is it really just as simple as creating the certificate, signing it with 
> the right extensions, installing the proper rootCA on the windows 
> machines , and configuring the windows supplicant correctly ?
> 
Pretty much. As long as you have the proper IP address for the AP in
your clients.conf, which was my particular stupidity :) Still, it seems
to work for me.
> Which would be
> 
> In authentication tab
> Enable IEEE 802.1x authentication for this network
> Setting EAP Type to PEAP
> 
> In properties
> Validate server certificate
> Authentication method EAP-MSCHAP v2
> Checking the Root CA the certificate was signed with .
> 
> In Configure
> "Automatically use my Windows logon name and password" unchecked.
> 
I am using both client and server certificates, so the logon and
password is not currently needed -- for me.

-- 
Ian Truelsen
s/v Sting
Email: [EMAIL PROTECTED]
AIM: ihtruelsen
MSN: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]



Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Arran Cudbard-Bell

>> In 2.0 we lack the group checks:
>> 
I thought group checks were slightly broken since 1.1.3 anyway; if 
not, can someone please close the bug report :)

At least in 1.1.5 it doesn't fall through properly if a user belongs to 
multiple groups and the check items in the first group partially match.

Least that's my experience.
Anyway, nice work on pre-2.0, looking forward to it in anticipation.

Is FreeRADIUS development quite closed, or is it open to everyone?

---
Arran
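A model of the group walk this thread is arguing about (the first group's check items only partially match, so the server must move on to the next group), as an added Python example that is not FreeRADIUS code: the group names, request attributes and operator subset are constructed for illustration.

```python
"""Model of how FreeRADIUS walks a user's SQL groups (added example, not
FreeRADIUS code).  Groups are taken in usergroup priority order; a group
applies only when every one of its comparison check items matches the
request; control items such as Auth-Type := Accept are never compared.
The walk stops at the first group that applies unless that group's reply
sets Fall-Through = Yes.  A group whose check items only partially match
must be skipped so the next group is still tried, which is the 1.1.5
behaviour questioned in the thread.  All names and values are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CheckItem:
    attr: str
    op: str      # "==", "!=", "=~" compare against the request; ":=" sets a control item
    value: str


@dataclass
class Group:
    name: str
    priority: int                 # usergroup.PRIORITY, lowest first
    check: List[CheckItem] = field(default_factory=list)   # radgroupcheck rows
    reply: Dict[str, str] = field(default_factory=dict)    # radgroupreply rows


def item_matches(item: CheckItem, request: Dict[str, str]) -> bool:
    """One comparison check item against the request attributes."""
    present = item.attr in request
    if item.op == "==":
        return present and request[item.attr] == item.value
    if item.op == "!=":
        return not present or request[item.attr] != item.value
    if item.op == "=~":
        return present and re.search(item.value, request[item.attr]) is not None
    raise ValueError(f"unsupported comparison operator {item.op!r}")


def group_matches(group: Group, request: Dict[str, str]) -> bool:
    """All comparison items must match; an empty check list always matches."""
    return all(item_matches(i, request) for i in group.check if i.op != ":=")


def apply_groups(groups: List[Group], request: Dict[str, str]
                 ) -> Tuple[List[str], Dict[str, str], Dict[str, str]]:
    """Return (names of groups applied, merged reply items, control items)."""
    applied: List[str] = []
    reply: Dict[str, str] = {}
    control: Dict[str, str] = {}
    for g in sorted(groups, key=lambda g: g.priority):
        if not group_matches(g, request):
            continue            # partial or no match: fall through to the next group
        applied.append(g.name)
        control.update({i.attr: i.value for i in g.check if i.op == ":="})
        reply.update({k: v for k, v in g.reply.items() if k != "Fall-Through"})
        if g.reply.get("Fall-Through", "No").lower() != "yes":
            break               # first applying group wins unless it falls through
    return applied, reply, control


# Constructed data: user 'mobile' is in three groups.  The wifi-staff checks
# only partially match this request (NAS-Port-Type does, the CLID prefix
# does not), so the server must skip it and go on to wifi-guest.
REQUEST = {
    "User-Name": "mobile",
    "NAS-Port-Type": "Wireless-802.11",
    "Calling-Station-Id": "0016014d9158",
}
GROUPS = [
    Group("wifi-staff", 1,
          [CheckItem("NAS-Port-Type", "==", "Wireless-802.11"),
           CheckItem("Calling-Station-Id", "=~", "^0019")],
          {"Session-Timeout": "28800"}),
    Group("wifi-guest", 2,
          [CheckItem("NAS-Port-Type", "==", "Wireless-802.11"),
           CheckItem("Auth-Type", ":=", "Accept")],
          {"Session-Timeout": "3600", "Fall-Through": "Yes"}),
    Group("everyone", 3, [], {"Idle-Timeout": "600"}),
]

if __name__ == "__main__":
    applied, reply, control = apply_groups(GROUPS, REQUEST)
    print("applied:", applied)    # ['wifi-guest', 'everyone']
    print("reply:  ", reply)
    print("control:", control)
```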


Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alan DeKok
Alexander Serkin wrote:
> Alan, thinking about the upcoming upgrade from 1.1.5 to 2.0, I tried 2.0 with 
> my configuration from 1.1.5.
> There seem to be some differences which I hope you can explain.
> proxy.conf configuration is
> 
> realm NULL {
>  type= radius
>  authhost= LOCAL
>  accthost= LOCAL
> }

  That should work.

> and we have a user who has simple radcheck entry in sql:
> 
> mobile  Auth-Type:=accept
> 
> in 1.1.5 radiusd performs authorize and authorize group checks in sql:
...
> but in 2.0 we lack the group checks:
...
> what could be the possible reason(s) of that?

  No idea.  I haven't been using the SQL module, so I'm not sure what it
could be, sorry.

  Alan DeKok.


Re: EAP-TLS authentication

2007-04-04 Thread Alan DeKok
deepak kumar wrote:
> Is there any way in freeradius, where freeradius server can invoke a
> java program in response to some event.
> eg if some user is logged out , this event should be propagated to java
> prog or to some other component.

  jradius.

  Alan DeKok.


Re: Res: Res: NAS-IP-Address

2007-04-04 Thread Alan DeKok
Erico Augusto wrote:
> during the authorize phase, the client doesn't have an IP (configured for DHCP),
> so the Access-Point fills Client-IP-Address with its own
> IP (NAS-IP-Address - 10.10.10.1).

  No.

  Client-IP-Address is the address of the RADIUS client that sent the
UDP packet.  It is added by FreeRADIUS, and is internal to the server.
It has no meaning outside of FreeRADIUS.

  The rest of your questions can be answered by saying that the
attribute is internal to FreeRADIUS, and isn't what you think it is.
Therefore, it doesn't have the problems you think it has.

  Alan DeKok.


Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Arran Cudbard-Bell
Ian Truelsen wrote:
> On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
>   
>> According to the microsoft support article 
>> (http://support.microsoft.com/kb/814394/en-us)
>>
>> "The IAS or the VPN server computer certificate is configured with the 
>> Server Authentication purpose. The object identifier for Server 
>> Authentication is 1.3.6.1.5.5.7.3.1."
>>
>> But I have no idea how to add it to the certificate, if you find out 
>> please let me know :)
>>
>> 
> Check out this article:
>
> http://www.linuxjournal.com/article/8095
>
> It explains how to get the MS attributes into the certificates.
>
> Hope this helps.
>   
Excellent, thanks, just what I was looking for :)

Is it really just as simple as creating the certificate, signing it with 
the right extensions, installing the proper root CA on the Windows 
machines, and configuring the Windows supplicant correctly?

Which would be:

In the Authentication tab:
Enable IEEE 802.1x authentication for this network
Set EAP Type to PEAP

In Properties:
Validate server certificate
Authentication method: EAP-MSCHAP v2
Check the Root CA the certificate was signed with.

In Configure:
"Automatically use my Windows logon name and password" unchecked.

Or are there more weird Windows things?

Gah... never appreciated Mac OSX so much.

"Oo, looks like you're connecting to an 802.11x network, please enter 
your username and password. Hmm, you haven't chosen to explicitly trust 
this certificate, would you like to?
 Connected!". "And now I'm going to save your username and 
password in the keychain so you'll never have to go through this 
amazingly simple process ever again".

---
Arran
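The Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) named in the KB article, shown as an added OpenSSL example that is not from the thread, the linked article or the FreeRADIUS project: it signs a server certificate with that extension from a CA and then checks that the extension is really present and that the chain verifies. Subjects, file names and lifetimes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, the KB article or FreeRADIUS itself):
# issue a RADIUS server certificate that carries the Server Authentication
# EKU (OID 1.3.6.1.5.5.7.3.1) the Windows PEAP supplicant looks for, and
# check for it afterwards. Names, subjects and lifetimes are constructed.
set -e
WORK=$(mktemp -d)

# OpenSSL extension section applied when the CA signs the server CSR.
cat > "$WORK/server_ext.cnf" <<'EOF'
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

# Self-signed CA: this is the root the Windows clients must be told to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example RADIUS CA" >/dev/null 2>&1

# Server key and CSR, then sign with the CA using the section above.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=radius.example.org" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/server_ext.cnf" -extensions server_ext \
  -out "$WORK/server.pem" >/dev/null 2>&1

# has_server_auth_eku CERT: succeed only if the certificate's Extended Key
# Usage lists TLS Web Server Authentication (1.3.6.1.5.5.7.3.1).
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'X509v3 Extended Key Usage' \
      | grep -q 'TLS Web Server Authentication'
}

# chain_ok CERT CA: the server cert must also verify against the CA that
# the supplicant has been configured to trust.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

has_server_auth_eku "$WORK/server.pem" && echo "server.pem: Server Authentication EKU present"
chain_ok "$WORK/server.pem" "$WORK/ca.pem" && echo "server.pem: chains to ca.pem"
```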


Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Ian Truelsen
On Wed, 2007-04-04 at 20:58 +0100, Arran Cudbard-Bell wrote:
> According to the microsoft support article 
> (http://support.microsoft.com/kb/814394/en-us)
> 
> "The IAS or the VPN server computer certificate is configured with the 
> Server Authentication purpose. The object identifier for Server 
> Authentication is 1.3.6.1.5.5.7.3.1."
> 
> But I have no idea how to add it to the certificate, if you find out 
> please let me know :)
> 
Check out this article:

http://www.linuxjournal.com/article/8095

It explains how to get the MS attributes into the certificates.

Hope this helps.
-- 
Ian Truelsen


Re: Re : EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Arran Cudbard-Bell
Eshun Benjamin wrote:
> Hello Arran, which specific OID? I also think it has to do with the 
> certificate. Could you please be specific, if possible with an example. I 
> tried to use another certificate and I am getting 2 issues;
> 1. is before access challenge:
>
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from suffix (rlm_realm) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module 
> "suffix" returns noop for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: EAP packet type response 
> id 2 length 192
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: No EAP Start, assuming 
> it's an on-going EAP conversation
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "eap" 
> returns updated for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling 
> files (rlm_files) for request 2
> Wed Apr  4 21:33:09 2007 : Debug: users: Matched entry DEFAULT at 
> line 225
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from files (rlm_files) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling 
> etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added LM-Password: 
> '739EA6CD54DF1680AAD3B435B51404EE' to config_items
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added NT-Password: 
> 'F138C6624B18D0E17EA9630C746A8202' to config_items
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added 
> SMB-Account-CTRL-TEXT: '[UX ]' to config_items
> Wed Apr  4 21:33:09 2007 : Info: rlm_passwd: Adding "Auth-Type = MS-CHAP"
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module 
> "etc_smbpasswd" returns ok for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Normalizing LM-Password 
> from hex encoding
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Normalizing NT-Password 
> from hex encoding
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Found existing Auth-Type, 
> not changing it.
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from pap (rlm_pap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 2
> Wed Apr  4 21:33:09 2007 : Debug: modcall: leaving group authorize 
> (returns updated) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rad_check_password:  Found 
> Auth-Type EAP
> Wed Apr  4 21:33:09 2007 : Debug: auth: type "EAP"
> Wed Apr  4 21:33:09 2007 : Debug:   Processing the authenticate 
> section of radiusd.conf
> Wed Apr  4 21:33:09 2007 : Debug: modcall: entering group authenticate 
> for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authenticate]: calling 
> eap (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: Request found, released 
> from the list
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 21:33:09 2007 : Debug: rlm_eap_tls:  Length Included
> Wed Apr  4 21:33:09 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0086], ClientKeyExchange 
> Wed Apr  4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read client 
> key exchange A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 
> ChangeCipherSpec [length 0001] 
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0010], Finished 
> Wed Apr  4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read finished A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 
> ChangeCipherSpec [length 0001] 
> Wed Apr  4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write change 
> cipher spec A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake 
> [length 0010], Finished 
> Wed Apr  4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write finished A
> Wed Apr  4 21:33:09 2007 : Debug: TLS_accept: SSLv3 flush data
> Wed Apr  4 21:33:09 2007 : Debug: (other): SSL negotiation 
> finished successfully
> Wed Apr  4 21:33:09 2007 : Error: rlm_eap: SSL error 
> error::lib(0):func(0):reason(0)
> Wed Apr  4 21:33:09 2007 : Debug: SSL Connection Established
> Wed Apr  4 21:33:09 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: EAP

Res: Res: NAS-IP-Address

2007-04-04 Thread Erico Augusto
during the authorize phase, the client doesn't have an IP (configured for DHCP), so the 
Access-Point fills Client-IP-Address with its own IP (NAS-IP-Address - 
10.10.10.1).

Note that during authorize FreeRADIUS sends 10.10.10.1 (NAS-IP) as Client-IP, 
and during Post-Auth, 127.0.0.1 ...
I'm sure that there is anything configured to do that.

Isn't that a possible reason for FreeRADIUS to send a loopback IP in the 
Client-IP-Address attribute in the Post-Auth phase?

Thanks a lot...

Erico.

- Original message 
From: Internet-Wifi Operador <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, 28 March 2007 3:30:52
Subject: RE: Res: NAS-IP-Address

Something more:
FreeRADIUS doesn't put any IP in NAS-IP-Address; this value comes from the 
client (NAS).

Fabián

>From: Erico Augusto <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list 
>
>To: FreeRadius users mailing list 
>Subject: Res: NAS-IP-Address
>Date: Tue, 27 Mar 2007 21:24:38 -0700 (PDT)
>
>well, I don't know what chillispot means until now ... googling it I can 
>say that my application acts like that.
>why?
>thanks, Erico.
>
>- Original message 
>From: Internet-Wifi Operador <[EMAIL PROTECTED]>
>To: freeradius-users@lists.freeradius.org
>Sent: Tuesday, 27 March 2007 15:37:03
>Subject: RE: NAS-IP-Address
>
>Hi,
>Are you using Chillispot or something like that?
>Fabián
> >From: Erico Augusto <[EMAIL PROTECTED]>
> >Reply-To: FreeRadius users mailing list
> >
> >To: freeradius-users@lists.freeradius.org
> >Subject: NAS-IP-Address
> >Date: Tue, 27 Mar 2007 11:14:19 -0700 (PDT)
> >
> >Hi,
> >
> >i) during Authentication phase, NAS-IP-Address attribute is filled with
> >correct IP.
> >During Post-Auth, NAS-IP-Address is filled with loopback 127.0.0.1 
>Address
> >...
> >Is it possible to send the correct NAS-IP-Address during Post-Auth? How 
>is
> >it possible?
> >
> >Thanks, Erico.

Re: Cisco Configuration

2007-04-04 Thread Kevin Bonner
On Wednesday 04 April 2007 14:01:31 Norman Zhang wrote:
> Hi,
>
> I'm learning how to use freeradius. Does anyone have a working conf that
> works for cisco devices?
>
> Regards,
> Norman Zhang

DEFAULT Auth-Type := Accept

... but seriously, what are you trying to do?  Authenticate PPPoX sessions, 
admin sessions, or something else?  Have you run in debug mode to see what 
the cisco is sending to the radius server?  A little more information on what 
you are trying to do would be very helpful.

The wiki has some info related to cisco configs [1].  Another source that 
should have some cisco-related info is the mailing list archives.

Kevin Bonner

[1] http://wiki.freeradius.org/Cisco



Re: Cisco Configuration

2007-04-04 Thread Dennis Skinner
Norman Zhang wrote:
> I'm learning how to use freeradius. Does anyone have a working conf that 
> works for cisco devices?

Did you try the default one?

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Cisco Configuration

2007-04-04 Thread Norman Zhang
Hi,

I'm learning how to use freeradius. Does anyone have a working conf that 
works for cisco devices?

Regards,
Norman Zhang



Re: EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Arran Cudbard-Bell
Eshun Benjamin wrote:
> Mac connects but ms windows does not.  I am doing server side cert. 
> Error from ms windows.
>
>
> User-Name = "testgeneral"
> NAS-IP-Address = 10.1.5.26
> Called-Station-Id = "0016014d9158"
> Calling-Station-Id = "0019e3034ceb"
> NAS-Identifier = "0016014d9158"
> NAS-Port = 36
> Framed-MTU = 1400
> State = 0x3d946123f5f422f576bed1eb52863e55
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 
> 0x02020050198000461603010041013d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa8661600040005000a000900640062000300060013001200630100
> Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section 
> of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize 
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "preprocess" returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "mschap" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = 
> "testgeneral", looking up realm NULL
> Wed Apr  4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL"
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "suffix" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response 
> id 2 length 80
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming 
> it's an on-going EAP conversation
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap" 
> returns updated for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug: users: Matched entry testgeneral 
> at line 216
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "etc_smbpasswd" returns notfound for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, 
> not changing it.
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from pap (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize 
> (returns updated) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found 
> Auth-Type EAP
> Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate 
> section of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate 
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling 
> eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released 
> from the list
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls:  Length Included
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 14:32:48 2007 : Debug: (other): before/accept 
> initialization
> Wed Apr  4 14:32:48 2007 : Debug: TLS_accept: before/accept 
> initialization
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0041], ClientHell

Re: question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread Ryan Kramer

1)  Microsoft LDAP isn't like normal ldap, you don't get access to the
password.  To have freeradius touch the password at any point, it needs to
be on the domain and do a ntlm_auth instead of ldap.

Re: question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread robinson santos

Windows 2000 is not supported, only windows XP

question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread wenny wang

Hi,

I need help/advice with the following scenario:

1. I have a FreeRADIUS server; this server is not part of the Active Directory
domain. The server is able to perform ldapsearch for user accounts.

2. The workstation is a Windows 2000 PC; it needs to be authenticated through a Cisco
Catalyst switch to the FreeRADIUS server with the user's LAN username and
password transparently (PEAP).

My question is:

What is the requirement for the RADIUS server? Does the server need to be part
of the Active Directory domain? Can you direct me to a how-to link? I have
made several configurations but none were successful. Please help, thanks.

EAP/TTLS PEAP MSCHAP

2007-04-04 Thread Eshun Benjamin
Mac connects but MS Windows does not.  I am doing server-side cert. Error from 
MS Windows.

User-Name = "testgeneral"
NAS-IP-Address = 10.1.5.26
Called-Station-Id = "0016014d9158"
Calling-Station-Id = "0019e3034ceb"
NAS-Identifier = "0016014d9158"
NAS-Port = 36
Framed-MTU = 1400
State = 0x3d946123f5f422f576bed1eb52863e55
NAS-Port-Type = Wireless-802.11
EAP-Message = 
0x02020050198000461603010041013d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa8661600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section of 
radiusd.conf
Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize for request 
74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling preprocess 
(rlm_preprocess) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "preprocess" 
returns ok for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling mschap 
(rlm_mschap) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from mschap 
(rlm_mschap) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "mschap" returns 
noop for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling suffix 
(rlm_realm) for request 74
Wed Apr  4 14:32:48 2007 : Debug: rlm_realm: No '@' in User-Name = 
"testgeneral", looking up realm NULL
Wed Apr  4 14:32:48 2007 : Debug: rlm_realm: No such realm "NULL"
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from suffix 
(rlm_realm) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "suffix" returns 
noop for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap (rlm_eap) 
for request 74
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response id 2 
length 80
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming it's an 
on-going EAP conversation
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from eap 
(rlm_eap) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap" returns 
updated for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 74
Wed Apr  4 14:32:48 2007 : Debug: users: Matched entry testgeneral at line 
216
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from files 
(rlm_files) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files" returns 
ok for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling etc_smbpasswd 
(rlm_passwd) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from 
etc_smbpasswd (rlm_passwd) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "etc_smbpasswd" 
returns notfound for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap (rlm_pap) 
for request 74
Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, not 
changing it.
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned from pap 
(rlm_pap) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap" returns 
noop for request 74
Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize (returns 
updated) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found Auth-Type EAP
Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate section of 
radiusd.conf
Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate for 
request 74
Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling eap 
(rlm_eap) for request 74
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released from the 
list
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls:  Length Included
Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 11 
Wed Apr  4 14:32:48 2007 : Debug: (other): before/accept initialization 
Wed Apr  4 14:32:48 2007 : Debug: TLS_accept: before/accept initialization 
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake [length 
0041], ClientHello  
Wed Apr  4 14:32:48 2007 : Debug: TLS_accept: SSLv3 read client hello A 
Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake [length 
004a], ServerHello  
Wed Apr  4 14:32:48 2007 : Debug:

Re: EAP-TLS authentication

2007-04-04 Thread deepak kumar

Hi Alan.
Is there any way in FreeRADIUS where the FreeRADIUS server can invoke a Java
program in response to some event?
E.g. if some user is logged out, this event should be propagated to a Java program
or to some other component.




On 3/29/07, Alan DeKok <[EMAIL PROTECTED]> wrote:

deepak kumar wrote:
> Thanks
> I have implemented EAP-TTLS, stored the EAP-Type value in the radpostauth table
> and am able to connect to the internet without UAM.
> Once a user is authenticated through EAP-TTLS, his details are put in the
> radpostauth table and he is allowed to access the internet without UAM, but
> his accounting information is not stored in the radacct table.
> How do I store accounting information in radacct in the case of EAP-TTLS?

This is in the FAQ.

Alan DeKok.
--
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog


Re: Version 2.0 is a lot closer to reality...

2007-04-04 Thread Alexander Serkin
Alan, thinking about the upcoming upgrade from 1.1.5 to 2.0, I tried 2.0 with
my configuration from 1.1.5.
There seems to be some difference which I hope you can explain.
The proxy.conf configuration is

realm NULL {
 type= radius
 authhost= LOCAL
 accthost= LOCAL
}

and we have a user who has a simple radcheck entry in SQL:

mobile  Auth-Type:=accept

In 1.1.5 radiusd performs the authorize and authorize group checks in SQL:

rlm_sql (sqlauth): sql_set_user escaped user --> 'mobile'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE (usergroup.Username = 'mobile' or usergroup.CLID = '25009740996') AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY usergroup.PRIORITY,radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mobile' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE (usergroup.Username = 'mobile' OR usergroup.CLID = '25009740996') AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sqlauth): Released sql socket id: 4
   modcall[authorize]: module "sqlauth" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mobile] (from client localhost port 0 cli 25009740996)

But in 2.0 we lack the group checks:

rlm_sql (sqlauth): sql_set_user escaped user --> 'mobile'
rlm_sql (sqlauth): Reserving sql socket id: 4
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): User found in radcheck table
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mobile' ORDER BY id'
rlm_sql (sqlauth): Released sql socket id: 4
   modcall[authorize]: module "sqlauth" returns ok for request 0
modcall: group authorize returns ok for request 0
   rad_check_password:  Found Auth-Type Accept
   rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [mobile] (from client localhost port 0 cli 25009700040996)

What could be the possible reason(s) for that?

Alan DeKok wrote:
>   I've just committed massive changes to the server core.  The "diff" is
> about 3k lines, and doesn't include deleted or added files.
> 
>   The good news is that it looks to be nearly 100% backwards compatible
> with the configurations currently allowed by the CVS head.  That is,
> I've written it to be backwards compatible, and validated it via tests,
> but I won't claim it's perfect until people test it.
...


-- 
Sincerely Yours,
Alexander


Re: Duplicate accounting log entries

2007-04-04 Thread Dennis Skinner
Patric wrote:
> made the unique_id column unique in my database

Careful with that last bit.  Some NASes can and do reuse their
unique_ids, especially if they are reloaded.

Making sure the port is part of the key will help some, but I was still
getting dupes in my db after several months of data.  You may not see
this as often as I do because I reload my pools fairly often, but making
that db column unique is absolute, and those NASes will be reloaded at
some point.

Just FYI.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Duplicate accounting log entries

2007-04-04 Thread Patric
Hi guys,

The NAS maintainer was nice enough to get back to me, and the problem has 
been sorted out. This is what was happening:

Their proxy servers are behind a load sharing device, which is why the 
retransmission of one of the records had a different client_ip_address, 
but both entries came from the same NAS-IP-Address.

I have removed the client_ip_address from the unique_id declaration and 
made the unique_id column unique in my database, so this should solve 
all my problems :]

Thanks so much for your time and help!

Patrick


Re: Duplicate accounting log entries

2007-04-04 Thread Dennis Skinner
Patric wrote:
> 
> I am getting duplicate updates for that user from the NAS, where 
> everything is identical including the input and output octets, which 
> leads me to believe that the traffic is being combined and I actually 
> only need 1 of the records.
> If I then make my unique_id column unique, I will prevent this duplication.

I can't comment on DSL, but just as some general knowledge...

RADIUS is UDP, so if reply packets from your system are lost, then the
NAS will resend and you will have 2 copies.  This can also happen if
your radius server is being slow (perhaps due to SQL inserts) and not
responding in time.

You should try to optimize your database tables for best performance
first (if MySQL, you probably want to use the InnoDB table engine at
least for the radacct table).  You will also want to archive that table
on a regular basis.  For our system, I found a significant slowdown on
inserts when the table got above about 5 million records.

If you are still getting a lot of duplicates, then you may want to work
with the people who own the NASes to adjust the timeouts.  They may have
them set too low for some reason.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: Duplicate accounting log entries

2007-04-04 Thread Patric
Hi again,

Thanks a stack for your responses, I have a much better understanding of 
how it works now! Yes, I do have the acct_unique_id set up as below, and 
have managed to weed out a lot of the duplication now.

Dennis Skinner wrote:
> No.  Look in the radius.conf for a section that looks like this:
> 
> acct_unique {
>     key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>            Client-IP-Address, NAS-Port"
> }
> 
> That creates the second key (the one that doesn't come from the NAS)
> that is based on the first one.  Notice the User-Name is part of the
> mix, hence Alan's question about how they could be the same.

After further investigation with my newly gained knowledge, I have been 
able to find in more detail what the problems are.

In 1 instance, I have 2 accounting Starts for the same username at the 
same time, but from 2 DIFFERENT NASes! Which then results in 2 different 
unique ids, as the client-ip is different...
I have now sent a query to the maintainers of the NAS, as I feel this is 
a valid query, but could anyone verify for me that this should NOT be 
happening?

My second worry is this. If a DSL user connects multiple times on the 
same line, what is the typical NAS behaviour for accounting?
Does the NAS combine the traffic of all the connections and send that, 
or does it monitor each connection separately?

I am getting duplicate updates for that user from the NAS, where 
everything is identical including the input and output octets, which 
leads me to believe that the traffic is being combined and I actually 
only need 1 of the records.
If I then make my unique_id column unique, I will prevent this duplication.

Thanks again guys, as always any input is much appreciated!

Patrick
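To make the dedup behaviour discussed in this thread concrete, here is an added example (not FreeRADIUS code and not from any poster) that hashes the acct_unique key attributes over constructed accounting records: it shows why a retransmission arriving via a second proxy got a different id while Client-IP-Address was in the key, and why a NAS that reuses its session id after a reload collides with the old row once the column is UNIQUE. The MD5-over-comma-joined-values format and the sample records are assumptions of this example, not the module's own format.

```python
import hashlib

# Key from the acct_unique section quoted in the thread.
DEFAULT_KEY = ["User-Name", "Acct-Session-Id", "NAS-IP-Address",
               "Client-IP-Address", "NAS-Port"]
# Patric's change: drop Client-IP-Address so a retransmission that arrives
# via a different proxy behind the load sharer hashes the same.
NO_CLIENT_IP_KEY = [a for a in DEFAULT_KEY if a != "Client-IP-Address"]

# Constructed sample records (not captured from any real NAS).
# RETRANSMITTED: one Interim-Update and its retransmission via a second
# proxy; only Client-IP-Address differs.
RETRANSMITTED = [
    {"User-Name": "alice", "Acct-Session-Id": "0000001A",
     "NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "198.51.100.5",
     "NAS-Port": 7, "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1234, "Acct-Output-Octets": 5678},
    {"User-Name": "alice", "Acct-Session-Id": "0000001A",
     "NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "198.51.100.6",
     "NAS-Port": 7, "Acct-Status-Type": "Interim-Update",
     "Acct-Input-Octets": 1234, "Acct-Output-Octets": 5678},
]
# Dennis's caveat: after a reload the same NAS reuses the session id on
# the same port for the same user, so this genuine new Start collides.
REUSED_AFTER_RELOAD = {
    "User-Name": "alice", "Acct-Session-Id": "0000001A",
    "NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "198.51.100.5",
    "NAS-Port": 7, "Acct-Status-Type": "Start",
    "Acct-Input-Octets": 0, "Acct-Output-Octets": 0}


def unique_id(record, key_attrs):
    """MD5 over the comma-joined key values. rlm_acct_unique also hashes
    the key attributes, but this exact joining format is an assumption."""
    joined = ",".join(str(record.get(a, "")) for a in key_attrs)
    return hashlib.md5(joined.encode()).hexdigest()


def distinct_ids(records, key_attrs):
    """The ids a UNIQUE unique_id column would see for these records."""
    return {unique_id(r, key_attrs) for r in records}


def is_genuine_duplicate(stored, incoming, key_attrs):
    """A retransmit repeats the status type and counters of the stored row;
    a Start that merely reuses an old session id is a new session."""
    if unique_id(stored, key_attrs) != unique_id(incoming, key_attrs):
        return False
    return all(stored.get(a) == incoming.get(a) for a in
               ("Acct-Status-Type", "Acct-Input-Octets", "Acct-Output-Octets"))
```

With the default key the two retransmits get two ids (the duplicate rows Patric saw); without Client-IP-Address they collapse to one, but so does the reused session id after a reload, which a UNIQUE column would then reject unless the status type and counters are compared as well.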


Re: Radius Packet Simulator

2007-04-04 Thread Marat Rysbekov
NTRadPing may be useful, too: http://www.dialways.com/download/