Re: Denying access without restarting radiusd [SEC=UNCLASSIFIED]
Hi,

> Hello All, I have a freeradius v1.51 as can be seen below running on a linux server.

err, no. you have radclient version 1.51 - the tools are at different version levels. to check what version of freeradius, radiusd -v

> Can someone show me how to deny a set of users like this without restarting radius?

SQL table...or maybe the hashed 'fastusers' file

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rlm_python - need documentation
Peter, thank you for your fast response. Can you also provide me some example of a script, so I could understand how the module works? Again, it is a bit difficult for me to find it out from the documentation which comes with freeradius.

Ta,
Dan

> On Mon 28 May 2007, UriCALL Support wrote:
>> Hi All, I am in need of developing my own application using rlm_python. Can anybody inform me about some documentation available? From what I have found on Internet it looks like an isolated project with lack of users ... Anybody able to share the experience with me? Is it stable for production?
>
> Some patches went in recently to make it better based on code that reportedly has been running in production for over 12 months. YMMV.
>
> Cheers
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: JRS Service configurations + Wiki
Hi,

> Would you mind having configuration documents for 3rd party services like JRS on the FreeRADIUS wiki ?

as the work item leader for eduroam in Europe, I'd say: we also wouldn't mind if you'd give permission to put all this fine documentation into the Roaming Cookbook v2 (or v3), if you don't mind... ;-)

You can contact Josh Howlett from UKERNA for these matters, or me directly.

Greetings,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research and Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
Re: 2.0.0-pre1 - cannot build on FreeBSD
David Wood wrote:
> Fortunately it's a two line change in the port's Makefile to delete configure after applying the patch and run configure.in through autoconf 2.61 - though if I don't need to do that, I don't, as it means that the port doesn't force systems without autoconf 2.61 to build and install autoconf.

There's no need to do that. I just re-ran autoconf, and checked the results in.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
The EAP-TLS packet will contain more data than we can process
Hi,

I'm setting up a Mikrotik wireless AP with a freeradius server behind it and EAP-TLS, client connects fine (those errors are meaningless, right? can I get rid of them?):

Tue May 29 11:47:56 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 11:47:56 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 11:47:59 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 11:48:00 2007 : Auth: Login OK: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)

but after a while, the connection is renegotiated (maybe because of weak signal), but then it starts failing:

Tue May 29 12:01:12 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:01:12 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:01:16 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:01:16 2007 : Auth: Login OK: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
Tue May 29 12:01:41 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:01:41 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:02:42 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:02:42 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
Tue May 29 12:02:44 2007 : Auth: Login incorrect: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
Tue May 29 12:02:53 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:02:53 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:02:55 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
Tue May 29 12:02:55 2007 : Auth: Login incorrect: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
Tue May 29 12:03:08 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:03:08 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:03:09 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
Tue May 29 12:03:09 2007 : Auth: Login incorrect: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)

What might be the cause of this? I suspect that Mikrotik corrupts the packets somehow...

I'm using freeradius 1.1.3-3 (debian etch version with EAP-TLS enabled)

Thanks

--
Jan Schermer
Linux Administrator
ET NETERA | smart e-business solutions
[EMAIL PROTECTED]
+420 60805
Re: log file for free radius 1.1.6 eap-tls authentication
1. That's not how certificates work. You add those that you want to PREVENT from connecting (for whatever reason) to a Certificate Revocation List (CRL). You supposedly do have control over who certificates are issued to. If you have no control over the CA then you shouldn't be using them.

2. Is anything (reading config files etc.) written to the log when you restart the server?

Ivan Kalik
Kalik Informatika ISP

On 29/5/2007, [EMAIL PROTECTED] wrote:
> Hi
>
> 1 I know its eap-tls and certificate based. Earlier i was using Navis radius. In that for eap-tls we have to add the certificate name to a specific user file. Like that here also a user file is there; can i make use of the user file so that only that user gets authenticated,
>
> 2 Logs are not happening. Are config changes required to get the same?
>
> Regards
> Anoop
>
> Date: Mon, 28 May 2007 15:07:06 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: log file for free radius 1.1.6 eap-tls authentication
> To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
>
>> This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: The EAP-TLS packet will contain more data than we can process
Jan Schermer / ET NETERA wrote:
> I'm setting up a Mikrotik wireless AP with a freeradius server behind it and EAP-TLS, client connects fine (those errors are meaningless, right? can I get rid of them?):

Upgrade to 1.1.6.

> but after a while, the connection is renegotiated (maybe because of weak signal), but then it starts failing:
> ...
> Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.

The supplicant is tunnelling additional data inside of EAP-TLS. FreeRADIUS doesn't support that.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
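An added example, not part of the thread or of FreeRADIUS: a small Python parser over constructed radius.log lines in the format Jan quoted. It groups each Auth: line with the Error: lines logged before it, so the rejections that follow the rlm_eap_tls "more data" error Alan explains can be separated from the TLS_accept noise that precedes a successful login.

```python
import re
from datetime import datetime

# Constructed sample in the radius.log format quoted in the thread:
# one renegotiation that still succeeds, then two that are rejected.
SAMPLE_LOG = """\
Tue May 29 12:01:12 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:01:12 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:01:16 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:01:16 2007 : Auth: Login OK: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
Tue May 29 12:02:42 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:02:42 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
Tue May 29 12:02:44 2007 : Auth: Login incorrect: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
Tue May 29 12:02:53 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue May 29 12:02:53 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Tue May 29 12:02:55 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
Tue May 29 12:02:55 2007 : Auth: Login incorrect: [Jan Schermer/no User-Password attribute] (from client internal-rec port 0)
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> : <Level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^Login (?P<result>OK|incorrect): \[(?P<user>[^/\]]*)/[^\]]*\] "
    r"\(from client (?P<client>\S+) port \d+\)$")
TUNNEL_MSG = "The EAP-TLS packet will contain more data than we can process"


def parse_log(text):
    """Group each Auth: line with the Error: lines logged since the previous Auth: line."""
    attempts, pending = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a radius.log line
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        if m["level"] == "Error":
            pending.append(m["msg"])
        elif m["level"] == "Auth":
            a = AUTH_RE.match(m["msg"])
            if a:
                attempts.append({"time": ts, "user": a["user"], "client": a["client"],
                                 "ok": a["result"] == "OK", "errors": pending})
            pending = []  # errors belong to the attempt just closed
    return attempts


def tunnelled_data_failures(attempts):
    """Rejections preceded by the rlm_eap_tls 'more data' error (the case Alan explains)."""
    return [a for a in attempts
            if not a["ok"] and any(TUNNEL_MSG in e for e in a["errors"])]


def summarize(attempts):
    """Per user: accepted, rejected, and rejected-with-tunnel-error counts."""
    out = {}
    for a in attempts:
        c = out.setdefault(a["user"], {"ok": 0, "rejected": 0, "tunnel_error": 0})
        if a["ok"]:
            c["ok"] += 1
        else:
            c["rejected"] += 1
            if any(TUNNEL_MSG in e for e in a["errors"]):
                c["tunnel_error"] += 1
    return out


if __name__ == "__main__":
    for user, counts in summarize(parse_log(SAMPLE_LOG)).items():
        print(user, counts)
```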
Re: The EAP-TLS packet will contain more data than we can process
Hi,

I'll give 2.0-pre1 a try, to see if it works. I will revert to 1.1.6 if needed.

> The supplicant is tunnelling additional data inside of EAP-TLS. FreeRADIUS doesn't support that

Supplicant - do you mean the Mikrotik AP or wpa_supplicant on the client? I'm not sure what exactly Mikrotik does with EAP-TLS (and there are several options - EAP-TLS or passthrough, and verify cert. x don't verify cert x no certificate) - I thought the AP doesn't care about certificates, only forwards it to the RADIUS service (I already set this up once on a different AP and it had no such options)

Thanks
Jan
variables expansion in config files
Hi Alan,

it looks like latest CVS head has problems with expansion of ${var} in assignments:

rlm_sql (sql): database query error, SELECT id, ipaddr, shortname, type, secret FROM ${nas_table} where secret 'DISABLED' group by ipaddr: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '{nas_table} where secret 'DISABLED' group by ipaddr' at line 1

where nas_table is defined properly in sql.conf (which is included by the server) but it's not expanded in sql/mysql-dialup.conf:

...
nas_query = SELECT id, ipaddr, shortname, type, secret FROM ${nas_table} where secret 'DISABLED' group by ipaddr
...

It's related at least to all variables defined in sql.conf.

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
Re: variables expansion in config files
Milan Holub wrote:
> it looks like latest CVS head has problems with expansion of ${var} in assignments:

The fix has already been committed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: variables expansion in config files
Hi Alan,

On Tue, May 29, 2007 at 11:37:15AM +0200, Alan Dekok wrote:
> The fix has already been committed.

yes, it works, thanks :)

Milan Holub
holub (at) thenet (dot) ch
--
TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
CH-3018, Bern, Switzerland
031 998 4333, Fax 031 998 4330
http://www.thenet.ch http://wlan.thenet.ch
error make rlm_tls
Hello

I'm trying to install FR 1.1.6 (from .tar file) on Solaris 8, with openssl 0.9.8e (also installed from .tar file), and when I do the make, the types rlm_eap_peap and rlm_eap_tls fail. When I do the compile they find the OpenSSL libs. The error is:

In file included from eap_peap.h:25,
                 from rlm_eap_peap.c:24:
../../libeap/eap_tls.h:138: error: parse error before SSL

I know this is an old problem, but I thought that was related to a bug in the 1.1.1 version. Could someone give me some indications on how to solve this problem?

Thanks in advance

***
Pilar Sánchez Fernández
Comunicaciones CEDEX
C/ Alfonso XII nº 3 y 5
Tel: 91 335 72 81
Mail: [EMAIL PROTECTED]
http://www.cedex.es
using encrypted passwords in users file or sql-radcheck table
Hi all,

cleartext, unix crypt and MD5-Passwords work fine in both the users file and the db. do sha1-hashed pwds work?

another question: can i use symmetric password encryption in the users file or radcheck table?

thx for your help
RE: JRS Service configurations + Wiki
Alan D,
> Would you mind having configuration documents for 3rd party services like JRS on the FreeRADIUS wiki ?

Alan B,
>> Would JANET mind having configuration documents for JRS on the FreeRADIUS wiki ? It is meant to be a repository for everything FreeRADIUS after all ... and it's easier if all this stuff is in one place.
>
> personally I would prefer such configuration to be on the JRS support / UKERNA document site. What should be on the main FR wiki is the fundamental 'how to proxy' and 'how to attribute filter' type documents. I believe that special service cases could otherwise overrun the freeradius site (as they do the freeradius users list)

While UKERNA would have absolutely no problem with this, I empathise with Alan B's view that such documentation might be 'clutter' on the FreeRADIUS Wiki and might be better located on a JRS-specific website. It might also be more visible to JRS participants. Perhaps a link from the Wiki to the JRS website might be more appropriate?

If you'd like to contribute some JRS documentation formally, then please get in touch with me directly! We're particularly interested in documentation covering the 'complete solution' (auth db, radius, WAPs, PR, etc). This is obviously a lot of work, but we should be able to compensate your Institution for this effort.

best regards,
josh.
Multiple server certificates in EAP-TLS or EAP-TTLS
Multiple RADIUS clients can be defined in the clients.conf file. Is there a way to define the location of a server certificate for each client?

I'm envisioning a single freeRadius server supporting multiple client authenticators. I want each authenticator to be able to send a unique certificate to identify itself to its supplicants. It appears that the certificate_file parameter in the eap.conf file would only support a single certificate.
DDNS problem
hello

i'm using the 1.1.5 version of freeradius. i have a problem: i set up a client in clients.conf that is a host name like fkatz.dyndns.org because my NAS has a dynamic ip. When i try to login the first time (i use DD-WRT + chillispot built-in) i succeed, but after i receive a new dynamic ip from my ISP the radius rejects it because it doesn't know the new ip. The radius server works fine with a static IP, i tested. Also i checked lookup and ping to fkatz.dyndns.org after the dynamic ip has changed and it refreshes very fast.

thanks and sorry about my english.

--
ICQ#: 40226462
Skype: katonidas
Email: [EMAIL PROTECTED]
Re: DDNS problem
Mati Katz wrote:
> i'm using the 1.1.5 version of freeradius. i have a problem: i set up a client in clients.conf that is a host name like fkatz.dyndns.org because my NAS has a dynamic ip. When i try to login the first time (i use DD-WRT + chillispot built-in) i succeed, but after i receive a new dynamic ip from my ISP the radius rejects it because it doesn't know the new ip. The radius server works fine with a static IP, i tested. Also i checked lookup and ping to fkatz.dyndns.org after the dynamic ip has changed and it refreshes very fast.

The simple answer is don't use dynamic hosts. FreeRADIUS reads the clients file once at startup, resolves the IP's and then stores those. It won't know about the new IP until the daemon is restarted (or in theory HUP'ed when that is fixed).

If you must use dynamic hosts, then you will need to specify an IP range like this:

client 192.168.0.0/24 {
        secret = testing123-1
        shortname = private-network-1
}

That would allow a NAS to have any of 254 different IP's and still be able to talk to FreeRADIUS. It would also allow anyone else on those IP's who wants to talk to your NAS and can figure out the secret to potentially do naughty things.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: DDNS problem
On 2007-05-30 00:28, Dennis Skinner wrote:
> Mati Katz wrote:
>> i'm using the 1.1.5 version of freeradius. i have a problem: i set up a client in clients.conf that is a host name like fkatz.dyndns.org because my NAS has a dynamic ip. [...]
>
> The simple answer is don't use dynamic hosts. FreeRADIUS reads the clients file once at startup, resolves the IP's and then stores those. It won't know about the new IP until the daemon is restarted (or in theory HUP'ed when that is fixed).
>
> If you must use dynamic hosts, then you will need to specify an IP range like this:
>
> client 192.168.0.0/24 {
>         secret = testing123-1
>         shortname = private-network-1
> }
>
> That would allow a NAS to have any of 254 different IP's and still be able to talk to FreeRADIUS. It would also allow anyone else on those IP's who wants to talk to your NAS and can figure out the secret to potentially do naughty things.

Maybe fastusers with a short hash_reload is able to solve that issue?

Regards,

Krzysztof Olędzki
--
Krzysztof Olędzki
Axel Springer Polska Sp. z o.o.
tel: +48-22-2320969
fax: +48-22-2325530
Re: DDNS problem
On 2007-05-30 01:08, Krzysztof Olędzki wrote:
> On 2007-05-30 00:28, Dennis Skinner wrote:
>> [...] It won't know about the new IP until the daemon is restarted (or in theory HUP'ed when that is fixed).
>
> Maybe fastusers with a short hash_reload is able to solve that issue?

Ehh, sorry - totally wrong answer. So late, I should go sleep. ;)

Regards,

Krzysztof Olędzki
--
Krzysztof Olędzki
Axel Springer Polska Sp. z o.o.
tel: +48-22-2320969
fax: +48-22-2325530
RE: Gigaword support
Thank you! It would be nice if FreeRadius could have more support for Gigawords built in!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 22 May 2007 11:15 PM
To: FreeRadius users mailing list
Subject: Re: Gigaword support

Have a look at this: http://www.netexpertise.eu/en/FreeRadius/GigaWords.html

Ivan Kalik
Kalik Informatika ISP

On 22/5/2007, [EMAIL PROTECTED] wrote:
> I would like to have updated mysql queries for FreeRadius that support gigawords. Please assist.
Re : Multiple server certificates in EAP-TLS or EAP-TTLS
There was a post on this by Mike:

> You'll have to set up two instances of the EAP module. The first instance will have the TLS submodule set up with the information for Cert1.pem (and the appropriate key and CA cert). The second instance will have its TLS submodule set with the info for Cert2.pem. It will look something like this:
>
> modules {
>     ...
>     eap eap1 {
>         ...
>         tls {
>             certificate_file = Cert1.pem
>             ...
>         }
>     }
>     eap eap2 {
>         ...
>         tls {
>             certificate_file = Cert2.pem
>             ...
>         }
>     }
> }
>
> authorize {
>     ...
>     eap1
> }
>
> authenticate {
>     ...
>     eap1
>     eap2
> }
>
> Then, this is one of the few instances where you'll need to manually specify the Auth-Type in the users file, like this:
>
> DEFAULT Called-Station-Id == "00112233445566:SSID1", Auth-Type := eap1
> DEFAULT Called-Station-Id == "00112233445566:SSID2", Auth-Type := eap2
>
> Or, better yet, use regexes (this should work):
>
> DEFAULT Called-Station-Id =~ ":SSID1$", Auth-Type := eap1

Benjamin K. Eshun

----- Original Message -----
From: Don Peoples [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 29 May 2007, 23:27:06
Subject: Multiple server certificates in EAP-TLS or EAP-TTLS

> Multiple RADIUS clients can be defined in the clients.conf file. Is there a way to define the location of a server certificate for each client?
>
> I'm envisioning a single freeRadius server supporting multiple client authenticators. I want each authenticator to be able to send a unique certificate to identify itself to its supplicants. It appears that the certificate_file parameter in the eap.conf file would only support a single certificate.
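An added example, not from the thread or from FreeRADIUS itself: a Python model of how the users-file entries above select an EAP instance, using constructed entries in the same shape (exact `==` match, `=~` regex on the SSID suffix, and a trailing catch-all that rejects anything else). It implements first-match semantics only, without Fall-Through or reply items, which is enough to see which Auth-Type each Called-Station-Id ends up with.

```python
import re

# Constructed users-file entries in the shape the post shows: an exact match on
# Called-Station-Id, a regex match on its SSID suffix (check items compare with
# ==, not =), and a catch-all that rejects requests from any other SSID.
USERS_FILE = """\
DEFAULT Called-Station-Id == "00112233445566:SSID1", Auth-Type := eap1
DEFAULT Called-Station-Id =~ ":SSID2$", Auth-Type := eap2
DEFAULT Auth-Type := Reject
"""

# one check item: attribute, operator, quoted or bare value, optional comma
ITEM_RE = re.compile(
    r'\s*(?P<attr>[\w-]+)\s*(?P<op>==|=~|!=|!~|:=)\s*(?P<val>"[^"]*"|[^,\s]+)\s*,?')


def parse_users(text):
    """Return [(name, [(attr, op, value), ...]), ...] from the check-item lines.

    Reply items live on indented continuation lines and are not needed to pick
    an Auth-Type, so they are skipped here.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        items = [(m["attr"], m["op"], m["val"].strip('"')) for m in ITEM_RE.finditer(rest)]
        entries.append((parts[0], items))
    return entries


def check_matches(op, want, got):
    """Evaluate one comparison check item against the request's attribute value."""
    if got is None:
        return op in ("!=", "!~")  # a missing attribute only satisfies negated checks
    if op == "==":
        return got == want
    if op == "!=":
        return got != want
    if op == "=~":
        return re.search(want, got) is not None
    if op == "!~":
        return re.search(want, got) is None
    raise ValueError("unknown operator " + op)


def select_auth_type(entries, request):
    """First-match users-file semantics (no Fall-Through): the Auth-Type assigned
    with := by the first entry whose name and comparison items all match."""
    for name, items in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_matches(op, val, request.get(attr))
               for attr, op, val in items if op != ":="):
            for attr, op, val in items:
                if op == ":=" and attr == "Auth-Type":
                    return val
            return None  # entry matched but set no Auth-Type
    return None


if __name__ == "__main__":
    entries = parse_users(USERS_FILE)
    for csid in ("00112233445566:SSID1", "AABBCCDDEEFF:SSID2", "AABBCCDDEEFF:Guest"):
        request = {"User-Name": "alice", "Called-Station-Id": csid}
        print(csid, "->", select_auth_type(entries, request))
```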