RE: Disabling EAP-TLS while keeping EAP-PEAP
If someone can gain that level of access and decides JUST to issue a wild certificate - write him a "Thank You" letter. What if he creates a batch of new users? Or resets ALL your users' passwords to "Leroy wuz 'ere"? Your worries are misplaced.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Disabling EAP-TLS while keeping EAP-PEAP
[EMAIL PROTECTED] wrote:
> By not issuing client certificates.

While I covered this solution in my initial posting, what if a certificate was issued, no CRL is possible, and I want to disable EAP-TLS but keep EAP-PEAP?

--
Martin Gadbois          | "Please answer by yes or no.
Sr. SW Designer         |  Uncooperative user waste precious CPU time"
Colubris Networks Inc.  | -- The Andromeda Strain, M. Crichton, 1969
Re: Disabling EAP-TLS while keeping EAP-PEAP
By not issuing client certificates.

Ivan Kalik
Kalik Informatika ISP

On 1/6/2007, "Martin Gadbois" <[EMAIL PROTECTED]> wrote:

> When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.
>
> How can I disable EAP-TLS while using EAP-PEAP?
>
> I agree that if the client does not have a client key, EAP-TLS will not
> work. But how to restrict EAP-TLS in any case?
>
> Thanks!
>
> --
> Martin Gadbois          | "Please answer by yes or no.
> Sr. SW Designer         |  Uncooperative user waste precious CPU time"
> Colubris Networks Inc.  | -- The Andromeda Strain, M. Crichton, 1969
Disabling EAP-TLS while keeping EAP-PEAP
When enabling EAP-PEAP with FreeRADIUS, module EAP-TLS is required.

How can I disable EAP-TLS while using EAP-PEAP?

I agree that if the client does not have a client key, EAP-TLS will not work. But how to restrict EAP-TLS in any case?

Thanks!

--
Martin Gadbois          | "Please answer by yes or no.
Sr. SW Designer         |  Uncooperative user waste precious CPU time"
Colubris Networks Inc.  | -- The Andromeda Strain, M. Crichton, 1969
Freeradius and Rodopi
Does anyone have a radiusd.conf they would share? I am trying to get the users file Rodopi creates to work with FreeRADIUS. As you know it's in a different format, as

username Password = password

Anyway it's a backup radius solution of site, and I don't want it to have to use MSSQL. Trying to be as simple as possible. Any help would be appreciated.

Thanks All

From: Elie Hani [mailto:[EMAIL PROTECTED]
To: 'FreeRadius users mailing list' [mailto:[EMAIL PROTECTED]
Sent: Fri, 01 Jun 2007 05:43:36 -0400
Subject: RE: Backing up freeradius

Thanks a lot, it works fine now.

Elie Hani

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Friday, June 01, 2007 10:47 AM
To: FreeRadius users mailing list
Subject: Re: Backing up freeradius

On Fri 01 Jun 2007, Peter Nixon wrote:
> On Fri 01 Jun 2007, Elie Hani wrote:
> > Hi;
> >
> > I have freeradius configured on Fedora Core 6, I tried to configure a
> > backup script where I can copy /etc/raddb folder to another server with
> > the same version and the same operating system.
> >
> > When it's done, the command service radiusd start did not work,
> > but radiusd -x & worked and the server is well functioning.
> >
> > What could be the problem?
>
> permissions...

My server synchronisation script looks like:

rsync -a /etc/raddb [EMAIL PROTECTED]:/etc --delete
ssh [EMAIL PROTECTED] /etc/init.d/freeradius stop
ssh [EMAIL PROTECTED] /etc/init.d/freeradius start

I run it AFTER I have already verified that the config works on the localhost, and I use ssh keys so that it doesn't ask for the password for each line...

If you have different ssl certs on each machine then you will need to modify the rsync line..

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: problem in authentication with EAP-MD5
This looks OK now:

State: DISCONNECTED -> ASSOCIATING
..
State: ASSOCIATING -> ASSOCIATED
..
EAP: EAP entering state INITIALIZE
..
EAPOL: SUPP_PAE entering state AUTHENTICATING

This is now a supplicant issue - EAP is failing despite Access-Accept. Something is broken there. You will need to post your question to the wpasupplicant list. I don't know anything about that supplicant.

Ivan Kalik
Kalik Informatika ISP

On 1/6/2007, "shantanu choudhary" <[EMAIL PROTECTED]> wrote:

> Well, I'm using DHCP to get an IP. Now I have retried and now I'm not getting
> any message like "cannot assign requested address" but I'm still getting that
> EAP-FAILURE message.
> I'm sending you the output for the client side, hope you can trace the problem.
> Thanks for your help!
RE: Backing up freeradius
Thanks a lot, it works fine now.

Elie Hani

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Friday, June 01, 2007 10:47 AM
To: FreeRadius users mailing list
Subject: Re: Backing up freeradius

On Fri 01 Jun 2007, Peter Nixon wrote:
> On Fri 01 Jun 2007, Elie Hani wrote:
> > Hi;
> >
> > I have freeradius configured on Fedora Core 6, I tried to configure a
> > backup script where I can copy /etc/raddb folder to another server with
> > the same version and the same operating system.
> >
> > When it's done, the command service radiusd start did not work,
> > but radiusd -x & worked and the server is well functioning.
> >
> > What could be the problem?
>
> permissions...

My server synchronisation script looks like:

rsync -a /etc/raddb [EMAIL PROTECTED]:/etc --delete
ssh [EMAIL PROTECTED] /etc/init.d/freeradius stop
ssh [EMAIL PROTECTED] /etc/init.d/freeradius start

I run it AFTER I have already verified that the config works on the localhost, and I use ssh keys so that it doesn't ask for the password for each line...

If you have different ssl certs on each machine then you will need to modify the rsync line..

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: problem in authentication with EAP-MD5
Yes, radius is now working fine.

What are you using (or going to use) to assign an IP address to the client - radius or DHCP? If you are using DHCP, something is wrong with address/netmask assignment. If you are not using anything at the moment you will need to pick one.

As for the wpasupplicant log - it doesn't mean much to me (our WiFi lot is all XP). At a glance, you fail to associate with an AP even before radius traffic starts. It's complaining about the IP address from the start. Are you sure that's working properly?

Framed-IP-Address and Framed-IP-Netmask are used to assign them to the client if the NAS is not doing DHCP.

Ivan Kalik
Kalik Informatika ISP

On 1/6/2007, "shantanu choudhary" <[EMAIL PROTECTED]> wrote:

> Sorry for the confusion and delay!!
> I am attaching the users file, server output and client output.
> The server is still giving Access-Accept, but the client is displaying "can't assign
> requested address"!!
> One thing: what parameters should I add, and what is Framed-IP-Address used
> for??
> Now this users file is giving no error and the server is running without any
> problem!
>
> users file:
>
>
> #	Please read the documentation file ../doc/processing_users_file,
> #	or 'man 5 users' (after installing the server) for more information.
> #
> #	As of 1.1.4, you SHOULD NOT use Auth-Type. See "man rlm_pap"
> #	for a much better way of dealing with differing passwords.
> #	If you set Auth-Type, SOME AUTHENTICATION METHODS WILL NOT WORK.
> #	If you don't set Auth-Type, the server will figure out what to do,
> #	and will almost always do the right thing.
> #
> #	This file contains authentication security and configuration
> #	information for each user. Accounting requests are NOT processed
> #	through this file. Instead, see 'acct_users', in this directory.
> #
> #	The first field is the user's name and can be up to
> #	253 characters in length. This is followed (on the same line) with
> #	the list of authentication requirements for that user. This can
> #	include password, comm server name, comm server port number, protocol
> #	type (perhaps set by the "hints" file), and huntgroup name (set by
> #	the "huntgroups" file).
> #
> #	Indented (with the tab character) lines following the first
> #	line indicate the configuration values to be passed back to
> #	the comm server to allow the initiation of a user session.
> #	This can include things like the PPP configuration values
> #	or the host to log the user onto.
> #
> #	If you are not sure why a particular reply is being sent by the
> #	server, then run the server in debugging mode (radiusd -X), and
> #	you will see which entries in this file are matched.
> #
> #	When an authentication request is received from the comm server,
> #	these values are tested. Only the first match is used unless the
> #	"Fall-Through" variable is set to "Yes".
> #
> #	A special user named "DEFAULT" matches on all usernames.
> #	You can have several DEFAULT entries. All entries are processed
> #	in the order they appear in this file. The first entry that
> #	matches the login-request will stop processing unless you use
> #	the Fall-Through variable.
> #
> #	You can include another `users' file with `$INCLUDE users.other'
> #
>
> #
> #	For a list of RADIUS attributes, and links to their definitions,
> #	see:
> #
> #	http://www.freeradius.org/rfc/attributes.html
> #
>
> #
> # Deny access for a specific user. Note that this entry MUST
> # be before any other 'Auth-Type' attribute which results in the user
> # being authenticated.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #lameuser	Auth-Type := Reject
> #	Reply-Message = "Your account has been disabled."
>
> #
> # Deny access for a group of users.
> #
> # Note that there is NO 'Fall-Through' attribute, so the user will not
> # be given any additional resources.
> #
> #DEFAULT	Group == "disabled", Auth-Type := Reject
> #	Reply-Message = "Your account has been disabled."
> #
>
> #
> # This is a complete entry for "steve". Note that there is no Fall-Through
> # entry so that no DEFAULT entry will be used, and the user will NOT
> # get any attributes in addition to the ones listed here.
> #
> #steve	Cleartext-Password := "testing"
> #	Service-Type = Framed-User,
> #	Framed-Protocol = PPP,
> #	Framed-IP-Address = 172.16.3.33,
> #	Framed-IP-Netmask = 255.255.255.0,
> #	Framed-Routing = Broadcast-Listen,
> #	Framed-Filter-Id = "std.ppp",
> #	Framed-MTU = 1500,
> #	Framed-Compression = Van-Jacobsen-TCP-IP
>
> #
> # This is an entry for a user with a space in their name.
> # Note the double quotes surrounding the name.
> #
> #"John Doe"	Cleartext-Password := "hello"
> #	Reply-Message = "Hello, %u"
>
> #
> # Dial user back and telnet to the default host for that port
> #
> #Deg	Cleartext-Password := "ge55ged"
> #	Service-Type = Callback-Login-User,
> #	Login-IP-Host = 0.0.0.0,
> #	Callba
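The matching rules the quoted users file comments describe (first field is the name, DEFAULT matches every name, indented lines are reply items, first match wins unless Fall-Through = Yes), as an added example that is not code from the list or from FreeRADIUS. The users fragment is constructed, and treating only `==` check items as comparisons is a simplification of what rlm_files does.

```python
import re

# Constructed users-file fragment in the layout the quoted comments describe.
USERS = '''\
# Deny one user; no Fall-Through, so nothing else is added.
lameuser\tAuth-Type := Reject
\tReply-Message = "Your account has been disabled."

DEFAULT\tGroup == "disabled", Auth-Type := Reject
\tReply-Message = "Your account has been disabled."

steve\tCleartext-Password := "testing"
\tService-Type = Framed-User,
\tFramed-IP-Address = 172.16.3.33

DEFAULT\tFramed-Protocol == PPP
\tFramed-MTU = 1500,
\tFall-Through = Yes

DEFAULT
\tReply-Message = "Welcome, %u"
'''

NAME = re.compile(r'("[^"]*"|\S+)\s*(.*)')                # user name (may be quoted), rest
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')  # attr op value


def parse(text):
    """Return entries as dicts with name, check items and reply items (attr, op, value)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # blank or comment line
        if line[0] in ' \t':              # indented: reply items for the current entry
            entries[-1]['reply'] += [(a, op, v.strip('"')) for a, op, v in ITEM.findall(line)]
        else:                             # first field is the user name, rest are check items
            name, rest = NAME.match(line).groups()
            entries.append({'name': name.strip('"'),
                            'check': [(a, op, v.strip('"')) for a, op, v in ITEM.findall(rest)],
                            'reply': []})
    return entries


def lookup(entries, request):
    """Walk the entries in order; the first match wins unless it sets Fall-Through = Yes."""
    config, reply = {}, {}
    for e in entries:
        if e['name'] != 'DEFAULT' and e['name'] != request.get('User-Name'):
            continue
        if any(request.get(a) != v for a, op, v in e['check'] if op == '=='):
            continue                      # a '==' check item did not match the request
        config.update((a, v) for a, op, v in e['check'] if op != '==')   # e.g. Auth-Type := Reject
        reply.update((a, v) for a, op, v in e['reply'] if a != 'Fall-Through')
        if not any(a == 'Fall-Through' and v.lower() == 'yes' for a, op, v in e['reply']):
            break                         # no Fall-Through: later DEFAULT entries are skipped
    return config, reply
```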
Re: Backing up freeradius
On Fri 01 Jun 2007, Peter Nixon wrote:
> On Fri 01 Jun 2007, Elie Hani wrote:
> > Hi;
> >
> > I have freeradius configured on Fedora Core 6, I tried to configure a
> > backup script where I can copy /etc/raddb folder to another server with
> > the same version and the same operating system.
> >
> > When it's done, the command service radiusd start did not work,
> > but radiusd -x & worked and the server is well functioning.
> >
> > What could be the problem?
>
> permissions...

My server synchronisation script looks like:

rsync -a /etc/raddb [EMAIL PROTECTED]:/etc --delete
ssh [EMAIL PROTECTED] /etc/init.d/freeradius stop
ssh [EMAIL PROTECTED] /etc/init.d/freeradius start

I run it AFTER I have already verified that the config works on the localhost, and I use ssh keys so that it doesn't ask for the password for each line...

If you have different ssl certs on each machine then you will need to modify the rsync line..

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Backing up freeradius
On Fri 01 Jun 2007, Elie Hani wrote:
> Hi;
>
> I have freeradius configured on Fedora Core 6, I tried to configure a
> backup script where I can copy /etc/raddb folder to another server with
> the same version and the same operating system.
>
> When it's done, the command service radiusd start did not work,
> but radiusd -x & worked and the server is well functioning.
>
> What could be the problem?

permissions...

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Backing up freeradius
Hi;

I have freeradius configured on Fedora Core 6. I tried to configure a backup script where I can copy the /etc/raddb folder to another server with the same version and the same operating system.

When it's done, the command service radiusd start did not work, but radiusd -x & worked and the server is well functioning.

What could be the problem?

Thanks
Elie Hani
RE: error make rlm_tls
> > Pilar Sanchez wrote:
> > I put as option of "compile"
> > -with-openssl-libraries=/usr/local/ssl/lib
> > --with-openssl-includes=/usr/local/ssl/include
>
> Maybe that should be with --with-openssl-libraries.
> You have -with-openssl-libraries.

I wrote it badly in the email but it was right when I compiled. I did all the process again and still had to modify the Makefiles of the modules. But now I've found another problem and I think this will be more difficult to solve. When I execute radius -X -A I get:

rlm_eap: Failed to link EAP-Type/tls: ld.so.1: radiusd: fatal: relocation error: file /usr/local/freeradius/lib/rlm_eap_tls-1.1.6.so : symbol cbtls_password: referenced symbol not found
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1959] Unknown module "eap".

Thanks