Re: EAP-TTLS PAP Mysql problems

2007-06-20 Thread Stefan Winter
> What is it that I need to put in MySQL and in my configuration so that, after a
> good authentication, the reply contains Tunnel-Type, Tunnel-Medium-Type and
> Tunnel-Private-Group-ID, so the client can do a dhclient in the VLAN I return?

Put the appropriate attributes for VLAN assignment into the radreply table for 
the user in question.
Chances are that you also need to set the option 

use_tunneled_reply = yes

in eap.conf.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
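As an added example (my code, not from the message above or from the FreeRADIUS project): the radreply rows the reply calls for, built and sanity-checked in Python before they go into the database. The attribute names and the values VLAN (13) and IEEE-802 (6) come from RFC 3580 and the FreeRADIUS dictionary; the user name alice, VLAN 42 and the stock radreply column layout are assumptions. The check is there because a NAS silently ignores an incomplete or inconsistent set, which looks exactly like "authentication succeeds but the client is in the wrong VLAN". The eap.conf setting use_tunneled_reply = yes from the reply is still needed for the inner (tunneled) reply to reach the NAS.

```python
"""Build and sanity-check FreeRADIUS radreply rows for RADIUS VLAN assignment.

Added example, not code from the mailing-list message or from FreeRADIUS.
The user name, VLAN number and table layout are assumptions; the attribute
names and named values come from RFC 3580 / dictionary.rfc2868.
"""
from dataclasses import dataclass

# Named values from the FreeRADIUS dictionary (numeric value in the comment).
TUNNEL_TYPE_VLAN = "VLAN"             # Tunnel-Type 13
TUNNEL_MEDIUM_IEEE802 = "IEEE-802"    # Tunnel-Medium-Type 6
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")
REPLY_OPS = ("=", ":=", "+=")         # operators that make sense for reply items


@dataclass(frozen=True)
class ReplyRow:
    """One row of the radreply table (UserName, Attribute, op, Value)."""
    username: str
    attribute: str
    op: str
    value: str


def vlan_reply_rows(username, vlan_id):
    """Return the three reply rows a NAS needs to place `username` in `vlan_id`."""
    return [
        ReplyRow(username, "Tunnel-Type", ":=", TUNNEL_TYPE_VLAN),
        ReplyRow(username, "Tunnel-Medium-Type", ":=", TUNNEL_MEDIUM_IEEE802),
        ReplyRow(username, "Tunnel-Private-Group-ID", ":=", str(vlan_id)),
    ]


def validate_vlan_rows(rows):
    """Return a list of problems; an empty list means the row set is usable.

    A NAS ignores an incomplete or inconsistent set without complaint, so this
    catches the usual mistakes before the rows reach the database.
    """
    problems = []
    by_attr = {}
    for r in rows:
        if r.attribute in by_attr:
            problems.append(f"duplicate {r.attribute}")
        by_attr[r.attribute] = r
        if r.op not in REPLY_OPS:
            problems.append(f"{r.attribute}: op {r.op!r} is not a reply operator")
    for name in REQUIRED:
        if name not in by_attr:
            problems.append(f"missing {name}")
    if len({r.username for r in rows}) > 1:
        problems.append("rows belong to more than one user")
    tt = by_attr.get("Tunnel-Type")
    if tt and tt.value not in (TUNNEL_TYPE_VLAN, "13"):
        problems.append(f"Tunnel-Type {tt.value!r} is not VLAN")
    tm = by_attr.get("Tunnel-Medium-Type")
    if tm and tm.value not in (TUNNEL_MEDIUM_IEEE802, "6"):
        problems.append(f"Tunnel-Medium-Type {tm.value!r} is not IEEE-802")
    gid = by_attr.get("Tunnel-Private-Group-ID")
    if gid and not (gid.value.isdigit() and 1 <= int(gid.value) <= 4094):
        problems.append(f"Tunnel-Private-Group-ID {gid.value!r} is not a VLAN ID in 1..4094")
    return problems


def to_sql(rows):
    """Render rows as INSERT statements for the stock radreply table layout."""
    def q(s):  # minimal single-quote escaping for a literal SQL string
        return "'" + s.replace("'", "''") + "'"
    return [
        "INSERT INTO radreply (UserName, Attribute, op, Value) VALUES "
        f"({q(r.username)}, {q(r.attribute)}, {q(r.op)}, {q(r.value)});"
        for r in rows
    ]


if __name__ == "__main__":
    rows = vlan_reply_rows("alice", 42)      # assumed user and VLAN
    assert not validate_vlan_rows(rows)
    print("\n".join(to_sql(rows)))
```

Run it to get the three INSERT statements for the assumed user; point `validate_vlan_rows` at rows read back from an existing radreply table to find users whose VLAN set is incomplete.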

Re: Re : 2.0.0-pre : Failed to open socket.

2007-06-20 Thread David Wood
Hi Arran and all,

In message <[EMAIL PROTECTED]>, Arran Cudbard-Bell 
<[EMAIL PROTECTED]> writes
>Debashis Prusty wrote:
>> No. I have tried this. As I have mentioned earlier, versions like 
>> 1.1.4 & 1.1.6 are working fine. Problem is with version 2.0.0, where 
>> the listen part is not commented. Let's think of something else.
>>
>
>As I said earlier, but will say again for clarity.
>
>It *is* a bug in pre1, Alan was trying something out that broke binding
>in some BSD based operating systems and looks like Solaris too ...

Following a little bit of detective work with gdb, I realised that the 
problem is with the udpfromto code in -pre1, at least on FreeBSD. 
Passing --without-udpfromto to configure on FreeBSD means 2.0.0-pre1 
works on FreeBSD 6.2-RELEASE. Supposedly udpfromto works on BSD like 
operating systems, but I've never got it to work on FreeBSD, even in 
1.1.x.


>The code has been taken out in the CVS head... if you want to use the
>new features of 2** (of which there are many) use the CVS head not pre1.

Has the faulty code really been taken out or fixed, or is the resolution 
of this situation a side-effect of udpfromto being disabled in HEAD at 
the moment?


>In my opinion the biggest advantage of 2.*.* is the FreeRADIUS unlang
>(see man unlang) which wasn't included in pre1 anyway.

I have a working FreeBSD port for 2.0.0-pre1 on my system, but I'm loath 
to ask for it to be committed. I have to patch for bugs #452, 453 and 
454 (thanks to Nicolas for committing my enhanced patch for #454 to HEAD 
and the 1.1 branch), and pass --without-udpfromto to get the thing to 
work at all - though it is now working on my live system.

Further, pre1 has features missing compared to HEAD (not least the 
sites-available / sites-enabled stuff in raddb, which leads to quite a 
few changes in the configuration file), the PGP signature for the pre1 
.tar.gz doesn't verify and the .tar.bz2 isn't PGP signed, also 
raddb/certs/bootstrap doesn't work for me in pre1. I haven't bothered to 
try to debug raddb/certs/bootstrap yet; I have my own way of building 
the necessary certificates.

Nevertheless, if any FreeBSD users want a tarball of my 2.0.0-pre1 port, 
please email me. At the moment, it couldn't be committed to the ports 
tree because the patches are organised incorrectly, but it does work on 
my machine.


I had a relatively painless migration to a version 2 configuration - 
svn_load_dirs to update the configuration vendor branch in my private 
Subversion repository, svn copy to tag that vendor drop, svn merge the 
vendor branch changes to my live configuration, a bit of manual conflict 
resolution followed svn resolved (though less than I'd feared - 
Subversion got most things right by itself), then svn ci when I'd done.

That said, all I've done this far is port my version 1.1.6 configuration 
to version 2 configuration files; I've not taken advantage of anything 
new, nor will I do so without sites-available / sites-enabled and some 
other things that are not in pre1.


Is there any hope of a 2.0.0-pre2 release any time soon? I realise that 
version 2 is still under active development, that HEAD has just gone 
through a period of being uninstallable for a while so it may be wise to 
let things settle a while longer, and that the priority is on 
development rather than release of even a "pre" version. That said, I 
feel that there may be enough broken or missing in 2.0.0-pre1 to 
discourage further testing now, which I understood to be the whole point 
of shipping 2.0.0-pre1.

Whilst "it's fixed in HEAD" is fine for those who hang out here, FreeBSD 
ports are not really supposed to depend on a CVS or Subversion checkout 
for their main tarball. Recent discussion on freebsd-ports has suggested 
that, at most, using a checkout should be a non-default option. As 
development on 2.x continues, the FreeBSD package list is changing, so 
that really leaves my only options at the moment as patching 2.0.0-pre1 
or creating an unofficial 2.0.0-pre2 based on a tarball I'd have to host 
myself.


On that note, whilst I know this isn't the best place to report it (what 
is - bug database?), there's a typo in HEAD. raddb/Makefile version 1.26 
has a typo in the second line of the install target - it should be 
sites-available not sites-evailable.


Best wishes to you all,




David
-- 
David Wood
[EMAIL PROTECTED]


Re: RADIUS Authentication

2007-06-20 Thread nguyenvinht

By reading the wiki, it said FreeRadius runs on AIX. Any documentation about
how to install FreeRadius on AIX? Please let me know. Thanks.


Peter Nixon wrote:
> 
> On Fri 15 Jun 2007, nguyenvinht wrote:
>> Thanks Arran.
>>
>> How and where do I implement those codes in AIX RADIUS? Doable on AIX
>> RADIUS?
> 
> This is the FreeRADIUS mailing list. Please ask questions about other
> RADIUS servers elsewhere.
> 
> -- 
> 
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
> 
> 

-- 
View this message in context: 
http://www.nabble.com/RADIUS-Authentication-tf3918468.html#a11224860
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Yes, cert-clt.p12 is imported into the Personal store and cacert.pem is in
the Trusted Root Certificates store.

I was looking at another document that was putting chmod 0444 on the
cert-clt.p12 and chmod 0400 on the cacert.pem. 
Then, chown to radius:users on both.
Is that necessary?

Thanks,
Bryant.


You don't need users file if all user/pass information is stored in AD.
Can you check if imported certificate is in "Trusted Root" and not
some other certificate folder. I can't think of any other reason why
the conversation wouldn't start with your network configuration.

Ivan Kalik
Kalik Informatika ISP



Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread tnt
You don't need users file if all user/pass information is stored in AD.
Can you check if imported certificate is in "Trusted Root" and not
some other certificate folder. I can't think of any other reason why
the conversation wouldn't start with your network configuration.

Ivan Kalik
Kalik Informatika ISP



On 20/6/2007, "Bryant Marsh" <[EMAIL PROTECTED]> writes:

>
>Hi Ivan,
>
>There are Event log errors in Application and System.
>
>Event ID 1053 - Windows cannot determine the user or computer name. ().
>Group Policy processing aborted.  Or error: "The specified user does not
>exist."
>
>Event ID 5719 - The system cannot log you on now because the domain "name"
>is not available."
>
>This would be expected because port security is preventing traffic. Since
>DOT1X is enabled on the Cisco switch port for the server, I need to
>authenticate against the RADIUS server which is sending credentials to my AD
>domain controller. 
>Both the server and the radius server are on the same switch, so there are
>no firewall issues. The switch is an access switch uplinked to the core
>switch where the DC is located. All servers are in the same VLAN.
>
>I cannot decipher the meaning of the debug negotiations that are happening,
>but it looks like to me that there is some kind of default in the users file
>for 255.255.255.254 that is not the IP address of the server in question. 
>Again, my question is if I need a USERS files, because I was reading that
>this file is not required for AD.
>
>Here is my USERS file.
>
>http://www.nabble.com/file/p11222403/users users 
>
>Thanks,
>Bryant.
>
>
>
>
>tnt wrote:
>> 
>> OK. What does the Event Viewer on Win2K3 client say about failed login
>> attempts. Has it received Access-Challenge packet? There might be a
>> firewall problem.
>> 
>> Ivan Kalik
>> Kalik Informatika ISP
>> 
>> 
>> On 20/6/2007, "Bryant Marsh" <[EMAIL PROTECTED]> writes:
>> 
>>>
>>>Hi Ivan,
>>>
>>>Sorry I forgot to mention that I did import the cert-clt.p12 and
>cacert.pem
>>>to the local machine certificate store.
>>>
>>>I was reading a document that was saying that the USERS file is not
>>>necessary for authenticating to Active Directory. Is that really true?
>>>
>>>Here are my config files.
>>>http://www.nabble.com/file/p11217074/clients.conf clients.conf
>>>http://www.nabble.com/file/p11217074/smb.conf smb.conf
>>>http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
>>>http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
>>>http://www.nabble.com/file/p11217074/eap.conf eap.conf
>>>http://www.nabble.com/file/p11217074/hosts hosts
>>>
>>>Thanks,
>>>Bryant.
>>>
>>>
>>>Yes. Certificates created with xpextensions will work with Win2K3 clients
>>>as well. But you need to import CA certificate to the trusted
>>>certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
>>>
>>>Ivan Kalik
>>>Kalik Informatika ISP
>>>
>>>
>>>
>> 



RE: Freeradius-Users Digest, Vol 26, Issue 79

2007-06-20 Thread Hugh Messenger
Alan DeKok wrote:
> Hugh Messenger wrote:
> > So far the only errors I'm seeing are these:
> >
> > ==29820== Thread 2:
> > ==29820== Invalid write of size 1
> > ==29820==at 0x4819294: strNcpy (misc.c:187)
> > ==29820==by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)
> 
>   That's... fairly broken.

Oh dear.  I think you just made that wind sucking tsk-tsk sound favored by
auto mechanics.

FYI, these errors only seem to happen on the first handful of logins.  Then
it seems to run error free.  Not much help, but an observation nonetheless.

>   Barring severe code changes to rlm_sqlippool, I would suggest not
> using it in 1.1.6.  Sorry.

No apologies necessary.  Hey, I get what I pay for.  :)

> 
>   Try 2.0.0-pre, at least the rlm_sqlippool module is fixed there.

Okie Dokie.

Is 2.0.0 ready for prime time, assuming the bits I need work?  Given that my
choice is to keep running 1.1.6 in debug mode from a terminal session, I'd
take a slightly fragile v2.  Load would be very light for a few months while
we migrate to PPPOE.

>   Alan DeKok.

   -- hugh





Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Hi Ivan,

There are Event log errors in Application and System.

Event ID 1053 - Windows cannot determine the user or computer name. ().
Group Policy processing aborted.  Or error: "The specified user does not
exist."

Event ID 5719 - The system cannot log you on now because the domain "name"
is not available."

This would be expected because port security is preventing traffic. Since
DOT1X is enabled on the Cisco switch port for the server, I need to
authenticate against the RADIUS server which is sending credentials to my AD
domain controller. 
Both the server and the radius server are on the same switch, so there are
no firewall issues. The switch is an access switch uplinked to the core
switch where the DC is located. All servers are in the same VLAN.

I cannot decipher the meaning of the debug negotiations that are happening,
but it looks like to me that there is some kind of default in the users file
for 255.255.255.254 that is not the IP address of the server in question. 
Again, my question is if I need a USERS files, because I was reading that
this file is not required for AD.

Here is my USERS file.

http://www.nabble.com/file/p11222403/users users 

Thanks,
Bryant.




tnt wrote:
> 
> OK. What does the Event Viewer on Win2K3 client say about failed login
> attempts. Has it received Access-Challenge packet? There might be a
> firewall problem.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> 
> On 20/6/2007, "Bryant Marsh" <[EMAIL PROTECTED]> writes:
> 
>>
>>Hi Ivan,
>>
>>Sorry I forgot to mention that I did import the cert-clt.p12 and
cacert.pem
>>to the local machine certificate store.
>>
>>I was reading a document that was saying that the USERS file is not
>>necessary for authenticating to Active Directory. Is that really true?
>>
>>Here are my config files.
>>http://www.nabble.com/file/p11217074/clients.conf clients.conf
>>http://www.nabble.com/file/p11217074/smb.conf smb.conf
>>http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
>>http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
>>http://www.nabble.com/file/p11217074/eap.conf eap.conf
>>http://www.nabble.com/file/p11217074/hosts hosts
>>
>>Thanks,
>>Bryant.
>>
>>
>>Yes. Certificates created with xpextensions will work with Win2K3 clients
>>as well. But you need to import CA certificate to the trusted
>>certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
>>
>>Ivan Kalik
>>Kalik Informatika ISP
>>

Re: RE : Ldap Group Membership Requirements

2007-06-20 Thread tnt
DEFAULT LDAP-Group != "wireless", Auth-Type := Reject
        Reply-Message = "You are not allowed to connect"

Ivan Kalik
Kalik Informatika ISP

On 20/6/2007, "Cody Jarrett" <[EMAIL PROTECTED]> writes:

>So it will search and find the group, but I can still connect with my
>user even though it isn't in that group. Any ideas on how to keep a user
>from connecting if their account isn't in that group?
>
>
>
>Thibault Le Meur wrote:
>>> Basically trying to
>>> figure out
>>> what I need to add to these lines: groupname_attribute,
>>> groupmembership_filter, and groupmembership_attribute. Also
>>> not sure if
>>> I need to add something to users file like: DEFAULT LDAP-Group ==
>>> "wireless". Can anyone provide input on what I need to
>>> configure, Thanks.
>>>
>>> wireless group in ldap, you can see cjarrett is a member:
>>> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
>>> objectClass: posixGroup
>>> cn: wireless
>>> gidNumber: 1011
>>> memberUid: cjarrett
>>>
>>
>> You're using POSIXGroups:
>> groupname_attribute = cn
>> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>>
>> No groupmembership_attribute.
>>
>>
>> In your users file, for instance:
>> DEFAULT LDAP-Group ==  "wireless" ...
>>
>>
>> See /usr/share/doc/freeradius/rlm_ldap text file.
>>
>> HTH,
>> Thibault
>>
>>
>>
>>
>>
>
>

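An added example (my code, not FreeRADIUS's) of what the thread is about: the posixGroup settings from Thibault's reply run against a small constructed directory, and the two users-file entries evaluated the way the server walks them. It shows why a `DEFAULT LDAP-Group == "wireless"` entry does not keep a non-member out (an entry whose check items do not match is simply skipped, and nothing else rejects the user), while Ivan's `LDAP-Group != "wireless", Auth-Type := Reject` entry matches exactly the non-members and forces a reject. Only the wireless group and its member cjarrett come from the thread; the staff group, the user bob and the filter evaluator are assumptions.

```python
"""Model of rlm_ldap posixGroup lookup plus users-file check items.

Added example, not FreeRADIUS code. The directory below is constructed:
only the wireless group and its member cjarrett come from the thread; the
staff group and the user bob are made up.
"""
import re

# Constructed directory: DN -> attributes, each multi-valued as in LDAP.
DIRECTORY = {
    "cn=wireless,ou=Groups,dc=itfreedom,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["wireless"],
        "gidNumber": ["1011"], "memberUid": ["cjarrett"],
    },
    "cn=staff,ou=Groups,dc=itfreedom,dc=com": {          # made up
        "objectClass": ["posixGroup"], "cn": ["staff"],
        "gidNumber": ["1012"], "memberUid": ["cjarrett", "bob"],
    },
}

# The two rlm_ldap settings from Thibault's reply.
GROUPNAME_ATTRIBUTE = "cn"
GROUPMEMBERSHIP_FILTER = "(&(objectclass=posixGroup)(memberUid=%u))"


def ldap_groups_for(user):
    """Return what rlm_ldap exposes as LDAP-Group: the groupname_attribute of
    every entry matching groupmembership_filter with %u expanded."""
    # rlm_ldap escapes the user name before expansion; this toy evaluator
    # refuses filter metacharacters instead of modelling RFC 4515 escaping.
    if re.search(r"[()*\\\x00]", user):
        raise ValueError("unsafe characters in user name")
    flt = GROUPMEMBERSHIP_FILTER.replace("%u", user)
    # The filter is a conjunction of equality terms: pull out (attr, value).
    terms = re.findall(r"\(([^()=&|!]+)=([^()]*)\)", flt)
    groups = []
    for attrs in DIRECTORY.values():
        lowered = {k.lower(): v for k, v in attrs.items()}  # attribute names are case-insensitive
        if all(v in lowered.get(a.lower(), []) for a, v in terms):
            groups.extend(attrs[GROUPNAME_ATTRIBUTE])
    return groups


def _check_matches(request, attr, op, value):
    """Check-item semantics for LDAP-Group: '==' is 'is a member', '!=' is 'is not'."""
    members_of = request.get(attr, [])
    if op == "==":
        return value in members_of
    if op == "!=":
        return value not in members_of
    raise ValueError(f"unsupported operator {op!r}")


def users_file_decision(user, entries):
    """Walk users-file entries in order; the first entry whose check items all
    match wins and the items it sets are returned. None means no entry
    matched: nothing was forced and authentication carries on regardless."""
    request = {"LDAP-Group": ldap_groups_for(user)}
    for checks, items in entries:
        if all(_check_matches(request, a, op, v) for a, op, v in checks):
            return items
    return None


def is_rejected(user, entries):
    decision = users_file_decision(user, entries)
    return decision is not None and decision.get("Auth-Type") == "Reject"


# Thibault's entry; its trailing items were elided ("...") in the thread, so none are modelled.
ORIGINAL_ENTRIES = [([("LDAP-Group", "==", "wireless")], {})]
# Ivan's entry: non-members match and are forced to Reject.
FIXED_ENTRIES = [([("LDAP-Group", "!=", "wireless")],
                  {"Auth-Type": "Reject", "Reply-Message": "You are not allowed to connect"})]

if __name__ == "__main__":
    for user in ("cjarrett", "bob"):
        print(user, ldap_groups_for(user),
              "original rejects:", is_rejected(user, ORIGINAL_ENTRIES),
              "fixed rejects:", is_rejected(user, FIXED_ENTRIES))
```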


Re: add new arributes in the proxy reply message

2007-06-20 Thread tnt
http://www.die.net/doc/linux/man/man5/rlm_attr_rewrite.5.html

Ivan Kalik
Kalik Informatika ISP


On 20/6/2007, "Ashraf Al-Basti" <[EMAIL PROTECTED]> writes:

>Dear,
>I need to add attributes to the proxy reply message. How can I do that
>using attr_rewrite?
>
>



Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread tnt
OK. What does the Event Viewer on Win2K3 client say about failed login
attempts. Has it recieved Access-Challenge packet? There might be a
firewall problem.

Ivan Kalik
Kalik Informatika ISP


On 20/6/2007, "Bryant Marsh" <[EMAIL PROTECTED]> writes:

>
>Hi Ivan,
>
>Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem
>to the local machine certificate store.
>
>I was reading a document that was saying that the USERS file is not
>necessary for authenticating to Active Directory. Is that really true?
>
>Here are my config files.
>http://www.nabble.com/file/p11217074/clients.conf clients.conf
>http://www.nabble.com/file/p11217074/smb.conf smb.conf
>http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf
>http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf
>http://www.nabble.com/file/p11217074/eap.conf eap.conf
>http://www.nabble.com/file/p11217074/hosts hosts
>
>Thanks,
>Bryant.
>
>
>Yes. Certificates created with xpextensions will work with Win2K3 clients
>as well. But you need to import CA certificate to the trusted
>certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>



rlm-digest - devel question

2007-06-20 Thread UriCALL Support
Hi All,

I have noticed that in the latest versions of rlm_digest the part that converts 
the attributes into something useful (DEBUG("rlm_digest: Converting 
Digest-Attributes to something sane...")) was moved from the authorize section to 
the authenticate section. There was even a discussion a while back on the mailing 
list that this could be moved back to the authorize part (so it can be used by 
other modules as well), but still nothing has happened. 
I am building a module which will make use of the conversion of those 
attributes and am using the old version of the rlm_digest.c file for now. Is there 
any reason why the conversion of the attributes is not moved back to the 
authorize section in the standard distribution? I am asking because I must 
instruct my users to patch FreeRADIUS every time they use my module.

Thanks in advance for any answer I might get.

Cheers,
DanB



RE: 1.1.6 name resolution

2007-06-20 Thread Andrew Long

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dennis Skinner
> Sent: Wednesday, June 20, 2007 3:37 PM
> To: FreeRadius users mailing list
> Subject: Re: 1.1.6 name resolution
> 
> Andrew Long wrote:
> > Is it permissible to use a hostname in clients.conf, as for a host 
> > using dyndns?
> 
> You can put hostnames in the clients.conf file, however I'm 
> pretty sure that FreeRADIUS resolves those names at startup 
> and uses that initial lookup until it is forced to reread the 
> clients.conf file for some reason.  Since I think 1.1.6 still 
> has issues with HUP, that means a restart.
> 
> In short, you can, but it will not see any changes in dynamic 
> IP's unless you restart radiusd.
> 
> --
> Dennis Skinner

Would be nice to have freeradius update the name resolution
at a period specified in radiusd.conf...

oops. I am not a programmer, so forget I said that :)


Regards,

Andrew Long




Re: 1.1.6 name resolution

2007-06-20 Thread Dennis Skinner
Andrew Long wrote:
> Is it permissible to use a hostname in clients.conf, as for
> a host using dyndns?

You can put hostnames in the clients.conf file, however I'm pretty sure
that FreeRADIUS resolves those names at startup and uses that initial
lookup until it is forced to reread the clients.conf file for some
reason.  Since I think 1.1.6 still has issues with HUP, that means a
restart.

In short, you can, but it will not see any changes in dynamic IP's
unless you restart radiusd.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


Re: empty password / dhcpd

2007-06-20 Thread tnt
Just delete that User-Password entry from the radcheck table.

Ivan Kalik
Kalik Informatika ISP


On 20/6/2007, "Felipe Ceglia - PY1NB" <[EMAIL PROTECTED]> writes:

>Hi again...
>
>I am now trying to authenticate a DHCPd request from a mikrotik box.
>My freeradius server says that there is a problem with user's password.
>How can I tell it (PAP) that this should be OK?
>
>Something strange that I noticed is that the calling station id got
>changed from the original mac address value. Anyway, I just put this as
>a calling-station id attribute on radcheck.
>
>
>mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
>Username = '00:0B:CD:EC:63:50' ORDER BY id;
>+------+-------------------+--------------------+-------------------+----+
>| id   | UserName          | Attribute          | Value             | op |
>+------+-------------------+--------------------+-------------------+----+
>| 2047 | 00:0B:CD:EC:63:50 | Calling-Station-Id | 1:0:b:cd:ec:63:50 | := |
>| 2050 | 00:0B:CD:EC:63:50 | User-Password      |                   | := |
>+------+-------------------+--------------------+-------------------+----+
>2 rows in set (0.00 sec)
>
>SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>FROM radgroupcheck,usergroup WHERE usergroup.Username =
>'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName
>ORDER BY radgroupcheck.id;
>Empty set (0.00 sec)
>
>mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
>Username = '00:0B:CD:EC:63:50' ORDER BY id;
>+----+-------------------+-------------------+-----------------+----+
>| id | UserName          | Attribute         | Value           | op |
>+----+-------------------+-------------------+-----------------+----+
>| 42 | 00:0B:CD:EC:63:50 | Framed-IP-Address | 192.168.254.101 | == |
>| 43 | 00:0B:CD:EC:63:50 | Framed-IP-Netmask | 255.255.255.0   | == |
>+----+-------------------+-------------------+-----------------+----+
>2 rows in set (0.00 sec)
>
>SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>FROM radgroupreply,usergroup WHERE usergroup.Username =
>'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName
>ORDER BY radgroupreply.id;
>Empty set (0.00 sec)
>
>
>
>
>
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 172.16.3.5:32768, id=71,
>length=113
>NAS-Port-Type = Ethernet
>NAS-Port = 2205155400
>Calling-Station-Id = "1:0:b:cd:ec:63:50"
>Called-Station-Id = "server1"
>User-Name = "00:0B:CD:EC:63:50"
>User-Password = ""
>NAS-Identifier = "MikroTik"
>NAS-IP-Address = 172.16.3.5
>  Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
>  modcall[authorize]: module "preprocess" returns ok for request 0
>  modcall[authorize]: module "chap" returns noop for request 0
>  modcall[authorize]: module "mschap" returns noop for request 0
>rlm_realm: No '@' in User-Name = "00:0B:CD:EC:63:50", looking up
>realm NULL
>rlm_realm: Found realm "NULL"
>rlm_realm: Adding Stripped-User-Name = "00:0B:CD:EC:63:50"
>rlm_realm: Proxying request from user 00:0B:CD:EC:63:50 to realm NULL
>rlm_realm: Adding Realm = "NULL"
>rlm_realm: Authentication realm is LOCAL.
>  modcall[authorize]: module "suffix" returns noop for request 0
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 0
>users: Matched entry DEFAULT at line 174
>  modcall[authorize]: module "files" returns ok for request 0
>radius_xlat:  '00:0B:CD:EC:63:50'
>rlm_sql (sql): sql_set_user escaped user --> '00:0B:CD:EC:63:50'
>radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
>Username = '00:0B:CD:EC:63:50' ORDER BY id'
>rlm_sql (sql): Reserving sql socket id: 4
>radius_xlat:  'SELECT
>radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>FROM radgroupcheck,usergroup WHERE usergroup.Username =
>'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName
>ORDER BY radgroupcheck.id'
>radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE
>Username = '00:0B:CD:EC:63:50' ORDER BY id'
>radius_xlat:  'SELECT
>radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>FROM radgroupreply,usergroup WHERE usergroup.Username =
>'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName
>ORDER BY radgroupreply.id'
>rlm_sql (sql): Released sql socket id: 4
>  modcall[authorize]: module "sql" returns ok for request 0
>rlm_pap: Found existing Auth-Type, not changing it.
>  modcall[authorize]: module "pap" returns noop for request 0
>modcall: leaving group authorize (returns ok) for request 0
>**
>  rad_check_password:  Found Auth-Type PAP
>auth:

Re: empty password / dhcpd

2007-06-20 Thread Felipe Ceglia - PY1NB
Hey!

I just added Auth-Type := Local for this group, and it worked.
Is there any clever/cleaner way to do it?

Thank you.

Felipe Ceglia - PY1NB wrote:
> Hi again...
> 
> I am now trying to authenticate a DHCPd request from a mikrotik box.
> My freeradius server says that there is a problem with user's password.
> How can I tell it (PAP) that this should be OK?
> 
> Something strange that I noticed is that the calling station id got 
> changed from the original mac address value. Anyway, I just put this as 
> a calling-station id attribute on radcheck.
> 
> 
> mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
> Username = '00:0B:CD:EC:63:50' ORDER BY id;
> +------+-------------------+--------------------+-------------------+----+
> | id   | UserName          | Attribute          | Value             | op |
> +------+-------------------+--------------------+-------------------+----+
> | 2047 | 00:0B:CD:EC:63:50 | Calling-Station-Id | 1:0:b:cd:ec:63:50 | := |
> | 2050 | 00:0B:CD:EC:63:50 | User-Password      |                   | := |
> +------+-------------------+--------------------+-------------------+----+
> 2 rows in set (0.00 sec)
> 
> SELECT 
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 
> '00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
> ORDER BY radgroupcheck.id;
> Empty set (0.00 sec)
> 
> mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
> Username = '00:0B:CD:EC:63:50' ORDER BY id;
> +----+-------------------+-------------------+-----------------+----+
> | id | UserName          | Attribute         | Value           | op |
> +----+-------------------+-------------------+-----------------+----+
> | 42 | 00:0B:CD:EC:63:50 | Framed-IP-Address | 192.168.254.101 | == |
> | 43 | 00:0B:CD:EC:63:50 | Framed-IP-Netmask | 255.255.255.0   | == |
> +----+-------------------+-------------------+-----------------+----+
> 2 rows in set (0.00 sec)
> 
> SELECT 
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 
> '00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
> ORDER BY radgroupreply.id;
> Empty set (0.00 sec)
> 
> 
> 
> 
> 
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.16.3.5:32768, id=71, 
> length=113
> NAS-Port-Type = Ethernet
> NAS-Port = 2205155400
> Calling-Station-Id = "1:0:b:cd:ec:63:50"
> Called-Station-Id = "server1"
> User-Name = "00:0B:CD:EC:63:50"
> User-Password = ""
> NAS-Identifier = "MikroTik"
> NAS-IP-Address = 172.16.3.5
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "00:0B:CD:EC:63:50", looking up 
> realm NULL
> rlm_realm: Found realm "NULL"
> rlm_realm: Adding Stripped-User-Name = "00:0B:CD:EC:63:50"
> rlm_realm: Proxying request from user 00:0B:CD:EC:63:50 to realm NULL
> rlm_realm: Adding Realm = "NULL"
> rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
> users: Matched entry DEFAULT at line 174
>   modcall[authorize]: module "files" returns ok for request 0
> radius_xlat:  '00:0B:CD:EC:63:50'
> rlm_sql (sql): sql_set_user escaped user --> '00:0B:CD:EC:63:50'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
> Username = '00:0B:CD:EC:63:50' ORDER BY id'
> rlm_sql (sql): Reserving sql socket id: 4
> radius_xlat:  'SELECT 
> radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
> FROM radgroupcheck,usergroup WHERE usergroup.Username = 
> '00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
> ORDER BY radgroupcheck.id'
> radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
> Username = '00:0B:CD:EC:63:50' ORDER BY id'
> radius_xlat:  'SELECT 
> radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
> FROM radgroupreply,usergroup WHERE usergroup.Username = 
> '00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
> ORDER BY radgroupreply.id'
> rlm_sql (sql): Released sql socket id: 4
>   modcall[authorize]: module "sql" returns ok for request 0
> rlm_pap: Found existing Auth-Type, not changing it.
>   modcall[authorize]: module "pap" returns noop for request 0
> modcall: leaving group authorize (returns ok) for request 0
> 
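On the changed Calling-Station-Id: the value in the debug output, 1:0:b:cd:ec:63:50, has the shape of a DHCP client identifier (option 61), hardware type 1 for Ethernet followed by the MAC with leading zeros dropped. That reading is mine; the thread does not say it. The added example below (not code from the thread, FreeRADIUS or MikroTik) turns such a value back into the canonical MAC and checks it against User-Name, so a radcheck row can carry one canonical form instead of whatever spelling the NAS happened to send. The sample request is constructed from the rad_recv dump above. Worth keeping in mind: with an empty User-Password and Auth-Type forced to Local, the MAC is the only credential; the check below only confirms that the two identifiers agree, it does not make MAC-based authentication any harder to spoof.

```python
"""Normalise a DHCP client identifier to a MAC and compare it with User-Name.

Added example, not code from the thread, FreeRADIUS or MikroTik. Reading
"1:0:b:cd:ec:63:50" as DHCP option 61 (hardware type 1 = Ethernet, then the
MAC) is an assumption; the request below is constructed from the debug output.
"""
import re

HWTYPE_ETHERNET = 1
# Six hex groups (a MAC) or seven (hardware type + MAC), ':' or '-' separated,
# each group one or two hex digits so that dropped leading zeros still parse.
_HEX_GROUPS = re.compile(r"^[0-9a-fA-F]{1,2}(?:[:-][0-9a-fA-F]{1,2}){5,6}$")


def canonical_mac(value):
    """Return the MAC as 'AA:BB:CC:DD:EE:FF', or None if value is not one.

    Accepts a plain MAC (with or without leading zeros) or a seven-group DHCP
    client identifier whose first group is the hardware type.
    """
    if not _HEX_GROUPS.match(value):
        return None
    groups = [int(g, 16) for g in re.split(r"[:-]", value)]
    if len(groups) == 7:
        if groups[0] != HWTYPE_ETHERNET:
            return None           # some other hardware type: not an Ethernet MAC
        groups = groups[1:]
    return ":".join(f"{g:02X}" for g in groups)


def station_matches_user(request):
    """True when Calling-Station-Id and User-Name denote the same MAC."""
    station = canonical_mac(request.get("Calling-Station-Id", ""))
    user = canonical_mac(request.get("User-Name", ""))
    return station is not None and station == user


def radcheck_row(request):
    """Check item to store for this client: the canonical MAC, not the NAS spelling.

    Returns (UserName, Attribute, op, Value) or None when the identifiers disagree.
    """
    if not station_matches_user(request):
        return None
    mac = canonical_mac(request["User-Name"])
    return (mac, "Calling-Station-Id", "==", mac)


# Constructed from the rad_recv dump in the thread: the NAS sends the MAC as
# User-Name and the DHCP client identifier as Calling-Station-Id.
SAMPLE_REQUEST = {
    "User-Name": "00:0B:CD:EC:63:50",
    "Calling-Station-Id": "1:0:b:cd:ec:63:50",
    "User-Password": "",
}

if __name__ == "__main__":
    print(canonical_mac(SAMPLE_REQUEST["Calling-Station-Id"]))
    print(station_matches_user(SAMPLE_REQUEST), radcheck_row(SAMPLE_REQUEST))
```

The row returned by `radcheck_row` uses `==` as a comparison against the request, so it only works if the NAS value is normalised the same way on the way in (for example with a policy or rlm_attr_rewrite); otherwise store the NAS spelling as the thread does.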

empty password / dhcpd

2007-06-20 Thread Felipe Ceglia - PY1NB
Hi again...

I am now trying to authenticate a DHCPd request from a mikrotik box.
My freeradius server says that there is a problem with user's password.
How can I tell it (PAP) that this should be OK?

Something strange that I noticed is that the calling station id got 
changed from the original mac address value. Anyway, I just put this as 
a calling-station id attribute on radcheck.


mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id;
+------+-------------------+--------------------+-------------------+----+
| id   | UserName          | Attribute          | Value             | op |
+------+-------------------+--------------------+-------------------+----+
| 2047 | 00:0B:CD:EC:63:50 | Calling-Station-Id | 1:0:b:cd:ec:63:50 | := |
| 2050 | 00:0B:CD:EC:63:50 | User-Password      |                   | := |
+------+-------------------+--------------------+-------------------+----+
2 rows in set (0.00 sec)

SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id;
Empty set (0.00 sec)

mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id;
++---+---+-++
| id | UserName  | Attribute | Value   | op |
++---+---+-++
| 42 | 00:0B:CD:EC:63:50 | Framed-IP-Address | 192.168.254.101 | == |
| 43 | 00:0B:CD:EC:63:50 | Framed-IP-Netmask | 255.255.255.0   | == |
++---+---+-++
2 rows in set (0.00 sec)

SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id;
Empty set (0.00 sec)






Ready to process requests.
rad_recv: Access-Request packet from host 172.16.3.5:32768, id=71, 
length=113
NAS-Port-Type = Ethernet
NAS-Port = 2205155400
Calling-Station-Id = "1:0:b:cd:ec:63:50"
Called-Station-Id = "server1"
User-Name = "00:0B:CD:EC:63:50"
User-Password = ""
NAS-Identifier = "MikroTik"
NAS-IP-Address = 172.16.3.5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "00:0B:CD:EC:63:50", looking up 
realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "00:0B:CD:EC:63:50"
rlm_realm: Proxying request from user 00:0B:CD:EC:63:50 to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 174
  modcall[authorize]: module "files" returns ok for request 0
radius_xlat:  '00:0B:CD:EC:63:50'
rlm_sql (sql): sql_set_user escaped user --> '00:0B:CD:EC:63:50'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupcheck.GroupName 
ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE 
Username = '00:0B:CD:EC:63:50' ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  
FROM radgroupreply,usergroup WHERE usergroup.Username = 
'00:0B:CD:EC:63:50' AND usergroup.GroupName = radgroupreply.GroupName 
ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
**
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
  modcall[authenticate]: module "pap" returns invalid for request 0
modcall: leaving group PAP (returns invalid) for request 0
*

1.1.6 name resolution

2007-06-20 Thread Andrew Long

Is it permissible to use a hostname in clients.conf, as for
a host using dyndns?

Regards,

Andrew Long


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re : 2.0.0-pre : Failed to open socket.

2007-06-20 Thread Arran Cudbard-Bell
Debashis Prusty wrote:
> No. I have tried this. As I have mentioned earlier, versions like 1.1.4 & 
> 1.1.6 are working fine. Problem is with version 2.0.0, where the listen part 
> is not commented. Let's think of something else.
>  

As I said earlier, but I will say again for clarity.

It *is* a bug in pre1, Alan was trying something out that broke binding 
in some BSD based operating systems and looks like Solaris too ...

The code has been taken out in the CVS head... if you want to use the 
new features of 2** (of which there are many) use the CVS head not pre1.

In my opinion the biggest advantage of 2.*.* is the FreeRADIUS unlang 
(see man unlang) which wasn't included in pre1 anyway.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


EAP-TTLS PAP Mysql problems

2007-06-20 Thread emmcosta
Hi everyone,

I have already configured my freeradius with eap-ttls pap with
authentication on mysql. Authentication succeeds, but the log shows some lines:

Wed Jun 20 19:46:47 2007 : Error: Trying to look up name of unknown
client 127.0.0.1.
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from client
UNKNOWN-CLIENT port 327 cli 0040.96a2.24f3)
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/] (from client ap2 port 327 cli 0040.96a2.24f3)

My radiusd.conf:



authorize {
        preprocess
        sql
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        eap
}
..

My eap.conf:

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes

        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }
        ttls {
                default_eap_type = gtc
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

What do I need to put in mysql and in my configuration so that, after a
successful authentication, the reply returns Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-ID, so the client can get an address via dhclient in the VLAN I return?

Best Regards

 -- 
/emmc
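A worked example of the radreply rows that VLAN assignment needs, added here and not part of the original thread. It assumes the stock FreeRADIUS 1.x MySQL schema (radreply columns UserName, Attribute, op, Value), the inner user name "teste" seen in the log above, and a constructed VLAN id of 10; with use_tunneled_reply = yes (already set in the eap.conf above) the inner reply is copied to the outer Access-Accept, which is where the NAS reads these attributes.

```sql
-- Added example (not from the thread): reply attributes that make the NAS
-- place the tunneled user 'teste' into VLAN 10 after EAP-TTLS/PAP succeeds.
-- Tunnel-Type VLAN (13) and Tunnel-Medium-Type IEEE-802 (6) are dictionary
-- names; the VLAN id is carried as a string in Tunnel-Private-Group-Id.
-- The user name is the inner (tunneled) identity, i.e. the one rlm_sql
-- looks up, not the outer/anonymous one.  VLAN 10 is a constructed value.
INSERT INTO radreply (UserName, Attribute, op, Value) VALUES
    ('teste', 'Tunnel-Type',             ':=', 'VLAN'),
    ('teste', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
    ('teste', 'Tunnel-Private-Group-Id', ':=', '10');

-- ':=' replaces any value of the same attribute that an earlier module
-- already put in the reply, so these rows win over defaults.
-- Verify with the same query rlm_sql runs (see the debug output above):
SELECT id, UserName, Attribute, Value, op
  FROM radreply
 WHERE UserName = 'teste'
 ORDER BY id;
```

Because the NAS trusts whatever VLAN the server returns, keep write access to radreply as tight as to radcheck: a changed Tunnel-Private-Group-Id silently moves a user into another network segment.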



RE: Re : 2.0.0-pre : Failed to open socket.

2007-06-20 Thread Debashis Prusty
No. I have tried this. As I have mentioned earlier, versions like 1.1.4 & 1.1.6  
are working fine. Problem is with version 2.0.0, where the listen part is not 
commented. Let's think of something else.
 
ERROR: Failed to open socket:

check whether port 1812 is already in use. Or you can also run radius on the old 
school port 1645 for testing.

 
== 
 
Benjamin K. Eshun


- Original message 
From: Debashis Prusty <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Wednesday, 20 June 2007, 18:02:39
Subject: 2.0.0-pre : Failed to open socket.


I am trying to run Freeradius on Solaris with MySQL. Logs are pasted 
below. It's working fine for earlier versions of Freeradius. Does anyone 
have the solution?
Thanks in advance,
Debashis
~~~
freeradius/sbin # ./radiusd -X
Config:   including file: /opt/sf/freeradius/etc/raddb/radiusd.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on 
Jun 19 2007 at 10:29:22
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = "/opt/sf/freeradius"
localstatedir = "/opt/sf/freeradius/var"
logdir = "/opt/sf/freeradius/var/log/radius"
libdir = "/opt/sf/freeradius/lib"
radacctdir = "/opt/sf/freeradius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = "/opt/sf/freeradius/var/log/radius/radius.log"
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid"
checkrad = "/opt/sf/freeradius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
syslog_facility = "daemon"
}
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
server_pool my_auth_failover {
type = my_auth_failover
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
ldflag = fail_over
}
port = 1812
listen {
type = "auth"
ipaddr = *
port = 0
ERROR: Failed to open socket:
/opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port 
for 0.0.0.0 port 1812
~~~

RE: PHP issues with PHP 4.3.9 and dialup_admin

2007-06-20 Thread Josh Howlett
> On 6/16/07, Josh Howlett <[EMAIL PROTECTED]> wrote:
> > Ethan,
> >
> > Have you got the freeradius-mysql RPM installed?
> 
> I don't know if I remembered to post a followup or not, but, 
> "undefined constant" messages aside (which are caused by a 
> change to how PHP requires single quotes), my real problems 
> with dialup_admin not working at all (blank screens), were 
> caused by a missing rpm related to PHP and a 
> reported/documented "feature" that if you call a PHP function 
> that does not exist, you get no feedback in the way of error 
> messages - just total silence.

You were probably missing php-mysql, as I was. PHP does normally return
sensible error messages of the kind you mention, so I had the same
confusion as you. I'm not sure if there is a new option in php5 to
enable these, or if something has changed in dialup_admin to suppress
them...

josh.



Re: PHP issues with PHP 4.3.9 and dialup_admin

2007-06-20 Thread Ethan Dicks
On 6/16/07, Josh Howlett <[EMAIL PROTECTED]> wrote:
> Ethan,
>
> Have you got the freeradius-mysql RPM installed?

I don't know if I remembered to post a followup or not, but,
"undefined constant" messages aside (which are caused by a change to
how PHP requires single quotes), my real problems with dialup_admin
not working at all (blank screens), were caused by a missing rpm
related to PHP and a reported/documented "feature" that if you call a
PHP function that does not exist, you get no feedback in the way of
error messages - just total silence.  Personally, I find this to be a
nail in the coffin for PHP as far as I'm concerned.  If I typo a
function call or forget to load some optional package, I want to
_know_ I've done something wrong.  BASIC tells you if you try to GOSUB
to a non-existent line number.  The C linker barfs if you try to call
a function that's not present at link-time.  Why can't PHP do
something as simple as report that you asked it to jump to a
non-existent function at run time?

So I did get dialup_admin working, but only after a lot of cleanup to
eliminate trivial warning messages from cluttering the debugging
process and obscuring the real problem.

-ethan


RE: 1.1.6 rpmbuild on centos 4.4

2007-06-20 Thread Andrew Long
On 6/20/07, Tomas Hoger <[EMAIL PROTECTED]> wrote:
> On 6/20/07, Andrew Long <[EMAIL PROTECTED]> wrote:
> > > [EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
> > > error: Failed build dependencies:
> > > libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
> > >
> > > On Cent 4.4 there is no libtool-ltdl or devel package.
> >
> > Edit .spec file and remove 'BuildRequires: 
> libtool-ltdl-devel'.  You 
> > only need libtool package on CentOS4 / RHEL4.
> 
> Thanks for that tip (I'm running freeRADIUS on RHEL4).
> 
> -ethan

Yes, thank you. Worked like a charm on cent 4.4

-Andrew




Re: 1.1.6 rpmbuild on centos 4.4

2007-06-20 Thread Ethan Dicks
On 6/20/07, Tomas Hoger <[EMAIL PROTECTED]> wrote:
> On 6/20/07, Andrew Long <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
> > error: Failed build dependencies:
> > libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
> >
> > On Cent 4.4 there is no libtool-ltdl or devel package.
>
> Edit .spec file and remove 'BuildRequires: libtool-ltdl-devel'.  You
> only need libtool package on CentOS4 / RHEL4.

Thanks for that tip (I'm running freeRADIUS on RHEL4).

-ethan


Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

Alan DeKok already hit it head on; I had an old version of the radius
dictionary hanging around.  -v doesn't list the version of the modules or
dictionary file, unfortunately.  Swapped in the new one and it works.

Ryan



On 6/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


Hi,
> I'm having the same problem on 1.1.6, but when I try the cobb
> Cleartext-Password := "secret" as below, i get this when starting...
>
> /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
> attribute "Cleartext-password"
> Errors reading /etc/raddb-test/users
> radiusd.conf[1052]: files: Module instantiation failed.
> radiusd.conf[1654] Unknown module "files".
> radiusd.conf[1589] Failed to parse authorize section.


output of  `radiusd -v` please

alan


Re : Sending CA certificate during EAP-TLS

2007-06-20 Thread Eshun Benjamin
Well in my current configuration I have the RADIUS server certificate in 
certificate_file and CA certificate in CA_file.

But with that configuration, the radius server is still sending the CA 
certificate.

The CA_path folder is empty and the CA_file is commented out. This should work 
for you.

tls {
        #
        #  These are used to simplify later configurations.
        #
        certdir = ${raddbdir}/certs
        cadir = ${raddbdir}/certs/trustedCA

        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem

        #  Trusted Root CA list - CA_path folder is empty
        #   CA_file = ${cadir}/ca.pem
        CA_path = ${raddbdir}/certs/trustedCA

        dh_file = ${certdir}/dh
        random_file = ${certdir}/random

        #   fragment_size = 1024
        #   include_length = yes
        #   check_crl = yes
        #   check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
        #   check_cert_cn = %{User-Name}
        #
        # Set this option to specify the allowed
        # TLS cipher suites.  The format is listed
        # in "man 1 ciphers".
        cipher_list = "DEFAULT"

        #make_cert_command = "${certdir}/bootstrap"
}


 
== 
Benjamin K. Eshun

- Original message 
From: Rafa Marín López <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Cc: Rafa Marin Lopez <[EMAIL PROTECTED]>
Sent: Wednesday, 20 June 2007, 18:10:12
Subject: Re: Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen,

thanks for the answer, please see inline...
>
> Argh, your misunderstanding is because of the inline 
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the 
> same CA certs
Well in my current configuration I have the RADIUS server certificate in 
certificate_file and CA certificate in CA_file.

But with that configuration, the radius server is still sending the CA 
certificate.

Having said that, your proposal was to not include the CA certificate 
in the RADIUS server certificate (in certificate_file variable)

My RADIUS server certificate does not have the CA certificate included. 
Even so, the RADIUS server is including the CA certificate :(...

Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is 
> issued by some (commercial) server CA where as the client certs are 
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from 
> CA_file are indeed the CA chain certs of the RADIUS server 
> certificate.
>
> 
>

Re: 1.1.6 rpmbuild on centos 4.4

2007-06-20 Thread Tomas Hoger
On 6/20/07, Andrew Long <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
> error: Failed build dependencies:
> libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
>
> On Cent 4.4 there is no libtool-ltdl or devel package.

Edit .spec file and remove 'BuildRequires: libtool-ltdl-devel'.  You
only need libtool package on CentOS4 / RHEL4.

th.


Re : 2.0.0-pre : Failed to open socket.

2007-06-20 Thread Eshun Benjamin
ERROR: Failed to open socket:

check whether port 1812 is already in use. Or you can also run radius on the old 
school port 1645 for testing.
 
== 
Benjamin K. Eshun

- Original message 
From: Debashis Prusty <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Wednesday, 20 June 2007, 18:02:39
Subject: 2.0.0-pre : Failed to open socket.

I am trying to run Freeradius on Solaris with MySQL. Logs are pasted 
below. It's working fine for earlier versions of Freeradius. Does anyone 
have the solution?
Thanks in advance,
Debashis
~~~
freeradius/sbin # ./radiusd -X
Config:   including file: /opt/sf/freeradius/etc/raddb/radiusd.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on 
Jun 19 2007 at 10:29:22
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = "/opt/sf/freeradius"
localstatedir = "/opt/sf/freeradius/var"
logdir = "/opt/sf/freeradius/var/log/radius"
libdir = "/opt/sf/freeradius/lib"
radacctdir = "/opt/sf/freeradius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = "/opt/sf/freeradius/var/log/radius/radius.log"
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid"
checkrad = "/opt/sf/freeradius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
syslog_facility = "daemon"
 }
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 server_pool my_auth_failover {
type = my_auth_failover
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
ldflag = fail_over
 }
port = 1812
 listen {
type = "auth"
ipaddr = *
port = 0
ERROR: Failed to open socket:
/opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port 
for 0.0.0.0 port 1812
~~~

Re: Re : Off-topic: DHCP server with radius support

2007-06-20 Thread Arran Cudbard-Bell
Eshun Benjamin wrote:
> 
> Slightly off-topic. Is anyone aware of a DHCP server with radius
> support. Or even just with exec support? I'd like to set up a DHCP that
> will ask a radius server for IP instead of assigning it itself
> 
> A radius server assigning IPs ... that is not radius (!). Maybe 
> you mean the radius server authenticating (MACs and/or IPs) before the 
> dhcp assigns it; this you have to configure and write your own scripts 
> on the dhcp server to authenticate against the radius. Radius is for AAA
>  

And DHCP doesn't fit into those A's just as neatly as RADIUS ?

Ok the authentication aspect is a bit iffy, but there's definitely 
authorisation and accounting going on ;)

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re : Off-topic: DHCP server with radius support

2007-06-20 Thread Eshun Benjamin
Slightly off-topic. Is anyone aware of a DHCP server with radius 
support. Or even just with exec support? I'd like to set up a DHCP that 
will ask a radius server for IP instead of assigning it itself

A radius server assigning IPs ... that is not radius (!). Maybe you mean 
the radius server authenticating (MACs and/or IPs) before the dhcp assigns it; 
this you have to configure and write your own scripts on the dhcp server to 
authenticate against the radius. Radius is for AAA 
 
== 
Benjamin K. Eshun

- Original message 
From: Kostas Kalevras <[EMAIL PROTECTED]>
To: FreeRadius users mailing list 
Sent: Wednesday, 20 June 2007, 14:18:09
Subject: Off-topic: DHCP server with radius support

Slightly off-topic. Is anyone aware of a DHCP server with radius 
support. Or even just with exec support? I'd like to set up a DHCP that 
will ask a radius server for IP instead of assigning it itself

-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


Re: RE : Ldap Group Membership Requirements

2007-06-20 Thread Cody Jarrett
So it will search and find the group, but I can still connect with my 
user even though it isn't in that group. Any ideas on how to keep a user 
from connecting if their account isn't in that group?




Thibault Le Meur wrote:
> > Basically trying to figure out what I need to add to these lines:
> > groupname_attribute, groupmembership_filter, and
> > groupmembership_attribute. Also not sure if I need to add something to
> > users file like: DEFAULT LDAP-Group == "wireless". Can anyone provide
> > input on what I need to configure, Thanks.
> >
> > wireless group in ldap, you can see cjarrett is a member:
> > dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> > objectClass: posixGroup
> > cn: wireless
> > gidNumber: 1011
> > memberUid: cjarrett
>
> You're using POSIXGroups:
> groupname_attribute = cn
> groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"
>
> No groupmembership_attribute.
>
> In your users file, for instance:
> DEFAULT LDAP-Group ==  "wireless" ...
>
> See /usr/share/doc/freeradius/rlm_ldap text file.
>
> HTH,
> Thibault



1.1.6 rpmbuild on centos 4.4

2007-06-20 Thread Andrew Long

I know this is a little off topic, but would appreciate any help.

Following instructions at http://radiuswiki.suntel.com.tr/Build
I am getting...

[EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386

On Cent 4.4 there is no libtool-ltdl or devel package. I don't quite understand 
this, as this machine is identical to another on which I built freeradius from 
source (not rpmbuild, though).

I can find a libtool-ltdl for FC, but it puts me in a spiral of failed deps...

Anyone have a clue?

Regards,

Andrew Long





add new attributes in the proxy reply message

2007-06-20 Thread Ashraf Al-Basti
Dear,
I need to add attributes in the proxy reply message; how can I do that 
using attrib_rewrite?


Re: 2.0.0-pre : Failed to open socket.

2007-06-20 Thread Arran Cudbard-Bell
Debashis Prusty wrote:
> I am trying to run Freeradius on Solaris with MySQL. Logs are pasted 
> below. It's working fine for earlier versions of Freeradius. Does anyone 
> have the solution?
> Thanks in advance,
> Debashis
> ~~~
> freeradius/sbin # ./radiusd -X
> Config:   including file: /opt/sf/freeradius/etc/raddb/radiusd.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/proxy.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/clients.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/snmp.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/eap.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/sql.conf
> Config:   including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf
> FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on 
> Jun 19 2007 at 10:29:22
> Starting - reading configuration files ...
> read_config_files:  reading dictionary
> main {
> prefix = "/opt/sf/freeradius"
> localstatedir = "/opt/sf/freeradius/var"
> logdir = "/opt/sf/freeradius/var/log/radius"
> libdir = "/opt/sf/freeradius/lib"
> radacctdir = "/opt/sf/freeradius/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> allow_core_dumps = no
> log_stripped_names = no
> log_file = "/opt/sf/freeradius/var/log/radius/radius.log"
> log_auth = no
> log_auth_badpass = no
> log_auth_goodpass = no
> pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid"
> checkrad = "/opt/sf/freeradius/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
>  log {
> syslog_facility = "daemon"
>  }
>  proxy server {
> retry_delay = 5
> retry_count = 3
> default_fallback = no
> dead_time = 120
> wake_all_if_all_dead = no
>  }
>  security {
> max_attributes = 200
> reject_delay = 1
> status_server = yes
>  }
> }
>  home_server localhost {
> ipaddr = 127.0.0.1 IP address [127.0.0.1]
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> zombie_period = 40
> status_check = "status-server"
> ping_check = "none"
> ping_interval = 30
> check_interval = 30
> num_answers_to_alive = 3
> num_pings_to_alive = 3
> revive_interval = 120
> status_check_timeout = 4
>  }
>  server_pool my_auth_failover {
> type = my_auth_failover
> home_server = localhost
>  }
>  realm example.com {
> auth_pool = my_auth_failover
>  }
>  realm LOCAL {
> ldflag = fail_over
>  }
> port = 1812
>  listen {
> type = "auth"
> ipaddr = *
> port = 0
> ERROR: Failed to open socket:
> /opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port 
> for 0.0.0.0 port 1812
> ~~~

Update to CVS head...

This seems to be an issue with Mac OSX and maybe other BSD based 
operating systems.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900


Re: Need help with 802.1X authentication to Active Directory

2007-06-20 Thread Bryant Marsh

Hi Ivan,

Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem
to the local machine certificate store.

I was reading a document that was saying that the USERS file is not
necessary for authenticating to Active Directory. Is that really true?

Here are my config files.
http://www.nabble.com/file/p11217074/clients.conf clients.conf 
http://www.nabble.com/file/p11217074/smb.conf smb.conf 
http://www.nabble.com/file/p11217074/nsswitch.conf nsswitch.conf 
http://www.nabble.com/file/p11217074/radiusd.conf radiusd.conf 
http://www.nabble.com/file/p11217074/eap.conf eap.conf 
http://www.nabble.com/file/p11217074/hosts hosts 

Thanks,
Bryant.


Yes. Certificates created with xpextensions will work with Win2K3 clients
as well. But you need to import CA certificate to the trusted
certificate store on Windows clients (XP and 2K3; Win 2K can't be used).

Ivan Kalik
Kalik Informatika ISP



RE: mschapv2 and users file

2007-06-20 Thread Matt Cobb
Alan,

I believe you that it can work - I just want to know how to configure it
so it does :-)

Here is the output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var/lib"
 main: logdir = "/var/lib/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/lib/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no

 main: log_auth_goodpass = no
 main: pidfile = "/var/lib/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
 listen: port = 1645
 listen: type = "auth"
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/lib/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = yes
Module: Instantiated realm (suffix)
 realm: format = "prefix"
 realm: delimiter = "\"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/lib/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/lib/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on authentication *:1645
Listening on proxy *:1814
Ready to process

RE : Ldap Group Membership Requirements

2007-06-20 Thread Thibault Le Meur
>Basically trying to 
> figure out 
> what I need to add to these lines: groupname_attribute, 
> groupmembership_filter, and groupmembership_attribute. Also 
> not sure if 
> I need to add something to users file like: DEFAULT LDAP-Group == 
> "wireless". Can anyone provide input on what I need to 
> configure, Thanks.
> 
> wireless group in ldap, you can see cjarrett is a member:
> dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
> objectClass: posixGroup
> cn: wireless
> gidNumber: 1011
> memberUid: cjarrett

You're using posixGroups:
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

No groupmembership_attribute.


In your users file, for instance:
DEFAULT LDAP-Group == "wireless" ...


See /usr/share/doc/freeradius/rlm_ldap text file.

HTH,
Thibault





Re: Sending CA certificate during EAP-TLS

2007-06-20 Thread Rafa Marín López
Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen,

thanks for the answer, please see inline...
>
> Argh, your misunderstanding is because of the inline 
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the 
> same CA certs
Well, in my current configuration I have the RADIUS server certificate in 
certificate_file and the CA certificate in CA_file.

But with that configuration, the radius server is still sending the CA 
certificate.

Having said that, your proposal was to not include the CA certificate 
in the RADIUS server certificate (in the certificate_file variable).

My RADIUS server certificate does not have the CA certificate included. 
Even so, the RADIUS server is including the CA certificate :(...

Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is 
> issued by some (commercial) server CA where as the client certs are 
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from 
> CA_file are indeed the CA chain certs of the RADIUS server 
> certificate.
>
> 
>


Ldap Group Membership Requirements

2007-06-20 Thread Cody Jarrett
I'm trying to require a user to be a member of the wireless group in 
ldap to be able to join the wireless. All users can currently join the 
wireless. I can't find very much documentation on the groupmembers* 
lines in the ldap section of radius.conf. Basically trying to figure out 
what I need to add to these lines: groupname_attribute, 
groupmembership_filter, and groupmembership_attribute. Also not sure if 
I need to add something to users file like: DEFAULT LDAP-Group == 
"wireless". Can anyone provide input on what I need to configure? Thanks.

wireless group in ldap, you can see cjarrett is a member:
dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
objectClass: posixGroup
cn: wireless
gidNumber: 1011
memberUid: cjarrett



2.0.0-pre : Failed to open socket.

2007-06-20 Thread Debashis Prusty
I am trying to run FreeRADIUS on Solaris with MySQL. Logs are pasted 
below. It's working fine for earlier versions of FreeRADIUS. Does anyone 
have the solution?
Thanks in advance,
Debashis
~~~
freeradius/sbin # ./radiusd -X
Config:   including file: /opt/sf/freeradius/etc/raddb/radiusd.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/proxy.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/clients.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/snmp.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/eap.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql.conf
Config:   including file: /opt/sf/freeradius/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre1, for host i386-pc-solaris2.10, built on 
Jun 19 2007 at 10:29:22
Starting - reading configuration files ...
read_config_files:  reading dictionary
main {
prefix = "/opt/sf/freeradius"
localstatedir = "/opt/sf/freeradius/var"
logdir = "/opt/sf/freeradius/var/log/radius"
libdir = "/opt/sf/freeradius/lib"
radacctdir = "/opt/sf/freeradius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
log_stripped_names = no
log_file = "/opt/sf/freeradius/var/log/radius/radius.log"
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
pidfile = "/opt/sf/freeradius/var/run/radiusd/radiusd.pid"
checkrad = "/opt/sf/freeradius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
syslog_facility = "daemon"
 }
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 home_server localhost {
ipaddr = 127.0.0.1 IP address [127.0.0.1]
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 server_pool my_auth_failover {
type = my_auth_failover
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
ldflag = fail_over
 }
port = 1812
 listen {
type = "auth"
ipaddr = *
port = 0
ERROR: Failed to open socket:
/opt/sf/freeradius/etc/raddb/radiusd.conf[195]: Error binding to port 
for 0.0.0.0 port 1812
~~~


Re: mschapv2 and users file

2007-06-20 Thread A . L . M . Buxey
Hi,
> I'm having the same problem on 1.1.6, but when I try the cobb
> Cleartext-Password := "secret" as below, i get this when starting...
> 
> /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
> attribute "Cleartext-password"
> Errors reading /etc/raddb-test/users
> radiusd.conf[1052]: files: Module instantiation failed.
> radiusd.conf[1654] Unknown module "files".
> radiusd.conf[1589] Failed to parse authorize section.


output of  `radiusd -v` please

alan


Re: mschapv2 and users file

2007-06-20 Thread Alan DeKok
Ryan Kramer wrote:
> I'm having the same problem on 1.1.6, but when I try the cobb
> Cleartext-Password := "secret" as below, i get this when starting...
> 
> /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
> attribute "Cleartext-password"

  You're not using the dictionaries that came with 1.1.6.  See
raddb/dictionary.  Point it to the location of the 1.1.6 dictionaries.

  Alan DeKok.


Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := "secret" as below, I get this when starting...

/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute "Cleartext-password"
Errors reading /etc/raddb-test/users
radiusd.conf[1052]: files: Module instantiation failed.
radiusd.conf[1654] Unknown module "files".
radiusd.conf[1589] Failed to parse authorize section.



On 6/20/07, Alan DeKok <[EMAIL PROTECTED]> wrote:


Matt Cobb wrote:
> Tried:
>
>   cobb Cleartext-Password:="secret"
>
> same result:

  Please post the ENTIRE debug output.  Trust me, MS-CHAP works in the
server.  Put that entry at the TOP of the "users" file, and it should
work.  Odds are you put it in the middle of the "users" file, and
there's an earlier entry which means that the "cobb" entry is never used.

  Alan DeKok.

RE: mschapv2 and users file

2007-06-20 Thread tnt
Can you post the whole conversation from the request? From this snip it
looks like your realm isn't stripped. Try using [EMAIL PROTECTED] as username
in users file instead of cobb.

Ivan Kalik
Kalik Informatika ISP


Dana 20/6/2007, "Matt Cobb" <[EMAIL PROTECTED]> piše:

>Tried:
>
>   cobb Cleartext-Password:="secret"
>
>same result:
>
>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
>  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>  modcall[authenticate]: module "mschap" returns reject for request 0
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
>PROTECTED]
>Sent: Wednesday, June 20, 2007 1:47 AM
>To: FreeRadius users mailing list
>Subject: Re: mschapv2 and users file
>
>Use Cleartext-Password and operator :=
>
>That listing seems to be from the attempt with NT-Password. That entry
>should also use := as the operator.
>
>Ivan Kalik
>Kalik Informatika ISP
>
>
>Dana 20/6/2007, "Matt Cobb" <[EMAIL PROTECTED]> piše:
>
>>I have freeradius 1.1.4 setup as a proxy to an upstream radius server
>>which works.  I also want to put guests in a local users file and use
>>MSCHAPV2 on them, but didn't get it to work.  I was able to get PAP and
>>CHAP working.  Here is the MSCHAPV2 configuration I tried:
>>
>> 
>>
>>users file:
>>
>>cobb User-Password=="secret"
>> 
>>
>>How do I configure MSCHAPv2 to a local users file?
>>
>>
>>
>
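The "Cannot create NT-Password" lines in the quoted debug output, and the question in the PEAP-GTC thread about using an NT hash instead of a cleartext password, both come down to the same fact: MS-CHAPv2 is computed over the NT hash of the password, so the server must hold that hash or a cleartext it can hash; a crypt() or SHA-1 digest gives it nothing to work with. The following is an added example, not code from any poster or from FreeRADIUS itself: it derives NT-Password from Cleartext-Password (MD4 over UTF-16LE, with MD4 written out by hand so it runs without OpenSSL's legacy provider) and models the users-file advice given in the thread; the users-file lines, `parse_users_entry` and `mschap_decision` are constructed for illustration and simplify what rlm_files and rlm_mschap actually do.

```python
import re
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, written out by hand because hashlib.new("md4")
    needs OpenSSL's legacy provider and is often unavailable."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                       # padding: a single 1 bit ...
    while len(msg) % 64 != 56:             # ... zeros up to 56 mod 64 ...
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # ... and the 64-bit LE bit length

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Message-word order for round 3 (round 2's order is computed inline).
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                # round 1: words 0..15 in order
            a = _rotl((a + f(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c        # rotate registers: next step works on d
        for i in range(16):                # round 2: words 0,4,8,12,1,5,9,13,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & _MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                # round 3
            a = _rotl((a + h(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & _MASK,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password(cleartext: str) -> bytes:
    """NT-Password as the server derives it from Cleartext-Password:
    MD4 over the UTF-16LE encoding of the password.  MS-CHAPv2 challenge
    responses are computed from this hash, which is why a one-way crypt()
    or SHA-1 hash of the same password is useless to rlm_mschap."""
    return md4(cleartext.encode("utf-16-le"))


# One check item of a users-file entry:  Attribute <op> "value"
_ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*"([^"]*)"')


def parse_users_entry(line: str) -> tuple[str, dict]:
    """Parse the first line of a users-file entry ('<name> <check items>')
    into the user name and {attribute: (operator, value)}.  Simplified
    model for this example, not the rlm_files parser."""
    parts = line.strip().split(None, 1)
    name = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    items = {m.group(1): (m.group(2), m.group(3)) for m in _ITEM_RE.finditer(rest)}
    return name, items


def mschap_decision(entry_line: str) -> tuple[bool, str]:
    """Model of the advice in the thread (constructed, not rlm_mschap's code):
    MS-CHAPv2 needs a known-good password set with ':=' as Cleartext-Password
    or NT-Password.  '==' only compares against the request, and an MS-CHAPv2
    request carries no password attribute to compare with."""
    name, items = parse_users_entry(entry_line)
    op, value = items.get("NT-Password", (None, None))
    if op == ":=":
        return True, f"{name}: using configured NT-Password {value}"
    op, value = items.get("Cleartext-Password", (None, None))
    if op == ":=":
        return True, f"{name}: NT-Password derived: {nt_password(value).hex()}"
    # This is the situation behind the debug lines quoted in the thread.
    return False, f"{name}: No User-Password configured.  Cannot create NT-Password."


if __name__ == "__main__":
    # Constructed users-file entries, modelled on the ones posted in the thread.
    for entry in ('cobb User-Password == "secret"',
                  'cobb Cleartext-Password := "secret"'):
        ok, why = mschap_decision(entry)
        print(f"{'usable   ' if ok else 'unusable '} {entry:40s} {why}")
```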


Re: Exec-Program-Wait

2007-06-20 Thread Alan DeKok
Felipe Ceglia - PY1NB wrote:
> When I run it thru users file, it is called, and works.

  You put it in the "reply" list in the "users" file, and the "check"
table in the SQL database.

  Put it in the reply table in the SQL database.

  Alan DeKok.


Re: Primary, Secondary, Radrelay, Mysql Problem

2007-06-20 Thread Jeff
I kinda see what's going on.
User connects to primary.
Radrelay then sends accounting data to secondary.
Thus user shows up online in both databases.
Then radrelay on secondary sends accounting info back to the primary,
thus creating a double entry in mysql in the primary.

Am I right?
If so is the solution just not running radrelay on the primary?

  From: Jeff [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Wed, 20 Jun 2007 10:52:01 -0400
Subject: Primary, Secondary, Radrelay, Mysql Problem

I am doing the following and have an issue.
Issue is on the primary I get a duplicate entry on accounting in mysql for a user.
I don't use this accounting for anything but the users online listing, I have to use 
accounting from the detail file for that.

Ok here's the explanation.
I use radrelay so each radius accounting will be in sync (I need the detail file 
for accounting); the billing package we have won't read the sql data.

Primary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the secondary 
freeradius server.
I also have mysql setup on that server with accounting going into it to be able 
to see users online for that server.

Secondary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the primary freeradius 
server.
I also have mysql setup on that server with accounting going into it to be able 
to see users online for that server.

Here's what happens:
On the secondary server in the mysql radacct table I get one entry for start and 
stop on a client, as it should be, showing one user online.

On the primary server, I get a duplicate entry for start and a duplicate entry for 
stop, and thus also show the user online twice.

I am not sure what to do.
Basically what I was trying to have here is
a primary and secondary radius, with the detail file combined and in sync for 
the following reasons:
1. To input one detail file into the billing program.
2. To make sure it was showing users logged on.

I didn't setup radsqlrelay, didn't think that was necessary, and maybe I am going 
about this wrong.

Any suggestions?


Exec-Program-Wait

2007-06-20 Thread Felipe Ceglia - PY1NB
Hi gurus!

Should this work, or am I missing something?
radiusd -x doesn't output any call to this script.

When I run it thru users file, it is called, and works.


mysql> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute,
    ->        radgroupcheck.Value, radgroupcheck.op
    -> FROM radgroupcheck, usergroup
    -> WHERE usergroup.Username = 'mendes'
    ->   AND usergroup.GroupName = radgroupcheck.GroupName
    -> ORDER BY radgroupcheck.id;
+----+-----------+-------------------+----------------------------------------------+----+
| id | GroupName | Attribute         | Value                                        | op |
+----+-----------+-------------------+----------------------------------------------+----+
| 24 | dialup2   | Exec-Program-Wait | php /intranet/prod/src/checkradius.php %u %n | := |
+----+-----------+-------------------+----------------------------------------------+----+
1 row in set (0.00 sec)


Thank you,

Felipe Ceglia


Re: mschapv2 and users file

2007-06-20 Thread Alan DeKok
Matt Cobb wrote:
> Tried:
> 
>   cobb Cleartext-Password:="secret"
> 
> same result:

  Please post the ENTIRE debug output.  Trust me, MS-CHAP works in the
server.  Put that entry at the TOP of the "users" file, and it should
work.  Odds are you put it in the middle of the "users" file, and
there's an earlier entry which means that the "cobb" entry is never used.

  Alan DeKok.


RE: mschapv2 and users file

2007-06-20 Thread Matt Cobb
Tried:

cobb Cleartext-Password:="secret"

same result:

  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 0


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 20, 2007 1:47 AM
To: FreeRadius users mailing list
Subject: Re: mschapv2 and users file

Use Cleartext-Password and operator :=

That listing seems to be from the attempt with NT-Password. That entry
should also use := as the operator.

Ivan Kalik
Kalik Informatika ISP


Dana 20/6/2007, "Matt Cobb" <[EMAIL PROTECTED]> piše:

>I have freeradius 1.1.4 setup as a proxy to an upstream radius server
>which works.  I also want to put guests in a local users file and use
>MSCHAPV2 on them, but didn't get it to work.  I was able to get PAP and
>CHAP working.  Here is the MSCHAPV2 configuration I tried:
>
> 
>
>users file:
>
>cobb User-Password=="secret"
> 
>
>How do I configure MSCHAPv2 to a local users file?
>
>
>



Primary, Secondary, Radrelay, Mysql Problem

2007-06-20 Thread Jeff
I am doing the following and have an issue.
Issue is on the primary I get a duplicate entry on accounting in mysql for a user.
I don't use this accounting for anything but the users online listing, I have to use 
accounting from the detail file for that.

Ok here's the explanation.
I use radrelay so each radius accounting will be in sync (I need the detail file 
for accounting); the billing package we have won't read the sql data.

Primary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the secondary 
freeradius server.
I also have mysql setup on that server with accounting going into it to be able 
to see users online for that server.

Secondary Server (Freeradius 1.16)
I have radrelay configured to push accounting detail to the primary freeradius 
server.
I also have mysql setup on that server with accounting going into it to be able 
to see users online for that server.

Here's what happens:
On the secondary server in the mysql radacct table I get one entry for start and 
stop on a client, as it should be, showing one user online.

On the primary server, I get a duplicate entry for start and a duplicate entry for 
stop, and thus also show the user online twice.

I am not sure what to do.
Basically what I was trying to have here is
a primary and secondary radius, with the detail file combined and in sync for 
the following reasons:
1. To input one detail file into the billing program.
2. To make sure it was showing users logged on.

I didn't setup radsqlrelay, didn't think that was necessary, and maybe I am going 
about this wrong.

Any suggestions?



Re: Sending CA certificate during EAP-TLS

2007-06-20 Thread Reimer Karlsen-Masur, DFN-CERT



Rafa Marin wrote:

> Hi Karlsen,
> 
> 2007/6/20, Reimer Karlsen-Masur, DFN-CERT <[EMAIL PROTECTED]>:
> 
> > Hi,
> > 
> > in the file referenced by the option variable "certificate_file" in
> > the tls section only put the server certificate (and optionally the
> > private key) of your RADIUS server.
> 
> I think this might work (after some tests I did). But my immediate 
> question is how the server is supposed to verify client certificate if 
> we don't configure any CA certificate?


Argh, your misunderstanding is because of the inline documentation/default 
setup of the eap config file.


*Trusted* CAs for client auth are stored in

CA_file

or

CA_path

So there is no conflict here with certificate_file option.

And IMO usually CA_file and certificate_file should *not* contain the same 
CA certs because I guess in the majority of cases the RADIUS server cert is 
issued by some (commercial) server CA where as the client certs are mostly 
issued by some home grown user CA.


Saying that there might be cases where the CA certificates from CA_file are 
indeed the CA chain certs of the RADIUS server certificate.


--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: 1.1.6 README error?

2007-06-20 Thread Alan DeKok
Andrew Long wrote:
> I am wondering if the last line is supposed to read, " use 
> Cleartext-Password instead."

  Yes.  Fixed, thanks.

  Alan DeKok.


Re: Additionally set/provided variables... how to access them?

2007-06-20 Thread Alan DeKok
Mark J Elkins wrote:
> # Contents of file "/usr/share/freeradius/dictionary.telkom"

  Added, thanks.

  Alan DeKok.


Re: Sending CA certificate during EAP-TLS

2007-06-20 Thread Rafa Marin

Hi Karlsen,

2007/6/20, Reimer Karlsen-Masur, DFN-CERT <[EMAIL PROTECTED]>:

> Hi,
> 
> in the file referenced by the option variable "certificate_file" in the
> tls section only put the server certificate (and optionally the private key)
> of your RADIUS server.

I think this might work (after some tests I did). But my immediate question
is how the server is supposed to verify client certificate if we don't
configure any CA certificate?

> i.e. don't put ca certificates of the chain into that file.

I don't know how to prevent the client from sending CA path
certificates

> Rafa Marin wrote:
> > Hi all,
> >
> > Is there any way to configure free radius + eap-tls module to avoid to
> > send CA certificate during EAP-TLS negotiation? As Free Radius is
> > sending it right now EAP-TLS packets get fragmented and I would like to
> > avoid it.
> 
> --
> Beste Gruesse / Kind Regards
> 
> Reimer Karlsen-Masur
> 
> DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
> --
> Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737



Re: Re : Sending CA certificate during EAP-TLS

2007-06-20 Thread Rafa Marin

Hi Alan,



> err, no. you need to handle those fragmented packets. where is it failing,
> on your network or more remotely?

Actually, it is not failing. I got a successful authentication; I was only
trying to avoid fragmentation if possible.

> EAP-TLS places much larger demands on the packet sizes during AAA
> process... several hundred bytes more than PEAP (which JUST ABOUT misses
> fragmentation in its current form from recent memory)

Yes I know.

> you've GOT to pass the certs... and if you're using a larger cert (chained
> etc) those packets will be big.

Actually I don't see any problem in sending server certificate and the
client its own client certificate. What I would like to do is to avoid
sending CA certificate.

> so... who's breaking the RFCs with respect to ICMP and pmtu?  ;-)
> 
> alan


1.1.6 README error?

2007-06-20 Thread Andrew Long

The README for 1.1.6 states...

"New users of FreeRADIUS should prefer using Cleartext-Password over
User-Password.  That is, if the documentation or a web page says to
configure User-Password in a database or server configuration file,
the documentation is likely out of date, and you should use
User-Password instead."

I am wondering if the last line is supposed to read, " use 
Cleartext-Password instead."

Regards,

Andrew Long




Re: Re : Sending CA certificate during EAP-TLS

2007-06-20 Thread Rafa Marin

Hi Benjamin

2007/6/20, Eshun Benjamin <[EMAIL PROTECTED]>:

> > Is there any way to configure free radius + eap-tls module to avoid to
> > send CA certificate during EAP-TLS negotiation?
> You may have to read the RFC :-).  You need the certificates to do EAP-TLS

Yes that's clear to me that you need to send your certificates. But my
question was related with CA certificate. When you read TLS RFC (see below)
it seems that sending CA certificate is not mandatory. That is the reason of
my question.

certificate_list
  This is a sequence (chain) of X.509v3 certificates. The sender's
  certificate must come first in the list. Each following
  certificate must directly certify the one preceding it. Because
  certificate validation requires that root keys be distributed
  independently, the self-signed certificate which specifies the
  root certificate authority may optionally be omitted from the
  chain, under the assumption that the remote end must already
  possess it in order to validate it in any case.

> ==
> 
> Benjamin K. Eshun
> 
> ----- Original Message -----
> From: Rafa Marin <[EMAIL PROTECTED]>
> To: freeradius-users@lists.freeradius.org
> Sent: Wednesday, 20 June 2007, 13:16:05
> Subject: Sending CA certificate during EAP-TLS
> 
> Hi all,
> 
> Is there any way to configure free radius + eap-tls module to avoid to
> send CA certificate during EAP-TLS negotiation? As Free Radius is sending it
> right now EAP-TLS packets get fragmented and I would like to avoid it.
> 
> Thanks in advance.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Colleen C. Morrissey
That worked.  Thank you!

Alan DeKok wrote:
> Colleen C. Morrissey wrote:
>> I don't have the clear text password.  Your original reply said this 
>> would work with clear text password or nt hash.  I have the NT hash 
>> and/or I can get the SHA1 base 64 encoded password (which was working 
>> with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
>> I don't manage the ldap service so getting the clear text password will 
>> not be easy and may not be possible organizationally.   Thanks.
> 
>   Hmm.. OK.
> 
>   In that case your best bet may be to grab the current code from CVS.
> See the web page for how to do CVS logins, etc.  Then,
> 
> $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r
> branch_1_1 -d freeradius-1.1.7pre radiusd
> 
>   And the "freeradius-1.1.7pre" directory will contain a version that
> fixes the issue you're seeing in the mschap module.
> 
>   Alan DeKok.


Re: Additionally set/provided variables... how to access them?

2007-06-20 Thread Mark J Elkins
Alan DeKok wrote:
> Mark J Elkins wrote:
>   
>> Added the 'dictionary.telkom', got this $included in 'dictionary' - and
>> the "Warning:.." message has gone. The value of the new variable is now
>> showing up.
>> 
>
>   Could you mail a copy here so that other people don't have to go
> through this?
>
>   
The dictionary that needs the include:
$INCLUDE dictionary.telkom  # ie - put this line in "/usr/share/freeradius/dictionary"

# Contents of file "/usr/share/freeradius/dictionary.telkom"
#
#   Telkom SA - RADIUS dictionary
#   Used to convey Telkom Specific Information in proxied requests
#   EDS 20031007 [EMAIL PROTECTED]
VENDOR          Telkom                  1431

BEGIN-VENDOR    Telkom

#   Access-Type is used to describe the Access Medium used eg
#   Dial/ADSL/VSAT etc.  Used in both Access-Requests and Accounting
ATTRIBUTE       Telkom-Access-Type      1       string
#
#   Service-Type is used to indicate the Service used, mainly in conjunction
#   with the SSG.  Used in both Access-Requests and Accounting
ATTRIBUTE       Telkom-Service-Type     2       string

END-VENDOR      Telkom


Use:

You would normally add the following as a check item in your freeradius 
radcheck table by adding an entry
like:

Attribute : 'Telkom-Access-Type'
Value : 'DSL'
Op: '=='

Which will restrict a user to ADSL only.


>> (South African audience)
>> Incidentally - Telkom SA set this with all requests (access and
>> accounting). Eddie Stassen at SAIX customised (an old version of)
>> freeradius and gets his proxy servers to add the attribute. Apparently -
>> using the new 'unlanguage' - this is now trivial.
>> 
>
>   That's the idea.  I like trivial solutions to problems.
>
>   Alan DeKok.


-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco 
CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Sending CA certificate during EAP-TLS

2007-06-20 Thread Stefan Winter
Hi,

> sowhos breaking the RFCs with respect to ICMP and pmtu?  ;-)

I've been hunting one such case recently. Just in case it helps: in our case 
it was a BSD firewall that was misconfigured to only allow non-fragmented UDP 
packets. I'm not into BSD at all, the guy said something about this being a 
default setting? I hope I got him wrong back then.

We also currently have a pending issue with Cisco WLAN Controllers. We suspect 
that it will take the EAPoL message from the client, and put the beginning of 
it into a UDP packet, simply forgetting about the rest if EAPoL payload > 
largest possible EAP-Message payload. We couldn't get our hands on a 100% 
positive test case, so didn't approach TAC yet.

If any of the two are the case for you, please report back here - it's quite 
an interesting piece of info...

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RE: Off-topic: DHCP server with radius support

2007-06-20 Thread Edvin Seferovic
How about DHCP with LDAP ?

>Kostas Kalevras wrote:
>> Slightly off-topic. Is anyone aware of a DHCP server with radius 
>> support. Or even just with exec support? I'd like to setup a DHCP that 
>> will ask a radius server for IP instead of assigning it itself
>
>  Nope.  I spent a while looking at adding RADIUS support to the ISC
>server last year.  It turned out it was just too difficult.
>
>  Alan DeKok.
>- 
>List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html



Re: Off-topic: DHCP server with radius support

2007-06-20 Thread Alan DeKok
Kostas Kalevras wrote:
> Slightly off-topic. Is anyone aware of a DHCP server with radius 
> support. Or even just with exec support? I'd like to setup a DHCP that 
> will ask a radius server for IP instead of assigning it itself

  Nope.  I spent a while looking at adding RADIUS support to the ISC
server last year.  It turned out it was just too difficult.

  Alan DeKok.


Re: Re : Sending CA certificate during EAP-TLS

2007-06-20 Thread A . L . M . Buxey
Hi,

> Is there any way to configure free radius + eap-tls module to avoid to send 
> CA certificate during EAP-TLS negotiation? As Free Radius is sending it right 
> now EAP-TLS packets get fragmented and I would like to avoid it.

err, no. you need to handle those fragmented packets. where is it failing, on 
your network or more remotely? EAP-TLS places much larger demands on the packet 
sizes during AAA process... several hundred bytes more than PEAP (which JUST 
ABOUT misses fragmentation in its current form from recent memory)

you've GOT to pass the certs... and if you're using a larger cert (chained etc) 
those packets will be big. 

so... who's breaking the RFCs with respect to ICMP and pmtu?  ;-)

alan


Re: Additionally set/provided variables... how to access them?

2007-06-20 Thread Alan DeKok
Mark J Elkins wrote:
> Added the 'dictionary.telkom', got this $included in 'dictionary' - and
> the "Warning:.." message has gone. The value of the new variable is now
> showing up.

  Could you mail a copy here so that other people don't have to go
through this?

> (South African audience)
> Incidentally - Telkom SA set this with all requests (access and
> accounting). Eddie Stassen at SAIX customised (an old version of)
> freeradius and gets his proxy servers to add the attribute. Apparently -
> using the new 'unlanguage' - this is now trivial.

  That's the idea.  I like trivial solutions to problems.

  Alan DeKok.


Off-topic: DHCP server with radius support

2007-06-20 Thread Kostas Kalevras
Slightly off-topic. Is anyone aware of a DHCP server with radius 
support. Or even just with exec support? I'd like to setup a DHCP that 
will ask a radius server for IP instead of assigning it itself

-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com



Re: dialup_admin user password question

2007-06-20 Thread Jay Banks
> On Wed 20 Jun 2007, Jay Banks wrote:
>> I spent most of the day getting dialup_admin to work, and I did get it to
>> work. Not being an mysql expert, I have to say what a blessing Webmin
>> turned out to be on the project. It sure was nice to be able to easily 
>> use
>> Webmin to look at data in the database table.
>
> Please do not hijack threads on the mailing list. Please start your own
> thread!

I've gone back through and read the latest posts. Unless I missed it, I have 
only seen two other discussions on Dialup Admin, and that was a bad link to 
download it, and a blank password for Mikrotik.

I read the PAP - CHAP thread, if that is what I "hijacked" my apologies. I 
see that as related, maybe, but the real issue was with where Dialup Admin 
was telling it how to store a password. I worked all day on Dialup Admin and 
just overlooked it. And as I stated, was just looking for someone to point 
me in the right direction since I was going to be out of the office for a 
couple of days and wanted to hit the ground running when I returned to work.

Feeling it had to be a Dialup Admin issue, I looked through the admin.conf 
again this morning. For people searching the archives, here was the line I 
missed:

#
# can be one of crypt,md5,clear
#
general_encryption_method: clear

Change the above line from crypt to clear. This is located under this 
section:

general_auth_request_file:

The "general_auth_request_file" threw me off a little. I was thinking 
"password" at the time.


Thanks,

Jay Banks
 http://groups.yahoo.com/group/mikrotik-wisp






Re: rlm_sql.c in 2.0.0-pre2

2007-06-20 Thread Alexander Serkin
Arran Cudbard-Bell wrote:
> Alan DeKok wrote:
>>   I don't think it was ever added.  I'm not sure the functionality is
>> even tested.
>>
>>   i.e. Does it work?
>>
>>   Alan DeKok.
> 
> Read Groups in SQL ? Yes, very very well tested. It's horribly broken in 
> 1.*.* though, or at least it was for me.
> 
> Unfortunately whoever modified rlm_sql in cvs head chose a very 
> inefficient querying system.
> 
> First you query to pull out group membership, second you query to get 
> each group's check items, then to get each group's reply items ... It just 
> doesn't scale when a user's a member of lots of groups.
> 
> Previously you pulled out all the records for all the groups a user was 
> a member of in two queries, one for check items and one for reply items..

Yes. It worked for me this way until at least 1.1.6.
You are right, Alan, - read_groups configuration checks were not in 1.1.x 
also, but they worked somehow.
Starting from 2.0.0-pre only user checks are performed by default.
The only way to make groups be checked was the supposed patch.
Or adding "Fall-Through=yes" for all user profiles in radcheck table 
which is not good.

-- 
Sincerely Yours,
Alexander


Re : Sending CA certificate during EAP-TLS

2007-06-20 Thread Eshun Benjamin
> Is there any way to configure free radius + eap-tls module to avoid to send CA 
> certificate during EAP-TLS negotiation?

You may have to read the RFC :-).  You need the certificates to do EAP-TLS
 
== 
Benjamin K. Eshun

- Original message 
From: Rafa Marin <[EMAIL PROTECTED]>
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, 20 June 2007, 13:16:05
Subject: Sending CA certificate during EAP-TLS

Hi all,

Is there any way to configure free radius + eap-tls module to avoid to send CA 
certificate during EAP-TLS negotiation? As Free Radius is sending it right now 
EAP-TLS packets get fragmented and I would like to avoid it.


Thanks in advance.


Re: Sending CA certificate during EAP-TLS

2007-06-20 Thread Reimer Karlsen-Masur, DFN-CERT

Hi,

in the file referenced by the option variable "certificate_file" in the tls 
section only put the server certificate (and optionally the private key) of 
your RADIUS server.


i.e. don't put ca certificates of the chain into that file.

I don't know how to prevent the client from sending CA path certificates

Rafa Marin wrote:

Hi all,

Is there any way to configure free radius + eap-tls module to avoid to 
send CA certificate during EAP-TLS negotiation? As Free Radius is 
sending it right now EAP-TLS packets get fragmented and I would like to 
avoid it.


--
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737


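The fragmentation that Rafa asks about, Alan Buxey's reply quantifies and Reimer's advice about the contents of certificate_file bears on, as an added example that is not from the thread or from FreeRADIUS: a TLS handshake flight (server certificate alone, or with the CA chain appended) is cut into EAP-TLS fragments with the RFC 5216 L/M flags, each fragment wrapped in an Access-Challenge as EAP-Message attributes of at most 253 bytes, and the resulting datagram size compared with the path MTU. The certificate sizes are constructed round numbers, the State length is assumed, and `fragment_size` refers to the tls-section option of that name in eap.conf (its stock default is assumed, not checked here). Stefan's misconfigured firewall would drop exactly the datagrams this reports as IP-fragmented.

```python
"""Added example, not from the thread or from FreeRADIUS: a TLS handshake
flight (server certificate alone, or with the CA chain appended) is cut into
EAP-TLS fragments (RFC 5216 L/M/S flags), each wrapped in an Access-Challenge
as EAP-Message attributes of at most 253 bytes, and the resulting datagram
size is compared with the path MTU.  Certificate sizes are constructed
round numbers, not measurements."""
import struct

EAP_REQUEST, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More, Start
EAP_MESSAGE_MAX = 253       # RFC 2869: 255-octet attribute minus 2-octet header
RADIUS_HEADER = 20
IP_UDP_HEADERS = 20 + 8
STATE_LEN = 16              # assumed size of the State attribute value
MESSAGE_AUTHENTICATOR = 2 + 16


def eap_tls_fragments(tls_data, fragment_size, first_id=1):
    """Server side: split tls_data into EAP-Request/EAP-TLS packets carrying
    at most fragment_size TLS bytes each.  The first fragment of a fragmented
    message sets L and carries the total length; all but the last set M."""
    chunks = [tls_data[i:i + fragment_size]
              for i in range(0, len(tls_data), fragment_size)] or [b'']
    packets = []
    for n, chunk in enumerate(chunks):
        flags = 0
        if n < len(chunks) - 1:
            flags |= FLAG_M
        if n == 0 and len(chunks) > 1:
            flags |= FLAG_L
        body = struct.pack('!BB', EAP_TYPE_TLS, flags)
        if flags & FLAG_L:
            body += struct.pack('!I', len(tls_data))
        body += chunk
        ident = (first_id + n) & 0xFF
        packets.append(struct.pack('!BBH', EAP_REQUEST, ident, 4 + len(body)) + body)
    return packets


def reassemble(packets):
    """Peer side: validate headers and flags, rebuild the TLS flight, and
    check it against the announced length."""
    out, announced = b'', None
    for n, pkt in enumerate(packets):
        code, _ident, length = struct.unpack('!BBH', pkt[:4])
        if code != EAP_REQUEST or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError('not a well-formed EAP-Request/EAP-TLS packet')
        flags, pos = pkt[5], 6
        if flags & FLAG_L:
            announced, pos = struct.unpack('!I', pkt[6:10])[0], 10
        elif n == 0 and flags & FLAG_M:
            raise ValueError('first fragment lacks the L flag')
        if bool(flags & FLAG_M) == (n == len(packets) - 1):
            raise ValueError('M flag disagrees with fragment position')
        out += pkt[pos:length]
    if announced is not None and announced != len(out):
        raise ValueError('reassembled %d bytes, %d announced' % (len(out), announced))
    return out


def access_challenge_size(eap_packet):
    """RADIUS bytes for one Access-Challenge carrying this EAP packet in
    EAP-Message attributes plus State and Message-Authenticator."""
    n_attrs = -(-len(eap_packet) // EAP_MESSAGE_MAX)
    return (RADIUS_HEADER + len(eap_packet) + 2 * n_attrs
            + 2 + STATE_LEN + MESSAGE_AUTHENTICATOR)


def plan(flight_len, fragment_size, mtu=1500):
    """Round trips and largest datagram for a flight of flight_len TLS bytes
    with the given fragment_size (eap.conf tls section)."""
    flight = bytes(flight_len)          # stand-in for real handshake bytes
    packets = eap_tls_fragments(flight, fragment_size)
    if reassemble(packets) != flight:
        raise AssertionError('round trip failed')
    largest = max(access_challenge_size(p) for p in packets) + IP_UDP_HEADERS
    return {'round_trips': len(packets), 'largest_udp': largest,
            'ip_fragmented': largest > mtu}


if __name__ == '__main__':
    # Constructed sizes: ~1500-byte server cert, ~3900 with two CA certs appended.
    for flight, frag in ((1500, 1024), (3900, 1024), (3900, 2048)):
        print(flight, frag, plan(flight, frag))
```

Two things fall out of running it: keeping the chain out of certificate_file shortens the flight and so cuts EAP round trips, and raising fragment_size trades round trips for datagrams larger than the path MTU, which is what a firewall that drops fragmented UDP will kill.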

Sending CA certificate during EAP-TLS

2007-06-20 Thread Rafa Marin

Hi all,

Is there any way to configure free radius + eap-tls module to avoid to send
CA certificate during EAP-TLS negotiation? As Free Radius is sending it
right now EAP-TLS packets get fragmented and I would like to avoid it.

Thanks in advance.

Re: Additionally set/provided variables... how to access them?

2007-06-20 Thread Mark J Elkins
[EMAIL PROTECTED] wrote:
> If you are introducing a new attribute it has to be defined in the
> dictionary.
>
>   
Thanks Ivan - it was over three years ago when the Radius server was
first set up - so I had completely forgotten about the Dictionary part...

Added the 'dictionary.telkom', got this $included in 'dictionary' - and
the "Warning:.." message has gone. The value of the new variable is now
showing up.

(South African audience)
Incidentally - Telkom SA set this with all requests (access and
accounting). Eddie Stassen at SAIX customised (an old version of)
freeradius and gets his proxy servers to add the attribute. Apparently -
using the new 'unlanguage' - this is now trivial.

Thanks FreeRadius community!
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 19/6/2007, "Mark J Elkins" <[EMAIL PROTECTED]> piše:
>
>   
>> Alan DeKok wrote:
>> 
>>> Mark J Elkins wrote:
>>>
>>>   
>>>> This gives (in radiusd -X) the debug warning message of
>>>>
>>>> WARNING: Attempt to use unknown xlat function, or non-existent attribute
>>>> in string %{Telkom-Access-Type}
>>>>
>>>> So how do I correctly access and use this value

-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   [EMAIL PROTECTED]  -  Mark J Elkins, SCO ACE, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: rlm_sql.c in 2.0.0-pre2

2007-06-20 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Alexander Serkin wrote:
>> Hi,
>> Is the "read_groups" configuration parameter reading strings 
>> intentionally removed from rlm_sql.c? Why?
> 
>   I don't think it was ever added.  I'm not sure the functionality is
> even tested.
> 
>   i.e. Does it work?
> 
>   Alan DeKok.
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Read Groups in SQL ? Yes, very very well tested. It's horribly broken in 
1.*.* though, or at least it was for me.

Unfortunately whoever modified rlm_sql in cvs head chose a very 
inefficient querying system.

First you query to pull out group membership, second you query to get 
each group's check items, then to get each group's reply items ... It just 
doesn't scale when a user's a member of lots of groups.

Previously you pulled out all the records for all the groups a user was 
a member of in two queries, one for check items and one for reply items..

---

Still think it would be a nice idea to have the option to disable single 
user lookups, SQL queries really are very expensive.

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
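The two group-lookup strategies Arran compares, as an added example that is not rlm_sql's own code: both are run against a constructed in-memory SQLite copy of the FreeRADIUS radusergroup, radgroupcheck and radgroupreply tables, and the number of database round trips is counted so the scaling difference (1 + 2N queries versus 2) is visible. Table and column names follow the stock schema; the rows and the 'heavy' user with many groups are made up for the example.

```python
"""Added example (not rlm_sql's code): the two group-lookup strategies
compared above, run against a constructed in-memory SQLite copy of the
FreeRADIUS radusergroup / radgroupcheck / radgroupreply tables, with the
number of database round trips counted."""
import sqlite3

SCHEMA = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# Constructed rows: 'cobb' is a member of two groups.
ROWS = {
    'radusergroup': [('cobb', 'dsl', 1), ('cobb', 'guests', 2)],
    'radgroupcheck': [('dsl', 'Telkom-Access-Type', '==', 'DSL'),
                      ('guests', 'Simultaneous-Use', ':=', '1')],
    'radgroupreply': [('dsl', 'Framed-Protocol', ':=', 'PPP'),
                      ('dsl', 'Service-Type', ':=', 'Framed-User'),
                      ('guests', 'Session-Timeout', ':=', '3600')],
}


def build_demo_db(heavy_user=None, n_groups=0):
    """In-memory database with the rows above, plus optionally one user who is
    a member of n_groups groups (one check and one reply item each)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():   # table names are constants, not input
        conn.executemany('INSERT INTO %s VALUES (%s)'
                         % (table, ','.join('?' * len(rows[0]))), rows)
    for k in range(n_groups):
        g = 'g%d' % k
        conn.execute('INSERT INTO radusergroup VALUES (?,?,?)', (heavy_user, g, k))
        conn.execute('INSERT INTO radgroupcheck VALUES (?,?,?,?)',
                     (g, 'Called-Station-Id', '==', 'nas-%d' % k))
        conn.execute('INSERT INTO radgroupreply VALUES (?,?,?,?)',
                     (g, 'Reply-Message', '+=', 'member of ' + g))
    conn.commit()
    return conn


def per_group_lookup(conn, username):
    """cvs-head style: one query for membership, then one check and one reply
    query per group (1 + 2N round trips).  The username is bound as a
    parameter, never interpolated into the SQL text."""
    queries = 1
    groups = [r[0] for r in conn.execute(
        'SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority',
        (username,))]
    check, reply = [], []
    for g in groups:
        check += conn.execute('SELECT attribute, op, value FROM radgroupcheck '
                              'WHERE groupname = ? ORDER BY rowid', (g,)).fetchall()
        reply += conn.execute('SELECT attribute, op, value FROM radgroupreply '
                              'WHERE groupname = ? ORDER BY rowid', (g,)).fetchall()
        queries += 2
    return check, reply, queries


def joined_lookup(conn, username):
    """Older style: join membership to each group table once, so the cost is
    two round trips however many groups the user is in."""
    sql = ('SELECT g.attribute, g.op, g.value FROM %s g '
           'JOIN radusergroup u ON u.groupname = g.groupname '
           'WHERE u.username = ? ORDER BY u.priority, g.rowid')
    check = conn.execute(sql % 'radgroupcheck', (username,)).fetchall()
    reply = conn.execute(sql % 'radgroupreply', (username,)).fetchall()
    return check, reply, 2


if __name__ == '__main__':
    db = build_demo_db('heavy', 10)
    for user in ('cobb', 'heavy'):
        print(user, 'per-group queries:', per_group_lookup(db, user)[2],
              'joined queries:', joined_lookup(db, user)[2])
```

Both forms return the same check and reply items in the same priority order; only the round-trip count differs, which is the point made in the post.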


Re: rlm_sql.c in 2.0.0-pre2

2007-06-20 Thread Alan DeKok
Alexander Serkin wrote:
> Hi,
> Is the "read_groups" configuration parameter reading strings 
> intentionally removed from rlm_sql.c? Why?

  I don't think it was ever added.  I'm not sure the functionality is
even tested.

  i.e. Does it work?

  Alan DeKok.


Re: mschapv2 and users file

2007-06-20 Thread tnt
Use Cleartext-Password and operator :=

That listing seems to be from the attempt with NT-Password. That entry
should also use := as the operator.

Ivan Kalik
Kalik Informatika ISP


Dana 20/6/2007, "Matt Cobb" <[EMAIL PROTECTED]> piše:

>I have freeradius 1.1.4 setup as a proxy to an upstream radius server
>which works.  I also want to put guests in a local users file and use
>MSCHAPV2 on them, but didn't get it to work.  I was able to get PAP and
>CHAP working.  Here is the MSCHAPV2 configuration I tried:
>
> 
>
>users file:
>
>cobb User-Password=="secret"
> 
>
>How do I configure MSCHAPv2 to a local users file?
>
>
>



Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Alan DeKok
Colleen C. Morrissey wrote:
> I don't have the clear text password.  Your original reply said this 
> would work with clear text password or nt hash.  I have the NT hash 
> and/or I can get the SHA1 base 64 encoded password (which was working 
> with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
> I don't manage the ldap service so getting the clear text password will 
> not be easy and may not be possible organizationally.   Thanks.

  Hmm.. OK.

  In that case your best bet may be to grab the current code from CVS.
See the web page for how to do CVS logins, etc.  Then,

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r branch_1_1 -d freeradius-1.1.7pre radiusd

  And the "freeradius-1.1.7pre" directory will contain a version that
fixes the issue you're seeing in the mschap module.

  Alan DeKok.


Re: authenticating Linux and Windows servers with freeradius

2007-06-20 Thread Alan DeKok
vasanth kumar wrote:
> Hi everybody,
>  This is sambu, I have configured FreeRadius-1.0.1-1

  Why?  Please install 1.1.6.

> ... My question is how to authenticate both Windows and Linux
> servers and ssh,telnet,ftp,apache running on different machines with
> Freeradius server. Is it possible to authenticate both Linux and Windows
> server and all other services with Freeradius? Please help me.

  For Windows, see "pgina".  For Linux, you can authenticate users, but
you'll still need a way to set UID, GID, home directory, etc.  The PAM
RADIUS module doesn't do that.

  Alan DeKok.


Re: Multiple Databases

2007-06-20 Thread Alan DeKok
Abdul Qadir wrote:
> I am using freeradius with SER and oracle. Currently i have one
> domain for my SER. I want my SER to support another domain and separate
> database for second domain. Is it possible to configure Radius server to
> connect with two databases and perform queries based on URI or some
> other criteria eg. [EMAIL PROTECTED] should go to domainA database and
> [EMAIL PROTECTED] should go to domainB database.

  Yes.

  See the examples and documentation.

  Alan DeKok.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Arran Cudbard-Bell
Colleen C. Morrissey wrote:
> Hi,
>
>
>   
>>   Why?  If you have the clear-text password on the server, you can just
>> compare the two.  There's no need to configure rlm_pap to do the NT hash.
>>
>> 
>
> I don't have the clear text password.  Your original reply said this 
> would work with clear text password or nt hash.  I have the NT hash 
> and/or I can get the SHA1 base 64 encoded password (which was working 
> with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
> I don't manage the ldap service so getting the clear text password will 
> not be easy and may not be possible organizationally.   Thanks.
>
>
>   
I know SHA1 will definitely work, as will NT but you will have to use 
the PAP module.
The nt hash should be written into the check item NT-Password, I think 
sha is SHA-Password.

If you're using LDAP, just enable auto header and it'll figure it out for 
you :). If you do use NT password, be sure the FreeRADIUS <-> LDAP nt 
hash password attribute mapping is correct.

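The point made across several of the replies above (Ivan's "use Cleartext-Password and :=" for MS-CHAPv2, Jay's admin.conf choice between clear, md5 and crypt storage, Alan's "if you have the clear-text password you can just compare", and Arran's NT-Password / SHA-Password with auto header), as an added example that is not from the replies or from rlm_pap or rlm_mschap: which stored password form lets which authentication method succeed, with PAP and CHAP verification actually carried out. The compatibility table and the header list are a subset assumed from the modules' documented behaviour; hashes are computed from constructed passwords; NT-Password is only treated as an opaque stored value because MD4 is not assumed to be available in the Python build; crypt storage is left out for the same reason.

```python
"""Added example, not from the replies above or from rlm_pap/rlm_mschap:
which stored password form lets which authentication method succeed, with
PAP and CHAP verification actually carried out.  Hashes are computed from
constructed passwords; NT-Password is treated as an opaque stored value."""
import base64
import hashlib
import hmac

# Constructed compatibility table (subset).  PAP (and EAP-GTC, which hands the
# server the password the same way) lets the server recompute any one-way
# form.  CHAP (RFC 1994) and MS-CHAPv2 send a response computed over the
# secret, so the server needs the cleartext (CHAP) or cleartext/NT hash.
USABLE = {
    'PAP': {'Cleartext-Password', 'Crypt-Password', 'MD5-Password',
            'SHA-Password', 'NT-Password'},
    'CHAP': {'Cleartext-Password'},
    'MS-CHAPv2': {'Cleartext-Password', 'NT-Password'},
}

# Password headers that auto_header turns into check attributes (assumed
# subset of rlm_pap's prefix list; matched case-insensitively).
HEADERS = {'{clear}': 'Cleartext-Password', '{cleartext}': 'Cleartext-Password',
           '{crypt}': 'Crypt-Password', '{md5}': 'MD5-Password',
           '{sha}': 'SHA-Password', '{nt}': 'NT-Password'}


def make_stored(password, method):
    """Stored value for an admin.conf-style storage method, in headed form.
    'crypt' is left out: it needs crypt(3)."""
    pw = password.encode()
    if method == 'clear':
        return '{clear}' + password
    if method == 'md5':
        return '{MD5}' + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if method == 'sha':
        return '{SHA}' + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    raise ValueError('unknown storage method: ' + method)


def split_header(stored):
    """'{SHA}xxxx' -> ('SHA-Password', 'xxxx').  An unprefixed value is
    treated as cleartext (this example's choice, not a claim about rlm_pap)."""
    head, sep, rest = stored.partition('}')
    if sep and head.startswith('{'):
        attr = HEADERS.get((head + '}').lower())
        if attr:
            return attr, rest
    return 'Cleartext-Password', stored


def possible_methods(check_items):
    """Authentication methods that can be verified against the items present."""
    present = set(check_items)
    return sorted(m for m, forms in USABLE.items() if present & forms)


def _digest_bytes(stored, size):
    """Stored hashes may be hex or base64; try hex only at the hex length."""
    if len(stored) == 2 * size:
        try:
            return bytes.fromhex(stored)
        except ValueError:
            pass
    return base64.b64decode(stored)


def pap_verify(check_items, password):
    """PAP: the client sent the password itself, so compare or re-hash."""
    pw = password.encode()
    if 'Cleartext-Password' in check_items:
        return hmac.compare_digest(check_items['Cleartext-Password'].encode(), pw)
    for attr, algo in (('SHA-Password', 'sha1'), ('MD5-Password', 'md5')):
        if attr in check_items:
            h = hashlib.new(algo, pw)
            return hmac.compare_digest(h.digest(),
                                       _digest_bytes(check_items[attr], h.digest_size))
    raise ValueError('password form not modelled here: ' + ', '.join(sorted(check_items)))


def chap_response(chap_id, password, challenge):
    """RFC 1994 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def chap_verify(check_items, chap_id, challenge, response):
    """CHAP can only be checked by recomputing the response from the
    cleartext; a stored SHA/MD5/crypt hash is useless here, which is why a
    hashed store breaks CHAP and MS-CHAPv2 while PAP keeps working."""
    if 'Cleartext-Password' not in check_items:
        raise ValueError('CHAP needs Cleartext-Password; stored: '
                         + ', '.join(sorted(check_items)))
    expected = chap_response(chap_id, check_items['Cleartext-Password'], challenge)
    return hmac.compare_digest(expected, response)


if __name__ == '__main__':
    for method in ('clear', 'md5', 'sha'):
        items = dict([split_header(make_stored('secret', method))])
        print(method, items, possible_methods(items), pap_verify(items, 'secret'))
```

The users-file fix Ivan gives follows from the table: `Cleartext-Password := "..."` is the one form that satisfies all three columns, and MS-CHAPv2 from an LDAP directory that only holds SHA hashes cannot work no matter how the module is configured.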