Second level authentication.
Hi Ivan,

What I meant is: you type "enable", but the password you give should be authenticated by the RADIUS server, not the "enable password" stored on the device. I am not sure whether it is possible or not, but I just wanted to know from the experts.

Thanks,
Ashish

On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]
You can reach the person managing the list at [EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."

Today's Topics:
1. Second level authentication. (ashish verma)
2. Re: Second level authentication. ([EMAIL PROTECTED])
3. Re: TLS cant connect ldap+freeradius+novell ([EMAIL PROTECTED])
4. Re: Quirky question about rewriting usernames (Cliff Cole)
5. Re: Second level authentication. (Claudiu Filip)
6. Re: TLS cant connect ldap+freeradius+novell (Martin G)

--
Message: 1
Date: Thu, 19 Jul 2007 22:21:30 +0530
From: "ashish verma" <[EMAIL PROTECTED]>
Subject: Second level authentication.
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi Stefan,

I read the document and thanks for giving the link; that was helpful.

Well, I think I put my question in a wrong way. Let me put it in a different way.

I don't want the user to go directly into priv mode. Through priv level = 15 we directly get into priv level, right? What I am looking for is that first the user gets into user level and then, with another password, into level 2 (not with the enable password). It should be through the RADIUS server.

Ashish

-- next part --
An HTML attachment was scrubbed...
URL: https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/4c1e3a0e/attachment-0001.html

--
Message: 2
Date: Thu, 19 Jul 2007 18:13:00 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Second level authentication.
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

You want a shell user to get to privilege mode without typing "enable" and knowing the enable password? I am quite certain that Cisco spent many years making sure that's impossible. If you find a way to do that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP

Dana 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> piše:

>Hi Stefan,
>
>I read the document and thanks for giving the link, that was helpful.
>
>Well I think I put my question in a wrong way.
>Let me put it in a different way.
>
>I don't want the user to go directly in priv mode.
>Through priv level = 15 we directly get into priv level, right?
>
>What I am looking for is first the user gets into user level and then with
>another password into level 2 (not with the enable password). It should be
>through the RADIUS server.
>
>
>Ashish
>

--
Message: 3
Date: Thu, 19 Jul 2007 18:19:59 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: TLS cant connect ldap+freeradius+novell
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

>Any idea how to type the FQDN !? :(

Well, if this was your server:

>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

the FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP

--
Message: 4
Date: Thu, 19 Jul 2007 13:30:23 -0400
From: "Cliff Cole" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=WINDOWS-1252; format=flowed

Once again, I am backwards on my wording, I am so sorry. This should be correct.

IF the username does have @domain.com and NAS = "NAS A"
THEN continue with username as is

IF the username does not have @domain.com and NAS = "NAS A"
THEN append the @domain.com

I have been trying the hints file. I'm able to append @domain.com but do not know how to check for @domain.com and continue if the @domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == "255.255.255.255"
        User-Name := "[EMAIL PROTECTED]"

This part works great and hopefully I'
Segfault with -X and rlm_krb5 under Fedora 7 x86_64
This may be a Fedora/Kerberos issue rather than a Freeradius issue, but...

Has anyone experienced "radiusd -X" segfaulting when using rlm_krb5? This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1 built from source tarballs. (I am trying to migrate to this environment from a working freeradius-1.1.0 / Fedora Core 2 / i686 installation.)

The segfault is actually occurring in the Kerberos libraries, which means that Freeradius might not be the issue; however, the segfault occurs only when radiusd is given the "-X" or "-sfxx" options. I.e. "radiusd -sfx" and "radiusd" work as expected, and do not segfault. (One thing off the top of my head: does this point to something possibly happening when debug_flag is >= 2?)

The killer request:

radtest testuser testpass localhost 1 testing123

Below are my users and radiusd.conf files. Full gdb output from a segfault case follows.

So, this isn't a bug report... I'm just hoping for tips on how to proceed. Thanks in advance for any clues.

-Matt

### begin complete users file ###
DEFAULT Auth-Type := Kerberos
### end complete users file ###

### begin partial radiusd.conf ###
# stuff that was changed from the default 1.1.6 radiusd.conf :
prefix = /opt/radius
localstatedir = /var
user = radiusd
group = radiusd
log_auth = yes
proxy_requests = no

modules {
        krb5 {
                keytab = radius-krb5.keytab
                service_principal = radius
        }
}

authenticate {
        Auth-Type Kerberos {
                krb5
        }
}
### end partial radiusd.conf ###

### begin gdb output ###
[EMAIL PROTECTED] raddb]# gdb radiusd
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run -X
Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912517212928 (LWP 25560)]
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/radius/etc/raddb/clients.conf
Config: including file: /opt/radius/etc/raddb/snmp.conf
Config: including file: /opt/radius/etc/raddb/eap.conf
Config: including file: /opt/radius/etc/raddb/sql.conf
 main: prefix = "/opt/radius"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/opt/radius/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/opt/radius/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
 krb5: keytab = "radius-krb5.keytab"
 krb5: service_principal = "radius"
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/opt/radius/etc/raddb/huntgroups"
 preprocess: hints = "/opt/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess:
2.0 mysql.sql
Peter - a couple of things about the MySQL stuff:

1) I just noticed that the ./docs/examples/mysql.sql schema in the 2.0 HEAD doesn't look right:

#
# Table structure for table 'radippool'
#
CREATE TABLE radippool (
  id int(11) unsigned NOT NULL auto_increment,
  pool_name varchar(30) NOT NULL,
  FramedIPAddress varchar(15) NOT NULL default ,
  NASIPAddress varchar(15) NOT NULL default ,
  CalledStationId VARCHAR(30) NOT NULL,
  CallingStationID VARCHAR(30) NOT NULL,
  expiry_time DATETIME NOT NULL default '-00-00 00:00:00',
  username varchar(64) NOT NULL default ,
  pool_key varchar(30) NOT NULL,
  PRIMARY KEY (id)
);

Note the missing default values. The 1.1.7 branch has a more correct looking version.

2) Also, I just noticed in the 2.0 mysql-ippool-dialup.conf, the allocate-clear query has ...

allocate-clear = "UPDATE ${ippool_table} \
  SET NASIPAddress = '', pool_key = 0, \
  CallingStationID = '', username = '', \
  expiry_time = '-00-00 00:00:00' \
  WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress = '%{Nas-IP-Address}'"

Note the lower case 'nasipaddress'. Pretty please remember that MySQL on Windows is cASe SenSITiVe when it comes to column names. Well, by default. Yes, one can make the names case insensitive, but that can cause problems. And yeah, there aren't many of us using MySQL on Windows behind FR, but I happen to be one of them. Don't ask. :)

FYI, slippool.conf in 1.1.7 has the correct case-ification.

-- hugh

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: New freeradius installation
Lisa Casey wrote:
> But if I make changes to my users file (and accidentally make a mistake), I
> get errors regarding that of course when I restart radius, but I also get
> errors regarding the radiusd.conf file.

No, those errors are saying "radiusd.conf says to load the files module, which says to load the users file, but something went wrong".

> I correct the error in the users file and get no more complaints regarding
> radiusd.conf
>
> Why?

If something goes wrong with your car, a little red light often shows up on the dashboard. But the light isn't the problem, it's just the complaint about the problem.

The same thing applies here.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 3COM sw4500 802.1x Problem
Aydın KOÇAK wrote:
> Hello;
> I could solve my problem by changing the Auth-Type attribute to EAP in LDAP and
> everything is ok.

Don't do that.

If anyone is reading the archive of this list, don't do that.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mod_auth_radius
Rascher, Markus wrote:
> # service httpd start
> Starting httpd: httpd: Syntax error on line 205 of
> /etc/httpd/conf/httpd.conf: Cannot load
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf

There are patches to make the module build with newer versions of Apache. They should really be applied, but I've been busy with other things.

Once that's done, a new version of the module should be released.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem in EAP-TLS Authentication
Govardhana K N wrote:
> I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in
> "eap.conf", I tried sending a RADIUS Access-Request with an EAP-Identity
> response. The server is crashing because of a segmentation fault. The debug
> log from the server is given below.

See doc/bugs

The problem is most likely that the dynamic linker can't find the libraries it needs.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for WiMAX VSA
Walter Goulet wrote:
> Question on your planned contribution to FreeRADIUS: Does your module
> support the key generation algorithms for the WiMAX mobility keys?
> Specifically, is your module able to correctly generate the
> MN-HA-MIP4-KEY and related key material from the EMSK derived as part
> of the EAP exchange?
>
> Personally this was seen as the biggest challenge towards building NWG
> compliance into FreeRADIUS as opposed to VSA format.

If there is sufficient interest in getting the work done, there are ways of getting the work done.

My goal (if it wasn't obvious by now) is to make FreeRADIUS the default WiMAX AAA server. If we add MIP4 and MIP6 support, I won't complain.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for WiMAX VSA
Nitin Naveen wrote:
> Hi, I am Nitin Naveen working with HUGHES SYSTIQUE. We have been working to
> enhance freeradius to support WiMAX VSA (as per WiMAX NWG forum). WiMAX
> VSA are not the typical type-length-value; rather they have
> type-length-controlinfo-value.

Yes..

> We have enhanced the dictionary but we were not able to generate the
> attributes as per the WiMAX NWG format. For now we have developed our own
> rlm_hsc_wimax module. We would like to contribute to freeradius so that the
> WiMAX VSA are supported as part of the standard distribution. To this end
> we can share our code. But before that we would like to follow the correct
> procedure for releasing the code.

Submit a feature request on bugs.freeradius.org. Add the patch as an attachment. Make sure that the code has the GPL license in it. The FreeRADIUS code currently does this. Copyright can remain with you.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
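An added illustration of the type-length-controlinfo-value layout Nitin describes; this is not code from the thread, from rlm_hsc_wimax, or from FreeRADIUS. It is a small Python encoder/decoder that wraps a WiMAX sub-attribute inside RADIUS Vendor-Specific (type 26) attributes and splits a value that does not fit into one attribute across several of them, using a continuation bit in the control octet. The vendor ID 24757 and the convention that the high bit of the control octet means "more fragments follow" are assumptions (they match the "1,1,c" vendor format used for WiMAX in FreeRADIUS dictionaries), so check them against your copy of the NWG specification; the sample values are constructed.

```python
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
WIMAX_VENDOR_ID = 24757       # WiMAX Forum enterprise number (assumption; check your dictionary)
CONTINUATION = 0x80           # high bit of the control octet: more fragments of this value follow
MAX_ATTR_LEN = 255            # a RADIUS attribute Length is a single octet
# Outer header is Type+Length+Vendor-Id (6 octets); sub-attribute header is
# Vendor-Type+Vendor-Length+Control (3 octets); so one VSA carries at most:
MAX_CHUNK = MAX_ATTR_LEN - 6 - 3   # 246 octets of value


def encode_wimax_vsa(vendor_type: int, value: bytes) -> list:
    """Wrap one WiMAX sub-attribute (type-length-controlinfo-value) in RADIUS VSAs.

    A value longer than MAX_CHUNK is split over several VSAs; every fragment but
    the last sets CONTINUATION in its control octet so the receiver reassembles it.
    """
    chunks = [value[i:i + MAX_CHUNK] for i in range(0, len(value), MAX_CHUNK)] or [b""]
    vsas = []
    for index, chunk in enumerate(chunks):
        control = CONTINUATION if index < len(chunks) - 1 else 0
        sub = struct.pack("!BBB", vendor_type, len(chunk) + 3, control) + chunk
        vsas.append(struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, WIMAX_VENDOR_ID) + sub)
    return vsas


def decode_wimax_vsas(vsas: list) -> dict:
    """Parse VSAs back into {vendor_type: value}, reassembling continued fragments.

    Rejects anything that is not a well-formed WiMAX VSA, and a stream whose last
    fragment still has the continuation bit set (a truncated value).
    """
    complete, pending = {}, {}
    for vsa in vsas:
        attr_type, length, vendor_id = struct.unpack("!BBI", vsa[:6])
        if attr_type != VENDOR_SPECIFIC or vendor_id != WIMAX_VENDOR_ID or length != len(vsa):
            raise ValueError("not a well-formed WiMAX Vendor-Specific attribute")
        pos = 6
        while pos < length:
            if pos + 3 > length:
                raise ValueError("sub-attribute header runs past the attribute")
            vendor_type, sub_len, control = struct.unpack("!BBB", vsa[pos:pos + 3])
            if sub_len < 3 or pos + sub_len > length:
                raise ValueError("malformed WiMAX sub-attribute length")
            pending[vendor_type] = pending.get(vendor_type, b"") + vsa[pos + 3:pos + sub_len]
            if not control & CONTINUATION:
                complete[vendor_type] = pending.pop(vendor_type)
            pos += sub_len
    if pending:
        raise ValueError("truncated value(s) for vendor type(s) %s" % sorted(pending))
    return complete


if __name__ == "__main__":
    # Constructed sample: a 512-octet value that cannot fit in one attribute.
    long_value = bytes(range(256)) * 2
    fragments = encode_wimax_vsa(5, long_value)
    print(len(fragments), "fragments; control octets:", [f[8] for f in fragments])  # 3 [128, 128, 0]
    print(decode_wimax_vsas(fragments) == {5: long_value})                          # True
```

The receiving side has to accumulate fragments per vendor type across consecutive VSAs, which is exactly what a plain TLV dictionary entry cannot express; that is why a dictionary tweak alone does not produce NWG-format attributes and a module (or a vendor format the dictionary parser understands) is needed.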
Re: 1.1.7 sqlippool %{SQL-User-Name}
Hugh Messenger wrote:
> It's been pretty darn stable for me in 1.1.6. And now we've gotten the
> MySQL stuff whipped into shape and fixed a few other issues for 1.1.7, I'd
> say it's ready for Prime Time.
>
> Alan?

I have that Internet thing working again, so yes. Tomorrow looks good.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Quirky question about rewriting usernames
Use regular expressions:

http://wiki.freeradius.org/Operators

Check for @, or that it doesn't end with @domain.com, or whatever you fancy.

Ivan Kalik
Kalik Informatika ISP

Dana 19/7/2007, "Cliff Cole" <[EMAIL PROTECTED]> piše:

>Once again, I am backwards on my wording, I am so sorry. This should
>be correct.
>
>IF the username does have @domain.com and NAS = "NAS A"
>THEN continue with username as is
>
>IF the username does not have @domain.com and NAS = "NAS A"
>THEN append the @domain.com
>
>I have been trying the hints file. I'm able to append @domain.com but
>do not know how to check for @domain.com and continue if the
>@domain.com is present.
>
>Here is what I have in my hints file.
>
>DEFAULT NAS-IP-Address == "255.255.255.255"
>        User-Name := "[EMAIL PROTECTED]"
>
>This part works great and hopefully I'm FINALLY clear on what I'm
>trying to accomplish.
>
>Cliff
>
>
>On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> How about the other way around:
>>
>> IF the username does not have @domain.com and NAS = "NAS A"
>> THEN continue with username as is
>>
>> IF the username has @domain.com and NAS = "NAS A"
>> THEN strip @domain.com
>>
>> That works by default. If you want to keep it the other way around have a
>> look at the hints file.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
>> Dana 19/7/2007, "Cliff Cole" <[EMAIL PROTECTED]> piše:
>>
>> >Thanks for the reply. I'm new to FreeRADIUS and have been
>> >overwhelmed with documentation the past few days. Let me explain in
>> >some logic and maybe I can make some sense as to what I'm trying to
>> >do.
>> >
>> >User authentication comes from "NAS A"
>> >
>> >IF the username does not have @domain.com and NAS = "NAS A"
>> >THEN append @domain.com
>> >
>> >IF the username has @domain.com and NAS = "NAS A"
>> >THEN continue with username as is.
>> >
>> >Hope this helps to clear up what I'm trying to do. I apologize for
>> >not being very clear.
>> >
>> >Thanks
>> >
>> >Cliff
>> >
>> >
>> >
>> >On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
>> >> Hi
>> >>
>> >> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
>> >> > Hello all.
>> >> >
>> >> > Here is my issue. This is very weird and would only affect one NAS.
>> >> > I'm not sure freeradius is capable of this. I want a username that
>> >> > comes in to be checked for an @domainname. If the domainname is there I
>> >> > want it to be stripped and added back later. If the domainname is not
>> >> > there I'd like it to continue and have the domainname added later in
>> >> > the authentication process. I hope this makes sense and any help is
>> >> > appreciated
>> >>
>> >> What do you mean by 'later'? You can definitely check for the presence
>> >> of the domain, you can strip it and add it again. You just have to define
>> >> the flow. rlm_attr will be of help to you (for both stripping and
>> >> adding).
>> >>
>> >> kind regards
>> >> Pshem
>> >> -
>> >> List info/subscribe/unsubscribe? See
>> >> http://www.freeradius.org/list/users.html
>> >>
>> >-
>> >List info/subscribe/unsubscribe? See
>> >http://www.freeradius.org/list/users.html
>> >
>> >
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
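Ivan's suggestion in concrete form, as an added example that is not from the thread: a hints entry in the rlm_preprocess / users-file syntax of FreeRADIUS 1.x that appends the realm only when the incoming User-Name has none. The NAS address, the realm name, and the use of %{User-Name} expansion in a hints reply item are assumptions; confirm in the `radiusd -X` output that User-Name is rewritten exactly once for a bare name and not at all for a name that already carries a realm.

```text
# hints: for NAS A only, append @domain.com when the name has no realm at all.
# Check items are on the first line; the reply item (the rewrite) is indented below it.
DEFAULT NAS-IP-Address == 192.0.2.10, User-Name !~ "@"
        User-Name := "%{User-Name}@domain.com"

# Names that already contain "@" do not match the entry above and pass through unchanged.
# Stricter variant if only the exact realm should be left alone (a bare "." would match
# any character, so the dot is bracketed):
#
# DEFAULT NAS-IP-Address == 192.0.2.10, User-Name !~ "@domain[.]com$"
#         User-Name := "%{User-Name}@domain.com"
```

Checking for any "@" rather than for the exact realm avoids turning user@other.com into user@other.com@domain.com; if that case must be handled differently, use the stricter pattern and add an explicit entry for it.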
Re: Second level authentication.
Hi,

> You want a shell user to get to privilege mode without typing
> "enable" and knowing the enable password? I am quite certain that Cisco
> spent many years making sure that's impossible. If you find a way to do
> that you can blackmail them for a hell of a lot of money.

err, TACACS+ with priv_lvl 15 - they helped write that protocol

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS cant connect ldap+freeradius+novell
I've found the following on the Novell server (CA service):

Distinguished name: WIFITREE CA.Security
Host server: NW1.SYSTEM.WIFI

"NW1" would be the server name and "NW1.SYSTEM.WIFI" the FQDN?

I added the info in all kinds of sorts in my hosts file, pointing to the Novell IP, on the Linux server, but still no progress :(

Still:

ldapsearch -vvv -h NW1.SYSTEM.WIFI wifi -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
ldap_initialize( ldap://wifi )
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match CN in peer certificate
filter: cn=lotta
requesting: All userApplication attributes

Any good idea!? (I've added the Novell server's DNS IP to the ifconfig-dns of the Linux box also, but no help from that either.)

/Mr G

>>Any idea how to type the FQDN !? :(
>
>Well if this was your server:
>
>>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
>
>FQDN would be: messenger.msn.click-url.com
>
>Ivan Kalik
>Kalik Informatika ISP
>
>- List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>From: "Martin G" <[EMAIL PROTECTED]>
>Reply-To: FreeRadius users mailing list
>To: freeradius-users@lists.freeradius.org
>Subject: Re: TLS cant connect ldap+freeradius+novell
>Date: Thu, 19 Jul 2007 18:05:22 +0200
>
>Subject of the novell-server-certificate is : O = WIFITREE
>OU = Organizational CA
>And that's no FQDN!?
>(I exported it from the Novell as a .der and extracted it to see the
>subject, maybe the wrong way to do it? I haven't exported the private key with
>either the .b64 or the .der and that shouldn't matter?)
>
>*output from novell*
>Subject name: OU=Organizational CA.O=WIFITREE
>Issuer name: OU=Organizational CA.O=WIFITREE
>Effective date: den 22 oktober 2005 23:04:08
>Expiration date: den 22 oktober 2015 23:04:08
>Certificate status: Valid
>
>Any idea how to type the FQDN !? :(
>
>(Thx for all the good answers this far!)
>
>/Mr G
>
>
> >From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]>
> >Reply-To: FreeRadius users mailing list
> >To: FreeRadius users mailing list
> >Subject: Re: TLS cant connect ldap+freeradius+novell
> >Date: Thu, 19 Jul 2007 17:51:24 +0200
> >
> >Hm.
> >
> >Martin G wrote:
> > > Sorry, when I tried to rehash my certificate, I'd changed its path, but now
> > > it's back and I got a new output from my ldapsearch command:
> > >
> > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> > > ldap_initialize( ldap://10.10.0.11 )
> > > ldap_start_tls: Connect error (-11)
> > >         additional info: TLS: hostname does not match CN in peer certificate
> >
> >What is the CN in the SubjectDN of the ldap server's certificate? Is it a
> >FQDN?
> >
> >If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS
> >server can't find the FQDN. Try to call ldapsearch with the -h FQDN option.
> >
> >Is the above warning going away?
> >
> > > filter: cn=lotta
> > > requesting: All userApplication attributes
> > > # extended LDIF
> > > #
> > > # LDAPv3
> > > # base with scope subtree
> > > # filter: cn=lotta
> > > # requesting: ALL
> > > #
> > >
> > > # lotta, ADM, MALMO, WIFI
> > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI
> > > zenzfdVersion::
> >
> >Something is at least working. It's not SSL secured though.
> >
> >...
> >
> > > I've also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the
> > > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf
> > > as I did forget before.
> >
> >slapd.conf is the config file of the openldap *server*. Messing with this
> >file should not change anything. Or was that a typo?
> >
> > > Do I need to convert the certificate to .pem, and how, if the c_rehash
> > > doesn't work?
> >
> >If tls_cacertdir is not set, then don't use c_rehash.
> >
> >Set tls_cacertfile to a single ASCII file containing all PEM formatted CA
> >certificates of the CA certificate chain that is needed to validate your
> >ldap server's certificate. Concatenate these PEM formatted CA certs into this
> >single ASCII file.
> >
> >And I forgot, set ldap_debug to -1 in the radius config file.
> >
> >Don't send your ldap server's password in log files ;-)
> >
> >...
> > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = "/etc/freeradius/certs/WIFITREE_CA.b64"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)"
> > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile =
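Reimer's advice quoted above is to point tls_cacertfile at one PEM file holding the whole CA chain. As an added example that is not from the thread, here is a Python helper that takes the chain in whatever forms the exports come in (raw DER, bare base64 of DER such as a .b64 export, or PEM, possibly already containing several certificates) and produces that single concatenated PEM bundle. That a .b64 export is base64 of DER is an assumption; the sample certificate bytes are a constructed placeholder, not a real certificate, and the conversion does not parse or validate the certificate contents.

```python
import base64
import binascii
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholder standing in for DER certificate bytes (a DER SEQUENCE
# starts with 0x30); it is not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def pem_blocks(blob: bytes) -> list:
    """Turn one input file's bytes into a list of PEM certificate strings.

    Accepts a PEM file (with one or more certificates), raw DER, or bare base64 of
    DER without the BEGIN/END armour. Raises ValueError for anything else.
    """
    if blob.lstrip().startswith(b"-----BEGIN"):
        blocks = PEM_BLOCK.findall(blob.decode("ascii", errors="replace"))
        for block in blocks:
            ssl.PEM_cert_to_DER_cert(block)      # raises ValueError on damaged armour
        return [block + "\n" for block in blocks]
    if blob[:1] == b"\x30":                      # ASN.1 SEQUENCE tag: raw DER
        return [ssl.DER_cert_to_PEM_cert(blob)]
    try:
        der = base64.b64decode(b"".join(blob.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("input is neither PEM, DER nor base64") from exc
    if der[:1] != b"\x30":
        raise ValueError("base64 payload does not decode to a DER certificate")
    return [ssl.DER_cert_to_PEM_cert(der)]


def build_ca_bundle(blobs) -> str:
    """Concatenate every certificate of the chain into the single PEM file
    that tls_cacertfile (and OpenLDAP's TLS_CACERT) expects."""
    return "".join(pem for blob in blobs for pem in pem_blocks(blob))


def certificate_count(bundle: str) -> int:
    return len(PEM_BLOCK.findall(bundle))


def bundle_to_der(bundle: str) -> list:
    """DER bytes of each certificate in a bundle, in order."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_BLOCK.findall(bundle)]


def sample_bundle() -> str:
    """The same constructed certificate supplied three ways: DER, bare base64, PEM."""
    as_b64 = base64.b64encode(SAMPLE_DER) + b"\n"
    as_pem = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode()
    return build_ca_bundle([SAMPLE_DER, as_b64, as_pem])


if __name__ == "__main__":
    bundle = sample_bundle()
    print(certificate_count(bundle), "certificates in bundle")   # 3
    # Real use: build_ca_bundle([open(p, "rb").read() for p in chain_files])
    # and write the result to the file named by tls_cacertfile.
```

Two things the thread touches on that the file format does not fix. First, the name ldapsearch compares against the hostname is the CN of the LDAP server's own certificate, not of the CA certificate; the "OU=Organizational CA" subject posted above is the CA, so the server certificate still needs to be inspected. Second, with tls_require_cert = "allow" (as in the debug output quoted above), OpenLDAP requests the server certificate but proceeds even when it is missing or fails to verify, so the session is encrypted but the server is not authenticated; switch it to "demand" once the bundle and the hostname match, otherwise anyone on the path can present any certificate.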
Re: Second level authentication.
Hi ashish,

First of all, WHY would you need such a setup?

Afaik, Cisco will send a request to RADIUS for user '$enable15$' whenever someone tries to "enable".

Run freeradius in debug mode (radiusd -X) and then log in as one of your users. Type "enable" and the Cisco will send a request to the radiusd. From the debugging session, save that request. Log out, log in on the Cisco as another username. Type "enable" and the same password. From the debugging radius session, save the new request.

If you see any relevant differences between the two requests, you may be able to make freeradius do what you want. If the requests are the same, you realize there is no way to figure out the user behind each request.

Best regards,
Claudiu Filip
@: [EMAIL PROTECTED]
Http://www.globtel.ro
T:+40344880100
F:+40344880113

Thursday, July 19, 2007, 7:51:30 PM, you wrote:

> I don't want the user to go directly in priv mode. Through priv level = 15 we directly get into priv level, right? What I am looking for is first the user gets into user level and then with another password into level 2 (not with the enable password). It should be through the RADIUS server. Ashish

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Quirky question about rewriting usernames
Once again, I am backwards on my wording, I am so sorry. This should be correct.

IF the username does have @domain.com and NAS = "NAS A"
THEN continue with username as is

IF the username does not have @domain.com and NAS = "NAS A"
THEN append the @domain.com

I have been trying the hints file. I'm able to append @domain.com but do not know how to check for @domain.com and continue if the @domain.com is present.

Here is what I have in my hints file.

DEFAULT NAS-IP-Address == "255.255.255.255"
        User-Name := "[EMAIL PROTECTED]"

This part works great and hopefully I'm FINALLY clear on what I'm trying to accomplish.

Cliff

On 7/19/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> How about the other way around:
>
> IF the username does not have @domain.com and NAS = "NAS A"
> THEN continue with username as is
>
> IF the username has @domain.com and NAS = "NAS A"
> THEN strip @domain.com
>
> That works by default. If you want to keep it the other way around have a
> look at the hints file.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> Dana 19/7/2007, "Cliff Cole" <[EMAIL PROTECTED]> piše:
>
> >Thanks for the reply. I'm new to FreeRADIUS and have been
> >overwhelmed with documentation the past few days. Let me explain in
> >some logic and maybe I can make some sense as to what I'm trying to
> >do.
> >
> >User authentication comes from "NAS A"
> >
> >IF the username does not have @domain.com and NAS = "NAS A"
> >THEN append @domain.com
> >
> >IF the username has @domain.com and NAS = "NAS A"
> >THEN continue with username as is.
> >
> >Hope this helps to clear up what I'm trying to do. I apologize for
> >not being very clear.
> >
> >Thanks
> >
> >Cliff
> >
> >
> >
> >On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
> >> Hi
> >>
> >> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> >> > Hello all.
> >> >
> >> > Here is my issue. This is very weird and would only affect one NAS.
> >> > I'm not sure freeradius is capable of this. I want a username that
> >> > comes in to be checked for an @domainname. If the domainname is there I
> >> > want it to be stripped and added back later. If the domainname is not
> >> > there I'd like it to continue and have the domainname added later in
> >> > the authentication process. I hope this makes sense and any help is
> >> > appreciated
> >>
> >> What do you mean by 'later'? You can definitely check for the presence
> >> of the domain, you can strip it and add it again. You just have to define
> >> the flow. rlm_attr will be of help to you (for both stripping and
> >> adding).
> >>
> >> kind regards
> >> Pshem
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
> >
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS cant connect ldap+freeradius+novell
>Any idea how to type the FQDN !? :(

Well, if this was your server:

>http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

the FQDN would be: messenger.msn.click-url.com

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Second level authentication.
You want a shell user to get to privilege mode without typing "enable" and knowing the enable password? I am quite certain that Cisco spent many years making sure that's impossible. If you find a way to do that you can blackmail them for a hell of a lot of money.

Ivan Kalik
Kalik Informatika ISP

Dana 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> piše:

>Hi Stefan,
>
>I read the document and thanks for giving the link, that was helpful.
>
>Well I think I put my question in a wrong way.
>Let me put it in a different way.
>
>I don't want the user to go directly in priv mode.
>Through priv level = 15 we directly get into priv level, right?
>
>What I am looking for is first the user gets into user level and then with
>another password into level 2 (not with the enable password). It should be
>through the RADIUS server.
>
>
>Ashish
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Second level authentication.
Hi Stefan,

I read the document and thanks for giving the link; that was helpful.

Well, I think I put my question in a wrong way. Let me put it in a different way.

I don't want the user to go directly into priv mode. Through priv level = 15 we directly get into priv level, right? What I am looking for is that first the user gets into user level and then, with another password, into level 2 (not with the enable password). It should be through the RADIUS server.

Ashish
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: New freeradius installation
Lisa Casey said:
> I correct the error in the users file and get no more complaints
> regarding radiusd.conf
>
> Why?

I've noticed this as well. I've always assumed it's a knock-on effect from the error in the users file. Same way missing a quote or a semicolon in something like perl can cause dozens of knock-on errors that go away when you fix the actual problem.

The configuration parsing in freeradius is very complex, so it wouldn't be surprising if a formatting error causes a 'cascade effect'. Or it might be because if the users file can't be read, then the 'files' module isn't instantiated.

Bottom line, I wouldn't worry about it. In fact, I don't worry about it. Fix the users file, everything works. :-)

> Lisa Casey

-- hugh
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RadiusClient
I'm trying to authenticate a Linux client against a RADIUS server. I've implemented the RADIUS server with FreeRADIUS and I've tested it with a Cisco client and it worked, but, unfortunately, I'm having serious problems authenticating the Linux client using RadiusClient.

I'm running the server in debug mode and when I send the password the server shows it's not plain text, it's something like "\211pe;\336." so I thought it could be a problem with the secret word. However, I've checked it in the "servers" file (at the client) and in the "clients.conf" file (at the server) and it's the same.

Something I found is that I don't seem to have the file radius.seq in /var/run; I would like to create it but I don't know what the sequence number is and I don't know what the format of the file should be.

I'd appreciate it a lot if somebody could help me.

Sofia
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
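Two threads above come down to what is, and is not, inside an Access-Request. Claudiu's suggestion (Re: Second level authentication) is to capture two "enable" requests and compare them; Sofia's symptom here, the password showing up as "\211pe;\336." in radiusd -X, is what a shared-secret mismatch looks like on the server side. The following added Python example, which is not code from the list or from FreeRADIUS, builds minimal Access-Requests with the RFC 2865 User-Password hiding and shows both points: the two enable requests differ only in NAS-Port (the shell user's name is never on the wire), and revealing a password with the wrong secret yields binary junk instead of the cleartext. The attribute set a Cisco NAS sends for "enable" (User-Name "$enable15$", NAS-IP-Address, NAS-Port) is assumed from Claudiu's description; addresses, secrets and authenticators are constructed.

```python
import hashlib
import socket
import struct

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed on the
    16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the keystream is wrong and
    the result is binary junk, which is what radiusd -X prints when the client's
    and the server's shared secrets disagree."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2-octet header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(secret: bytes, ident: int, authenticator: bytes, username: str,
                   password: str, nas_ip: str, nas_port: int) -> bytes:
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse(packet: bytes):
    """Return (code, identifier, authenticator, {type: raw value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, authenticator, attrs


def enable_requests(secret: bytes):
    """Two 'enable' requests as a Cisco NAS is assumed to send them: shell users
    alice (vty on NAS-Port 66) and bob (NAS-Port 67) both produce User-Name
    "$enable15$"; the shell user's own name appears nowhere in the packet."""
    ra_alice, ra_bob = bytes(range(16)), bytes(range(16, 32))   # constructed authenticators
    req_alice = access_request(secret, 1, ra_alice, "$enable15$", "enable-secret", "192.0.2.1", 66)
    req_bob = access_request(secret, 2, ra_bob, "$enable15$", "enable-secret", "192.0.2.1", 67)
    return req_alice, req_bob


def differing_attributes(secret: bytes, req_a: bytes, req_b: bytes) -> set:
    """Attribute types whose decoded values differ between two requests."""
    _, _, ra_a, attrs_a = parse(req_a)
    _, _, ra_b, attrs_b = parse(req_b)
    attrs_a[USER_PASSWORD] = reveal_password(secret, ra_a, attrs_a[USER_PASSWORD])
    attrs_b[USER_PASSWORD] = reveal_password(secret, ra_b, attrs_b[USER_PASSWORD])
    return {t for t in attrs_a.keys() | attrs_b.keys() if attrs_a.get(t) != attrs_b.get(t)}


if __name__ == "__main__":
    secret = b"testing123"
    a, b = enable_requests(secret)
    print("attributes that differ:", differing_attributes(secret, a, b))    # {5}, i.e. NAS-Port only
    print("shell user names on the wire:", b"alice" in a or b"bob" in b)   # False
    ra = bytes(range(16))
    hidden = hide_password(secret, ra, b"testpass")
    print(reveal_password(secret, ra, hidden))           # b'testpass'
    print(reveal_password(b"wrong-secret", ra, hidden))  # junk bytes, not b'testpass'
```

The Identifier and the Request Authenticator also differ between the two enable requests, but neither names the user; with a RADIUS-only enable prompt the only per-user handle is the NAS-Port, which is why Alan's pointer to TACACS+ priv_lvl is the real answer to Ashish's question. For Sofia's case, junk in the decoded User-Password means the secret the client actually loaded is not the one in clients.conf for that source address, however alike the two files look; a stray trailing character in one of them, or the server matching a different client entry than expected, are the usual causes, and both show up in the "radiusd -X" output.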
Re: TLS cant connect ldap+freeradius+novell
Subject of the Novell server certificate is: O = WIFITREE OU = Organizational CA And that's no FQDN!? (I exported it from the Novell as a .der and extracted it to see the subject, maybe the wrong way to do it? I haven't exported the private key with either the .b64 or the .der and that shouldn't matter?) *output from novell* Subject name: OU=Organizational CA.O=WIFITREE Issuer name: OU=Organizational CA.O=WIFITREE Effective date: 22 October 2005 23:04:08 Expiration date: 22 October 2015 23:04:08 Certificate status: Valid Any idea how to type the FQDN!? :( (Thx for all the good answers this far!) /Mr G >From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]> >Reply-To: FreeRadius users mailing list > >To: FreeRadius users mailing list >Subject: Re: TLS cant connect ldap+freeradius+novell >Date: Thu, 19 Jul 2007 17:51:24 +0200 > >Hm. > >Martin G wrote: > > Sorry, when i tried to rehash my certificate, id changed its path, but >now > > its back and i got a new output from my ldapsearch-command: > > > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou > > =adm,ou=malmo,o=wifi "cn=lotta" > > ldap_initialize( ldap://10.10.0.11 ) > > ldap_start_tls: Connect error (-11) > > additional info: TLS: hostname does not match CN in peer >certificate > >What is the CN in the SubjectDN of the ldap servers certificate? Is it a >FQDN? > >If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS >server can't find the FQDN. Try to call ldapsearch with -h FQDN option. > >Is above warning going away? > > > filter: cn=lotta > > requesting: All userApplication attributes > > # extended LDIF > > # > > # LDAPv3 > > # base with scope subtree > > # filter: cn=lotta > > # requesting: ALL > > # > > > > # lotta, ADM, MALMO, WIFI > > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI > > zenzfdVersion:: > >Something is at least working. It's not SSL secured though. > >... 
> > > > Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the > > TLSCertificateFile and TLSCertificateKeyFile from the >/etc/ldap/sldap.conf > > as i did forget before. > >slapd.conf is the config file of the openldap *server*. Messing with this >file should not change anything. Or was that a typo? > > > Do i need to convert the certificate to .pem and how if the c_rehash >dont > > work? > >If tls_cacertdir is not set, then don't use c_rehash. > >Set tls_cacertfile to a single ASCII file containing all PEM formatted CA >certificates of the CA certificate chain that is needed to validate your >ldap servers certificate. Concatenate these PEM formatted CA certs into >this >single ASCII file. > >And I forgot, set ldap_debug to -1 in the radius config file. > >Don't send your ldap servers password in log files ;-) > >... > > Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP > > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no > > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = > > "/etc/freeradius/certs > > /WIFITREE_CA.b64" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" > > Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = >"ou=adm,ou=malmo,o=wifi" >... 
> > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 > > Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no > >-- >Beste Gruesse / Kind Regards > >Reimer Karlsen-Masur > >DFN-PKI FAQ: https://www.pki.dfn.de/faqpki >-- >Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 >DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 >Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 ><< smime.p7s >> >- >List info/subscribe/unsubscribe? See >http://www.freeradius.org/list/users.html
Adding a ldap.attrb Dialuppassword to radius-ldap.schema
RHEL5/FreeRADIUS freeradius-1.1.3-1.2.el5/Fedora Directory Server. Scenario... Currently trying to move all our dial-up user entries from the users file to LDAP (FDS) and need to add an attribute in the radius LDAP schema which would contain the clear-text dial-in password for the dial-up users, and match the dial-in password against that password instead of the user's login password. What needs to be done to make this possible, if it is possible? (Users are already authenticated through LDAP except for their ADSL dial-in passwords, which are in clear text, and even if the passwords weren't in clear text and they could use their login password to log in, the users aren't smart enough and/or are technology challenged (or at least the majority of them) to know that if they change their login password they need to change it in the ADSL router as well.) Schema changes? Dictionary changes? ldap.attrmap changes? LDAP changes in radiusd.conf? (password_attribute already mapped to userPassword in the ldap section) Best regards Johann B. -- Johann B. Gudmundsson. RHCE,CCSA Unix System Engineer. IT Management. Reiknistofnun University of Iceland. Taeknigardi, Dunhaga 5. Email: [EMAIL PROTECTED] IS-107 Reykjavik. Phone: +354-525-4267 Iceland. Fax: +354-552-8801
Re: TLS cant connect ldap+freeradius+novell
Hm. Martin G wrote: > Sorry, when i tried to rehash my certificate, id changed its path, but now > its back and i got a new output from my ldapsearch-command: > > ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou > =adm,ou=malmo,o=wifi "cn=lotta" > ldap_initialize( ldap://10.10.0.11 ) > ldap_start_tls: Connect error (-11) > additional info: TLS: hostname does not match CN in peer certificate What is the CN in the SubjectDN of the ldap server's certificate? Is it a FQDN? If so, try to map IP# 10.10.0.11 to this FQDN via /etc/hosts if your DNS server can't find the FQDN. Try to call ldapsearch with the -h FQDN option. Is the above warning going away? > filter: cn=lotta > requesting: All userApplication attributes > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: cn=lotta > # requesting: ALL > # > > # lotta, ADM, MALMO, WIFI > dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI > zenzfdVersion:: Something is at least working. It's not SSL secured though. ... > > Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the > TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf > as i did forget before. slapd.conf is the config file of the openldap *server*. Messing with this file should not change anything. Or was that a typo? > Do i need to convert the certificate to .pem and how if the c_rehash dont > work? If tls_cacertdir is not set, then don't use c_rehash. Set tls_cacertfile to a single ASCII file containing all PEM formatted CA certificates of the CA certificate chain that is needed to validate your ldap server's certificate. Concatenate these PEM formatted CA certs into this single ASCII file. And I forgot, set ldap_debug to -1 in the radius config file. Don't send your ldap server's password in log files ;-) ... 
> Tue Jul 10 12:35:00 2007 : Debug: Module: Loaded LDAP > Tue Jul 10 12:35:00 2007 : Debug: ldap: server = "10.10.0.11" > Tue Jul 10 12:35:00 2007 : Debug: ldap: port = 389 > Tue Jul 10 12:35:00 2007 : Debug: ldap: net_timeout = 1 > Tue Jul 10 12:35:00 2007 : Debug: ldap: timeout = 4 > Tue Jul 10 12:35:00 2007 : Debug: ldap: timelimit = 3 > Tue Jul 10 12:35:00 2007 : Debug: ldap: identity = "cn=admin,o=wifi" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_mode = no > Tue Jul 10 12:35:00 2007 : Debug: ldap: start_tls = yes > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertfile = > "/etc/freeradius/certs > /WIFITREE_CA.b64" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_cacertdir = "(null)" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_certfile = "(null)" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_keyfile = "(null)" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_randfile = "(null)" > Tue Jul 10 12:35:00 2007 : Debug: ldap: tls_require_cert = "allow" > Tue Jul 10 12:35:00 2007 : Debug: ldap: password = "novell" > Tue Jul 10 12:35:00 2007 : Debug: ldap: basedn = "ou=adm,ou=malmo,o=wifi" ... > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_debug = 0 > Tue Jul 10 12:35:00 2007 : Debug: ldap: ldap_connections_number = 5 > Tue Jul 10 12:35:00 2007 : Debug: ldap: compare_check_items = no -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: TLS cant connect ldap+freeradius+novell
Sorry, when i tried to rehash my certificate, id changed its path, but now its back and i got a new output from my ldapsearch-command: ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou =adm,ou=malmo,o=wifi "cn=lotta" ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) additional info: TLS: hostname does not match CN in peer certificate filter: cn=lotta requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base with scope subtree # filter: cn=lotta # requesting: ALL # # lotta, ADM, MALMO, WIFI dn: cn=lotta,ou=ADM,ou=MALMO,o=WIFI zenzfdVersion:: PD94bWwgdmVyc2lvbj0iMS4fSe34FNvZGluZz0iVVRGLTgiPz48QWdlbnREYX RhPjxWZXJzaW9uPjQuMC4xLjU5PC9WZXJzaWwAffwawFWZXJXcml0ZVRpbWU+MTE0OTUwMTY4MjwvVmV yV3JpdGVUaW1lPjwvQwfAwREYXRhPg== zenpolPolicy: cn=UserZenPolPackage,ou=ZEN,o=WIFI#0#zenUserPackage sasDefaultLoginSequence: --No default-- uid: lotta givenName: lotta fullName: lotta whatever Language: ENGLISH sn: whatever passwordUniqueRequired: FALSE passwordRequired: TRUE passwordMinimumLength: 5 passwordExpirationTime: 20070815131928Z passwordExpirationInterval: 3456000 passwordAllowChange: TRUE objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: Person objectClass: ndsLoginProperties objectClass: Top objectClass: radiusprofile loginTime: 20070719121749Z loginGraceRemaining: 6 loginGraceLimit: 6 cn: lotta ACL: 2#subtree#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#[All Attributes Rights] ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#loginScript ACL: 2#entry#[Public]#messageServer ACL: 2#entry#[Root]#groupMembership ACL: 6#entry#cn=lotta,ou=ADM,ou=MALMO,o=WIFI#printJobConfiguration ACL: 2#entry#[Root]#networkAddress # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 Iv also added the loglevel -1 to the /etc/ldap/ldap.conf and removed the TLSCertificateFile and TLSCertificateKeyFile from the /etc/ldap/sldap.conf as i did forget before. Do i need to convert the certificate to .pem and how if the c_rehash dont work? 
I paste the new output from the freeradius -XXX -A if it might help... freeradius -XXX -A Tue Jul 10 12:35:00 2007 : Info: Starting - reading configuration files ... Tue Jul 10 12:35:00 2007 : Debug: reread_config: reading radiusd.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/prox y.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/clie nts.conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/snmp ..conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/eap. conf Tue Jul 10 12:35:00 2007 : Debug: Config: including file: /etc/freeradius/sql. conf Tue Jul 10 12:35:00 2007 : Debug: main: prefix = "/usr" Tue Jul 10 12:35:00 2007 : Debug: main: localstatedir = "/var" Tue Jul 10 12:35:00 2007 : Debug: main: logdir = "/var/log/freeradius" Tue Jul 10 12:35:00 2007 : Debug: main: libdir = "/usr/lib/freeradius" Tue Jul 10 12:35:00 2007 : Debug: main: radacctdir = "/var/log/freeradius/radac ct" Tue Jul 10 12:35:00 2007 : Debug: main: hostname_lookups = no Tue Jul 10 12:35:00 2007 : Debug: main: max_request_time = 30 Tue Jul 10 12:35:00 2007 : Debug: main: cleanup_delay = 5 Tue Jul 10 12:35:00 2007 : Debug: main: max_requests = 1024 Tue Jul 10 12:35:00 2007 : Debug: main: delete_blocked_requests = 0 Tue Jul 10 12:35:00 2007 : Debug: main: port = 0 Tue Jul 10 12:35:00 2007 : Debug: main: allow_core_dumps = no Tue Jul 10 12:35:00 2007 : Debug: main: log_stripped_names = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_file = "/var/log/freeradius/radius. 
log" Tue Jul 10 12:35:00 2007 : Debug: main: log_auth = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_auth_badpass = yes Tue Jul 10 12:35:00 2007 : Debug: main: log_auth_goodpass = yes Tue Jul 10 12:35:00 2007 : Debug: main: pidfile = "/var/run/freeradius/freeradi us.pid" Tue Jul 10 12:35:00 2007 : Debug: main: user = "freerad" Tue Jul 10 12:35:00 2007 : Debug: main: group = "freerad" Tue Jul 10 12:35:00 2007 : Debug: main: usercollide = no Tue Jul 10 12:35:00 2007 : Debug: main: lower_user = "no" Tue Jul 10 12:35:00 2007 : Debug: main: lower_pass = "no" Tue Jul 10 12:35:00 2007 : Debug: main: nospace_user = "no" Tue Jul 10 12:35:00 2007 : Debug: main: nospace_pass = "no" Tue Jul 10 12:35:00 2007 : Debug: main: checkrad = "/usr/sbin/checkrad" Tue Jul 10 12:35:00 2007 : Debug: main: proxy_requests = yes Tue Jul 10 12:35:00 2007 : Debug: proxy: retry_delay = 5 Tue Jul 10 12:35:00 2007 : Debug: proxy: retry_count = 3 Tue Jul 10 12:35:00 2007 : Debug: proxy: synchronous = no Tue Jul 10 12:35:00 2007 : Debug: proxy: default_fallback = yes Tue Jul 10 12:35:00 2007 : Debug: proxy: dead_time = 120 Tue Jul 10 12:35:00 2007 : Debug: proxy: post_proxy_authorize = no Tue Jul 10 12:35:00 2007 : Debug: proxy: wake_all_if_all_dead = no Tue Jul 10 12:35:00 2007 : Debug: security: max_attributes = 200 Tue Jul 10 12:35:00 2007 : Debug:
Re: TLS cant connect ldap+freeradius+novell
Hm, fiddling with parameters in the FreeRADIUS config files should not change any behavior of ldapsearch. ldapsearch depends on the ldap.conf config file. Did you turn on ldap client debugging by setting "loglevel -1" in the ~/.ldap.conf file for the user that is executing ldapsearch? Or if ~/.ldap.conf does not exist, did you turn it on in /etc/openldap/ldap.conf or wherever your system ldap clients expect their config file to be? Martin G wrote: > Thx for the reply! > > Iv tried removing "port" and "tls_mode" from my radius.conf and hade > "tls_start = yes" set. > > The tls_certfile and tls_keyfile is now commented away #. > > I use the tls_certfile to /etc/freeradius/certs/WIFITREE_CA.b64 Is this file of ASCII type and does it read about like BEGIN CERTIFICATE -- Base64 blob END CERTIFICATE -- ? That is the correct format, i.e. PEM. Is there more than one certificate in the file? If it is binary, then it's DER format. In this case you could try openssl x509 -inform DER -in WIFITREE_CA.b64 -out WIFITREE_CA.pem > Id tried to use "c_rehash ." in that directory but the rehash dont find my > cert, only other certs in that path who is made into strange names. > Can i force it to pick my .b64 certificate or can i convert it in any other > way? (after the certs turned into funny names from c_rehash, its just to > rename them, if it starts to work with the right certificate?) > > The only output i now get from lldapsearch -vvv -h 10.10.0.11 -x -Z -b > ou=adm,ou=malmo,o=wifi "cn=lotta" > is: > > ldap_initialize( ldap://10.10.0.11 ) > ldap_start_tls: Connect error (-11) > ldap_result: Can't contact LDAP server (-1) > > Did i miss anything or is the only thing left now, to get a .pem > certificate? -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. 
Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
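Reimer's two replies above come down to two checks: the file named by tls_cacertfile must be a PEM bundle of the whole CA chain (a binary DER export has to be converted first, which is what "openssl x509 -inform DER" does), and the name handed to "ldapsearch -h" must match the CN in the server certificate, since an IP address such as 10.10.0.11 will never equal an FQDN. The Python below, added here as an example and not code from the thread, OpenLDAP or FreeRADIUS, performs both: PEM/DER detection and conversion with the standard library, bundle assembly, a minimal DER walk that extracts the subject CN from an X.509 certificate, and the name comparison. The certificate-shaped blobs produced by constructed_cert() are constructed test data (no key, no signature) so the script runs offline; the name ldap.example.test is an assumption.

```python
"""CA bundle and CN checks for an LDAP STARTTLS client (added example, not
FreeRADIUS or OpenLDAP code). ssl.DER_cert_to_PEM_cert/PEM_cert_to_DER_cert
only re-encode; they do not validate the certificate."""
import ssl
from typing import List, Optional, Sequence, Tuple

PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
OID_CN, OID_O, OID_OU = b"\x55\x04\x03", b"\x55\x04\x0a", b"\x55\x04\x0b"  # 2.5.4.{3,10,11}


def is_pem(data: bytes) -> bool:
    """Reimer's test: an ASCII file containing BEGIN CERTIFICATE is PEM."""
    return PEM_BEGIN.encode() in data


def to_pem(data: bytes) -> str:
    """One certificate, PEM or DER in, PEM out (what openssl x509 -inform DER does)."""
    return data.decode("ascii") if is_pem(data) else ssl.DER_cert_to_PEM_cert(data)


def to_der(pem: str) -> bytes:
    return ssl.PEM_cert_to_DER_cert(pem)


def pem_certs(data: bytes) -> List[str]:
    """Split a PEM bundle into its individual certificates."""
    return [p[p.index(PEM_BEGIN):] + PEM_END + "\n"
            for p in data.decode("ascii").split(PEM_END) if PEM_BEGIN in p]


def build_bundle(files: Sequence[bytes]) -> str:
    """Concatenate every CA of the chain, PEM or DER, into one tls_cacertfile."""
    out: List[str] = []
    for data in files:
        out.extend(pem_certs(data) if is_pem(data) else [to_pem(data)])
    return "".join(out)


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int, int]:
    """Decode one DER TLV at pos: (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: 0x80|n, then n length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length


def subject_cn(der: bytes) -> Optional[str]:
    """Walk Certificate -> tbsCertificate -> subject and return its CN, if any."""
    _, p, _, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, p, _, _ = _tlv(der, p)                   # tbsCertificate SEQUENCE
    tag, _, _, nxt = _tlv(der, p)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        p = nxt
    for _ in range(4):                          # serialNumber, signature, issuer, validity
        _, _, _, p = _tlv(der, p)
    _, p, subj_end, _ = _tlv(der, p)            # subject Name = SEQUENCE OF RDN
    while p < subj_end:
        _, q, set_end, p = _tlv(der, p)         # RelativeDistinguishedName SET
        while q < set_end:
            _, a, _, q = _tlv(der, q)           # AttributeTypeAndValue SEQUENCE
            _, os_, oe, vpos = _tlv(der, a)     # AttributeType OID
            if der[os_:oe] == OID_CN:
                _, vs, ve, _ = _tlv(der, vpos)  # AttributeValue string
                return der[vs:ve].decode("utf-8")
    return None


def hostname_matches(cn: Optional[str], host: str) -> bool:
    """The comparison behind "hostname does not match CN in peer certificate":
    case-insensitive exact match, or one leftmost wildcard label. A certificate
    without a CN (like the Novell export) can never match, nor can an IP."""
    if cn is None:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert(subject: Sequence[Tuple[bytes, str]]) -> bytes:
    """Constructed, certificate-shaped DER for testing subject_cn only: the
    structure is right up to the subject, but there is no key or signature."""
    name = b"".join(_der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, v.encode())))
                    for oid, v in subject)
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                             # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
           + _der(0x30, name)                                                # issuer
           + _der(0x30, _der(0x17, b"051022230408Z") + _der(0x17, b"151022230408Z"))
           + _der(0x30, name))                                               # subject
    return _der(0x30, _der(0x30, tbs))


if __name__ == "__main__":
    novell = constructed_cert([(OID_OU, "Organizational CA"), (OID_O, "WIFITREE")])
    server = constructed_cert([(OID_CN, "ldap.example.test")])
    print("bundle certs:", build_bundle([novell]).count(PEM_BEGIN))     # 1
    for host in ("ldap.example.test", "10.10.0.11"):
        print(host, "->", hostname_matches(subject_cn(server), host))   # True, False
```

Against a real LDAP server, feed subject_cn() the DER you get from to_der() on the server certificate and compare with the name you use in "-h"; if they differ, fix the name (DNS or /etc/hosts) rather than loosening tls_require_cert. Modern TLS clients additionally require the name in a subjectAltName extension, so a CN-only certificate that satisfies this check may still be rejected by current OpenLDAP or FreeRADIUS builds.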
New freeradius installation
Hi, I just migrated my radius from Cistron to freeradius. It's working fine as far as authenticating our dialups goes. I do have one concern though, because this shouldn't be happening (at least I don't think so). If I were to restart the radius daemon now, all would be well: Thu Jul 19 10:53:51 2007 : Info: Using deprecated naslist file. Support for this will go away soon. Thu Jul 19 10:53:51 2007 : Info: Using deprecated realms file. Support for this will go away soon. Thu Jul 19 10:53:51 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Thu Jul 19 10:53:51 2007 : Info: Ready to process requests. But if I make changes to my users file (and accidentally make a mistake), I get errors regarding that of course when I restart radius, but I also get errors regarding the radiusd.conf file. For example, this morning I left off a comma at the end of a line. Thu Jul 19 10:13:10 2007 : Info: Using deprecated naslist file. Support for this will go away soon. Thu Jul 19 10:13:10 2007 : Info: Using deprecated realms file. Support for this will go away soon. Thu Jul 19 10:13:10 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Thu Jul 19 10:13:10 2007 : Error: /usr/local/etc/raddb/users[4375]: Syntax error: Previous line is missing a trailing comma for entry bruce Thu Jul 19 10:13:10 2007 : Error: Errors reading /usr/local/etc/raddb/users Thu Jul 19 10:13:10 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. Thu Jul 19 10:13:10 2007 : Error: radiusd.conf[1852] Unknown module "files". Thu Jul 19 10:13:10 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. I correct the error in the users file and get no more complaints regarding radiusd.conf. Why? Lisa Casey
Re: Freeradius-Users Digest, Vol 27, Issue 121
ot; >> THEN continue with username as is. >> >> Hope this helps to clear up what I'm trying to do. I appologize for >> not being very clear. >> >> Thanks >> >> Cliff >> >> >> >> On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote: >> > Hi >> > >> > On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote: >> > > Hello all. >> > > >> > > Here is my issue. This is very weird and would only affect one NAS. >> > > I'm not sure freeradius is capable of this. I want a username that >> > > comes in to check for an @domainname. If the domainname is there I >> > > want it to be stripped and added back later. If the domainname is not >> > > there I'd like it to continue and have to domainname added later in >> > > the authentication process. I hope this makes sense and any help is >> > > appreciated >> > >> > What do you mean by 'later' you can definitely check for the presence >> > of domain, you can strip it and add it again. you just have to define >> > the flow. rlm_attr will be of help to you (for both stripping and >> > adding). >> > >> > kind regards >> > Pshem >> > - >> > List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > >> >> >> -- >> >> Message: 3 >> Date: Thu, 19 Jul 2007 15:38:54 +0200 >> From: [EMAIL PROTECTED] >> Subject: "Time-out" Problem with Huntgroups in conjunction with MYSQL >> Backend >> To: freeradius-users@lists.freeradius.org >> Message-ID: <[EMAIL PROTECTED]> >> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; >> format="flowed" >> >> Hello FR users, >> >> I am running FreeRadius 1.1.3 together with MySQL 5.0.27 >> I use huntgroups to allow access to specific devices only to certain users >> belonging to a certain group (I use huntgroups since "I" didnt find a way >> to do it via MySQL) >> I have the following issue: >> When for a longer period (e.g. 
over night) no one logs into one of the >> devices (so the radius server sits idle), it happens that the first time >> in >> the morning someone tries to login he fails because FR rejects the Request >> with "invalid user" - only after 3 or 4 tries the login-attempt is >> successfull >> The reason seems to be, that after such a "long" dormant period, when the >> first RADIUS-request(s) arrive, FR has to re-connect to the MySQL DB to >> query the user's group-membership >> Since this re-connect takes "too long" the query returns "Not found" and >> the user is rejected as "unknown" >> >> Here is what you see in the radius.log file: >> Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >> server for #9 >> Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect >> Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client >> ATWRE22e7601 port 1 cli 10.0.0.31) >> Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client >> ATWRE22e7601 port 1 cli 10.0.0.31) >> Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >> server for #8 >> Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect >> Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client >> ATWRE22e7601 port 0) >> Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client >> ATWRE22e7601 port 0) >> Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >> server for #7 >> Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect >> Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client >> ATWRE22e7601 port 0) >> Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client >> ATWRE22e7601 port 0) >> Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >> server for #6 >> Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 >> port 2 cli 10.0.0.31) >> >> Hope the logfile is sufficient, otherwise 
I would have to let FR run in >> debug-mode over night >> >> The funny thing is, that this problem doesn't occure when all entries in >> the huntgroups file are "commented out" >> >> So my question is, is there a config parame
Re: TLS cant connect ldap+freeradius+novell
Thx for the reply! I've tried removing "port" and "tls_mode" from my radius.conf and had "tls_start = yes" set. The tls_certfile and tls_keyfile are now commented out with #. I use the tls_certfile /etc/freeradius/certs/WIFITREE_CA.b64. I'd tried to use "c_rehash ." in that directory but the rehash doesn't find my cert, only other certs in that path which are made into strange names. Can I force it to pick my .b64 certificate or can I convert it in any other way? (After the certs turned into funny names from c_rehash, is it just a matter of renaming them, if it starts to work with the right certificate?) The only output I now get from ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" is: ldap_initialize( ldap://10.10.0.11 ) ldap_start_tls: Connect error (-11) ldap_result: Can't contact LDAP server (-1) Did I miss anything or is the only thing left now to get a .pem certificate? /Mr G >From: "Reimer Karlsen-Masur, DFN-CERT" <[EMAIL PROTECTED]> >Reply-To: FreeRadius users mailing list > >To: FreeRadius users mailing list >Subject: Re: TLS cant connect ldap+freeradius+novell >Date: Thu, 19 Jul 2007 16:06:46 +0200 > >Hi. > >Martin G wrote: > > Hello! > > > > Im new to both this mailinglist and to novell/linux/ldap/freeradius but >iv > > tried my best to install a radius/ldap linuxserver to pass on > > radius-requests from a Aruba-controller to our novell-server. > > > > IPs: > > Novell 10.10.0.11 > > Aruba 10.10.0.28 > > Linux (freeradius+ldap) 10.10.0.132 > > > > Iv tried to change tls_mode, port and tls_start on and off a couple of >times > > without any good result and when i go use ldapsearch -vvv -h 10.10.0.11 >-x > > -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta" > > i recieve "TLS: hostname does not match CN in peer certificate". > >At least this means that your ldap server understands STARTTLS on the >standard ldap port. > >So in FreeRADIUS ldap config section you should *not* set port and tls_mode >options at all. > >You should set start_tls=yes though. 
> > > >As for the ldap server certificate name mismatch > > > So i have some thoughts about the certificate, but iv exported the > > selfsigned novell-certificate from the novellserver and verifyed it. But >im > > not sure how to use a "client-certificate" on the linux. > > > > When i use "freeradius -XXX -A" on the linuxserver and i trie to do a > > radius-request, the aruba gets a timeout and the linuxserver tells me >the > > following logg: > >Now for the certificates. Since your ldap server is using a server >certificate you must configure FreeRADIUS to trust the issuing CA. > >Since identity and password are set it seems you do not use SSL client >authentication to authenticate the FreeRADIUS server (acting as ldap >client) >at the ldap server. > >Hence don't set tls_certfile and tls_keyfile options. > >Either use tls_cacertfile xor tlc_cacertdir option. > >If using former, put in all the CA certificate chain validating the ldap >servers certificate in PEM format. Concatenate the CA certs into the file >named by this option. > >If using the latter, put all CA certs of the chain validating the ldap >servers certificate in PEM format with .pem file extension into that >directory. cd into this directory and execute > ># c_rehash . > >to build some symlinks. The dot (.) for the current directory seems vital. >c_rehash is a tool that comes with openssl. > >Be aware that the openldap client configuration file on the system or for >that user running FreeRADIUS is being used. That is ~/.ldap.conf or system >wide something like /etc/openldap/ldap.conf or what ever fits your FS >layout >and ldap installation on the FreeRADIUS server. > >To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf >file. Debugging output is to be found in files configured by syslogd more >than likely in /var/log/messages or similar. 
> >HTH & good luck > >-- >Beste Gruesse / Kind Regards > >Reimer Karlsen-Masur > >DFN-PKI FAQ: https://www.pki.dfn.de/faqpki >-- >Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 >DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 >Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737 ><< smime.p7s >> >- >List info/subscribe/unsubscribe? See >http://www.freeradius.org/list/users.html
Re: "Time-out" Problem with Huntgroups in conjunction with MYSQL Backend
Yes. MySQL has wait_timeout set to 8 hours. See last option: http://dev.mysql.com/doc/refman/5.0/en/instance-manager-command-options.html Ivan Kalik Kalik Informatika ISP Dana 19/7/2007, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> piše: >Hello FR users, > >I am running FreeRadius 1.1.3 together with MySQL 5.0.27 >I use huntgroups to allow access to specific devices only to certain users >belonging to a certain group (I use huntgroups since "I" didnt find a way >to do it via MySQL) >I have the following issue: >When for a longer period (e.g. over night) no one logs into one of the >devices (so the radius server sits idle), it happens that the first time in >the morning someone tries to login he fails because FR rejects the Request >with "invalid user" - only after 3 or 4 tries the login-attempt is >successfull >The reason seems to be, that after such a "long" dormant period, when the >first RADIUS-request(s) arrive, FR has to re-connect to the MySQL DB to >query the user's group-membership >Since this re-connect takes "too long" the query returns "Not found" and >the user is rejected as "unknown" > >Here is what you see in the radius.log file: >Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >server for #9 >Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect >Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client >ATWRE22e7601 port 1 cli 10.0.0.31) >Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client >ATWRE22e7601 port 1 cli 10.0.0.31) >Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >server for #8 >Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect >Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client >ATWRE22e7601 port 0) >Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client >ATWRE22e7601 port 0) >Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >server for #7 >Tue Jul 17 08:05:38 2007 
: Error: rlm_sql (sql): failed after re-connect >Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client >ATWRE22e7601 port 0) >Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client >ATWRE22e7601 port 0) >Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL >server for #6 >Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 >port 2 cli 10.0.0.31) > >Hope the logfile is sufficient, otherwise I would have to let FR run in >debug-mode over night > >The funny thing is, that this problem doesn't occure when all entries in >the huntgroups file are "commented out" > >So my question is, is there a config parameter to tell FR to "wait" a bit >longer in the preprocess module (I assume) for the MYSQL query to deliver >its answer? > >thanks alot >regards >thomas pudil > > > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: 3COM sw4500 802.1x Problem
Hello;

I could solve my problem by changing the Auth-Type attribute to EAP in LDAP and everything is OK.

Thank you for your relation.

Best Regards,
Aydin Kocak.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Quirky question about rewriting usernames
How about the other way around:

IF the username does not have @domain.com and NAS = "NAS A"
THEN continue with username as is

IF the username has @domain.com and NAS = "NAS A"
THEN strip @domain.com

That works by default. If you want to keep it the other way around have a look at the hints file.

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, "Cliff Cole" <[EMAIL PROTECTED]> wrote:

>Thanks for the reply. I'm new to free radius and have been
>overwhelmed with documentation the past few days. Let me explain in
>some logic and maybe I can make some sense as to what I'm trying to
>do.
>
>User authentication comes from "NAS A"
>
>IF the username does not have @domain.com and NAS = "NAS A"
>THEN append @domain.com
>
>IF the username has @domain.com and NAS = "NAS A"
>THEN continue with username as is.
>
>Hope this helps to clear up what I'm trying to do. I apologize for
>not being very clear.
>
>Thanks
>
>Cliff
>
>On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
>> Hi
>>
>> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
>> > Hello all.
>> >
>> > Here is my issue. This is very weird and would only affect one NAS.
>> > I'm not sure freeradius is capable of this. I want a username that
>> > comes in to check for an @domainname. If the domainname is there I
>> > want it to be stripped and added back later. If the domainname is not
>> > there I'd like it to continue and have the domainname added later in
>> > the authentication process. I hope this makes sense and any help is
>> > appreciated
>>
>> What do you mean by 'later'? You can definitely check for the presence
>> of domain, you can strip it and add it again. You just have to define
>> the flow. rlm_attr will be of help to you (for both stripping and
>> adding).
>>
>> kind regards
>> Pshem
Re: TLS cant connect ldap+freeradius+novell
Hi.

Martin G wrote:
> Hello!
>
> I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've
> tried my best to install a radius/ldap linux server to pass on
> radius requests from an Aruba controller to our novell server.
>
> IPs:
> Novell 10.10.0.11
> Aruba 10.10.0.28
> Linux (freeradius+ldap) 10.10.0.132
>
> I've tried to change tls_mode, port and tls_start on and off a couple of times
> without any good result and when I use ldapsearch -vvv -h 10.10.0.11 -x
> -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"
> I receive "TLS: hostname does not match CN in peer certificate".

At least this means that your ldap server understands STARTTLS on the standard ldap port. So in the FreeRADIUS ldap config section you should *not* set the port and tls_mode options at all. You should set start_tls=yes though.

As for the ldap server certificate name mismatch

> So I have some thoughts about the certificate, but I've exported the
> self-signed novell certificate from the novell server and verified it. But I'm
> not sure how to use a "client certificate" on the linux.
>
> When I use "freeradius -XXX -A" on the linux server and I try to do a
> radius request, the aruba gets a timeout and the linux server tells me the
> following log:

Now for the certificates. Since your ldap server is using a server certificate you must configure FreeRADIUS to trust the issuing CA.

Since identity and password are set it seems you do not use SSL client authentication to authenticate the FreeRADIUS server (acting as ldap client) at the ldap server. Hence don't set the tls_certfile and tls_keyfile options.

Either use the tls_cacertfile xor the tls_cacertdir option.

If using the former, put in all the CA certificate chain validating the ldap server's certificate in PEM format. Concatenate the CA certs into the file named by this option.

If using the latter, put all CA certs of the chain validating the ldap server's certificate in PEM format with .pem file extension into that directory. cd into this directory and execute

# c_rehash .

to build some symlinks. The dot (.) for the current directory seems vital. c_rehash is a tool that comes with openssl.

Be aware that the openldap client configuration file on the system or for the user running FreeRADIUS is being used. That is ~/.ldap.conf or system wide something like /etc/openldap/ldap.conf or whatever fits your FS layout and ldap installation on the FreeRADIUS server.

To ease ldap debugging within FreeRADIUS set "loglevel -1" in the ldap.conf file. Debugging output is to be found in files configured by syslogd, more than likely in /var/log/messages or similar.

HTH & good luck

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Re: Level 2 authentication with RADIUS.
> enable is really level 15. And the following link was posted just MINUTES
> ago on this list. Did you read the etiquette thing about "read the mail
> archives before asking?"?

Wait a minute. That link was sent in reply to YOUR question! Did you even read it?

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Re: Level 2 authentication with RADIUS.
> Can we have level 2 (enable) authentication too with Radius server as we
> have for level 1(user level)?

If you say "enable" I suspect you are talking about Cisco equipment? Then enable is really level 15. And the following link was posted just MINUTES ago on this list. Did you read the etiquette thing about "read the mail archives before asking?"?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
Level 2 authentication with RADIUS.
Hi all,

I am new to the list and to RADIUS too, so I might ask some repetitive questions. Here is my question:

Can we have level 2 (enable) authentication too with a RADIUS server as we have for level 1 (user level)? If yes, can someone provide me some documentation? I tried to search for it but couldn't find any.

Thanks in advance,
Ashish
"Time-out" Problem with Huntgroups in conjunction with MYSQL Backend
Hello FR users,

I am running FreeRadius 1.1.3 together with MySQL 5.0.27.

I use huntgroups to allow access to specific devices only to certain users belonging to a certain group (I use huntgroups since "I" didn't find a way to do it via MySQL).

I have the following issue: when for a longer period (e.g. over night) no one logs into one of the devices (so the radius server sits idle), it happens that the first time in the morning someone tries to login he fails because FR rejects the request with "invalid user" - only after 3 or 4 tries is the login attempt successful.

The reason seems to be that after such a "long" dormant period, when the first RADIUS request(s) arrive, FR has to re-connect to the MySQL DB to query the user's group membership. Since this re-connect takes "too long" the query returns "Not found" and the user is rejected as "unknown".

Here is what you see in the radius.log file:

Tue Jul 17 08:05:16 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #9
Tue Jul 17 08:05:16 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:16 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:16 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 1 cli 10.0.0.31)
Tue Jul 17 08:05:25 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #8
Tue Jul 17 08:05:25 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:25 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:25 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #7
Tue Jul 17 08:05:38 2007 : Error: rlm_sql (sql): failed after re-connect
Tue Jul 17 08:05:38 2007 : Auth: No huntgroup access: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:05:38 2007 : Auth: Invalid user: [xxx] (from client ATWRE22e7601 port 0)
Tue Jul 17 08:06:00 2007 : Info: rlm_sql_mysql: Starting connect to MySQL server for #6
Tue Jul 17 08:06:00 2007 : Auth: Login OK: [xxx] (from client ATWRE22b7201 port 2 cli 10.0.0.31)

Hope the logfile is sufficient, otherwise I would have to let FR run in debug mode over night.

The funny thing is that this problem doesn't occur when all entries in the huntgroups file are "commented out".

So my question is, is there a config parameter to tell FR to "wait" a bit longer in the preprocess module (I assume) for the MySQL query to deliver its answer?

Thanks a lot,
regards
thomas pudil
Re: Quirky question about rewriting usernames
Thanks for the reply. I'm new to free radius and have been overwhelmed with documentation the past few days. Let me explain in some logic and maybe I can make some sense as to what I'm trying to do.

User authentication comes from "NAS A"

IF the username does not have @domain.com and NAS = "NAS A"
THEN append @domain.com

IF the username has @domain.com and NAS = "NAS A"
THEN continue with username as is.

Hope this helps to clear up what I'm trying to do. I apologize for not being very clear.

Thanks

Cliff

On 7/19/07, Pshem Kowalczyk <[EMAIL PROTECTED]> wrote:
> Hi
>
> On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> > Hello all.
> >
> > Here is my issue. This is very weird and would only affect one NAS.
> > I'm not sure freeradius is capable of this. I want a username that
> > comes in to check for an @domainname. If the domainname is there I
> > want it to be stripped and added back later. If the domainname is not
> > there I'd like it to continue and have the domainname added later in
> > the authentication process. I hope this makes sense and any help is
> > appreciated
>
> What do you mean by 'later'? You can definitely check for the presence
> of domain, you can strip it and add it again. You just have to define
> the flow. rlm_attr will be of help to you (for both stripping and
> adding).
>
> kind regards
> Pshem
Re: mod_auth_radius
On 7/19/07, Rascher, Markus <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> is there a tutorial how to install mod_auth_radius on an apache 2.xx server?
> The howto on the freeradius webpage is a little bit deprecated I guess.
> I get an error when starting the apache server after installing
> mod_auth_radius:
>
> # service httpd start
> Starting httpd: httpd: Syntax error on line 205 of
> /etc/httpd/conf/httpd.conf: Cannot load
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server:
> /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined
> symbol: ap_snprintf
> [FAILED]

You might try mod_auth_xradius. I have done a couple of apache + radius + WiKID 2FA docs that might help:

http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
http://www.howtoforge.com/apache_radius_two_factor_authentication

The latter is more recent.

HTH,

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
TLS cant connect ldap+freeradius+novell
Hello!

I'm new to both this mailing list and to novell/linux/ldap/freeradius but I've tried my best to install a radius/ldap linux server to pass on radius requests from an Aruba controller to our novell server.

IPs:
Novell 10.10.0.11
Aruba 10.10.0.28
Linux (freeradius+ldap) 10.10.0.132

I've tried to change tls_mode, port and tls_start on and off a couple of times without any good result, and when I use

ldapsearch -vvv -h 10.10.0.11 -x -Z -b ou=adm,ou=malmo,o=wifi "cn=lotta"

I receive "TLS: hostname does not match CN in peer certificate".

So I have some thoughts about the certificate, but I've exported the self-signed novell certificate from the novell server and verified it. But I'm not sure how to use a "client certificate" on the linux.

When I use "freeradius -XXX -A" on the linux server and I try to do a radius request, the aruba gets a timeout and the linux server tells me the following log:

Tue Jul 10 11:32:28 2007 : Info: Starting - reading configuration files ...
Tue Jul 10 11:32:28 2007 : Debug: reread_config: reading radiusd.conf
Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/proxy.conf
Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/clients.conf
Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/snmp.conf
Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/eap.conf
Tue Jul 10 11:32:28 2007 : Debug: Config: including file: /etc/freeradius/sql.conf
Tue Jul 10 11:32:28 2007 : Debug: main: prefix = "/usr"
Tue Jul 10 11:32:28 2007 : Debug: main: localstatedir = "/var"
Tue Jul 10 11:32:28 2007 : Debug: main: logdir = "/var/log/freeradius"
Tue Jul 10 11:32:28 2007 : Debug: main: libdir = "/usr/lib/freeradius"
Tue Jul 10 11:32:28 2007 : Debug: main: radacctdir = "/var/log/freeradius/radacct"
Tue Jul 10 11:32:28 2007 : Debug: main: hostname_lookups = no
Tue Jul 10 11:32:28 2007 : Debug: main: max_request_time = 30
Tue Jul 10 11:32:28 2007 : Debug: main: cleanup_delay = 5
Tue Jul 10 11:32:28 2007 : Debug: main: max_requests = 1024
Tue Jul 10 11:32:28 2007 : Debug: main: delete_blocked_requests = 0
Tue Jul 10 11:32:28 2007 : Debug: main: port = 0
Tue Jul 10 11:32:28 2007 : Debug: main: allow_core_dumps = no
Tue Jul 10 11:32:28 2007 : Debug: main: log_stripped_names = yes
Tue Jul 10 11:32:28 2007 : Debug: main: log_file = "/var/log/freeradius/radius.log"
Tue Jul 10 11:32:28 2007 : Debug: main: log_auth = yes
Tue Jul 10 11:32:28 2007 : Debug: main: log_auth_badpass = yes
Tue Jul 10 11:32:28 2007 : Debug: main: log_auth_goodpass = yes
Tue Jul 10 11:32:28 2007 : Debug: main: pidfile = "/var/run/freeradius/freeradius.pid"
Tue Jul 10 11:32:28 2007 : Debug: main: user = "freerad"
Tue Jul 10 11:32:28 2007 : Debug: main: group = "freerad"
Tue Jul 10 11:32:28 2007 : Debug: main: usercollide = no
Tue Jul 10 11:32:28 2007 : Debug: main: lower_user = "no"
Tue Jul 10 11:32:28 2007 : Debug: main: lower_pass = "no"
Tue Jul 10 11:32:28 2007 : Debug: main: nospace_user = "no"
Tue Jul 10 11:32:28 2007 : Debug: main: nospace_pass = "no"
Tue Jul 10 11:32:28 2007 : Debug: main: checkrad = "/usr/sbin/checkrad"
Tue Jul 10 11:32:28 2007 : Debug: main: proxy_requests = yes
Tue Jul 10 11:32:28 2007 : Debug: proxy: retry_delay = 5
Tue Jul 10 11:32:28 2007 : Debug: proxy: retry_count = 3
Tue Jul 10 11:32:28 2007 : Debug: proxy: synchronous = no
Tue Jul 10 11:32:28 2007 : Debug: proxy: default_fallback = yes
Tue Jul 10 11:32:28 2007 : Debug: proxy: dead_time = 120
Tue Jul 10 11:32:28 2007 : Debug: proxy: post_proxy_authorize = no
Tue Jul 10 11:32:28 2007 : Debug: proxy: wake_all_if_all_dead = no
Tue Jul 10 11:32:28 2007 : Debug: security: max_attributes = 200
Tue Jul 10 11:32:28 2007 : Debug: security: reject_delay = 1
Tue Jul 10 11:32:28 2007 : Debug: security: status_server = no
Tue Jul 10 11:32:28 2007 : Debug: main: debug_level = 0
Tue Jul 10 11:32:28 2007 : Debug: read_config_files: reading dictionary
Tue Jul 10 11:32:28 2007 : Debug: read_config_files: reading naslist
Tue Jul 10 11:32:28 2007 : Info: Using deprecated naslist file. Support for this will go away soon.
Tue Jul 10 11:32:28 2007 : Debug: read_config_files: reading clients
Tue Jul 10 11:32:28 2007 : Debug: read_config_files: reading realms
Tue Jul 10 11:32:28 2007 : Debug: radiusd: entering modules setup
Tue Jul 10 11:32:28 2007 : Debug: Module: Library search path is /usr/lib/freeradius
Tue Jul 10 11:32:28 2007 : Debug: Module: Loaded exec
Tue Jul 10 11:32:28 2007 : Debug: exec: wait = yes
Tue Jul 10 11:32:28 2007 : Debug: exec: program = "(null)"
Tue Jul 10 11:32:28 2007 : Debug: exec: input_pairs = "request"
Tue Jul 10 11:32:28 2007 : Debug: exec: output_pairs = "(null)"
Tue Jul 10 11:32:28 2007 : Debug: exec: packet_type = "(null)"
Tue Jul 10 11:32:28 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Tue Jul 10 11:32:28 2007 : Debug: Module: Instantiated exec (exec)
Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challengeresponse
Thanks for the help Stefan.

On 7/19/07, Stefan Winter <[EMAIL PROTECTED]> wrote:
> > I am trying to send an Access-Request with EAP-Identity response. The
> > Request was successful and Server sent an Access-Challenge in response (MD5
> > challenge), the response to this challenge is failing (receiving
> > Access-Reject from Server), the Error message was "rlm_eap_md5:
> > User-Password is required for EAP-MD5 authentication". I have the
> > User-Password attribute in Access-Request. Below is the Access-Request
> > packet attributes,
>
> You don't quite understand how EAP-MD5 works. There is not supposed to be a
> User-Password in the request - instead, a response to the MD5-Challenge the
> server sent out earlier. The *server* needs to know the user's password to
> verify this response. So putting the attribute User-Password in the request
> won't gain you anything, other than violating RFCs. The server will not look
> there. With EAP-MD5, the user's password is *never* on the wire.
>
> You want to configure the user's password in the server, for example in the
> users file. In 1.16 and later, you will want to use the name
> "Cleartext-Password" instead of User-Password for that - it reduces confusion.
>
> Stefan
>
> --
> Stefan WINTER
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
> Ingenieur Forschung & Entwicklung
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> http://www.restena.lu Fax: +352 422473

--
With Regards,
Govardhana K N
Re: Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challengeresponse
> I am trying to send an Access-Request with EAP-Identity response. The
> Request was successful and Server sent an Access-Challenge in response (MD5
> challenge), the response to this challenge is failing (receiving
> Access-Reject from Server), the Error message was "rlm_eap_md5:
> User-Password is required for EAP-MD5 authentication". I have the
> User-Password attribute in Access-Request. Below is the Access-Request
> packet attributes,

You don't quite understand how EAP-MD5 works. There is not supposed to be a User-Password in the request - instead, a response to the MD5-Challenge the server sent out earlier. The *server* needs to know the user's password to verify this response. So putting the attribute User-Password in the request won't gain you anything, other than violating RFCs. The server will not look there. With EAP-MD5, the user's password is *never* on the wire.

You want to configure the user's password in the server, for example in the users file. In 1.16 and later, you will want to use the name "Cleartext-Password" instead of User-Password for that - it reduces confusion.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
http://www.restena.lu Fax: +352 422473
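The exchange Stefan describes, as an added worked example (this is not code from the thread, from rlm_eap_md5 or from FreeRADIUS). The Access-Challenge EAP-Message is the one printed in the debug log quoted later in this thread (Id 211, a 16-byte challenge); the supplicant's response is recomputed here because the copy in the log is cut off. The password "jrc" is assumed from the poster's test user; the value the supplicant sends is MD5(Id || password || challenge) as in CHAP, so the server can only verify it if it holds the cleartext password itself, and the User-Password attribute plays no part.

```python
"""EAP-MD5 (RFC 3748 s.5.4, CHAP digest from RFC 1994) worked exchange.

Added example for this thread, not FreeRADIUS code. CHALLENGE_FROM_LOG is
the Access-Challenge EAP-Message quoted in the thread's debug output; the
response is recomputed here because the copy in the log is truncated.
"""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# From the log: Code=Request(1), Id=0xd3 (211), Length=0x0016 (22), Type=4,
# Value-Size=0x10 (16), followed by the 16-byte challenge.
CHALLENGE_FROM_LOG = bytes.fromhex(
    "01d300160410f492fb48923219d8c9760b271cf4e031"
)


def build_md5_challenge(eap_id, challenge=None):
    """Server side: EAP-Request/MD5-Challenge. A fresh random challenge per
    request is what keeps a captured response from being replayed."""
    if challenge is None:
        challenge = os.urandom(16)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


def parse_md5_packet(pkt):
    """Split an EAP-MD5 Request or Response into its fields, checking lengths."""
    if len(pkt) < 6:
        raise ValueError("EAP packet too short")
    code, eap_id, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP-MD5 packet")
    value_size = pkt[5]
    value = pkt[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("Value field truncated")
    return {"code": code, "id": eap_id, "value": value, "name": pkt[6 + value_size:]}


def md5_response_value(eap_id, password, challenge):
    """CHAP digest: MD5(Identifier || secret || challenge). Both sides compute
    it locally; only the 16-byte digest crosses the wire."""
    return hashlib.md5(bytes([eap_id]) + password + challenge).digest()


def build_md5_response(request, password, name=b""):
    """Supplicant side: the password is used here and never transmitted."""
    req = parse_md5_packet(request)
    value = md5_response_value(req["id"], password, req["value"])
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, req["id"], 4 + len(body)) + body


def server_verify(request, response, stored_password):
    """Server side: recompute from the cleartext password it stores (the
    Cleartext-Password entry in the users file) and compare in constant time.
    Nothing in the Access-Request other than the EAP-Message is consulted."""
    req = parse_md5_packet(request)
    rsp = parse_md5_packet(response)
    if rsp["code"] != EAP_RESPONSE or rsp["id"] != req["id"]:
        return False
    expected = md5_response_value(req["id"], stored_password, req["value"])
    return hmac.compare_digest(expected, rsp["value"])


if __name__ == "__main__":
    # Password "jrc" is assumed from the poster's test user.
    response = build_md5_response(CHALLENGE_FROM_LOG, b"jrc")
    print("response EAP-Message =", response.hex())
    print("stored password 'jrc' :", server_verify(CHALLENGE_FROM_LOG, response, b"jrc"))
    print("stored password 'nope':", server_verify(CHALLENGE_FROM_LOG, response, b"nope"))
```

Running it prints a 22-byte Response (the same length the log shows for the real one) and True/False for the two stored passwords. Note that what the server holds must be the cleartext password: a hashed entry (Crypt-Password, NT hash) cannot be used to recompute the CHAP digest, which is the usual reason EAP-MD5 gets rejected in favour of methods that work with hashed stores.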
mod_auth_radius
Hi All,

is there a tutorial how to install mod_auth_radius on an apache 2.xx server? The howto on the freeradius webpage is a little bit deprecated I guess. I get an error when starting the apache server after installing mod_auth_radius:

# service httpd start
Starting httpd: httpd: Syntax error on line 205 of /etc/httpd/conf/httpd.conf: Cannot load /usr/lib/httpd/modules/mod_auth_radius-2.0.so into server: /usr/lib/httpd/modules/mod_auth_radius-2.0.so: undefined symbol: ap_snprintf
[FAILED]

Thanks for your answers.

Markus
Help(1.1.3): Access-Reject is sent by server for EAP-MD5 challenge response
Hi,

I am trying to send an Access-Request with EAP-Identity response. The request was successful and the server sent an Access-Challenge in response (MD5 challenge); the response to this challenge is failing (receiving Access-Reject from server), the error message was "rlm_eap_md5: User-Password is required for EAP-MD5 authentication". I have the User-Password attribute in the Access-Request. Below are the Access-Request packet attributes:

User-Name = jrc
User-Password = jrc
Nas-identifier = jrcnas
Nas-Ip-Address = 10.10.10.10
Nas-Port = 20
Nas-Port-Type = 15
CUI = 0
Service-Type = Framed-User
Framed-MTU = 1400
Calling-Station-Id = 1:1:1:1:1:1
NSP-Id = nap
BS-ID = TestBS
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "jrc"
EAP-MD5-Password = jrc
Message-Authenticator = 0x00

Am I doing anything wrong here? Can anybody help me how to solve this problem?

---
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=177, length=150
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-IP-Address = 10.10.10.10
        NAS-Port = 20
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        NSP-ID = "nap"
        BS-ID = "TestBS"
        Message-Authenticator = 0x4cc4b9e9f807f7648ddb267ec1365cc6
        EAP-Message = 0x02d20008016a7263
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 210 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry jrc at line 231
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 177 to 127.0.0.1 port 32825
        CUI = "TestCUI2"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 172.31.128.112
        Framed-IP-Netmask = 255.255.255.0
        Framed-MTU = 1400
        AAA-Session-Id = "MultiSessionId2"
        MSK = "TestMSK2"
        HA-IP-MIP4 = 1.2.3.5
        DHCPv4-Server = 5.6.7.9
        MN-HA-MIP4-KEY = "TestMIPKey2"
        MN-HA-MIP4-SPI = "TestMIPSPI2"
        DHCP-RK = "TestDHCPRK2"
        DHCP-RK-KEY-ID = "TestDHCPRKID2"
        DHCP-RK_LIFETIME = 30
        EAP-Message = 0x01d300160410f492fb48923219d8c9760b271cf4e031
        Message-Authenticator = 0x
        State = 0x467be2cc5938e30e368d1633e8ebd4fd
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=178, length=182
        User-Name = "jrc"
        User-Password = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-IP-Address = 10.10.10.10
        NAS-Port = 20
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        NSP-ID = "nap"
        BS-ID = "TestBS"
        Message-Authenticator = 0x7c3e1b2a25d10ce176811099e6ea64a3
        State = 0x467be2cc5938e30e368d1633e8ebd4fd
        EAP-Message = 0x02d300160410d879a36a071bbf8da598184dbe22
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "jrc", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 211 length 22
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "e
Re: Freeradius-Users Digest, Vol 27, Issue 116
;(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: certificate_file = "/etc/freeradius/certs/cert-srv.pem"
 tls: CA_file = "/etc/freeradius/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/freeradius/certs/dh"
 tls: random_file = "/etc/freeradius/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = "%{User-Name}"
 tls: cipher_list = "DEFAULT"
 tls: check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 127.0.0.1:1812
Listening on accounting 127.0.0.1:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32823, id=217, length=95
        User-Name = "jrc"
        NAS-Identifier = "jrcnas"
        NAS-Port-Type = Ethernet
        CUI = "0"
        Service-Type = Framed-User
        Framed-MTU = 1400
        Calling-Station-Id = "1:1:1:1:1:1"
        Message-Authenticator = 0x2568987af6f31763f9199f8067fafee1
        EAP-Message = 0x02d20008016a7263
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
Segmentation fault
cheux301:/etc/freeradius#

--
Thanks & Regards,
Govardhana K N
URL: https://lists.freeradius.org/pipermail/freeradius-users/attachments/20070719/d5a2969f/attachment-0001.html

--

Message: 2
Date: Thu, 19 Jul 2007 17:59:54 +1200
From: "Pshem Kowalczyk" <[EMAIL PROTECTED]>
Subject: Re: Quirky question about rewriting usernames
To: "FreeRadius users mailing list"
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi

On 19/07/07, Cliff Cole <[EMAIL PROTECTED]> wrote:
> Hello all.
>
> Here is my issue. This is v
Re: Support for Cisco
Use proper format:

Cisco-AVPair = "priv-lvl=levelnumber"

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:

>Hi all,
>
>I am trying to configure "free radius" for some Cisco devices.
>Till now I am able to authenticate using the radius server and I am getting
>into user level or privilege level depending on the attribute I am defining.
>Now what I am looking for is authorization.
>There is something called "Cisco-AV priv" attribute through which one can
>define privilege level from 1 to 15. But I am not able to define it in
>"users file".
>Can anyone tell me how to define this or whether we can define this kind of
>attribute in freeradius or not?
>
>Thanks in advance,
>Ashish
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for Cisco
Sorry, my mistake. It is "shell:priv-lvl=levelnumber"

Ivan Kalik
Kalik Informatika ISP

On 19/7/2007, "Peter Nixon" <[EMAIL PROTECTED]> writes:

>I thought it was:
>
> cisco-avpair = "shell:priv-lvl=levelnumber"
>
>If not, we need to fix the wiki.
>
>Cheers
>
>Peter
>
>
>On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
>> Use proper format:
>>
>> Cisco-AVPair = "priv-lvl=levelnumber"
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:
>> >Hi all,
>> >
>> >I am trying to configure "free radius" for some Cisco devices.
>> >Till now I am able to authenticate using the radius server and I am
>> > getting into user level or privilege level depending on the attribute I
>> > am defining. Now what I am looking for is authorization.
>> >There is something called "Cisco-AV priv" attribute through which one can
>> >define privilege level from 1 to 15. But I am not able to define it in
>> >"users file".
>> >Can anyone tell me how to define this or whether we can define this kind
>> > of attribute in freeradius or not?
>> >
>> >Thanks in advance,
>> >Ashish
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
>
>--
>
>Peter Nixon
>http://peternixon.net/
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
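The corrected attribute from the reply above, shown in a complete FreeRADIUS users-file entry together with the Cisco IOS configuration that consumes it. This is an added example, not code from the original thread, from the FreeRADIUS project or from Cisco: the user names, passwords, the 192.0.2.10 server address and the shared secret are placeholders, and the Cleartext-Password syntax assumes FreeRADIUS 2.x or later (on the 1.x servers current when this thread was written the check item was written as User-Password == "..."). The first part is rlm_files syntax for /etc/freeradius/users; the second is IOS CLI.

```text
# /etc/freeradius/users  (FreeRADIUS rlm_files; example only)

# Wrong: a bare "priv-lvl=15" is not a valid Cisco AV pair.  IOS does not
# recognise it, so the user lands in user EXEC (level 1) and must still
# type "enable".
#badadmin  Cleartext-Password := "example-only"
#          Service-Type = NAS-Prompt-User,
#          Cisco-AVPair = "priv-lvl=15"

# Right: the "shell:" protocol prefix is required.  Service-Type
# NAS-Prompt-User marks the session as an EXEC shell rather than a
# PPP/Framed session.  Attribute names are case-insensitive in FreeRADIUS,
# so "cisco-avpair" and "Cisco-AVPair" both resolve to the same
# dictionary entry.
netadmin   Cleartext-Password := "example-only"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=15"

# Read-only operator: placed in user EXEC (level 1); privileged mode
# still requires the enable step.
netops     Cleartext-Password := "example-only"
           Service-Type = NAS-Prompt-User,
           Cisco-AVPair = "shell:priv-lvl=1"

! ---- Cisco IOS side (assumed address and secret; adjust to your NAS) ----
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key example-shared-secret
aaa authentication login default group radius local
aaa authorization exec default group radius local
line vty 0 4
 login authentication default
 authorization exec default
```

With "aaa authorization exec" in place and "shell:priv-lvl=15" in the Access-Accept, the netadmin user drops straight into privileged EXEC after login and never types "enable"; netops, with level 1, gets the ordinary user prompt. You can check what the server hands back without touching a router: radtest netadmin example-only 127.0.0.1 0 testing123 (using the client secret configured for localhost) should print an Access-Accept carrying both Service-Type and Cisco-AVPair. Two practical caveats: the users file holds passwords in clear text, so keep it readable only by the account radiusd runs as; and the "local" keyword in the aaa lines is a fallback used when no RADIUS server answers, which means the device's local accounts and enable secret remain a live login path and must be protected as carefully as the RADIUS credentials.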
Re: Support for Cisco
I thought it was:

 cisco-avpair = "shell:priv-lvl=levelnumber"

If not, we need to fix the wiki.

Cheers

Peter

On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
> Use proper format:
>
> Cisco-AVPair = "priv-lvl=levelnumber"
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/7/2007, "ashish verma" <[EMAIL PROTECTED]> writes:
> >Hi all,
> >
> >I am trying to configure "free radius" for some Cisco devices.
> >Till now I am able to authenticate using the radius server and I am
> > getting into user level or privilege level depending on the attribute I
> > am defining. Now what I am looking for is authorization.
> >There is something called "Cisco-AV priv" attribute through which one can
> >define privilege level from 1 to 15. But I am not able to define it in
> >"users file".
> >Can anyone tell me how to define this or whether we can define this kind
> > of attribute in freeradius or not?
> >
> >Thanks in advance,
> >Ashish
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

--
Peter Nixon
http://peternixon.net/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Support for Cisco
On Thu 19 Jul 2007, ashish verma wrote:
> Hi all,
>
> I am trying to configure "free radius" for some Cisco devices.
> Till now I am able to authenticate using the radius server and I am
> getting into user level or privilege level depending on the attribute I am
> defining. Now what I am looking for is authorization.
> There is something called "Cisco-AV priv" attribute through which one can
> define privilege level from 1 to 15. But I am not able to define it in
> "users file".
> Can anyone tell me how to define this or whether we can define this kind
> of attribute in freeradius or not?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

--
Peter Nixon
http://peternixon.net/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Support for Cisco
Hi all,

I am trying to configure "free radius" for some Cisco devices.
Till now I am able to authenticate using the radius server and I am getting
into user level or privilege level depending on the attribute I am defining.
Now what I am looking for is authorization.
There is something called "Cisco-AV priv" attribute through which one can
define privilege level from 1 to 15. But I am not able to define it in
"users file".
Can anyone tell me how to define this or whether we can define this kind of
attribute in freeradius or not?

Thanks in advance,
Ashish

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html