unsubscribe

2007-10-02 Thread John Wan


John Wan 
Project Manager (DMZ project), Information Technology Services
Melbourne Business School
T: +61 3 9349 8428
F: +61 3 9349 8433
M: 0419 349 339



Please consider the environment before printing this email 
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
 Alan DeKok
 Sent: Tuesday, 2 October 2007 3:06 PM
 To: FreeRadius users mailing list
 Subject: Re: Shared Secret
 
 Cesar De la Hoz wrote:
  I want to set up a Client in my server by only setting his IP, and
not caring about the shared secret he's using. Is this
 possible ?
 
   No.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
Notice from Melbourne Business School Ltd 


The information contained in this e-mail is confidential, and is intended for
the named person's use only.  It may contain proprietary or legally privileged
information. If you have received this email in error, please notify the
sender and delete it immediately.  You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this message if you are not
the intended recipient

Internet communications are not secure. You should scan this message and any
attachments for viruses. Melbourne Business School does not accept any
liability for loss or damage which may result from receipt of this message or
any attachments.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
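Why the answer to the quoted Shared Secret question is "no": in RADIUS the secret is not a password the server merely checks, it is the key from which the User-Password hiding (RFC 2865 section 5.2) and the Response Authenticator (section 3) are derived, so a client entry with an IP address but no secret could neither have its passwords decoded nor be sent a reply it can verify. The script below is an added example, not code from this list or from FreeRADIUS: it implements both constructions and runs one Access-Request through a toy server with the right secret and with a wrong one. The user name, password, secret and request authenticator are constructed values; Message-Authenticator (RFC 2869), which EAP requires, is not implemented here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR the NUL-padded password with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128 or b"\x00" in password:
        raise ValueError("User-Password must be 1..128 octets without NUL")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; with the wrong secret this yields garbage, not an error."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_avps(data: bytes) -> dict:
    """Split the attribute area into {type: value}, rejecting malformed lengths."""
    avps, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        avps[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return avps


def access_request(ident, username, password, secret, request_authenticator=None):
    """NAS side: the secret is already needed here, to encode User-Password."""
    ra = request_authenticator or os.urandom(16)
    attrs = _avp(USER_NAME, username) + _avp(USER_PASSWORD, hide_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def build_reply(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(packet, request_authenticator, secret) -> bool:
    """NAS side: a reply produced without the right secret fails this check."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def server_handle(packet, secret, userdb) -> bytes:
    """Server side: recover the password with this client's secret and answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, avps = packet[4:20], parse_avps(packet[20:])
    password = reveal_password(avps[USER_PASSWORD], secret, ra)
    ok = hmac.compare_digest(password, userdb.get(avps[USER_NAME], b""))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, ra, b"", secret)


def demo() -> dict:
    """One exchange with the right secret and one with a wrong one (constructed values)."""
    secret, ra = b"testing123", bytes(range(16))
    req = access_request(9, b"bob", b"hunter2", secret, ra)
    good = server_handle(req, secret, {b"bob": b"hunter2"})
    bad = server_handle(req, b"wrong-secret", {b"bob": b"hunter2"})
    return {
        "accepted_with_right_secret": good[0] == ACCESS_ACCEPT,
        "reply_authentic": reply_is_authentic(good, ra, secret),
        "rejected_with_wrong_secret": bad[0] == ACCESS_REJECT,
        "forged_reply_detected": not reply_is_authentic(bad, ra, secret),
    }
```

A server holding the wrong secret still answers, it just answers Access-Reject, and its reply then fails the NAS's authenticator check; that pair of symptoms is what a mismatched shared secret looks like in practice, and a client entry with no secret at all has nothing to feed either computation.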


Re: unsubscribe

2007-10-02 Thread Live Great
Can  you please stop sending this email to the group?

Thank you
Sam

- Original Message 
From: John Wan [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, October 2, 2007 4:12:29 PM
Subject: unsubscribe




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

error with dictionary definition.

2007-10-02 Thread Live Great

Hi,

I really need help to solve this error. I have been working on it for a
few days, and still can't get it working. I am using the following
packages in a FreeBSD (6.2) SIP server:

core:radiusclient-ng # ps -auxww | grep openser
root  46008  0.0  0.1  1548  1008  p5  R+1:41PM   0:00.00 grep openser
core:radiusclient-ng # pkg_info | grep openser
openser-1.2.2   A very fast and configurable SIP proxy with TLS support
core:radiusclient-ng # pkg_info | grep radius
freeradius-mysql-1.1.7 A free RADIUS server implementation with MySQL support
radiusclient-0.5.6  Client library and basic utilities for Radius authenticated
core:radiusclient-ng # pkg_info | grep proxy
mediaproxy-1.8.2_1  A far-end NAT traversal solution for SER/OpenSER

The problem is that after I merged the two dictionary files (cat
dictionary.sip >> dictionary) and added the following lines to
the radiusclient-ng/dictionary file,

ATTRIBUTE   Acct-Status-Type    40  integer
ATTRIBUTE   Service-Type        6   integer
ATTRIBUTE   Event-Timestamp     55  integer
ATTRIBUTE   Acct-Session-Id     44  string
ATTRIBUTE   src_leg             1   integer
ATTRIBUTE   dst_leg             1   integer

VALUE   Acct-Status-Type    Start           1
VALUE   Acct-Status-Type    Stop            2
VALUE   Acct-Status-Type    Alive           3   # dup
VALUE   Acct-Status-Type    Interim-Update  3
VALUE   Acct-Status-Type    Accounting-On   7
VALUE   Acct-Status-Type    Accounting-Off  8
VALUE   Acct-Status-Type    Failed          15

VALUE   Service-Type        Sip-Session     15

starting openser gives the following error:

ERROR:acc:extra2int: src_leg is not a number
ERROR:acc:acc_diam_init: leg info names for DIAMTER must be integer AVP codes

Can anyone please help?

Thanks
Sam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
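Whatever the Diameter side of the openser error, the dictionary lines in the post are worth checking on their own before they are merged into a file that radiusclient-ng will parse. The checker below is an added example, not part of the post or of radiusclient-ng: it parses ATTRIBUTE and VALUE lines and reports non-integer or out-of-range numbers, unknown types, duplicate names and numbers, and VALUEs for undefined or non-integer attributes. The sample is the post's own lines with whitespace restored (a constructed copy); on them it flags dst_leg reusing attribute number 1 and reports the Alive/Interim-Update pair as an alias warning rather than an error, since RADIUS dictionaries commonly carry both names for value 3. The set of accepted types is an assumption; extend it for your client library, and run the function over the merged dictionary file to catch collisions with the standard attributes as well.

```python
from collections import defaultdict

# Types accepted by radiusclient-ng style dictionaries (assumed; extend as needed).
KNOWN_TYPES = {"string", "integer", "ipaddr", "date"}

# Constructed sample: the ATTRIBUTE/VALUE lines from the post above, whitespace restored.
SAMPLE_DICTIONARY = """\
ATTRIBUTE   Acct-Status-Type    40  integer
ATTRIBUTE   Service-Type        6   integer
ATTRIBUTE   Event-Timestamp     55  integer
ATTRIBUTE   Acct-Session-Id     44  string
ATTRIBUTE   src_leg             1   integer
ATTRIBUTE   dst_leg             1   integer

VALUE   Acct-Status-Type    Start           1
VALUE   Acct-Status-Type    Stop            2
VALUE   Acct-Status-Type    Alive           3   # dup
VALUE   Acct-Status-Type    Interim-Update  3
VALUE   Acct-Status-Type    Accounting-On   7
VALUE   Acct-Status-Type    Accounting-Off  8
VALUE   Acct-Status-Type    Failed          15

VALUE   Service-Type        Sip-Session     15
"""


def parse_dictionary(text):
    """Parse ATTRIBUTE/VALUE lines.

    Returns (attrs, values, problems):
      attrs     name -> (number, type, vendor-or-None)
      values    attribute name -> {value name: number}
      problems  [(line_no, 'error' | 'warning', message), ...]
    """
    attrs, values, problems = {}, defaultdict(dict), []
    numbers = {}  # (vendor, number) -> first attribute name that used it

    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, collapse whitespace
        if not fields:
            continue
        kw = fields[0]
        if kw == "ATTRIBUTE":
            if len(fields) not in (4, 5):
                problems.append((n, "error", "ATTRIBUTE needs: name number type [vendor]"))
                continue
            name, num, typ = fields[1:4]
            vendor = fields[4] if len(fields) == 5 else None
            if not num.isdigit() or not 1 <= int(num) <= 255:
                problems.append((n, "error", f"attribute number {num!r} is not an integer in 1..255"))
                continue
            if typ not in KNOWN_TYPES:
                problems.append((n, "error", f"unknown type {typ!r} for {name}"))
                continue
            if name in attrs:
                problems.append((n, "error", f"attribute {name} defined twice"))
                continue
            key = (vendor, int(num))
            if key in numbers:
                problems.append((n, "error", f"number {num} already used by {numbers[key]}"))
            numbers.setdefault(key, name)
            attrs[name] = (int(num), typ, vendor)
        elif kw == "VALUE":
            if len(fields) != 4:
                problems.append((n, "error", "VALUE needs: attribute name number"))
                continue
            attr, vname, vnum = fields[1:]
            if attr not in attrs:
                problems.append((n, "error", f"VALUE for undefined attribute {attr}"))
                continue
            if attrs[attr][1] != "integer":
                problems.append((n, "error", f"VALUE for non-integer attribute {attr}"))
                continue
            if not vnum.isdigit():
                problems.append((n, "error", f"value {vnum!r} is not an integer"))
                continue
            if vname in values[attr]:
                problems.append((n, "error", f"{attr} value name {vname} defined twice"))
                continue
            alias = [k for k, v in values[attr].items() if v == int(vnum)]
            if alias:
                problems.append((n, "warning", f"{attr} value {vnum} already named {alias[0]}"))
            values[attr][vname] = int(vnum)
        elif kw in ("VENDOR", "$INCLUDE"):
            problems.append((n, "warning", f"{kw} line not followed by this checker"))
        else:
            problems.append((n, "warning", f"unrecognised keyword {kw!r}"))
    return attrs, dict(values), problems
```

Feed it the merged file (open(path).read()) rather than the snippet to see every collision at once; a number reused between the custom lines and the standard attributes shows up as the same "already used by" error.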

Re: error with dictionary definition.

2007-10-02 Thread Alan DeKok
Live Great wrote:
 Start openser recevied the following error:

  Why are you asking this question here?  It's really an openser issue.

 ERROR:acc:extra2int: src_leg is not a number
 ERROR:acc:acc_diam_init: leg info names for DIAMTER must be integer AVP
 codes

  I know very little about openser, but I can tell that DIAMETER is not
RADIUS.

  FreeRADIUS doesn't do Diameter.  Freeradiusclient doesn't do it,
either.  So my conclusion is that this problem has nothing to do with
FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: error with dictionary definition.

2007-10-02 Thread Live Great
But have you created similar ATTRIBUTEs for radiusclient-ng's dictionary?

Thanks
Sam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: error with dictionary definition.

2007-10-02 Thread Live Great

But have you created similar ATTRIBUTEs for radiusclient-ng's dictionary?
If not, how did you set it up for accounting purposes?

Thanks
Sam
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: error with dictionary definition.

2007-10-02 Thread Alan DeKok
Live Great wrote:
 But have you created similar ATTRIBUTEs for readiusclient-ng's dictionary?

  Similar to what?  Diameter?

  And radiusclient-ng is no longer supported by anyone.  See the main
freeradius.org page for the new freeradius-client.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Guys

Got a problem with rlm_python using 1.1.7 on Debian etch with no changes
to source other than to move rlm_python in to the stable modules file.

The module is in the path and an strace shows the file being found.

rlm_python:python_load_function: module 'radiusd_test' is not found
rlm_python:EXCEPT:exceptions.ImportError:
/usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
rlm_python:python_load_function: failed to import python function
'radiusd_test.instantiate'
radiusd.conf[1]: python: Module instantiation failed.

Any idea would be great
Thanks
Mike


--- File is found and loaded
open(/usr/lib/python2.4/site-packages/radiusd_test.py,
O_RDONLY|O_LARGEFILE) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=497, ...}) = 0
open(/usr/lib/python2.4/site-packages/radiusd_test.pyc,
O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7b67000
read(6, m\362\r\n[EMAIL PROTECTED]...,
4096) = 1408
fstat64(6, {st_mode=S_IFREG|0644, st_size=1408, ...}) = 0
read(6, , 4096)   = 0
close(6)= 0
munmap(0xb7b67000, 4096)= 0
stat64(/usr/lib/python24.zip/time, 0xbfa8422c) = -1 ENOENT (No such
file or directory)
open(/usr/lib/python24.zip/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python24.zip/timemodule.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python24.zip/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python24.zip/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
stat64(/usr/lib/python2.4/time, 0xbfa8422c) = -1 ENOENT (No such file
or directory)
open(/usr/lib/python2.4/time.so, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/timemodule.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/time.py, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/time.pyc, O_RDONLY|O_LARGEFILE) = -1 ENOENT
(No such file or directory)
stat64(/usr/lib/python2.4/plat-linux2/time, 0xbfa8422c) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.so, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/timemodule.so,
O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.py, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/plat-linux2/time.pyc, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-tk/time, 0xbfa8422c) = -1 ENOENT (No
such file or directory)
open(/usr/lib/python2.4/lib-tk/time.so, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/timemodule.so, O_RDONLY|O_LARGEFILE) =
-1 ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.py, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
open(/usr/lib/python2.4/lib-tk/time.pyc, O_RDONLY|O_LARGEFILE) = -1
ENOENT (No such file or directory)
stat64(/usr/lib/python2.4/lib-dynload/time, 0xbfa8422c) = -1 ENOENT
(No such file or directory)
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY|O_LARGEFILE) = 6
fstat64(6, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
open(/usr/lib/python2.4/lib-dynload/time.so, O_RDONLY) = 7
read(7, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\22\0...,
512) = 512
fstat64(7, {st_mode=S_IFREG|0644, st_size=15860, ...}) = 0
mmap2(NULL, 19072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 7, 0)
= 0xb79a6000
mmap2(0xb79a9000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 7, 0x2) = 0xb79a9000
close(7)= 0
munmap(0xb79a6000, 19072)   = 0
close(6)= 0
close(5)= 0
futex(0x8010a620, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:python_load_function:...,
68rlm_python:python_load_function: module 'radiusd_test' is not found
) = 68
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:EXCEPT:exceptions.Imp...,
114rlm_python:EXCEPT:exceptions.ImportError:
/usr/lib/python2.4/lib-dynload/time.so: undefined symbol: PyExc_IOError
) = 114
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, rlm_python:python_load_function:...,
93rlm_python:python_load_function: failed to import python function
'radiusd_test.instantiate'
) = 93
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
futex(0x801083f8, FUTEX_WAKE, 1)= 0
time(NULL)  = 1191313703
write(1, radiusd.conf[1]: python: Module ..., 

Re: rlm_Python - PyExc_IOError

2007-10-02 Thread Alan DeKok
Mike O'Connor wrote:
 Got a problem with rlm_python using 1.1.7 on Debian etch with no changes
 to source other than to move rlm_python in to the stable modules file.
 
 The module is in the path and an strace shows the file being found.

  Is radiusd.py in the path?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Alan

   Is radiusd.py in the path?
   

Yep in the same place as my own code

/usr/lib/python2.4/site-packages/

Strace never shows that file being requested for loading.

Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Supplicant seems not to send password user

2007-10-02 Thread Sergio Belkin
2007/10/1, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Yes. This is still the certificate problem. You haven't got to the
 password check yet. Check that you have imported the correct
 certificates (as per previous post).

 Ivan Kalik
 Kalik Informatika ISP

It's a bit strange, I think that I created and imported it well. I did so:

cd /usr/local/etc/raddb

/etc/pki/tls/misc/CA -newca

openssl req -new -nodes -keyout privadaradius.pem -out
pedidoradius.pem -days 730 -config /etc/pki/tls/openssl.cnf

openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything
-out publicaradius.pem -extensions xpserver_ext -extfile
/etc/pki/tls/xpextensions -infiles pedidoradius.pem

I edited publicaradius.pem in order to delete the lines above BEGIN
CERTIFICATE and joined it with the key file. Previously I backed up the
certificate file:

cp publicaradius.pem publicaradius.pem.bkp

cat privadaradius.pem publicaradius.pem > privandpubradius.pem

DH file creation:

openssl dhparam -check -text -5 512 -out dh

Random file:

dd if=/dev/urandom of=random count=2

Then I copied cacert.pem to pendrive and imported in Windows as
Trusted Certificate in mmc. OK, you can say pem is not the right
format, ok, I've created the der file:

 openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out CA/cacert.der

Ok, you say, der is not the format but p12 is, so:

openssl pkcs12 -export -in certs/CA/cacert.pem -inkey
certs/CA/private/cakey.pem -out certs/CA/cacert.p12 -clcerts

In each case I imported the certificate but it never worked :(

What's wrong about all of this?

Thanks in advance



 On 1/10/2007, Sergio Belkin [EMAIL PROTECTED] wrote:

 2007/10/1, [EMAIL PROTECTED] [EMAIL PROTECTED]:
  Because conversation hasn't got to password checking. Probably, since
  this debug doesn't mean much to me.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 These are Debug messages (using a wrong password)
 
 rad_recv: Access-Request packet from host 10.30.1.151:1036, id=66, length=98
 User-Name = test
 Calling-Station-Id = 00-0e-35-bf-51-18
 EAP-Message = 0x020100090174657374
 Framed-MTU = 1287
 NAS-IP-Address = 192.168.1.1
 NAS-Port = 0
 NAS-Port-Type = Wireless-802.11
 Message-Authenticator = 0xb8d1b41830e1a2edc1ecf677b3936c68
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 2
   modcall[authorize]: module preprocess returns ok for request 2
   modcall[authorize]: module chap returns noop for request 2
   modcall[authorize]: module mschap returns noop for request 2
 rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 2
   rlm_eap: EAP packet type response id 1 length 9
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 2
 users: Matched entry test at line 79
   modcall[authorize]: module files returns ok for request 2
 rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module pap returns noop for request 2
 modcall: leaving group authorize (returns updated) for request 2
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 2
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns handled for request 2
 modcall: leaving group authenticate (returns handled) for request 2
 Sending Access-Challenge of id 66 to 10.30.1.151 port 1036
 Reply-Message = Hola test
 EAP-Message = 0x010200061920
 Message-Authenticator = 0x
 State = 0x0554162407c62e4d26c570bf0dc3a4aa
 Finished request 2
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187
 User-Name = test
 Calling-Station-Id = 00-0e-35-bf-51-18
 EAP-Message =
 0x02020050198000461603010041013d030147015317f20f33b39cf4163f4dc7389a82b29787664c80850600d8173d387a8c1600040005000a000900640062000300060013001200630100
 Framed-MTU = 1287
 NAS-IP-Address = 192.168.1.1
 NAS-Port = 0
 NAS-Port-Type = Wireless-802.11
 State = 0x0554162407c62e4d26c570bf0dc3a4aa
 Message-Authenticator = 0x772f0fcf0b9095b3987366da2b8b0eec
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 3
   modcall[authorize]: module preprocess returns ok for request 3
   modcall[authorize]: module chap returns noop for request 3
   modcall[authorize]: module mschap returns noop for request 3
 rlm_realm: No '@' in User-Name = test, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module 

Re: rlm_Python - PyExc_IOError

2007-10-02 Thread Mike O'Connor
Hi Guys

I decided to try freeradius-2.0.0-pre2 and it gives a much clearer idea of
the problem.
The issue seems to be that the rlm_python module is having trouble
loading dynamic code.

Mike

write(1, exceptions.ImportError: /usr/lib...,
97exceptions.ImportError: /usr/lib/python2.4/lib-dynload/time.so:
undefined symbol: PyExc_IOError
) = 97
write(1, Failed to import python module \..., 47Failed to import
python module radiusd_test
) = 47
write(1, /etc/freeradius/rlmpython.conf[1...,
76/etc/freeradius/rlmpython.conf[1]: Instantiation failed for module
python
) = 76
write(1, /etc/freeradius/sites-enabled/de...,
76/etc/freeradius/sites-enabled/default[126]: Failed to find module
python.
) = 76
write(1, /etc/freeradius/sites-enabled/de...,
79/etc/freeradius/sites-enabled/default[35]: Failed to parse authorize
section.
) = 79
write(1,  }\n, 3 }
) = 3
write(1, }\n, 2}
)  = 2
write(1, Errors setting up modules\n, 26Errors setting up modules
) = 26
exit_group(1)   = ?
Process 1212 detached

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Supplicant seems not to send password user

2007-10-02 Thread tnt
I can't go through this now. Perhaps later this evening. Anything wrong
with using the provided and tested CA.all script? Or do you just like things
complicated? At first glance you are using cacert as a root certificate
instead of creating one.

Ivan Kalik
Kalik Informatika ISP



radwho question....

2007-10-02 Thread Chris Bradshaw
Hi

I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an
authentication backend for our wireless network.

Our wireless clients all use EAP/TTLS (via the SecureW2 client) and
the access points are Cisco Aironet 1200's.

I have noticed that if I run radwho, I seem to only see the name of
the user from the 'outside' of the tunnel (in this case
'anonymous'). As a result it's not possible to tell who is connected
at any one time.

Also I have noticed that the fields tend to get truncated:

Login  Name  What  TTY  When  From  Location
anonymous  anonymous shell 999 Tue 16:00 10.10.2.9

The IP address above should be 10.10.2.96.

I was just wondering if anyone might know how to fix either of these problems?

TIA

Chris Bradshaw.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FreeRADIUS TLS certificate signing

2007-10-02 Thread Chris Byrd
Can someone on the list share with me their experience with
certificate signing?  I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate.  Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?

My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients.  I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.

Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN.  Does that sound right?

Thanks in advance,

Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radwho question....

2007-10-02 Thread Alan DeKok
Chris Bradshaw wrote:
 I am using freeradius 1.0.1 on a Red Hat Ent Linux v4 server as an
 authentication backend for our wireless network.

  You really should upgrade, but that's another story.

 I have noticed that if I run radwho, I seem to only see the name of
 the user from the 'outside' of the tunnel (in this case
 'anonymous')as a result its not possible to tell who is connected
 at any one time.

  The NAS is responsible for sending the anonymous user name.  If you
want the NAS to send something different, you have to send the inner
tunnel user name back in the Access-Accept.

  See use_tunneled_reply in the configuration for the EAP module.

 Also I have noticed that the fields tend to get truncated:
 
 Login  Name  What  TTY  When  From  Location
 anonymous  anonymous shell 999 Tue 16:00 10.10.2.9
 
 The IP address above should be 10.10.2.96.

  Change the format of the printf command in radwho.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS TLS certificate signing

2007-10-02 Thread Arran Cudbard-Bell

Chris Byrd wrote:

Can someone on the list share with me their experience with
certificate signing?  I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate.  Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?

Pretty much, but make sure the Root CA you submit it to is available and 
maintained on the clients that will be using your certificate.


'GoDaddy' for example, is almost certainly not.

Whereas 'Thawte Premium Server CA' (the certification authority we use) 
is almost always there by default.

My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients.  I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.

That's a bit hit and miss.

Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN.  Does that sound right?

That's correct.

Thanks in advance,

Chris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Questions on Acct-Interim-Interval

2007-10-02 Thread Vinay Wagh
Hi, 

A couple of questions on Acct-Interim-Interval

1. I wanted to know if the Acct-Interim update that comes from the NAS has
any relevance as far as the user session maintained in the radius server is
concerned. Meaning that is it treated like a keep-alive of some sort. If the
Acct-Interim-Interval is configured to be 100 seconds and the NAS sends the
Interim-Update after 200 seconds does the freeradius server care ?

2. What is the typical value of this attribute, I ask because if this value
is configured to be small then it will generate a lot of interim updates
from a NAS that supports large number of subscribers. At the same time I am
not sure how the service providers who deploy the server use this Attribute
and how often do they want the updates.

Thanks,
Vinay

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Supplicant seems not to send password user

2007-10-02 Thread Ivan Kalik
OK. Had some time to look at your certificates. You have created a server
certificate but not the (signed) root one. Instead you used and exported
cacert. Also your server cert and private key are separate files while in your
tls config you configured them as the same file. Have a look at the CA.all script
that comes with the freeradius distribution (or better, use it) to see how it
should be done. It places the key in the same file as the certificate.
 
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
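The procedure Ivan describes, carried out end to end by a Python script driving openssl (an added example, not the CA.all or certs.sh scripts from the FreeRADIUS distribution): a self-signed root CA, a server certificate signed by that CA with the xpserver_ext extended key usage, and the key and certificate written into the single file the tls section of eap.conf points at. The CA and server names, the 730-day lifetime and the inline copy of the two xpextensions sections are assumptions. The checks at the end run openssl verify against the CA, look for the server EKU in the certificate text, and use Python's ssl module to confirm that the key and certificate in the combined file belong together, with a negative control that glues the wrong key to the certificate.

```python
import os
import ssl
import subprocess
import tempfile

# Constructed copy of the two EKU sections FreeRADIUS's xpextensions file carries:
# serverAuth (1.3.6.1.5.5.7.3.1) for the RADIUS server, clientAuth (...3.2) for supplicants.
XPEXTENSIONS = """\
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
"""


def _openssl(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_eap_tls_pki(workdir, ca_cn="Example Root CA", server_cn="radius.example.org", days=730):
    """Create cacert.pem (the root, for the supplicants) and server.pem (key + cert, for eap.conf)."""
    with open(os.path.join(workdir, "xpextensions"), "w") as f:
        f.write(XPEXTENSIONS)
    # 1. A self-signed root CA. cacert.pem is what gets imported on the clients; cakey.pem never leaves.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", f"/CN={ca_cn}", "-days", str(days),
             "-keyout", "cakey.pem", "-out", "cacert.pem", cwd=workdir)
    # 2. Server key and certificate request.
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", f"/CN={server_cn}",
             "-keyout", "serverkey.pem", "-out", "server.csr", cwd=workdir)
    # 3. Sign it with the CA, adding the xpserver_ext EKU that Windows supplicants require.
    _openssl("x509", "-req", "-in", "server.csr", "-CA", "cacert.pem", "-CAkey", "cakey.pem",
             "-CAcreateserial", "-days", str(days),
             "-extfile", "xpextensions", "-extensions", "xpserver_ext",
             "-out", "servercert.pem", cwd=workdir)
    # 4. Key first, then certificate, in the one file eap.conf's tls section refers to.
    combined = os.path.join(workdir, "server.pem")
    with open(combined, "wb") as out:
        for name in ("serverkey.pem", "servercert.pem"):
            with open(os.path.join(workdir, name), "rb") as f:
                out.write(f.read())
    return combined


def key_matches_cert(pem_path):
    """True if the file holds a private key and a certificate that belong together."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(pem_path)
        return True
    except ssl.SSLError:
        return False


def check_eap_tls_pki(workdir):
    """Return (chain verifies against cacert.pem, server EKU present, key/cert pair consistent)."""
    verify = subprocess.run(["openssl", "verify", "-CAfile", "cacert.pem", "servercert.pem"],
                            cwd=workdir, capture_output=True, text=True)
    text = subprocess.run(["openssl", "x509", "-in", "servercert.pem", "-noout", "-text"],
                          cwd=workdir, capture_output=True, text=True, check=True).stdout
    return (verify.returncode == 0,
            "TLS Web Server Authentication" in text,
            key_matches_cert(os.path.join(workdir, "server.pem")))


def demo():
    """Build the PKI in a scratch directory, run the checks, and confirm a wrong key is rejected."""
    with tempfile.TemporaryDirectory() as d:
        build_eap_tls_pki(d)
        chain_ok, eku_ok, pair_ok = check_eap_tls_pki(d)
        bad = os.path.join(d, "mismatch.pem")  # CA key glued to the server cert
        with open(bad, "wb") as out:
            for name in ("cakey.pem", "servercert.pem"):
                with open(os.path.join(d, name), "rb") as f:
                    out.write(f.read())
        return {"chain_ok": chain_ok, "server_eku": eku_ok,
                "key_matches_cert": pair_ok, "mismatch_rejected": not key_matches_cert(bad)}
```

cacert.pem is the file to install on the Windows supplicants as a trusted root; server.pem goes into eap.conf and must stay readable only by the radiusd user. The 512-bit dhparam from the quoted commands is far below current minimums; generate at least 2048 bits for the dh file.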

Re: Supplicant seems not to send password user

2007-10-02 Thread Sergio Belkin
2007/10/2, Ivan Kalik [EMAIL PROTECTED]:


 OK. Had some time to look at your certificates. You have created a server
 certificate but not the (signed) root one. Instead you used and exported
 cacert. Also your server cert and private keys are separate while in your
 tls config you configured them as a same file. Have a look at CA.all script
 that comes with the freeradius distribution (or better use it) to see how it
 should be done. It places the key in the same file as the certificate.

 Ivan Kalik
 Kalik Informatika ISP
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



Hi Ivan, thanks for your time. I've deleted those files and recreated
them with certs.sh and CA.all.
Now I have signed certificates in der, p12 and pem formats. Which of
these should I use in eap.conf?
I don't understand something: isn't the root one cacert.*?
-- 
--
Sergio Belkin -


RE: FreeRADIUS TLS certificate signing

2007-10-02 Thread David Stubblefield
I just went through the process last night, and the initial steps you
outline are part of the first steps. I used RapidSSL and found it quite
straightforward; the knowledge base is well laid out and answered any
questions I had. After the initial submission of the CSR, you have to go
through a validation process; once completed, you get the cert and have
to install it, all well documented. RapidSSL also offers a 30 day trial
SSL that may be beneficial in your situation.

Good luck,
-Stubbs

 Can someone on the list share with me their experience with
 certificate signing?  I'd like to submit a CSR to a commercial signing
 authority such as GoDaddy so that wireless clients can establish a TLS
 session with a trusted certificate.  Is this as simple as:
 openssl genrsa -out radius.key 1024
 openssl req -new -key radius.key -out radius.csr
 Then submitting the CSR to the signing authority?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Chris Byrd
Sent: Tuesday, October 02, 2007 9:42 AM
To: freeradius-users@lists.freeradius.org
Subject: FreeRADIUS TLS certificate signing

Can someone on the list share with me their experience with
certificate signing?  I'd like to submit a CSR to a commercial signing
authority such as GoDaddy so that wireless clients can establish a TLS
session with a trusted certificate.  Is this as simple as:
openssl genrsa -out radius.key 1024
openssl req -new -key radius.key -out radius.csr
Then submitting the CSR to the signing authority?

My biggest concern is if the signing authority will add the Enhanced
Key Usage parameters necessary to support Windows clients.  I think I
read that they add it to support SSL web servers, but I haven't been
able to find that reference again.

Also, in my testing it appears that unlike with web servers, it
doesn't really matter what CN you use - since clients aren't resolving
DNS at that point, it appears from my testing that they take any cert
signed by a trusted signing authority, and don't do the standard check
of FQDN == CN.  Does that sound right?

Thanks in advance,

Chris

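As an added example (not from the thread), here is the key/CSR step above done with a request config that asks for the Server Authentication EKU Chris is worried about, plus a check to run on whatever certificate the CA actually returns, since a CA may ignore requested extensions. The name radius.example.org, the paths, the 2048-bit key size and the self-signed demo certs are this example's choices, not anything from the list.

```shell
#!/bin/sh
# Added example, not from the thread: request the serverAuth EKU in the CSR
# and verify the issued certificate carries it. All names/paths are made up.
set -e
WORK=$(mktemp -d)

# Request config: the CSR asks for extendedKeyUsage = serverAuth
# (OID 1.3.6.1.5.5.7.3.1), the EKU Windows supplicants look for on the
# RADIUS server certificate. The CA decides whether to honour it.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = srv_ext
prompt             = no
[ dn ]
CN = radius.example.org
O  = Example Org
[ srv_ext ]
extendedKeyUsage = serverAuth
subjectAltName   = DNS:radius.example.org
EOF

openssl genrsa -out "$WORK/radius.key" 2048 2>/dev/null
openssl req -new -key "$WORK/radius.key" -config "$WORK/req.cnf" -out "$WORK/radius.csr"

# has_server_auth_eku CERT.pem -> exit 0 if the cert carries serverAuth, 1 if not.
# Run this on the certificate the CA sends back before installing it.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'X509v3 Extended Key Usage' \
      | grep -q 'TLS Web Server Authentication'
}

# Demo only: self-sign the CSR twice, once copying the requested extensions
# (as a CA that honours them would) and once without, so the check has
# both a good and a bad certificate to look at.
openssl x509 -req -in "$WORK/radius.csr" -signkey "$WORK/radius.key" -days 30 \
    -extfile "$WORK/req.cnf" -extensions srv_ext -out "$WORK/with_eku.pem" 2>/dev/null
openssl x509 -req -in "$WORK/radius.csr" -signkey "$WORK/radius.key" -days 30 \
    -out "$WORK/without_eku.pem" 2>/dev/null
```

Because supplicants do not match the CN against a DNS name, the compensating control is on the client side: configure the supplicant to accept only the specific CA and server name it expects, not any certificate from any trusted root.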


Re: More debug info about LDAP?

2007-10-02 Thread Brad Lachel

I am having this same issue.  Did you ever find/get a solution?


On Mar 21, 2007, at 11:23 AM, rickan wrote:


Hi guys,

I am trying to establish a secure connection between freeradius and
a Novell eDirectory LDAP server. After configuring LDAP in
radiusd.conf it seemed to work, almost:

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.1.5:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /usr/local/etc/raddb/ldap_ca_cert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Operations error
rlm_ldap: (re)connection attempt failed

Because I don't know how to get logs from the eDirectory side, I
recorded the traffic between both hosts and saw that the TLS
handshake had been done, both machines had exchanged cipher keys and
begun to send data. After 3 or 4 packets the LDAP server sent an
encrypted alert and disconnected. Since these data are encrypted
I could not see what actually happened.

My question: is it possible to get more debug info from the
freeradius side? If yes, how?

Thanks,

Rickan


Brad Lachel
[EMAIL PROTECTED]






Re: Supplicant seems not to send password user

2007-10-02 Thread Sergio Belkin
2007/10/2, Sergio Belkin [EMAIL PROTECTED]:
 2007/10/2, Ivan Kalik [EMAIL PROTECTED]:
 
 
  OK. Had some time to look at your certificates. You have created a server
  certificate but not the (signed) root one. Instead you used and exported
  cacert. Also your server cert and private keys are separate while in your
  tls config you configured them as the same file. Have a look at the CA.all script
  that comes with the freeradius distribution (or better, use it) to see how it
  should be done. It places the key in the same file as the certificate.
 
  Ivan Kalik
  Kalik Informatika ISP
 


 Hi Ivan, thanks for your time. I've deleted those files and recreated
 them with certs.sh and CA.all.
 Now I have signed certificates in der, p12 and pem formats. Which of
 these should I use in eap.conf?
 I don't understand something: isn't the root one cacert.*?
 --
 --
 Sergio Belkin -


And I don't know why but I only get client and server certificates but
not root certificate using CA.all
-- 
--
Sergio Belkin -


Re: Supplicant seems not to send password user

2007-10-02 Thread tnt
Use default values:

private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem

Root contains the key as well. You export root.der to XP clients.

Ivan Kalik
Kalik Informatika ISP


On 2/10/2007, Sergio Belkin [EMAIL PROTECTED] writes:

2007/10/2, Ivan Kalik [EMAIL PROTECTED]:


 OK. Had some time to look at your certificates. You have created a server
 certificate but not the (signed) root one. Instead you used and exported
 cacert. Also your server cert and private keys are separate while in your
 tls config you configured them as the same file. Have a look at the CA.all script
 that comes with the freeradius distribution (or better, use it) to see how it
 should be done. It places the key in the same file as the certificate.

 Ivan Kalik
 Kalik Informatika ISP



Hi Ivan, thanks for your time. I've deleted those files and recreated
them with certs.sh and CA.all.
Now I have signed certificates in der, p12 and pem formats. Which of
these should I use in eap.conf?
I don't understand something: isn't the root one cacert.*?
--
--
Sergio Belkin -





Re: Supplicant seems not to send password user

2007-10-02 Thread tnt
Freeradius version? In new ones you should have all of them created as
you install the server.

Ivan Kalik
Kalik Informatika ISP


On 2/10/2007, Sergio Belkin [EMAIL PROTECTED] writes:

2007/10/2, Sergio Belkin [EMAIL PROTECTED]:
 2007/10/2, Ivan Kalik [EMAIL PROTECTED]:
 
 
  OK. Had some time to look at your certificates. You have created a server
  certificate but not the (signed) root one. Instead you used and exported
  cacert. Also your server cert and private keys are separate while in your
  tls config you configured them as the same file. Have a look at the CA.all script
  that comes with the freeradius distribution (or better, use it) to see how it
  should be done. It places the key in the same file as the certificate.
 
  Ivan Kalik
  Kalik Informatika ISP
 


 Hi Ivan, thanks for your time. I've deleted those files and recreated
 them with certs.sh and CA.all.
 Now I have signed certificates in der, p12 and pem formats. Which of
 these should I use in eap.conf?
 I don't understand something: isn't the root one cacert.*?
 --
 --
 Sergio Belkin -


And I don't know why but I only get client and server certificates but
not root certificate using CA.all
--
--
Sergio Belkin -





Re: Supplicant seems not to send password user

2007-10-02 Thread Sergio Belkin
2007/10/2, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 Freeradius version? In new ones you should have all of them created as
 you install the server.

 Ivan Kalik
 Kalik Informatika ISP


I'm using freeradius-1.1.7. If I use the certificates that come as demo,
the problem is that they are only valid until 24/01/2006.




-- 
--
Sergio Belkin -



RE: Questions on Acct-Interim-Interval

2007-10-02 Thread David Roze
Hi,

-Original Message-
From: [EMAIL PROTECTED]
[mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Vinay
Wagh
Sent: 02 October 2007 20:47
To: FreeRadius users mailing list
Subject: Questions on Acct-Interim-Interval

Hi, 

A couple of questions on Acct-Interim-Interval

1. I wanted to know if the Acct-Interim update that comes from the NAS has
any relevance as far as the user session maintained in the radius server is
concerned. Meaning, is it treated like a keep-alive of some sort? If the
Acct-Interim-Interval is configured to be 100 seconds and the NAS sends the
Interim-Update after 200 seconds, does the freeradius server care?

Acct-Interim-Update is an extension to the RADIUS protocol to make it more
robust for people who do accounting. It avoids losing the totality of your
session accounting if the stop record gets lost (or the NAS becomes
unavailable).
Not a keep-alive, really...


2. What is the typical value of this attribute? I ask because if this value
is configured to be small then it will generate a lot of interim updates
from a NAS that supports a large number of subscribers. At the same time I am
not sure how the service providers who deploy the server use this attribute
and how often they want the updates.

Interim updates increase the load on the NAS, especially with a lot of
sessions. 100s sounds very short and could impact your authentication
performance.
I would send every 60 min or more. Has anyone tried below that with a lot of
subscribers, maybe?


Thanks,
Vinay


David Roze

http://www.netexpertise.eu


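An added example, not from the thread, that replays constructed accounting records through a small awk "session table" to show what David describes: with Interim-Updates, a lost Stop leaves the last reported usage rather than nothing, and the interim rate a NAS fleet generates scales as subscribers divided by the interval. The record layout, session ids and numbers are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: replay constructed RADIUS accounting
# records to show why Interim-Updates make accounting robust to a lost Stop,
# and what interim load a fleet generates. All values below are made up.
# Constructed records, fields:
#   Acct-Session-Id  Acct-Status-Type  Acct-Session-Time  Acct-Output-Octets
RECORDS='s1 Start 0 0
s2 Start 0 0
s1 Interim-Update 3600 5000000
s2 Interim-Update 3600 7000000
s1 Interim-Update 7200 9000000
s1 Stop 7300 9100000'
# s2 never sends a Stop (NAS failed or the UDP packet was dropped).

# usage_report -> per session: id last-status-seen seconds octets.
# Each record overwrites the session's last known state, which is what a
# server does with interims, so s2 keeps its last Interim-Update values.
usage_report() {
    printf '%s\n' "$RECORDS" | awk '
        { last[$1] = $2; secs[$1] = $3; octets[$1] = $4 }
        END { for (id in last) print id, last[id], secs[id], octets[id] }' | sort
}

# Same replay with interims dropped: without them the lost Stop leaves s2
# at zero usage, the loss of the whole session David describes.
usage_without_interims() {
    printf '%s\n' "$RECORDS" | awk '
        $2 != "Interim-Update" { last[$1] = $2; secs[$1] = $3; octets[$1] = $4 }
        END { for (id in last) print id, last[id], secs[id], octets[id] }' | sort
}

# interim_load SUBSCRIBERS INTERVAL_SECONDS -> average Interim-Updates per
# second the NAS fleet emits in steady state (integer division).
interim_load() {
    echo $(( $1 / $2 ))
}
```

With 100000 active sessions, a 100 s interval means about 1000 accounting packets per second just for interims, against roughly 27 per second at one hour.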


Re: Supplicant seems not to send password user

2007-10-02 Thread Alan DeKok
Sergio Belkin wrote:
 I'm using freeradius-1.1.7. If I use certificates that come as demo,
 the problem is that is valid to 24/01/2006.

  Install 2.0.0-pre2 somewhere.  Start it as root, in debugging mode.
Look in raddb/certs.  There will be certs available.

  To customize them, edit ca.cnf and server.cnf.  Then run the
bootstrap program in that directory.

  Alan DeKok.