Re: freeRADIUS with Active Directory
Hangjun He wrote:
> I have configured ntlm_auth in freeRADIUS to talk to AD (user store), and it works well. Now I want to use LDAP to get attributes from AD, and it failed. It seems ldapsearch will search the user's *display name*, and ntlm_auth will search the user's *user logon name*. If I set the display name the same as the user logon name, it can work. Is there a way to let ldapsearch search the user logon name too?

The LDAP search strings are editable in radiusd.conf.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: web based admin
Dear, I also need this kind of setup. I want to replace AAA ACS with FreeRADIUS, but I don't know how accounting works in this case, or how Cisco level-based authorization does. Can you provide me a document or URL for this setup?

Hawkins, Michael wrote:
> Hi all,
>
> I am very familiar with Cisco Secure ACS for AAA of Cisco devices. I am considering using FreeRadius at another customer site instead of Cisco Secure ACS. Will I still be able to control command execution (authorization) etc. via FreeRadius? Or would I be restricted to authentication only?
>
> What do people recommend I use as a web front end for FreeRadius when managing AAA on a Cisco network via FreeRadius? I've seen daloradius but that is geared to wireless hotspots. I've taken a quick look at phpRADmin and also ASN but I'm not sure which one is more mature and would like to know other people's thoughts. Or is dialupadmin itself good enough?
>
> Any advice given is very much appreciated.
>
> Mike Hawkins

$ cat ~/satish/url.txt
http://www.linuxbug.org
Re: web based admin
Hey Michael,

On 10/29/07, Hawkins, Michael wrote:
> What do people recommend I use as a web front end for FreeRadius when managing AAA on a Cisco network via FreeRadius? I've seen daloradius but that is geared to wireless hotspots. I've taken a quick look at phpRADmin and also ASN but I'm not sure which one is more mature and would like to know other people's thoughts. Or is dialupadmin itself good enough? Any advice given is very much appreciated.

I personally don't think of daloRADIUS as geared towards hotspot deployments; rather, it has integrated support for that. If you find it lacking any enterprise-scale features or missing some functionality that you require, I'd love to hear from you so I can push all development efforts toward those topics.

Regards,
Liran.
PAM_RADIUS_AUTH
Hi,

I am trying to install PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication. I have managed to successfully compile and install the PAM plugin. When I tried to telnet to the machine from a different server I got the following error:

    Failed looking up IP address for RADIUS server radius1 (errcode=12)

I have made a host entry for this server name in the /etc/hosts file and am able to ping the RADIUS server by name. But still it's not working. Could you please help with resolving this?

Regards,
Soban
Turn off user account - MySQL
Hello,

I made a small web-based application that uses a MySQL database. I can add user accounts, create packages, add access points etc., and now I need to create a script for user control. The question is this: is it better to remove the username from the radcheck table, or is it a better option to add an Access-Reject attribute for the specific user in the radreply table? Is there any better solution? I'm also thinking of creating a small Perl script which I can call during the auth process. I'm not sure you understood me :)
Re: freeRADIUS + Openldap with TLS
Hangjun He wrote:
> I use freeradius 1.1.6 and OpenLDAP 2.3.32, and now it can authenticate successfully (freeRADIUS + OpenLDAP with TLS encryption). My question is how to set the private-key password in radiusd.conf? Is there a related variable to set, just like private_key_password in eap.conf?

No. As always, patches are welcome.

Alan DeKok.
Re: Access-Reject in a php script
manIP wrote:
> Have you found any solution to that problem? There are whole hours when I don't read this list. I'm waiting for an answer before modifying the source code... Maybe there is a bug and the official source code should be modified as Patric did.

Yes, the debug output helped. It looks like it's an issue with src/main/exec.c. The code calling module_authorize() should treat FAIL the same as REJECT.

Alan DeKok.
Re: Server instability
Nicolai Tejlgaard Hansen wrote:
> I'm having the exact same problem as described below, with Freeradius 1.7 hanging at 99 percent. Also using PEAP, MSCHAPV2, and eDir, and running 1.7 on SLES 10 SP1. I have been using the same configuration since 1.3 without any problems, but since upgrading from 1.6 to 1.7 it's crashed 3 times within a month.

As noted, it's 1.1.x, not 1.x. But in any case, crashes are bad.

It's difficult to know what changed from 1.1.3 to 1.1.7 that causes the problem. My suggestion, if you're willing to experiment, is to build a version of 1.1.7 with the rlm_ldap module from 1.1.3, i.e.

    $ rm freeradius-1.1.7/src/modules/rlm_ldap/*
    $ cp freeradius-1.1.3/src/modules/rlm_ldap/* freeradius-1.1.7/src/modules/rlm_ldap
    $ cd freeradius-1.1.7
    $ ./configure ...
    $ make

Some things in rlm_ldap changed between the two versions. This test will let us know if the issue is in rlm_ldap, or elsewhere. If it still crashes, tell us. If it doesn't crash any more, please tell us, too!

> As per Phil Mayers' request, I recompiled with the developer option (and --edir as I am using that). The following is the output:

That doesn't give anything overly suspicious. Oh well... I think I'll have to get a Mac with Leopard, and start using DTrace to debug these kinds of problems.

Alan DeKok.
Re: Access-Reject in a php script
Alan DeKok wrote:
> Yes, the debug output helped. It looks like it's an issue with src/main/exec.c. The code calling module_authorize() should treat FAIL the same as REJECT.

Is that src/main/exec.c or src/main/auth.c? If I look at src/main/auth.c I see the following:

    int rad_authenticate(REQUEST *request)
    {
        ...
        /*
         *  Get the user's authorization information from the database
         */
    autz_redo:
        result = module_authorize(autz_type, request);
        switch (result) {
            case RLM_MODULE_NOOP:
            case RLM_MODULE_NOTFOUND:
            case RLM_MODULE_OK:
            case RLM_MODULE_UPDATED:
                break;
            case RLM_MODULE_FAIL:
            case RLM_MODULE_HANDLED:
                return result;
            case RLM_MODULE_INVALID:
            case RLM_MODULE_REJECT:
            case RLM_MODULE_USERLOCK:
            default:
                ...

Is this the code you are referring to? Should RLM_MODULE_FAIL go in with the last few that drop into the default case? So this would fix it:

        result = module_authorize(autz_type, request);
        switch (result) {
            case RLM_MODULE_NOOP:
            case RLM_MODULE_NOTFOUND:
            case RLM_MODULE_OK:
            case RLM_MODULE_UPDATED:
                break;
            /* case RLM_MODULE_FAIL: */
            case RLM_MODULE_HANDLED:
                return result;
            case RLM_MODULE_FAIL:
            case RLM_MODULE_INVALID:
            case RLM_MODULE_REJECT:
            case RLM_MODULE_USERLOCK:
            default:

Makes sense, because the default case returns a reject... Alan, you are a genius! Is this even considered a bug? Can we expect this to be changed in the future?

Thanks a stack for all the time, Alan!

--
Q: I want to be a sysadmin. What should I do?
A: Seek professional help.
Re: Access-Reject in a php script
Patric wrote:
> Alan DeKok wrote:
>
> Is that src/main/exec.c or src/main/auth.c?

Sorry, src/main/auth.c

> If I look at src/main/auth.c I see the following:
>
>     int rad_authenticate(REQUEST *request)
>     {
>         ...
>         /*
>          *  Get the user's authorization information from the database
>          */
>     autz_redo:
>         result = module_authorize(autz_type, request);
>         switch (result) {
>             case RLM_MODULE_NOOP:
>             case RLM_MODULE_NOTFOUND:
>             case RLM_MODULE_OK:
>             case RLM_MODULE_UPDATED:
>                 break;
>             case RLM_MODULE_FAIL:

Delete this line.

>             case RLM_MODULE_HANDLED:
>                 return result;
>             case RLM_MODULE_INVALID:

Put a copy of that line here.

>             case RLM_MODULE_REJECT:
>             case RLM_MODULE_USERLOCK:
>             default:
>                 ...
>
> Is this the code you are referring to? Should RLM_MODULE_FAIL go in with the last few that drop into the default case?

Yes.

> Makes sense, because the default case returns a reject... Alan, you are a genius!

Sometimes. If you look at who wrote that code in the first place...

> Is this even considered a bug? Can we expect this to be changed in the future?

Yes.

> Thanks a stack for all the time, Alan!

You're welcome.

Alan DeKok.
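To make the effect of moving RLM_MODULE_FAIL concrete, here is an added C model of the dispatch above; it is not FreeRADIUS source. The RLM_MODULE_* names mirror the server's return codes, but the enum values, the outcome type and the exit-status mapping of the stand-in rlm_exec (0 = ok, 1 = reject, 2 = fail) are assumptions made for this example.

```c
/*
 * Added model of the module_authorize() dispatch discussed in this thread.
 * It is NOT FreeRADIUS source: the RLM_MODULE_* names mirror the server's
 * return codes, but the enum values, the outcome type and the exit-status
 * mapping below are simplifications chosen for this example.
 */
#include <stdio.h>

typedef enum {
    RLM_MODULE_REJECT,
    RLM_MODULE_FAIL,
    RLM_MODULE_OK,
    RLM_MODULE_HANDLED,
    RLM_MODULE_INVALID,
    RLM_MODULE_USERLOCK,
    RLM_MODULE_NOTFOUND,
    RLM_MODULE_NOOP,
    RLM_MODULE_UPDATED
} rlm_rcode_t;

/* What the authorize stage does with the request, as the NAS will see it. */
typedef enum {
    AUTHZ_CONTINUE,   /* authorize passed; go on to the authenticate stage */
    AUTHZ_PASSTHRU,   /* rcode handed back to the caller; no Access-Reject built here */
    AUTHZ_REJECT      /* default case: an Access-Reject is generated */
} authz_outcome_t;

/*
 * Stand-in for rlm_exec: a PHP (or any) script signals its decision through
 * its exit status. Assumed mapping for the example: 0 = ok, 1 = reject,
 * 2 = fail; anything else is treated as fail.
 */
static rlm_rcode_t exit_status_to_rcode(int exit_status)
{
    switch (exit_status) {
    case 0:  return RLM_MODULE_OK;
    case 1:  return RLM_MODULE_REJECT;
    case 2:  return RLM_MODULE_FAIL;
    default: return RLM_MODULE_FAIL;
    }
}

/* Dispatch as quoted from src/main/auth.c before the change. */
static authz_outcome_t dispatch_before(rlm_rcode_t result)
{
    switch (result) {
    case RLM_MODULE_NOOP:
    case RLM_MODULE_NOTFOUND:
    case RLM_MODULE_OK:
    case RLM_MODULE_UPDATED:
        return AUTHZ_CONTINUE;
    case RLM_MODULE_FAIL:        /* FAIL leaves without a reject being built */
    case RLM_MODULE_HANDLED:
        return AUTHZ_PASSTHRU;
    case RLM_MODULE_INVALID:
    case RLM_MODULE_REJECT:
    case RLM_MODULE_USERLOCK:
    default:
        return AUTHZ_REJECT;
    }
}

/* Dispatch with RLM_MODULE_FAIL moved into the reject group, as proposed. */
static authz_outcome_t dispatch_after(rlm_rcode_t result)
{
    switch (result) {
    case RLM_MODULE_NOOP:
    case RLM_MODULE_NOTFOUND:
    case RLM_MODULE_OK:
    case RLM_MODULE_UPDATED:
        return AUTHZ_CONTINUE;
    case RLM_MODULE_HANDLED:     /* only HANDLED skips the reject path now */
        return AUTHZ_PASSTHRU;
    case RLM_MODULE_FAIL:        /* a failing authorize script now fails closed */
    case RLM_MODULE_INVALID:
    case RLM_MODULE_REJECT:
    case RLM_MODULE_USERLOCK:
    default:
        return AUTHZ_REJECT;
    }
}

static const char *outcome_name(authz_outcome_t o)
{
    static const char *names[] = { "continue", "passthru (no reject)", "Access-Reject" };
    return names[o];
}

int main(void)
{
    /* Exit statuses a script might return: ok, reject, fail, and garbage. */
    const int statuses[] = { 0, 1, 2, 7 };
    for (size_t i = 0; i < sizeof statuses / sizeof statuses[0]; i++) {
        rlm_rcode_t rc = exit_status_to_rcode(statuses[i]);
        printf("script exit %d: before=%-22s after=%s\n", statuses[i],
               outcome_name(dispatch_before(rc)), outcome_name(dispatch_after(rc)));
    }
    return 0;
}
```

The table the program prints shows the one row that changes: a script exiting with status 2 (fail) used to leave the request without an Access-Reject, and now lands in the reject group like status 1.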
Re: Access-Reject in a php script
Alan DeKok wrote:
>> Is this even considered a bug? Can we expect this to be changed in the future?
>
> Yes.

Not sure if you looked at the changes I originally made to rlm_exec.c, but if you did, I was curious as to whether those changes contradicted the FreeRadius RFCs at all? I don't *think* so, but you never know :]
Re: PAM_RADIUS_AUTH
On 10/30/07, Sobanbabu Bakthavathsalu wrote:
> Hi, I am trying to install PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication. I have managed to successfully compile and install the PAM plugin. When I tried to telnet to the machine from a different server I got the following error:
>
>     Failed looking up IP address for RADIUS server radius1 (errcode=12)
>
> I have made a host entry for this server name in the /etc/hosts file and am able to ping the RADIUS server by name. But still it's not working. Could you please help with resolving this?

Lots of times this is a firewall issue where the port opening is set for TCP and not UDP. Check that. Check that both are using port 1812, if that is what you are using. Have you edited your telnet PAM entry? I'm not familiar with Solaris, but that is what I would check. More info would be helpful too.

HTH,

Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
RE: PAM_RADIUS_AUTH
Hi Nick,

Thank you for the response. There is no firewall in between the RADIUS server and the Solaris server (RADIUS client), only a Cisco router with a standard ACL. I have verified the ACL match counters and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this; do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth? The server in question is not configured with any DNS server for name resolution; it uses the hosts file only.

Hope this provides more information.

Regards,
Soban
pam_radius_auth updated spec file, please include in future releases
I attached an updated spec file for pam_radius_auth. The original one fails when building as non-root. I fixed that and made a few other minor changes.

It would be nice if the build system could generate this spec file from a template, automatically replace the version number inside the spec with the actual version of the pam_radius_auth tarball, and include the automatically generated spec in the tarball. That way, users could generate RPM packages out of the tarball by simply downloading the archive and running:

    rpmbuild -ta pam_radius...(version number here)...tar.gz

Thanks,

--
Florin Andrei
http://florin.myip.org/
Re: pam_radius_auth updated spec file, please include in future releases
Florin Andrei wrote:
> I attached an updated spec file for pam_radius_auth.

No, I didn't. _Now_ I did. :-/

--
Florin Andrei
http://florin.myip.org/

    %define name pam_radius_auth
    %define shortname pam_radius
    %define version 1.3.17
    %define release 0

    Name: %{name}
    Summary: PAM Module for RADIUS Authentication
    Version: %{version}
    Release: %{release}
    Source: ftp://ftp.freeradius.org/pub/radius/%{shortname}-%{version}.tar.gz
    URL: http://www.freeradius.org/pam_radius_auth/
    Group: System Environment/Libraries
    BuildRoot: %{_tmppath}/%{name}-buildroot
    License: BSD-like or GNU GPL
    Requires: pam

    %description
    This is the PAM to RADIUS authentication module. It allows any PAM-capable
    machine to become a RADIUS client for authentication and accounting requests.
    You will need a RADIUS server to perform the actual authentication.

    %prep
    %setup -q -n %{shortname}-%{version}

    %build
    make

    %install
    mkdir -p %{buildroot}/lib/security
    cp -p pam_radius_auth.so %{buildroot}/lib/security
    mkdir -p %{buildroot}/etc/raddb
    [ -f %{buildroot}/etc/raddb/server ] || cp -p pam_radius_auth.conf %{buildroot}/etc/raddb/server
    #chown root %{buildroot}/etc/raddb/server
    #chgrp root %{buildroot}/etc/raddb/server
    chmod 0600 %{buildroot}/etc/raddb/server

    %clean
    [ "$RPM_BUILD_ROOT" != / ] && rm -rf "$RPM_BUILD_ROOT"

    %postun
    rmdir /etc/raddb || true

    %files
    %defattr(-,root,root,0755)
    %doc README INSTALL USAGE Changelog
    %config /etc/raddb/server
    /lib/security/pam_radius_auth.so

    %changelog
    * Tue Oct 30 2007 Florin Andrei [EMAIL PROTECTED] 1.3.17-0
    - build fixes

    * Mon Jun 03 2002 Richie Laager [EMAIL PROTECTED] 1.3.15-0
    - Initial RPM Version
Cert Problem with EAP-TTLS, SecureW2 (1.0.5--1.1.7)
Hi everybody,

I'm trying to upgrade from 1.0.5 to 1.1.7. For a test run, I copied all the cert and key files (only server-side, it's TTLS) from the production server, and 1.1.7 starts up fine (well, almost, see below). When connecting with a SecureW2 client that goes along well with the 1.0.5 server, I get a dialog window presenting the cert, but SecureW2 complains it's unable to put it into the hierarchy (which is in place already). There is no way to go on then; installing manually won't work either.

Have I missed some change in the cert handling?

Thanks for any help
Martin

Here's the output:

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/freeradius/proxy.conf
    Config: including file: /etc/freeradius/clients.conf
    Config: including file: /etc/freeradius/snmp.conf
    Config: including file: /etc/freeradius/eap.conf
    Config: including file: /etc/freeradius/sql.conf
    main: prefix = /usr
    main: localstatedir = /var
    main: logdir = /var/log/freeradius
    main: libdir = /usr/lib/freeradius
    main: radacctdir = /var/log/freeradius/radacct
    main: hostname_lookups = no
    main: snmp = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/freeradius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /var/run/freeradius/freeradius.pid
    main: user = freerad
    main: group = freerad
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    pap: auto_header = yes
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = no
    mschap: require_strong = no
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = /etc/shadow
    unix: group = (null)
    unix: radwtmp = /var/log/freeradius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = ttls
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = (null)
    tls: pem_file_type = yes
    tls: private_key_file = /etc/freeradius/certs/key-radius-staff.pem
    tls: certificate_file = /etc/freeradius/certs/cert-radius-staff.pem
    tls: CA_file = /etc/freeradius/certs/unimr-ssl-ca.pem
    tls: private_key_password = omihnl
    tls: dh_file = /etc/freeradius/certs/dh
    tls: random_file = /dev/urandom
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = (null)
    tls: cipher_list = (null)
    tls: check_cert_issuer = (null)
    rlm_eap_tls: Loading the certificate file as a chain
    WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
    WARNING: Fix this by running the OpenSSL command listed in eap.conf
    rlm_eap: Loaded and initialized type tls
    ttls: default_eap_type = md5
    ttls: copy_request_to_tunnel = yes
    ttls: use_tunneled_reply = yes
    rlm_eap: Loaded and initialized type ttls
    Module: Instantiated eap (eap)
    Module: Loaded preprocess
    preprocess: huntgroups = /etc/freeradius/huntgroups
    preprocess: hints = /etc/freeradius/hints
    preprocess: with_ascend_hack = no
    preprocess: ascend_channels_per_line = 23
    preprocess: with_ntdomain_hack = no
    preprocess: with_specialix_jetstream_hack = no
    preprocess: with_cisco_vsa_hack = no
    preprocess: with_alvarion_vsa_hack = no
    Module: Instantiated preprocess (preprocess)
    Module: Loaded realm
    realm: format = suffix
    realm: delimiter =
Re: PAM_RADIUS_AUTH
Sobanbabu Bakthavathsalu wrote:
> Thank you for the response. There is no firewall in between the RADIUS server and the Solaris server (RADIUS client), only a Cisco router with a standard ACL. I have verified the ACL match counters and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this; do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?

No. You *can* enter just an IP address...

Alan DeKok.
Re: Cert Problem with EAP-TTLS, SecureW2 (1.0.5--1.1.7)
Martin Pauly wrote:
> I'm trying to upgrade from 1.0.5 to 1.1.7. For a test run, I copied all the cert and key files (only server-side, it's TTLS) from the production server, and 1.1.7 starts up fine (well, almost, see below).

So... did you run the command to set the DH parameters?

> When connecting with a SecureW2 client that goes along well with the 1.0.5 server, I get a dialog window presenting the cert, but SecureW2 complains it's unable to put it into the hierarchy (which is in place already). There is no way to go on then; installing manually won't work either.

It *should* work. Most people who upgrade just upgrade... and have it work.

> Have I missed some change in the cert handling?

Nope.

Alan DeKok.
delayed Access Reject response
Using freeradius-1.1.7 on Linux Fedora 7. Authentication backend is unix. Clients so far are Cisco and pam_radius_auth.

If authentication is correct, the reply from the server is sent back to the client quickly enough. If the password is incorrect, the Access-Reject reply is delayed until the user enters the password a second time. It's like the server waits for the next auth attempt to send back the Reject.

What could be the cause?

--
Florin Andrei
http://florin.myip.org/
Re: Freeradius-Users Digest, Vol 30, Issue 105
Hola:

[EMAIL PROTECTED] wrote:
> Message: 1
> Date: Mon, 29 Oct 2007 15:58:13 +0200
> From: Peter Nixon
> Subject: Re: web based admin
>
> On Mon 29 Oct 2007, Hawkins, Michael wrote:
>> Hi all,
>>
>> I am very familiar with Cisco Secure ACS for AAA of Cisco devices. I am considering using FreeRadius at another customer site instead of Cisco Secure ACS. Will I still be able to control command execution (authorization) etc. via FreeRadius? Or would I be restricted to authentication only?
>
> By using the word "still" it implies that SecureACS can do this also, but as far as I know, unless something has changed recently, Cisco equipment only supports this feature with TACACS+ and not RADIUS.
>
> Comparing a SecureACS TACACS+ server with FreeRADIUS is comparing apples and oranges... FreeRADIUS is generally MUCH more powerful than SecureACS in its RADIUS functionality. FreeRADIUS does not, however, support TACACS+ at present.
>
> --
> Peter Nixon
> http://peternixon.net/
>
> Message: 2
> Date: Mon, 29 Oct 2007 10:21:32 -0400
> From: Hawkins, Michael
> Subject: RE: web based admin
>
> Peter,
>
> Yes, I was comparing TACACS+ to RADIUS - my mistake. Any recommendations on the most appropriate web front end for FreeRadius when managing a Cisco network that is pointing at a FreeRadius AAA server?
>
> Mike Hawkins
> Office: 212-208-3888
> Mobile: 917-887-3614
>
> Message: 3
> Date: Mon, 29 Oct 2007 16:45:14 +0200
> From: Mark J Elkins
> Subject: Class attribute in accounting record.
Re: Freeradius-Users Digest, Vol 30, Issue 106
Hola

[EMAIL PROTECTED] wrote:
> Message: 1
> Date: Mon, 29 Oct 2007 10:50:17 -0600
> From: Walter Gould
> Subject: Re: SSL certificate problems
>
> Alan DeKok wrote:
>> Walter Gould wrote:
>>> I am following the document "FreeRADIUS Active Directory Integration HOWTO" from the freeradius Wiki. I am having problems with creating SSL certificates. When I follow the instructions at the bottom of this doc and run the CA.all script, I see the following errors:
>>
>> Ugh. Download CVS head (see the web page for CVS instructions).
>>
>>     $ cd raddb/certs
>>     $ vi *.cnf        ca.cnf, server.cnf to set your local parameters
>>     $ ./bootstrap
>>
>> And you will have certificates that can be used in 1.1.x.
>>
>> Alan DeKok.
>
> Alan/list,
>
> Sorry to bother you guys again - I created new SSL certificates per your above instructions... After the certs were created, I then:
>
> 1. copied them to the /etc/raddb/certs directory
> 2. updated /etc/raddb/eap.conf with the certificate names and private key password
> 3. copied and installed the new certificate (server.pem) onto my XP laptop and
> 4. started radiusd in debug mode; below is the output
>
> It is acting as you describe in the FAQ - the client sends a series of Access-Request messages, the server sends a series of Access-Challenge responses, and then... nothing happens. After a little wait, it all starts again. So, I am wondering: will I need to install the hotfix as listed in the FAQ - and will this have to be done on ALL Windows machines? I am thinking that I still do not have something configured right on my side. If I uncheck the "validate server certs" box on the XP client, I can connect and authenticate successfully.
>
> Thanks again -
> Walter
>
>     Starting - reading configuration files ...
>     reread_config: reading radiusd.conf
>     Config: including file: /etc/raddb/proxy.conf
>     Config: including file: /etc/raddb/clients.conf
>     Config: including file: /etc/raddb/snmp.conf
>     Config: including file: /etc/raddb/eap.conf
>     main: prefix = /usr
>     main: localstatedir = /var
>     main: logdir = /var/log/radius
>     main: libdir = /usr/lib
>     main: radacctdir = /var/log/radius/radacct
>     main: hostname_lookups = no
>     main: snmp = no
>     main: max_request_time = 30
>     main: cleanup_delay = 5
>     main: max_requests = 1024
>     main: delete_blocked_requests = 0
>     main: port = 0
>     main: allow_core_dumps = no
>     main: log_stripped_names = no
>     main: log_file = /var/log/radius/radius.log
>     main: log_auth = yes
>     main: log_auth_badpass = no
>     main: log_auth_goodpass = no
>     main: pidfile = /var/run/radiusd/radiusd.pid
>     main: user = radiusd
>     main: group = radiusd
>     main: usercollide = no
>     main: lower_user = no
>     main: lower_pass = no
>     main: nospace_user = no
>     main: nospace_pass = no
>     main: checkrad = /usr/sbin/checkrad
>     main: proxy_requests = yes
>     proxy: retry_delay = 5
>     proxy: retry_count = 3
>     proxy: synchronous = no
>     proxy: default_fallback = yes
>     proxy: dead_time = 120
>     proxy: post_proxy_authorize = no
>     proxy: wake_all_if_all_dead = no
>     security: max_attributes = 200
>     security: reject_delay = 1
>     security: status_server = no
>     main: debug_level = 0
>     read_config_files: reading dictionary
>     read_config_files: reading naslist
>     Using deprecated naslist file. Support for this will go away soon.
>     read_config_files: reading clients
>     read_config_files: reading realms
>     radiusd: entering modules setup
>     Module: Library search path is /usr/lib
>     Module: Loaded exec
>     exec: wait = yes
>     exec: program = (null)
>     exec: input_pairs = request
>     exec: output_pairs = (null)
>     exec: packet_type = (null)
>     rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>     Module: Instantiated exec (exec)
>     Module: Loaded expr
>     Module: Instantiated expr (expr)
>     Module: Loaded MS-CHAP
>     mschap: use_mppe = yes
>     mschap: require_encryption = no
>     mschap: require_strong = no
>     mschap: with_ntdomain_hack = yes
>     mschap: passwd = (null)
>     mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>     Module: Instantiated mschap
Re: Freeradius-Users Digest, Vol 30, Issue 107
Hello: [EMAIL PROTECTED] wrote:

Today's Topics:
1. Cisco sslvpn authentication with freeradius (satish patel)
2. freeRADIUS with Active Directory (Hangjun He)
3. Re: freeRADIUS with Active Directory (Alan DeKok)
4. Re: SSL certificate problems (Alan DeKok)
5. Re: Class attribute in accounting record. (Alan DeKok)
6. Re: web based admin (satish patel)

Message: 1
Date: Tue, 30 Oct 2007 05:41:30 + (GMT)
From: satish patel
Subject: Cisco sslvpn authentication with freeradius
To: freeradius-users

Dear all, I have a Cisco SSL VPN gateway and I want to authenticate users against a FreeRADIUS authentication server, but I need more input from the community: what type of control can I do with it? Is it possible to control some user sessions or the number of times? Has anybody done it?
http://www.linuxbug.org

Message: 2
Date: Tue, 30 Oct 2007 14:25:24 +0800 (CST)
From: Hangjun He
Subject: freeRADIUS with Active Directory
To: FreeRadius users mailing list

Hi, I have configured ntlm_auth in freeRADIUS to talk to AD (user store), and it works well. Now I want to use ldap to get attributes from AD, and it fails. It seems ldapsearch will search the user's display name, and ntlm_auth will search the user's user logon name.
If I set the display name the same as the user logon name, it works. Is there a way to let ldapsearch search the user logon name too? Related configuration in radiusd.conf:
authorize {
	mschap
	suffix
	eap
	files
	ldap
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
	ldap
}

Message: 3
Date: Tue, 30 Oct 2007 07:38:59 +0100
From: Alan DeKok
Subject: Re: freeRADIUS with Active Directory
To: FreeRadius users mailing list

Hangjun He wrote: I have configured ntlm_auth in freeRADIUS to talk to AD (user store), and it works well. Now I want to use ldap to get attributes from AD, and it fails. It seems ldapsearch will search the user's *display name*, and ntlm_auth will search the user's *user logon name*. If I set the display name the same as the user logon name, it works. Is there a way to let ldapsearch search the user logon name too?
The LDAP search strings are editable in radiusd.conf. Alan DeKok.

Message: 4
Date: Tue, 30 Oct 2007 07:40:24 +0100
From: Alan DeKok
Subject: Re: SSL certificate problems
To: FreeRadius users mailing list

Walter Gould wrote: Sorry to bother you guys again. I created new SSL certificates per your above instructions... After the certs were created, I then: 1. copied them to the /etc/raddb/certs directory 2. updated /etc/raddb/eap.conf with the certificate names and private key password 3. copied and installed the new certificate (server.pem) onto my XP laptop and 4. started radiusd in debug mode; below is the output. It is acting as you describe in the FAQ -
You didn't add the root certificate to the XP machine. See the EAP-TLS howtos on the web site.
So, I am wondering will I need to install the hotfix as listed in the FAQ - and, will this have to be done on ALL Windows machines? I am thinking that I still do not have something configured right on my side.
If I uncheck the validate server certs box on the XP client, I can connect and authenticate successfully.
Yup. Ignore that we have no idea where this certificate came from, and do PEAP anyway. Alan DeKok.

Message: 5
Date: Tue, 30 Oct 2007 07:41:38 +0100
From: Alan DeKok
Subject: Re: Class attribute in accounting record.
To: [EMAIL PROTECTED], FreeRadius users mailing list

Mark Elkins wrote: .. which keeps personal changes to one place
Re: Freeradius-Users Digest, Vol 30, Issue 108
Hello: [EMAIL PROTECTED] wrote:

Today's Topics:
1. Re: web based admin (liran tal)

Message: 1
Date: Tue, 30 Oct 2007 11:29:38 +0200
From: liran tal
Subject: Re: web based admin
To: FreeRadius users mailing list

Hey Michael,
On 10/29/07, Hawkins, Michael wrote: What do people recommend I use as a web front end for FreeRadius when managing AAA on a Cisco network via FreeRadius? I've seen daloradius but that is geared to wireless hotspots. I've taken a quick look at phpRADmin and also ASN but I'm not sure which one is more mature and would like to know other peoples' thoughts. Or is dialupadmin itself good enough? Any advice given is very much appreciated.
I personally don't think of daloRADIUS as geared towards hotspot deployment; rather, it has integrated support for that. If you find it lacking any enterprise-scale features or missing some functionality that you require, I'd love to hear from you so I can push all development efforts on those topics. Regards, Liran.

With affection, MARIBEL HERNÁNDEZ LÓPEZ
Re: Freeradius-Users Digest, Vol 30, Issue 110
Hello: [EMAIL PROTECTED] wrote:

Today's Topics:
1. RE: PAM_RADIUS_AUTH (Sobanbabu Bakthavathsalu)
2. pam_radius_auth updated spec file, please include in future releases (Florin Andrei)
3. Re: pam_radius_auth updated spec file, please include in future releases (Florin Andrei)
4. Cert Problem with EAP-TTLS, SecureW2 (1.0.5--1.1.7) (Martin Pauly)

Message: 1
Date: Tue, 30 Oct 2007 21:31:09 +0530
From: Sobanbabu Bakthavathsalu
Subject: RE: PAM_RADIUS_AUTH
To: FreeRadius users mailing list

Hi Nick, thank you for the response. There is no firewall between the RADIUS server and the Solaris server (RADIUS client), only a Cisco router with a standard ACL. I have verified the ACL match counters and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS server for RADIUS server name resolution to work with pam_radius_auth? The server in question is not configured with any DNS server for name resolution; it uses the hosts file only. Hope this provides more information. Regards, Soban

From: [EMAIL PROTECTED] On Behalf Of Nick Owen
Sent: 30 October 2007 15:37
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

On 10/30/07, Sobanbabu Bakthavathsalu wrote: Hi, I am trying to install PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication.
I have managed to successfully compile and install the PAM plugin. When I try to telnet to the machine from a different server I get the following error:
Failed looking up IP address for RADIUS server radius1 (errcode=12)
I have made a host entry for this server name in the /etc/hosts file and am able to ping the RADIUS server by name. But still it's not working. Could you please help with resolving this?
Lots of times this is a firewall issue where the port opening is set for TCP and not UDP. Check that. Check that both are using port 1812, if that is what you are using. Have you edited your telnet PAM entry? I'm not familiar with Solaris, but that is what I would check. More info would be helpful too. HTH, Nick
-- Nick Owen, WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
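Nick's checklist can be turned into two concrete files. The fragments below are an added example for this page, not configuration from anyone in the thread; the addresses, the shared secret and the Solaris module path are assumptions. Listing the servers by IP address takes name resolution out of the picture, which is the quickest way to find out whether the lookup failure is the only thing wrong.

```conf
# /etc/pam_radius_auth.conf  (addresses and secret are assumptions)
# server[:port]        shared_secret          timeout in seconds
192.0.2.10:1812        s3cr3t-for-solaris     3
192.0.2.11:1812        s3cr3t-for-solaris     3

# /etc/pam.conf on Solaris 10.  Assumptions: telnet authenticates through
# the "login" service, and the module was installed as
# /usr/lib/security/pam_radius_auth.so.  Keep the stock login auth lines
# that follow; "sufficient" lets an Access-Accept finish the stack, while
# unreachable RADIUS servers fall through to local unix authentication.
login   auth sufficient   /usr/lib/security/pam_radius_auth.so
login   auth required     pam_unix_auth.so.1
```

The conf file carries the shared secret, so it should be owned by root and mode 0600. RADIUS is UDP: the router ACL has to permit UDP/1812 from the Solaris host to the server and the reply back, not TCP. If you keep the name radius1 instead of an address, it must resolve through whatever nsswitch.conf lists for hosts on that box.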
Message: 2
Date: Tue, 30 Oct 2007 09:51:56 -0700
From: Florin Andrei
Subject: pam_radius_auth updated spec file, please include in future releases
To: freeradius-users@lists.freeradius.org

I attached an updated spec file for pam_radius_auth. The original one fails when building as non-root. I fixed that and made a few other minor changes. It would be nice if the build system could generate this spec file from a template, automatically replace the version number inside the spec with the actual version of the pam_radius_auth tarball, and include the automatically generated spec in the tarball. That way, users could generate RPM packages out of the tarball by simply downloading the archive and running:
rpmbuild -ta pam_radius...(version number here)...tar.gz
Thanks, -- Florin Andrei http://florin.myip.org/
Basic usage: What do I do next to get this to work?
Hello, I hate to ask this, but I'm running out of time on this project and I'm completely new to RADIUS. I would be really happy if someone could just point me to a detailed HOW TO for what I need. I have freeRADIUS set up with an external MySQL user database and it's successfully authorizing requests from NTRadPing. Now I need to actually try it out in the field. I need people running XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL database that I have set up. So far I'm not having any luck, and I don't mind saying that I'm a little over my head at this point. Someone familiar with this will probably see glaring problems. I will provide all the details I can think of, but please let me know if you need more.

Server: FreeRADIUS 1.1.7 with MySQL module.
Database: Remote MySQL
Access Point: D-Link DWL-7100AP (Ciscos coming in January)
    WPA-EAP TKIP
Client Laptop: WPA Enterprise TKIP
    PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
    MS-CHAP-V2 (Other options: GTC, TLS)

I set up an AP to use RADIUS, and the requests get through to the RADIUS server, but they always fail. Posted below is the debug output from the failed attempt.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0, length=193
	Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
	Service-Type = Framed-User
	User-Name = testuser
	Framed-MTU = 1488
	Called-Station-Id = 00-11-95-DA-16-A6:SUSOM
	Calling-Station-Id = 00-1B-77-28-B3-CF
	NAS-Identifier = D-Link Access Point
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 54Mbps 802.11a
	EAP-Message = 0x020b01746261727468
	NAS-IP-Address = 192.168.0.1
	NAS-Port = 1
	NAS-Port-Id = STA port # 1
rad_lowerpair: User-Name now 'testuser'
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
radius_xlat: 'testuser'
rlm_sql (sql): sql_set_user escaped user -- 'testuser'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'testuser' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'testuser' ORDER BY id'
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
modcall[authorize]: module sql returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module pap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module eap returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
	Framed-Protocol := PPP
	Service-Type := Framed-User
	Framed-MTU := 1500
	Framed-Compression := Van-Jacobson-TCP-IP
	EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
	Message-Authenticator = 0x
	State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1030, id=1, length=206
	Message-Authenticator = 0xc9926863cf3df06ac150bbb6f77208eb
	Service-Type = Framed-User
	User-Name = testuser
	Framed-MTU = 1488
	State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
	Called-Station-Id = 00-11-95-DA-16-A6:SUSOM
	Calling-Station-Id
Re: Basic usage: What do I do next to get this to work?
You haven't configured PEAP in eap.conf. You need to configure the tls and peap sections. You will also need a server certificate, and to export the root certificate to the XP clients (if you are signing them yourself). Read the instructions in eap.conf, /scripts, the wiki (about EAP) and the howto for AD integration before doing anything.
Ivan Kalik, Kalik Informatika ISP

On 30/10/2007, Doc. Caliban [EMAIL PROTECTED] wrote:
Hello, I hate to ask this, but I'm running out of time on this project and I'm completely new to RADIUS. I would be really happy if someone could just point me to a detailed HOW TO for what I need. I have freeRADIUS set up with an external MySQL user database and it's successfully authorizing requests from NTRadPing. Now I need to actually try it out in the field. I need people running XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL database that I have set up. So far I'm not having any luck, and I don't mind saying that I'm a little over my head at this point. Someone familiar with this will probably see glaring problems. I will provide all the details I can think of, but please let me know if you need more.
Server: FreeRADIUS 1.1.7 with MySQL module.
Database: Remote MySQL
Access Point: D-Link DWL-7100AP (Ciscos coming in January)
    WPA-EAP TKIP
Client Laptop: WPA Enterprise TKIP
    PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
    MS-CHAP-V2 (Other options: GTC, TLS)
I set up an AP to use RADIUS, and the requests get through to the RADIUS server, but they always fail. Posted below is the debug output from the failed attempt.
Ready to process requests.
Re: Basic usage: What do I do next to get this to work?
Doc. Caliban wrote: I hate to ask this, but I'm running out of time on this project and I'm completely new to RADIUS. I would be really happy if someone could just point me to a detailed HOW TO for what I need.
http://www.freeradius.org/doc/EAPTLS.pdf
You need EAP-TLS to do PEAP.
I have freeRADIUS set up with an external MySQL user database and it's successfully authorizing requests from NTRadPing.
Which helps, but isn't enough. Wireless uses a LOT more technologies than just basic RADIUS.
So far I'm not having any luck, and I don't mind saying that I'm a little over my head at this point. Someone familiar with this will probably see glaring problems.
The debug output tries to be helpful. Honest.
Access Point: D-Link DWL-7100AP (Ciscos coming in January) WPA-EAP TKIP Client Laptop: WPA Enterprise TKIP PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
So... that should be an indication that you need PEAP.
I set up an AP to use RADIUS, and the requests get through to the RADIUS server, but they always fail. Posted below is the debug output from the failed attempt.
...
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap
You say that the clients will do PEAP, but you haven't configured PEAP in the server. Alan DeKok.
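Both of the threads above (Walter's certificate loop and this PEAP failure) come down to the same file. As an added example written for this page, not configuration from any of the posters or from the FreeRADIUS distribution, here is a minimal eap.conf for FreeRADIUS 1.1.x that enables PEAP with MS-CHAPv2 inside. It assumes the certificates were built with the raddb/certs bootstrap script Alan points to, and the private-key password is a placeholder. With peap as the default method, the debug output no longer shows "rlm_eap: processing type md5" followed by an EAP-NAK asking for peap.

```conf
# eap.conf for FreeRADIUS 1.1.x: PEAP with MS-CHAPv2 inside.
# Assumptions: certificates produced by raddb/certs/bootstrap, and the
# private-key password set in server.cnf was "whatever".
eap {
	# Offer PEAP first.  With the stock default of md5 the server issues an
	# MD5 challenge, the supplicant answers with an EAP-NAK asking for peap,
	# and a server without a peap section has nothing to give it.
	default_eap_type = peap
	timer_expire     = 60
	ignore_unknown_eap_types = no

	# Harmless to keep for radtest/eapol_test checks; it derives no keys,
	# so it can never be the method that protects an 802.11 association.
	md5 {
	}

	# PEAP runs inside TLS, so the tls section is mandatory even if no
	# client ever does plain EAP-TLS.
	tls {
		private_key_password = whatever
		private_key_file     = ${raddbdir}/certs/server.pem
		certificate_file     = ${raddbdir}/certs/server.pem
		# CA that signed server.pem; this is the file the supplicants must trust.
		CA_file              = ${raddbdir}/certs/ca.pem
		dh_file              = ${raddbdir}/certs/dh
		random_file          = ${raddbdir}/certs/random
		fragment_size        = 1024
		include_length       = yes
	}

	peap {
		# Inner method that XP, Vista and OS X supplicants all offer.
		default_eap_type       = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply     = yes
	}

	mschapv2 {
	}
}
```

Two things the server configuration cannot fix. First, the client has to trust ca.pem, not server.pem: on XP that means importing ca.pem into Trusted Root Certification Authorities and ticking it in the PEAP properties. A server certificate the client cannot chain to a trusted root is exactly what produces the Access-Challenge loop Walter saw, and unticking "Validate server certificate" makes the supplicant accept any RADIUS server, so a rogue access point can collect MS-CHAPv2 challenge/response pairs for offline cracking. Second, the inner MS-CHAPv2 exchange needs the NT hash, so the radcheck rows must hold a cleartext User-Password (or an NT-Password); MD5 or crypt hashes that work for PAP cannot be used with PEAP/MS-CHAPv2.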
Re: delayed Access Reject response
On 10/30/07, Florin Andrei [EMAIL PROTECTED] wrote: Using freeradius-1.1.7 on Linux Fedora 7. Authentication backend is unix. Clients so far are Cisco and pam_radius_auth. If authentication is correct, the reply from the server is sent back to the client quickly enough. If the password is incorrect, the Access-Reject reply is delayed until the user enters the password a second time. It's like the server waits for the next auth attempt to send back the Reject. What could be the cause?
Look at reject_delay in radiusd.conf. Maybe that will answer your question. BR, Khalid
Re: delayed Access Reject response
manIP wrote: On 10/30/07, *Florin Andrei* [EMAIL PROTECTED] wrote: If the password is incorrect, the Access-Reject reply is delayed until the user enters the password a second time. It's like the server waits for the next auth attempt to send back the Reject.
Look at reject_delay in radiusd.conf. Maybe that will answer your question.
It was set to 1, but the actual delay is clearly bigger than that. In fact, it doesn't seem to be constant; it seems to wait until a new request is sent, and then it unleashes the reject. I set reject_delay to 0 and now there's no delay, but I'm not sure I like it that way, due to possible brute-force attacks. -- Florin Andrei http://florin.myip.org/
Re: radiusd deadlock on recvfrom on port 1814
On Thu, 2007-10-18 at 01:10 +0200, Alan DeKok wrote:
Ryan Melendez wrote: I've had FreeRADIUS Version 1.1.0 hang twice recently. The core dumps are very similar in that it appears that main is waiting on some stuff from port 1814. Honestly I don't know what 1814 is really for (proxy port?) but it seems as if fd_isset says so, we should expect some data on that socket.
Unless something _else_ had already received that data. 1814 is for proxying, yes. And it shouldn't hang... it should do *something* at least.
I hadn't noticed this before I added radrelay and another radiusd process on the same box. Both radiusd processes are bound to different virtual interfaces and radrelay is duplicating acct packets from one to the other. It's not obvious why there would be a race condition on that socket, but my guess is something is going on there. It seems as though both radiusd processes are using the same descriptors for each of their three sockets. I've included some debug info from the core files.
The descriptors are local to the process, and don't mean anything.
Is this a known bug or can it be fixed with a configuration change?
It sounds like a kernel bug to me. recvfrom() on a UDP socket *always* returns quickly. If there's no data, it returns immediately with an error. If there is data it returns the data. If recvfrom() hangs, then it's not the fault of the application. And there's nothing the application can do to fix it.
recvfrom() blocks on datagram sockets just like any other type of socket unless it gets an SO_RCVTIMEO or O_NONBLOCK is set (in which case you would receive an error). http://www.opengroup.org/onlinepubs/95399/functions/recvfrom.html
"If no messages are available at the socket and O_NONBLOCK is not set on the socket's file descriptor, recvfrom() shall block until a message arrives. If no messages are available at the socket and O_NONBLOCK is set on the socket's file descriptor, recvfrom() shall fail and set errno to [EAGAIN] or [EWOULDBLOCK]."
Alan DeKok.
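The point Ryan makes can be shown in a few lines of C. This is an added example written for this page, not FreeRADIUS code: a UDP socket bound to 127.0.0.1 (address and payload constructed for the demonstration) is read once with MSG_DONTWAIT while empty, a datagram is then queued so select() reports the descriptor readable, a second reader standing in for another thread or a forked child sharing the descriptor drains it, and the original reader's non-blocking recvfrom() comes back with EAGAIN instead of sleeping until the next packet the way a plain blocking call would.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port (constructed for the
 * demo; a real server binds its auth, acct and proxy ports).  Returns the
 * descriptor or -1 and fills in the address the kernel chose. */
static int bind_udp_loopback(struct sockaddr_in *bound)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof *bound;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* recvfrom() that cannot hang: MSG_DONTWAIT makes this one call behave as if
 * O_NONBLOCK were set, so an empty queue yields EAGAIN/EWOULDBLOCK, reported
 * here as 0 bytes.  Real errors come back as -1. */
ssize_t recv_nonblocking(int fd, char *buf, size_t len)
{
    ssize_t n = recvfrom(fd, buf, len, MSG_DONTWAIT, NULL, NULL);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return 0;
    return n;
}

/* Walk through the race: readiness reported by select() is consumed by a
 * second reader before the first one calls recvfrom().  Returns a bitmask of
 * the four checks; 15 means every step behaved as described. */
int demo_readiness_race(void)
{
    struct sockaddr_in addr;
    struct timeval tv = { 1, 0 };
    fd_set rfds;
    char buf[64];
    ssize_t n;
    int result = 0;
    int rx = bind_udp_loopback(&addr);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) {
        if (rx >= 0) close(rx);
        if (tx >= 0) close(tx);
        return -1;
    }

    /* 1. Empty socket: the non-blocking read returns at once. */
    if (recv_nonblocking(rx, buf, sizeof buf) == 0) result |= 1;

    /* 2. Queue one datagram; select() now reports the descriptor readable. */
    if (sendto(tx, "ping", 4, 0, (struct sockaddr *)&addr, sizeof addr) == 4) {
        FD_ZERO(&rfds);
        FD_SET(rx, &rfds);
        if (select(rx + 1, &rfds, NULL, NULL, &tv) == 1 && FD_ISSET(rx, &rfds))
            result |= 2;
    }

    /* 3. A second reader of the same descriptor (another thread, or a child
     *    after fork()) drains the datagram first. */
    n = recvfrom(rx, buf, sizeof buf, 0, NULL, NULL);
    if (n == 4 && memcmp(buf, "ping", 4) == 0) result |= 4;

    /* 4. The first reader acts on the stale readiness.  A plain blocking
     *    recvfrom() would sleep here until the next packet ever arrives; the
     *    non-blocking variant reports an empty queue and the loop moves on. */
    if (recv_nonblocking(rx, buf, sizeof buf) == 0) result |= 8;

    close(rx);
    close(tx);
    return result;
}

int main(void)
{
    int r = demo_readiness_race();
    printf("checks passed: %d (expected 15)\n", r);
    return r == 15 ? 0 : 1;
}
```

The lesson for a server that multiplexes sockets with select(): readiness is a hint, not a guarantee, whenever anything else can read the same descriptor, so the read after select() must be non-blocking or carry a receive timeout, otherwise a lost race turns into a hang that looks like a kernel bug in the core dump.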
Re: Basic usage: What do I do next to get this to work?
Hmm... All good info, but it makes me wonder if I'm going about this the best way. This is my goal: wireless users and desktop computers on the same subnet (IPCop Blue, for those keeping score at home) will need to log in with a user name and password, which are kept on the MySQL server. I want this to be as easy as possible for as many people as possible. I came up with my client settings by going with the defaults. I would like to use whatever is easiest for the users to implement. I really appreciate your time. Thank you.

Alan DeKok wrote: Doc. Caliban wrote: I hate to ask this, but I'm running out of time on this project and I'm completely new to RADIUS. I would be really happy if someone could just point me to a detailed HOW TO for what I need.
http://www.freeradius.org/doc/EAPTLS.pdf
You need EAP-TLS to do PEAP.
I have freeRADIUS set up with an external MySQL user database and it's successfully authorizing requests from NTRadPing.
Which helps, but isn't enough. Wireless uses a LOT more technologies than just basic RADIUS.
So far I'm not having any luck, and I don't mind saying that I'm a little over my head at this point. Someone familiar with this will probably see glaring problems.
The debug output tries to be helpful. Honest.
Access Point: D-Link DWL-7100AP (Ciscos coming in January) WPA-EAP TKIP Client Laptop: WPA Enterprise TKIP PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
So... that should be an indication that you need PEAP.
I set up an AP to use RADIUS, and the requests get through to the RADIUS server, but they always fail. Posted below is the debug output from the failed attempt.
...
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: No such EAP type peap
You say that the clients will do PEAP, but you haven't configured PEAP in the server. Alan DeKok.
The best encryption/access control scheme
I have become in charge of a small wireless ISP at my local marina and am looking for the best way to control access and encrypt for security. Currently I have a Linksys WRT54G router running DD-WRT firmware and a PC that I have now converted over to a linux box for freeradius, etc. The major stumbling block is that we have clients with equipment that cannot deal with WPA encryption, and so, I think, I am forced to use a WEP key. Now, the main concern is access control, as in the past there have been those in the area abusing the open AP and draining all the bandwidth. So, what would be the best scheme to use for setting this up? Is a freeradius login/pass scheme with WEP key encryption the best that I can manage, or are there other options? Thanks. -- Ian Truelsen s/v Sting Email: [EMAIL PROTECTED]
Re: delayed Access Reject response
Hi,
It was set to 1, but the actual delay is clearly bigger than that. In fact, it doesn't seem to be constant; it seems to wait until a new request is sent, and then it unleashes the reject. I set reject_delay to 0 and now there's no delay, but I'm not sure I like it that way, due to possible brute-force attacks.
Correct. That is why reject_delay exists. And yes, a value of 1 won't directly map to a count of 1, as there is also the cleanup_delay which occurs. alan
problem with proxying
I wrote a little module for freeradius that forwards the incoming authentication requests to another server (to do the authentication). However I have to support proxying (in case there is a 3rd party RADIUS server). I cannot take advantage of realms, because the users log in without any realm suffixes, prefixes, etc. (user bob simply uses username 'bob'). The problem is that bob can be a valid user on our server as well as on the 3rd party RADIUS server. I tried to experiment with the Proxy-To-Realm attribute in the users file, but haven't had any luck either. Here is what I'm trying to do:
- use my module rlm_xxx to authenticate user bob
- if success, I don't need anything else
- if failure, I want to proxy the authentication request to a 3rd party RADIUS server
- if the authentication on the 3rd party RADIUS server succeeds, I registered a post-proxy function in my module, where I'm decreasing the failed authentication count on the first server
All these steps are working (separately), but I'm not able to make them work together, i.e. my authentication works, but no proxying, or the proxying works (when I set up the 3rd party RADIUS in the NULL realm) but then my authentication against the first server is not called at all (my module's authenticate function is not called); the request is proxied without attempting my authentication function, and only the post-proxy function of my module is called. I wonder if you could suggest how to configure freeradius to achieve what I'm trying to do (if it is possible at all, of course). cheers, martin
Re: Configure authentication via LDAP Group membership issue
All, I have still not been able to find a solution for this. It looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat? While I have read all the documentation that comes with FreeRadius (in /usr/share), I am missing something in order to apply it. Cheers, David

- Original Message -
From: David Hobley [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:
ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(uid=firstname.lastname)'
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
uidNumber: 1024
...

Group entry is:
ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(cn=VPN Users)'
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
memberUid: 1024
...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure Radius (for this single account) correctly. In the ldap module I include:
...
groupname_attribute = cn
groupmembership_filter = (memberUid=1024)
with the following entry in the users file:
DEFAULT	Auth-Type = LDAP
	Fall-Through = 1
DEFAULT	LDAP-Group == "VPN Users"
	Service-Type = Administrative-User
and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field? Thanks! Cheers, David
RE: Configure authentication via LDAP Group membership issue [sec=unclassified]
___
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership issue

> All, I have still not been able to find a solution for this; it looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat - while I have read all the docco that comes with FreeRadius (in /usr/share) I am missing something in order to apply it.
>
> Cheers,
> David
>
> - Original Message -
> From: David Hobley [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
> Subject: Configure authentication via LDAP Group membership issue
>
> I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group. Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:
>
> User Account:
>
>     ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(uid=firstname.lastname)'
>     dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
>     uidNumber: 1024
>     ...
>
> Group entry is:
>
>     ldapsearch -h ldap -x -b dc=MY,dc=DOMAIN '(cn=VPN Users)'
>     dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
>     memberUid: 1024
>     ...
>
> So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group. If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly. In the ldap module I include:
>
>     ...
>     groupname_attribute = cn
>     groupmembership_filter = (memberUid=1024)
>
> with the following entry in the users file:
>
>     DEFAULT Auth-Type = LDAP
>             Fall-Through = 1
>
>     DEFAULT LDAP-Group == "VPN Users"
>             Service-Type = Administrative-User
>
> and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?
>
> Thanks!
>
> Cheers,
> David

The memberUid attribute in a posixGroup is supposed to hold the uid, not the uidNumber. That would make your

    groupmembership_filter = (memberUid=%{User-Name})

or more robustly,

    groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

Regards,
Frank Ranner
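The check Frank describes, worked through as an added example (it is not code from the thread and not FreeRADIUS code): a small Python model of entries shaped like David's two ldapsearch results, the filter from the reply, and a deliberately minimal filter evaluator. It shows that memberUid is matched against the uid, so searching for the uidNumber 1024 finds no group; how %{Stripped-User-Name:-%{User-Name}} falls back to the raw name; and why the value substituted into the filter has to be escaped the way rlm_ldap escapes its expansions, by running the same name through both the escaped and the unescaped form. The extra group "Staff", the second member "another.user", the '@' realm delimiter and the evaluator itself are assumptions made for the demonstration.

```python
"""Added illustration (not from the thread, not FreeRADIUS code): how the
posixGroup membership filter from Frank's reply resolves against entries
shaped like David's two ldapsearch results, and why the user name must be
escaped before it is placed in the filter. Constructed for the demonstration:
the extra group, the second member, the realm suffix, and the evaluator,
which is a minimal stand-in for an LDAP server."""

import re

# Constructed directory modelled on the thread: the account has uid and
# uidNumber; the posixGroup lists its members by *uid*, not by uidNumber.
DIRECTORY = {
    "uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN": {
        "objectClass": ["posixAccount"],
        "uid": ["firstname.lastname"],
        "uidNumber": ["1024"],
    },
    "cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN": {
        "objectClass": ["posixGroup"],
        "cn": ["VPN Users"],
        "memberUid": ["firstname.lastname", "another.user"],
    },
    "cn=Staff,ou=groups,dc=MY,dc=DOMAIN": {  # constructed extra group
        "objectClass": ["posixGroup"],
        "cn": ["Staff"],
        "memberUid": ["another.user"],
    },
}

# RFC 4515 escaping of a value placed inside a search filter. rlm_ldap applies
# this to its %{...} expansions; it is spelled out here so the unescaped case
# can be shown next to it.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_user_name(user_name):
    """%{Stripped-User-Name:-%{User-Name}}: the realm-stripped name when the
    realm module set one, else the raw User-Name. Assumes '@' as the realm
    delimiter, as in the stock suffix realm configuration."""
    stripped = user_name.rsplit("@", 1)[0] if "@" in user_name else None
    return stripped or user_name


def groupmembership_filter(user_name, escape=True):
    """The filter from the reply, expanded for one request."""
    name = effective_user_name(user_name)
    if escape:
        name = escape_filter_value(name)
    return "(&(memberUid=%s)(objectClass=posixGroup))" % name


# Minimal evaluator: the AND filter plus equality/substring assertions.
_EQ = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>[^()]*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_pattern(raw):
    # An unescaped '*' is a substring wildcard; an escaped '\2a' is a literal.
    pieces = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _split_components(body):
    """Split '(a=1)(b=2)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry, filt):
    if filt.startswith("(&") and filt.endswith(")"):
        return all(matches(entry, c) for c in _split_components(filt[2:-1]))
    m = _EQ.match(filt)
    if not m:
        raise ValueError("unsupported filter: %s" % filt)
    pat = _value_pattern(m.group("val"))
    return any(pat.match(v) for v in entry.get(m.group("attr"), []))


def ldap_groups(user_name, escape=True):
    """Values of groupname_attribute (cn) for every group the filter matches."""
    filt = groupmembership_filter(user_name, escape)
    return sorted(e["cn"][0] for e in DIRECTORY.values() if matches(e, filt))


def is_vpn_user(user_name):
    """The users-file check  DEFAULT LDAP-Group == "VPN Users"  for one request."""
    return "VPN Users" in ldap_groups(user_name)


if __name__ == "__main__":
    for name in ["firstname.lastname", "firstname.lastname@MY.DOMAIN", "1024", "*"]:
        print("%-30s escaped=%s unescaped=%s" % (name, ldap_groups(name), ldap_groups(name, escape=False)))
```

Running the file prints the group list for each constructed name twice, once through the escaped filter and once through the raw one: the real user and the realm-suffixed spelling of it resolve to "VPN Users", the uidNumber resolves to nothing, and a name consisting of a lone "*" matches every group only when escaping is skipped. The evaluator understands just the AND filter and equality or substring assertions, which is all this membership check uses.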
Re: Basic usage: What do I do next to get this to work?
> This is my goal: Wireless users and desktop computers on the same subnet (IPCop Blue, for those keeping score at home) will need to log in with a user name and password, which are kept on the MySQL server.

Hm, don't know much about IPCop but I would have some doubts about it authenticating wired users on a local network. My guess is that DHCP will just hand them an IP address and they will connect without authentication. Since you want wired clients on the same subnet as wireless ones, think about using a captive portal like Chillispot.

You are on the right track with wireless.

Ivan Kalik
Kalik Informatika ISP
RE: web based admin
Peter,

Thanks for your responses. As is common with newbies, the answers usually spawn another 4 questions (at least).

Why would I pick ldap over mysql? Is it because ldap is geared around user entities as well as an organizational hierarchy?

Does phpLDAPadmin already know about the requirements of FreeRadius structures or does FreeRadius already know how to plug into phpLDAPadmin?

Sorry if these questions appear clueless, and even more apologies if they are in the FreeRadius FAQs.

Mike Hawkins
Office: 212-208-3888
Mobile: 917-887-3614

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Nixon
Sent: Monday, October 29, 2007 2:19 PM
To: FreeRadius users mailing list
Subject: Re: web based admin

> On Mon 29 Oct 2007, Hawkins, Michael wrote:
> > Peter,
> > Yes, I was comparing TACACS+ to RADIUS - my mistake. Any recommendations on the most appropriate web front end for FreeRadius when managing a Cisco network that is pointing at a FreeRadius AAA server?
>
> It kind of depends on your backend to be honest. If you use an LDAP backend phpLDAPadmin is pretty good..
>
> --
> Peter Nixon
> http://peternixon.net/
Re: Configure authentication via LDAP Group membership issue [sec=unclassified]
Frank,

Thank you - greatly appreciated. This made me realise that my thinking was foggy when I had defined group memberships. All working now.

Cheers,
David

- Original Message -
From: Frank MR Ranner [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane
Subject: RE: Configure authentication via LDAP Group membership issue [sec=unclassified]

> ...
> ___
> The memberUid attribute in a posixGroup is supposed to hold the uid, not the uidNumber. That would make your
>
>     groupmembership_filter = (memberUid=%{User-Name})
>
> or more robustly,
>
>     groupmembership_filter = (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))
>
> Regards,
> Frank Ranner
Re: Turn off user acc - MySQL
Deleting user from the database - bad idea. You do want him back? Auth-Type Reject is a check item so it would go into rad(group)check table. It's better to create a group for suspended users and switch user to it than to add the attribute to each user. Think about using sqlcounters and/or Expiration attribute.

Ivan Kalik
Kalik Informatika ISP

On 30/10/2007, Marinko Tarlac [EMAIL PROTECTED] wrote:
> Hello
>
> I made small web based application and it uses MySql database. I can add user accounts, create packages, add access points etc and now I need to create script for user control. Question is next. Is it better to remove the username from radcheck table or is it a better option to add access-reject attribute for specific user in radreply table. Is there any better solution. Also I'm thinking to create small perl script which I can call during auth process. I'm not sure did you understand me :)
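Ivan's suggestion of a "suspended" group carrying the reject, played out as an added example (not code from the thread and not FreeRADIUS code) against the stock FreeRADIUS SQL tables radcheck, radgroupcheck and radusergroup, held in an in-memory sqlite3 database. It shows why the reject belongs on one radgroupcheck row rather than on every user, how suspending and unsuspending become a radusergroup change with nothing deleted, and what the Expiration check item does on top of that. The user names, passwords and dates are constructed; authorize() is a simplified stand-in for what rlm_sql and the server core do with these rows (the order in which check items are collected and the effect of Auth-Type := Reject and Expiration), and sqlcounter, which needs accounting data, is not modelled. The Expiration value uses one of the date spellings FreeRADIUS accepts (month day year time), an assumption of this example.

```python
"""Added illustration (not from the thread, not FreeRADIUS code): a
'suspended' group carrying Auth-Type := Reject, against the stock FreeRADIUS
SQL tables in sqlite3. Names, passwords and dates are constructed; authorize()
is a simplified stand-in for rlm_sql plus the server core, written to show
the effect of the rows. sqlcounter (needs radacct) is not modelled."""

import sqlite3
from datetime import datetime

# The three tables with the stock column layout.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [
            ("alice", "Cleartext-Password", ":=", "constructed-pw-1"),
            ("bob", "Cleartext-Password", ":=", "constructed-pw-2"),
            ("carol", "Cleartext-Password", ":=", "constructed-pw-3"),
            ("carol", "Expiration", ":=", "Jan 01 2007 00:00:00"),  # constructed, already past
        ],
    )
    # The reject lives on ONE group row; suspending is then a membership change.
    db.execute(
        "INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
        ("suspended", "Auth-Type", ":=", "Reject"),
    )
    db.executemany(
        "INSERT INTO radusergroup VALUES (?, ?, ?)",
        [("alice", "customers", 1), ("bob", "customers", 1), ("carol", "customers", 1)],
    )
    return db


def suspend(db, username):
    """Add a higher-priority 'suspended' membership instead of deleting or
    rewriting anything, so the original group survives for unsuspend()."""
    db.execute("INSERT INTO radusergroup VALUES (?, 'suspended', 0)", (username,))


def unsuspend(db, username):
    db.execute(
        "DELETE FROM radusergroup WHERE username = ? AND groupname = 'suspended'", (username,)
    )


def check_items(db, username):
    """Check items in the order rlm_sql collects them: the user's own radcheck
    rows, then each group's radgroupcheck rows, groups ordered by priority."""
    items = db.execute(
        "SELECT attribute, op, value FROM radcheck WHERE username = ? ORDER BY id", (username,)
    ).fetchall()
    groups = db.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority", (username,)
    ).fetchall()
    for (group,) in groups:
        items += db.execute(
            "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id",
            (group,),
        ).fetchall()
    return items


def authorize(db, username, password, now_iso=None):
    """Outcome for one Access-Request: 'accept', 'reject' or 'unknown-user'.
    now_iso lets the caller pin the clock for the Expiration comparison."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    items = check_items(db, username)
    if not items:
        return "unknown-user"  # no rows at all: rlm_sql returns notfound
    auth_type = None
    for attr, op, value in items:
        if attr == "Auth-Type" and op == ":=":
            auth_type = value  # Auth-Type := Reject makes the core reject
        elif attr == "Expiration" and now >= datetime.strptime(value, "%b %d %Y %H:%M:%S"):
            return "reject"  # rlm_expiration: the date has passed
        elif attr == "Cleartext-Password" and value != password:
            return "reject"
    return "reject" if auth_type == "Reject" else "accept"


if __name__ == "__main__":
    db = build_db()
    print("alice before:", authorize(db, "alice", "constructed-pw-1"))
    suspend(db, "alice")
    print("alice suspended:", authorize(db, "alice", "constructed-pw-1"))
    unsuspend(db, "alice")
    print("alice restored:", authorize(db, "alice", "constructed-pw-1"))
    print("carol (expired):", authorize(db, "carol", "constructed-pw-3"))
```

The suspended membership is inserted with priority 0 so its check items are seen before the customer group's; removing that one row restores the account exactly as it was, which is the point of not deleting users. Expiration sits on the user's own radcheck row because it is per-account, while the reject sits on the group because it is shared.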
Re: Basic usage: What do I do next to get this to work?
[EMAIL PROTECTED] wrote:
> Hm, don't know much about IPCop but I would have some doubts about it authenticating wired users on a local network.

IPCop is actually pretty good for this as it uses one of its interfaces for wireless access based on granting each node specific access by MAC, but it can be any network node; it doesn't have to be a wireless device. All of our public workstations are on this interface so the machines are verified at the proxy. Now I just need to get the RADIUS piece in place to validate the users. IPCop can require RADIUS authentication on top of the MAC filter. It sounds good on paper, I just need to find the easiest way possible for my users to deal with the RADIUS piece of the model.

> You are on the right track with wireless.

That's good to hear. Again, I just need to find the simplest implementation possible for starters.
Re: Basic usage: What do I do next to get this to work?
> IPCop can require RADIUS authentication on top of the MAC filter.

Fine. Enable it then. I assume it uses 802.1x for wired too.

> I just need to find the easiest way possible for my users to deal with the RADIUS piece of the model.

Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the same for wired and wireless: Connection/Properties/click on Authentication tab/tick enable 802.1x box/select PEAP from the box/click on Properties button/
Re: Basic usage: What do I do next to get this to work?
PS. Time to go to bed. Clear the Automatically use Windows logon blah, blah box. Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > Hm, don't know much about IPCop but I would have some doubts about it authenticating wired users on a local network.
>
> IPCop is actually pretty good for this as it uses one of its interfaces for wireless access based on granting each node specific access by MAC, but it can be any network node; it doesn't have to be a wireless device. All of our public workstations are on this interface so the machines are verified at the proxy. Now I just need to get the RADIUS piece in place to validate the users. IPCop can require RADIUS authentication on top of the MAC filter. It sounds good on paper, I just need to find the easiest way possible for my users to deal with the RADIUS piece of the model.
>
> > You are on the right track with wireless.
>
> That's good to hear. Again, I just need to find the simplest implementation possible for starters.
Re: Basic usage: What do I do next to get this to work?
[EMAIL PROTECTED] wrote:
> PS. Time to go to bed. Clear the Automatically use Windows logon blah, blah box. Confirm everything and you are done.
>
> Ivan Kalik
> Kalik Informatika ISP

Also, uncheck the Authenticate as computer when information is available and Enable Fast Reconnect; the latter will drive you crazy because it will keep resetting your settings back to default.

Jon
--
perl -le print scalar reverse qq/ten.ratsed\100rnoj/
Re: Basic usage: What do I do next to get this to work?
PS. Oops, sent mail too early. Authentication method should be EAP-MSCHAPv2/click on Configure button/