Re: The best encryption/access control scheme

2007-10-31 Thread Alan DeKok
Ian Truelsen wrote:
 The major stumbling block is that we have clients with equipment that
 cannot deal with WPA encryption,

  Wireless cards that support WPA are cheap.

 and so, I think, I am forced to use WEP
 key. Now, the main concern is access control, as in the past there have
 been those in the area abusing the open AP and draining all the
 bandwidth. 
 
 So, what would be the best scheme to use for setting this up? Is a
 freeradius login/pass scheme with WEP key encryption the best that I can
 manage, or are there other options? 

  If you use WEP, the AP won't do RADIUS.  You'll have to have a hotspot
login page to control user access, like Chillispot.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Alan DeKok
Doc. Caliban wrote:
 All of our public workstations are on this interface so the machines are
 verified at the proxy.  Now I just need to get the RADIUS piece in place
 to validate the users.  IPCop can require RADIUS authentication on top
 of the MAC filter.

  So... how does it do that?  EAP?  Then you configure the clients to do
EAP.  If it has a captive web page, then that's how the clients
authenticate.

  Almost all of the RADIUS magic is in the NAS or AP.  It controls
much of the access process.  The RADIUS server just tells it yes/no for
particular users.

  Alan DeKok.


Re: radiusd deadlock on recvfrom on port 1814

2007-10-31 Thread Alan DeKok
Ryan Melendez wrote:
 recvfrom() blocks on datagram sockets just like any other type of socket
 unless it gets a SO_RCVTIMEO or the O_NONBLOCK is set (in which case you
 would receive an error).

  Hmm... I guess I hadn't run into that before, because select() never
lied about data being available.

  The simplest solution on your system is to set O_NONBLOCK on the
sockets.  But that is just a work-around for the kernel bug (i.e. race
condition).  If data is ready on a socket, it means that data is
ready... blocking on the recvfrom() after telling the application that
data is ready is not very nice.

  Alan DeKok.


Re: web based admin

2007-10-31 Thread liran tal
Hey Michael,

On 10/31/07, Hawkins, Michael [EMAIL PROTECTED] wrote:

 Why would I pick ldap over mysql? Is it because ldap is geared around
 user entities as well as an organizational hierarchy? Does phpLDAPadmin

Well, in general LDAP is considered more of an enterprise environment
because of its directory-structure nature, much like the concept of AD on
Windows. One benefit of setting up LDAP authentication is if you plan on
authenticating your users against an already running LDAP directory setup or
connecting it to MS Windows AD, which saves you the trouble of maintaining 2
different databases of users.


Regards,
Liran.


Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:


 [EMAIL PROTECTED]

 IPCop is actually pretty good for this as it uses one of its
 interfaces for wireless access based on granting each node specific
 access by MAC, but it can be any network node, it doesn't have to be a
 wireless device.


 All of our public workstations are on this interface so the machines are
 verified at the proxy.  Now I just need to get the RADIUS piece in place to
 validate the users.  IPCop can require RADIUS authentication on top of the
 MAC filter.   It sounds good on paper, I just need to find the easiest way
 possible for my users to deal with the RADIUS piece of the model.


Alternatively you could install the copspot plugin on ipcop (
http://www.ban-solms.de/t/IPCop-copspot.html )
It implements chillispot and gives you a captive portal which can talk to
your radius for AAA.

Kind regards
Yves

Re: Turn of user acc - MySQL

2007-10-31 Thread Marinko Tarlac
Subject: Re: Turn of user acc - MySQL

 Deleting user from the database - bad idea. You do want him back?

I have users inside another table (name, address, id etc..) and only
those who need access I transfer to radcheck table. So if I remove
them from radcheck, I can easily turn  them back.


 Auth-Type Reject is a check item so it would go into rad(group)check
 table.  It's better to create a group for suspended users and switch
 user to it than to add the attribute to each user.

 Think about using sqlcounters and/or Expiration attribute.

Good ideas so I will think about it...

Best regards


 Ivan Kalik
 Kalik Informatika ISP


 On 30/10/2007, Marinko Tarlac [EMAIL PROTECTED] wrote:

 Hello
 
 I made small web based application and it uses MySql database. I can
 add user accounts, create packages, add access points etc and now I
 need to create script for user control.
 
 The question is this: is it better to remove the username from the radcheck
 table, or is it a better option to add an access-reject attribute for the
 specific user in the radreply table? Is there any better solution? Also
 I'm thinking of creating a small perl script which I can call during the auth
 process.
 
 I'm not sure did you understand me :)
 
 



 --

 Message: 7
 Date: Wed, 31 Oct 2007 11:53:23 +1000 (EST)
 From: David Hobley [EMAIL PROTECTED]
 Subject: Re: Configure authentication via LDAP Group membership issue
 [sec=unclassified]
 To: FreeRadius users mailing list
 freeradius-users@lists.freeradius.org

 Frank,

 Thank you - greatly appreciated. This made me realise that my thinking was 
 foggy when I had defined group memberships. All working now.

 Cheers,
 David
 - Original Message -
 From: Frank MR Ranner [EMAIL PROTECTED]
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Sent: Wednesday, 31 October 2007 10:20:36 AM (GMT+1000) Australia/Brisbane
 Subject: RE: Configure authentication via LDAP Group membership issue 
 [sec=unclassified]

 ...
 ___

 The memberUid attribute in a posixgroup is supposed to hold the uid, not
 the uidNumber. That would make your groupmembership_filter =
 (memberUid=%{User-Name}) or more robustly,
 groupmembership_filter =
 (&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))

 Regards,
 Frank Ranner



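Ivan's suspension-group suggestion, worked through as an added example that is not part of the thread or of FreeRADIUS: the rlm_sql tables named above (radcheck, radgroupcheck, usergroup) are modelled in an in-memory SQLite database with constructed rows, and the two check-item queries radiusd prints in debug mode are run before and after switching a user into the group. The columns follow the queries quoted later in this digest; the user 'bob', the group names and the password value are constructed.

```python
"""Suspending a user via a group instead of deleting the radcheck row.

Added example, not from the thread or the FreeRADIUS project.  It models
the rlm_sql tables named in the thread (radcheck, radgroupcheck,
usergroup) in an in-memory SQLite database, loads constructed sample
rows, and runs the two check-item queries that radiusd -X prints, to show
that switching a user into a "suspended" group adds 'Auth-Type := Reject'
to the check items the server sees, and switching back removes it again
with the user's own radcheck row untouched.
"""
import sqlite3

# The user and group check-item queries as printed by rlm_sql_mysql.
RADCHECK_SQL = ("SELECT id, UserName, Attribute, Value, op FROM radcheck "
                "WHERE UserName = ? ORDER BY id")
GROUPCHECK_SQL = (
    "SELECT radgroupcheck.id, radgroupcheck.GroupName, "
    "radgroupcheck.Attribute, radgroupcheck.Value, radgroupcheck.op "
    "FROM radgroupcheck, usergroup "
    "WHERE usergroup.UserName = ? "
    "AND usergroup.GroupName = radgroupcheck.GroupName "
    "ORDER BY radgroupcheck.id")

SUSPENDED_GROUP = "suspended"   # constructed group name


def build_db():
    """Create the three tables with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT,
                               Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT,
                                    Attribute TEXT, op TEXT, Value TEXT);
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        -- constructed user; the password row stays put during suspension
        INSERT INTO radcheck (UserName, Attribute, op, Value)
            VALUES ('bob', 'Cleartext-Password', ':=', 'constructed-secret');
        INSERT INTO usergroup VALUES ('bob', 'customers');
        -- the one use of Auth-Type in SQL this thread endorses: a check
        -- item on the suspension group, never on ordinary user profiles
        INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
            VALUES ('{SUSPENDED_GROUP}', 'Auth-Type', ':=', 'Reject');
    """)
    return db


def check_items(db, user):
    """Check items the server collects: the user's own rows, then groups."""
    items = [(attr, op, val)
             for _, _, attr, val, op in db.execute(RADCHECK_SQL, (user,))]
    items += [(attr, op, val)
              for _, _, attr, val, op in db.execute(GROUPCHECK_SQL, (user,))]
    return items


def is_rejected(db, user):
    """True when the collected check items force an Access-Reject."""
    return ("Auth-Type", ":=", "Reject") in check_items(db, user)


def suspend(db, user):
    """Switch the user into the suspension group; returns the old group."""
    row = db.execute("SELECT GroupName FROM usergroup WHERE UserName = ?",
                     (user,)).fetchone()
    if row is None:
        raise LookupError(f"{user} has no usergroup row")
    db.execute("UPDATE usergroup SET GroupName = ? WHERE UserName = ?",
               (SUSPENDED_GROUP, user))
    db.commit()
    return row[0]


def restore(db, user, group):
    """Put the user back into the group returned by suspend()."""
    db.execute("UPDATE usergroup SET GroupName = ? WHERE UserName = ?",
               (group, user))
    db.commit()


if __name__ == "__main__":
    conn = build_db()
    print("before:", check_items(conn, "bob"))
    previous = suspend(conn, "bob")
    print("suspended:", check_items(conn, "bob"), is_rejected(conn, "bob"))
    restore(conn, "bob", previous)
    print("restored:", check_items(conn, "bob"), is_rejected(conn, "bob"))
```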


R: Sqlippool debian - sql_get_socket unresolved symbol

2007-10-31 Thread Francesco Cristofori
   Try editing the Makefiles so that rlm_sqlippool links to rlm_sql.
 Maybe that will solve the problem.

I tried to do this, but I'm not a good coder so I filed a bug against
the debian package.

   Alan DeKok.

Thanks,
Francesco.



R: Sqlippool debian - sql_get_socket unresolved symbol

2007-10-31 Thread Francesco Cristofori
Update: assigned bug number #448699.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448699

Greetings,
Francesco. 



AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I'm new to RADIUS, too...and I'm trying to get this to work the same way. I set
up a WLAN and a RADIUS server with a MySQL database and user
authentication by username and password. I want to use PEAP (MSCHAPv2) and I
read about a server certificate to install on my client computer to get it to
work? Of course, I could be wrong ;). But when I just do this:

Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
same for wired and wireless. Connection/Properties/click on Authentication
tab/tick enable 802.1x box/select PEAP from the box/click on Properties
button/ and use MSCHAPv2 on configure button

it does not work.
So I tried to create a certificate and import it - still doesn't work -
I think the cause is me and my missing experience with Radius. ;)

What do you think?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 04:45
To: FreeRadius users mailing list
Subject: Re: Basic usage: What do I do next to get this to work?

PS. Time to go to bed.

Clear the Automatically use Windows logon blah, blah box.

Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP




On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:
 Hm, don't know much about IPCop but I would have some doubts about it
 authenticating wired users on a local network.

IPCop is actually pretty good for this as it uses one of its interfaces
for wireless access based on granting each node specific access by MAC,
but it can be any network node, it doesn't have to be a wireless device.

All of our public workstations are on this interface so the machines are
verified at the proxy.  Now I just need to get the RADIUS piece in place
to validate the users.  IPCop can require RADIUS authentication on top
of the MAC filter.   It sounds good on paper, I just need to find the
easiest way possible for my users to deal with the RADIUS piece of the
model.
 You are on the right track with wireless.


That's good to hear.  Again, I just need to find the simplest
implementation possible for starters.








RE: PAM_RADIUS_AUTH

2007-10-31 Thread Sobanbabu Bakthavathsalu

Hi Alan,

First time I tried with IP address only, and got the following error.

Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: 
Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a 
host entry, tried it, and then changed the config to the name again, and I am 
getting the same error.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

Sobanbabu Bakthavathsalu wrote:
 Thank you for the response. There is no firewall in between the RADIUS server 
 and Solaris server (RADIUS client), only a Cisco router with a standard ACL. I 
 have verified the ACL match counters and found that the request from the 
 client itself is not reaching the router.
 Is it that host entries in the /etc/hosts file won't work for this? Do I need a 
 DNS server for RADIUS server name authentication to work with pam_radius_auth?

  No.  You *can* enter just an IP address...

  Alan DeKok.


Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

 Alan DeKok wrote:

 Doc. Caliban wrote:

 All of our public workstations are on this interface so the machines are
 verified at the proxy.

  So... how does it do that?

IPCop, the network router,  is the NAS in this case.

It has 3 interfaces, the WAN, LAN, and WiFi Access.  (Known in IPCop as 
Red, Green, and Blue.)  A fourth interface (Orange) can be added as a 
DMZ, but I don't need that at this time.


The Blue interface requires a MAC address for each node allowed to 
connect.  Typically you'd just put the AP's MAC in there and let the AP 
act as the DHCP server.  In reality you can add the MAC for any device 
you want, which is how the public machines are verified:  The only way 
they can connect in the first place is that I've added their MAC 
addresses to the access list.


IPCop can also require user authentication across both the Green and 
Blue interfaces (It's all or nothing in that regard) via a local ACL, 
identd,  LDAP, Windows authentication, or RADIUS.  My user database 
already exists in MySQL for other reasons, so using RADIUS to tap into 
that is the easiest solution.  For various reasons, I also do not want 
to add about 80% of the users to the windows AD. 

The plus side of this is that anyone using a public machine will have to 
be a valid user.  The downside is that the few people who are on the LAN 
(Green) interface will also have to deal with RADIUS even though they 
are already validated in the Windows domain.  It had been suggested to 
add their MACs to the user database in MySQL and arrange it so that 
they are allowed to skip the RADIUS process, but dealing with that is 
well out of my skill set. 

In January we will receive a bunch of Cisco AP's to replace the rather 
motley collection that we are using now.  At that point I will look at 
handing the NAS functions to them, but for now it will happen at the router.


From the feedback, it sounds like I'm heading in the right direction 
with PEAP / MS-CHAP-V2, which is what my test laptop came up with 
automatically.  I will also be sure to incorporate the suggestions 
regarding the proper configuration of the  clients in implementing this.


This has been a great resource!  Thanks to everyone who has responded, 
and to whoever set up and maintains the mailing list.


Regards,

-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

[EMAIL PROTECTED] wrote:

PS. Time to go to bed.
  

I know the feeling!

Thanks for all the info on doing this properly.  You've no doubt saved 
me a bunch of time and frustration.


-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

Jon Reynolds wrote:
Also, uncheck the Authenticate as computer when information is 
available and Enable Fast Reconnect, the latter will drive you 
crazy because it will keep resetting your settings back to default.


Jon


Perfect, thank you!

-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

YvesDM wrote:


 
Alternatively you could install the copspot plugin on ipcop (
http://www.ban-solms.de/t/IPCop-copspot.html )
It implements chillispot and gives you a captive portal which can
talk to your radius for AAA.

Kind regards
Yves

That's a great suggestion, and something that I'd looked into at one 
point.  The problem is that CopSpot only allows for HTTP traffic and not 
HTTPS.  That will certainly be a big problem for a lot of my users.  If 
there was an easy way around that, I'd probably try it out.


Thank you for the reply!

-Doc

Re: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

Bernd wrote:

snip

when I just do this: 


Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
same for wired and wireless. Connection/Properties/click on Authentication
tab/tick enable 802.1x box/select PEAP from the box/click on Properties
button/ and use MSCHAPv2 on configure button it does not work. 
So I tried to create a certificate and import it - still doesn't work -

think the cause is me and my missing experience with Radius. ;)
  


It sounds like we're in the same boat, but you're one step ahead of me.  
I haven't been able to try the latest suggestions yet.  (Probably 
tomorrow).  I'm hoping to not have to deal with certificates unless it's 
completely automated for my users.  Most of them have little or no 
computer skills beyond basic usage.


-Doc

Re: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread tnt
button/ and use MSCHAPv2 on configure button it does not work. 
So I tried to create a certificate and import it - still doesn't work -
think the cause is me and my missing experience with Radius. ;)

What do you think?

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP



Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

  YvesDM wrote:


  Alternatively you could install the copspot plugin on ipcop (
  http://www.ban-solms.de/t/IPCop-copspot.html )
  It implements chillispot and gives you a captive portal which can talk
  to your radius for AAA.
 
  Kind regards
  Yves
 
  That's a great suggestion, and something that I'd looked into at one
 point.  The problem is that CopSpot only allows for HTTP traffic and not
 HTTPS.  That will certainly be a big problem for a lot of my users.  If
 there was an easy way around that, I'd probably try it out.


Strange, according to the copspot link I sent you it uses https (on a
non-standard port).
I never used ipcop myself though.

Kind regards
Yves

Re: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread tnt
You will need to buy a server certificate then. Those will have root CA
already installed on Windows. If you make your own users will need to
import it.

Ivan Kalik
Kalik Informatika ISP


On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] wrote:

Bernd wrote:

snip

 when I just do this:

 Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
 same for wired and wireless. Connection/Properties/click on Authentication
 tab/tick enable 802.1x box/select PEAP from the box/click on Properties
 button/ and use MSCHAPv2 on configure button it does not work.
 So I tried to create a certificate and import it - still doesn't work -
 think the cause is me and my missing experience with Radius. ;)


It sounds like we're in the same boat, but you're one step ahead of me.
I haven't been able to try the latest suggestions yet.  (Probably
tomorrow).  I'm hoping to not have to deal with certificates unless it's
completely automated for my users.  Most of them have little or no
computer skills beyond basic usage.

-Doc





AW: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I'm trying to do it with OpenSSL - so no certificates to buy.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
[EMAIL PROTECTED]
Sent: Wednesday, 31 October 2007 13:35
To: FreeRadius users mailing list
Subject: Re: AW: Basic usage: What do I do next to get this to work?

You will need to buy a server certificate then. Those will have root CA
already installed on Windows. If you make your own users will need to
import it.

Ivan Kalik
Kalik Informatika ISP


On 31/10/2007, Doc. Caliban [EMAIL PROTECTED] wrote:

Bernd wrote:

snip

 when I just do this:

 Simplest thing for your users with Win XP/Vista would be PEAP. Setup is
the
 same for wired and wireless. Connection/Properties/click on
Authentication
 tab/tick enable 802.1x box/select PEAP from the box/click on Properties
 button/ and use MSCHAPv2 on configure button it does not work.
 So I tried to create a certificate and import it - still doesn't work -
 think the cause is me and my missing experience with Radius. ;)


It sounds like we're in the same boat, but you're one step ahead of me.
I haven't been able to try the latest suggestions yet.  (Probably
tomorrow).  I'm hoping to not have to deal with certificates unless it's
completely automated for my users.  Most of them have little or no
computer skills beyond basic usage.

-Doc





Newbie question - number of radius requests per session?

2007-10-31 Thread Nathan Hay
I have FreeRadius 1.1.7 installed and talking to our eDirectory servers
via LDAP to authenticate users to our wireless network.  It works great,
but our eDirectory servers get hit with 11 requests each time a single
client authenticates.  Running FreeRadius in debug mode, I see 10
requests of the format "Access-Request packet from host 10.0.0.1" and
then "Sending Access-Challenge of id 0 to 10.0.0.1 port 1082".  Then I
see a single final request of the format "Access-Request packet from
host 10.0.0.1" and then "Sending Access-Accept of id 0 to 10.0.0.1 port
1082".  Each one of these 11 requests performs a check of the user on
our eDirectory servers, hence the 11 hits each time a single client
authenticates.
 
Is this normal or do I need to fix something?  I'd be glad to send the
entire debug capture and my config if this is not normal.
 
Thanks for your help,
 
Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu ( http://www.cedarville.edu/ ) 

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

YvesDM wrote:


Strange, according to the copspot link I've sent you it uses https.  
(on non-standard port)

I never used ipcop myself though.

Kind regards
Yves

Oh, weird.  It must be in the details somewhere.  That's the page I'd 
looked at and this line had caught my eye:


Currently the portal user will only be able to use http (tcp port
   80) into the internet. All other access is blocked.

I'll read through it more carefully though as this would be a great way 
to go, thanks again!


-Doc


Re: Newbie question - number of radius requests per session?

2007-10-31 Thread Phil Mayers
On Wed, 2007-10-31 at 08:59 -0400, Nathan Hay wrote:
 I have FreeRadius 1.1.7 installed and talking to our eDirectory
 servers via LDAP to authenticate users to our wireless network.  It
 works great, but our eDirectory servers get hit with 11 requests each
 time a single client authenticates.  Running FreeRadius in debug mode,
 I see 10 requests of the format "Access-Request packet from host
 10.0.0.1" and then "Sending Access-Challenge of id 0 to 10.0.0.1 port
 1082".  Then I see a single final request of the format
 "Access-Request packet from host 10.0.0.1" and then "Sending
 Access-Accept of id 0 to 10.0.0.1 port 1082".  Each one of these 11
 requests performs a check of the user on our eDirectory servers, hence
 the 11 hits each time a single client authenticates.
  
 Is this normal or do I need to fix something?  I'd be glad to send the
 entire debug capture and my config if this is not normal.

EAP sessions typically cover tens of request/challenge packets.

You have configured the server to run the LDAP lookups on each packet, as
opposed to just once.

The easiest thing is to do this:

authorize {
  preprocess
  ...etc...
  eap
  ...etc...
  Autz-Type INNER {
ldap
  }
}

...and in the users file:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

This will match the inner packets of the EAP session, and tell the
server to run the Autz-Type sub-block of authorize (containing LDAP)

You may still see 2 lookups, since there may be a request/challenge and
request/accept inside the EAP tunnel, but it's better than 11.

Getting down to 1 lookup requires FreeRadius 2.0 (not currently
released)

  
 Thanks for your help,
  
 Nathan
 
 Nathan P. Hay
 Network Engineer
 Computer Services
 Cedarville University
 www.cedarville.edu 


AW: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Bernd
I think we do.

 

Lately I tried to get PEAP MSCHAPv2 to work. 

 

All settings in conf.s and laptop are made like described in “tutorial for
AD integration”. And I get a response in Debug Mode when I try to connect to
my WLAN. 

It says this:

 

rad_recv: Access-Request packet from host 192.168.1.6:1027, id=171,
length=139

User-Name = bnickaes

NAS-IP-Address = 192.168.1.6

NAS-Identifier = BBi5

Framed-MTU = 1496

Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test

Calling-Station-Id = 00-14-a5-3e-a8-ba

NAS-Port-Type = Wireless-802.11

EAP-Message = 0x0201000d01626e69636b616573

Message-Authenticator = 0x90e3fac9ac07c6554cc915f9084b7e7e

rlm_sql (sql): Reserving sql socket id: 4

rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'bnickaes'   ORDER BY id

rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id

rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radreply   WHERE Username = 'bnickaes'   ORDER BY id

rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql (sql): Released sql socket id: 4

Warning:  Found 2 auth-types on request for user 'bnickaes'

Sending Access-Challenge of id 171 to 192.168.1.6 port 1027

EAP-Message = 0x010200061920

Message-Authenticator = 0x

State = 0xae0040259c6e0027d20f07497ad772e3

rad_recv: Access-Request packet from host 192.168.1.6:1027, id=172,
length=256

User-Name = bnickaes

NAS-IP-Address = 192.168.1.6

NAS-Identifier = BBi5

Framed-MTU = 1496

Called-Station-Id = 00-19-cb-1f-66-2d:BBi WLAN test

Calling-Station-Id = 00-14-a5-3e-a8-ba

NAS-Port-Type = Wireless-802.11

EAP-Message =
0x02020070198000661603010061015d0301472883f5c4aedc6e4983d6084e41a67f
7f0241f4463d2d4fd718ccdf9a8123b12008bc4f684a5c373d3851e80c2a33ad09d141a57835
6d335d892ac642491e6dec001600040005000a000900640062000300060013001200630100

State = 0xae0040259c6e0027d20f07497ad772e3

Message-Authenticator = 0xa1fa011f6381228ee1c9140adce8c222

rlm_sql (sql): Reserving sql socket id: 3

rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radcheck   WHERE Username = 'bnickaes'   ORDER BY id

rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id

rlm_sql_mysql: query:  SELECT id, UserName, Attribute, Value, op
FROM radreply   WHERE Username = 'bnickaes'   ORDER BY id

rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = 'bnickaes' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id

rlm_sql (sql): Released sql socket id: 3

Warning:  Found 2 auth-types on request for user 'bnickaes'

 

The output is much longer - many attempts, I think

 

So… I believe this is the problem, but I don’t know how to solve it.

 

Warning:  Found 2 auth-types on request for user 'bnickaes' ?

 

There is an entry “auth-type” in the MySQL database, but I can find only one
auth-type option for my user “bnickaes” there.

 

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Doc.
Caliban
Sent: Wednesday, 31 October 2007 13:14
To: FreeRadius users mailing list
Subject: Re: AW: Basic usage: What do I do next to get this to work?

 

Bernd wrote: 

snip

when I just do this: 
 
Simplest thing for your users with Win XP/Vista would be PEAP. Setup is the
same for wired and wireless. Connection/Properties/click on Authentication
tab/tick enable 802.1x box/select PEAP from the box/click on Properties
button/ and use MSCHAPv2 on configure button it does not work. 
So I tried to create a certificate and import it - still doesn't work -
think the cause is me and my missing experience with Radius. ;)
  


It sounds like we're in the same boat, but you're one step ahead of me.  I
haven't been able to try the latest suggestions yet.  (Probably tomorrow).
I'm hoping to not have to deal with certificates unless it's completely
automated for my users.  Most of them have little or no computer skills
beyond basic usage.

-Doc

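The EAP-Message values in the debug output above, decoded by an added example that is not part of the thread or of FreeRADIUS. The first two hex strings are copied from that output; the third is the PEAP ClientHello from the same output with the zero bytes of its two length fields ("00000066" and "00005d"), which the list archive collapsed, restored so that the packet again parses to its declared 112 bytes.

```python
"""Decoding the EAP-Message attribute values from radiusd -X output.

Added example, not FreeRADIUS code.  IDENTITY_RESPONSE and PEAP_START are
the first two EAP-Message values printed in the debug output above;
CLIENT_HELLO is the third one with the all-zero bytes of its two length
fields restored (the list archive collapsed them).  Byte layouts follow
RFC 3748 (EAP header), RFC 5216 (EAP-TLS flags, reused by PEAP) and the
TLS record/handshake format.
"""
import struct

IDENTITY_RESPONSE = "0x0201000d01626e69636b616573"   # Access-Request id=171
PEAP_START = "0x010200061920"                        # Access-Challenge id=171
CLIENT_HELLO = (                                      # Access-Request id=172
    "0x0202007019" "8000000066" "1603010061" "0100005d0301"
    "472883f5c4aedc6e4983d6084e41a67f7f0241f4463d2d4fd718ccdf9a8123b1"
    "2008bc4f684a5c373d3851e80c2a33ad09d141a578356d335d892ac642491e6dec"
    "0016" "00040005000a00090064006200030006001300120063" "0100"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(hexstr):
    """Parse one EAP packet as carried in a RADIUS EAP-Message attribute."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} but {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                 # Success/Failure carry no type byte
        return pkt
    eap_type, body = data[4], data[5:]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        # The outer identity is sent before any TLS tunnel exists, so it is
        # readable by anyone on the path between client and RADIUS server.
        pkt["identity"] = body.decode("ascii", "replace")
    elif eap_type in (13, 25):
        flags = body[0]
        pkt["flags"] = {"L": bool(flags & 0x80),   # TLS length included
                        "M": bool(flags & 0x40),   # more fragments follow
                        "S": bool(flags & 0x20)}   # Start: server opens TLS
        pkt["peap_version"] = flags & 0x07
        tls = body[1:]
        if pkt["flags"]["L"]:
            pkt["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if tls:
            pkt["tls"] = describe_tls_record(tls)
    return pkt


def describe_tls_record(rec):
    """Summarise the first TLS record; for a ClientHello list the suites."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    info = {"content_type": ctype, "version": f"{major}.{minor}",
            "record_length": rlen}                 # 3.1 is TLS 1.0
    if ctype == 22 and rec[5] == 1:                # handshake, ClientHello
        hs_len = int.from_bytes(rec[6:9], "big")
        p = 9 + 2 + 32                             # skip version and random
        sid_len = rec[p]
        p += 1 + sid_len
        cs_len = struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        suites = [struct.unpack("!H", rec[p + i:p + i + 2])[0]
                  for i in range(0, cs_len, 2)]
        info.update(handshake="ClientHello", handshake_length=hs_len,
                    session_id_length=sid_len, cipher_suites=suites)
    return info


def decode_thread_messages():
    """Decode the three EAP-Message values in the order they appear above."""
    return [parse_eap(h) for h in (IDENTITY_RESPONSE, PEAP_START, CLIENT_HELLO)]


if __name__ == "__main__":
    for pkt in decode_thread_messages():
        print(pkt)
```

The Identity response shows why the username is visible in the NAS and RADIUS logs before any tunnel is up; the flags of the two PEAP packets show the server's Start and the client's length-bearing first TLS fragment.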

Re: radiusd deadlock on recvfrom on port 1814

2007-10-31 Thread Ryan Melendez

On Wed, 2007-10-31 at 08:13 +0100, Alan DeKok wrote:
 Ryan Melendez wrote:
  recvfrom() blocks on datagram sockets just like any other type of socket
  unless it gets a SO_RCVTIMEO or the O_NONBLOCK is set (in which case you
  would receive an error).
 
   Hmm... I guess I hadn't run into that before, because select() never
 lied about data being available.
 
   The simplest solution on your system is to set O_NONBLOCK on the
 sockets.  But that is just a work-around for the kernel bug (i.e. race
 condition).  If data is ready on a socket, it means that data is
 ready... blocking on the recvfrom() after telling the application that
 data is ready is not very nice.

I'm not positive that select is lying about data being available. It
could be that there is data when select is called, but _something_ out
of line grabs it before recvfrom() can get to it.  The only time I've
run into this in the past (not freeradius) is when some flavor of read is
called on the socket outside the select loop (bad programming).  I can't
see anywhere this is happening in freeradius.

Again, this only started happening when I began running two radiusd
processes on different interfaces on a multihomed system.  I also have
radrelay binding to one interface and replicating acct packets to the
other process.

I suspect you are correct that it is some race condition in the kernel,
possibly regarding pthread.  I'm going to continue investigating; I'll
make the socket non-blocking as a last resort.

If anyone has experienced this problem before, or has any suggestions
please let me know.

Thanks,
Ryan

 
   Alan DeKok.
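Editor's added example of the select()/recvfrom() behaviour discussed in this thread; it is not FreeRADIUS code. It puts a datagram socket into O_NONBLOCK mode, as Alan suggests, and walks through the three outcomes a reader loop has to handle: select() times out; select() reports readable and recvfrom() delivers the datagram; select() reports readable but the datagram is gone by the time recvfrom() runs. On a blocking socket the third case is exactly the hang Ryan describes; on a non-blocking socket it is a -1/EAGAIN the loop can treat as "nothing yet, back to select()". An AF_UNIX SOCK_DGRAM socketpair stands in for the UDP socket so the demo needs no network, and the "ping" datagram is constructed for the demo.

```c
/* Added example (not FreeRADIUS code): select()-then-recvfrom() on a
 * non-blocking datagram socket. An AF_UNIX SOCK_DGRAM socketpair stands
 * in for the UDP listener so this runs without any network access. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Switch a descriptor to non-blocking mode. Returns 0 on success, -1 on error. */
int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Wait up to timeout_ms for fd to become readable, then read one datagram.
 * Returns: bytes read (>0);  0 if select() timed out;
 *          -1 if select() said "readable" but recvfrom() would block
 *             (the datagram vanished in between: go back to select());
 *          -2 on any other error (errno is set). */
int recv_after_select(int fd, char *buf, size_t len, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0) return -2;
    if (rc == 0) return 0;
    ssize_t n = recvfrom(fd, buf, len, 0, NULL, NULL);
    if (n >= 0) return (int)n;
    if (errno == EAGAIN || errno == EWOULDBLOCK) return -1;
    return -2;
}

/* Exercise the three cases. Returns 0 when every step behaves as expected,
 * otherwise the number of the step that failed. */
int demo_nonblocking_reader(void) {
    int sv[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return 1;
    if (set_nonblocking(sv[0]) < 0) return 2;

    /* 1. Nothing queued: select() times out and recvfrom() is never reached. */
    if (recv_after_select(sv[0], buf, sizeof buf, 20) != 0) return 3;

    /* 2. One datagram queued: select() reports readable, recvfrom() gets it. */
    if (send(sv[1], "ping", 4, 0) != 4) return 4;
    if (recv_after_select(sv[0], buf, sizeof buf, 20) != 4) return 5;
    if (memcmp(buf, "ping", 4) != 0) return 6;

    /* 3. The race: recvfrom() with the queue empty again. A blocking socket
     *    would sit here forever (the radiusd hang); a non-blocking one
     *    returns at once with EAGAIN and the caller retries select(). */
    ssize_t n = recvfrom(sv[0], buf, sizeof buf, 0, NULL, NULL);
    if (n != -1 || !(errno == EAGAIN || errno == EWOULDBLOCK)) return 7;

    close(sv[0]);
    close(sv[1]);
    return 0;
}

int main(void) {
    int rc = demo_nonblocking_reader();
    printf(rc == 0 ? "all three cases behaved as expected\n"
                   : "step %d did not behave as expected\n", rc);
    return rc;
}
```

Whoever owns the socket must treat EAGAIN from recvfrom() as "no data yet" rather than as a fatal error, otherwise switching to O_NONBLOCK only turns the hang into spurious failures. A readable-then-empty socket is also what you get when a second reader (another process or thread on the same descriptor) drains the datagram between the two calls, so the non-blocking return value is a useful symptom to log while hunting the real cause.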


access-deny reply log to mysql

2007-10-31 Thread asd
I would like to log to the radpostauth table inside the mysql server not
only the Access-Accept replies but the Access-deny replies too. How to?

thanks for helping
Arjuna



Re: AW: AW: Basic usage: What do I do next to get this to work?

2007-10-31 Thread tnt
All settings in conf.s and laptop are made like described in "tutorial for
AD integration".

The output is much longer - many attempts, I think

So... I believe this is the problem, but I don't know how to solve it.

Warning:  Found 2 auth-types on request for user 'bnickaes' ?

There is an entry "auth-type" in mySQL Database, but I can find only one
auth-type option for my user "bnickaes" there.


Well, you made one and the server another.  There is no mention of using
Auth-Type in user profiles in any manuals. On the contrary. In several
places you are instructed not to use it. Remove that from the database.
Debug with capital X (radiusd -X not -x).

Ivan Kalik
Kalik Informatika ISP



Need help

2007-10-31 Thread Frank Winkler

Hi there !

Could someone please assist me in configuring FreeRADIUS? I'm quite new to
FR and migrated a server from 0.6 on Solaris 8/SPARC to 1.1.7 on Solaris
10/x64.

On the old server, the users were authenticated by regular /etc/passwd
means. I got this working on the new server. As there are some new features
in the later versions, I'd prefer to move the RADIUS users to a separate
smbpasswd-like file but I can't get the authentication to work.

Some questions:

The old server querying itself for a /etc/passwd user:
[EMAIL PROTECTED] # ./radtest frank XXX localhost 10 test123
Sending Access-Request of id 161 to 127.0.0.1:1812
User-Name = frank
User-Password = D[\326\255h\016A\275\357%\367\027_y
NAS-IP-Address = XXX
NAS-Port-Id = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=161, length=20
[EMAIL PROTECTED] #

The old server querying the new one for a /etc/passwd user:
[EMAIL PROTECTED] # ./radtest frank XXX new 10 test123
Sending Access-Request of id 216 to 10.1.1.12:1812
User-Name = frank
User-Password = T)n\244Lec\226\246)[EMAIL PROTECTED]%
NAS-IP-Address = XXX
NAS-Port-Id = 10
rad_recv: Access-Accept packet from host 10.1.1.12:1812, id=216, length=20
[EMAIL PROTECTED] #

The new server querying itself for the exact same user as above:
[EMAIL PROTECTED] ./radtest frank XXX localhost 10 test123
Sending Access-Request of id 177 to 127.0.0.1 port 1812
User-Name = frank
User-Password = XXX
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=177, length=20
[EMAIL PROTECTED]

Why is the password displayed in plain text instead of hashed as on the old
server?

And how do I configure a separate user file? Currently, I have

passwd radpasswd {
        filename = /opt/freeradius/etc/radpasswd
        #format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
        format = *User-Name:LM-Password:NT-Password:
        delimiter = :
        # authtype = MS-CHAP
        authtype = PAP
        hashsize = 0
        ignorenislike = yes
        allowmultiplekeys = no
}

with radpasswd looking like

frank:A:B:Frank Winkler

with A and B created by smbencrypt.

I'm pretty unsure about the authtype. I can post debug output of radiusd
but it looks like it finds the user in the file but cannot authenticate the
password.

TIA

fw
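Editor's added example, not from the post and not FreeRADIUS or Samba code: the NT-Password value that smbencrypt writes is MD4 over the UTF-16LE encoding of the password, and the code below computes it (MD4 per RFC 1320, checked against that RFC's test vectors) so the 32 hex digits in radpasswd can be regenerated or verified without Samba tools. The DES-based LM-Password is not computed; radpasswd_line() takes it as a string, on the assumption that you paste smbencrypt's LM value or leave the field empty. The emitted line copies the four colon-separated fields of the radpasswd line in the post, using "password" as a constructed sample password. On the radtest question: the old output shows User-Password after the RFC 2865 hiding (MD5 of shared secret and Request Authenticator XORed into the password) was applied, the new output shows the same attribute before that step; on the wire it is hidden in both cases.

```c
/* Added example (not FreeRADIUS or Samba code): compute the NT-Password
 * field (MD4 over UTF-16LE of the password) and print a radpasswd line in
 * the "*User-Name:LM-Password:NT-Password:" layout used in the post.
 * LM-Password is passed in (assumption: from smbencrypt, or ""). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))

/* One 64-byte MD4 compression step (RFC 1320, rounds 1-3). */
static void md4_block(uint32_t st[4], const uint8_t blk[64]) {
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int k3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t X[16], a = st[0], b = st[1], c = st[2], d = st[3], t;
    for (int i = 0; i < 16; i++)                 /* little-endian words */
        X[i] = (uint32_t)blk[4*i] | (uint32_t)blk[4*i+1] << 8 |
               (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;
    for (int i = 0; i < 16; i++) {               /* round 1 */
        t = ROTL(a + F(b, c, d) + X[i], s1[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {               /* round 2 */
        t = ROTL(a + G(b, c, d) + X[(i % 4) * 4 + i / 4] + 0x5A827999u, s2[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    for (int i = 0; i < 16; i++) {               /* round 3 */
        t = ROTL(a + H(b, c, d) + X[k3[i]] + 0x6ED9EBA1u, s3[i % 4]);
        a = d; d = c; c = b; b = t;
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

/* MD4 of an arbitrary byte string; 16-byte digest written to out. */
void md4(const uint8_t *msg, size_t len, uint8_t out[16]) {
    uint32_t st[4] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u};
    uint8_t blk[64];
    size_t done = 0;
    for (; len - done >= 64; done += 64) md4_block(st, msg + done);
    size_t rem = len - done;
    memset(blk, 0, sizeof blk);
    memcpy(blk, msg + done, rem);
    blk[rem] = 0x80;                              /* pad: one 1 bit, then zeros */
    if (rem >= 56) { md4_block(st, blk); memset(blk, 0, sizeof blk); }
    uint64_t bits = (uint64_t)len * 8;            /* 64-bit little-endian length */
    for (int i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(bits >> (8 * i));
    md4_block(st, blk);
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(st[i] >> (8 * j));
}

static void to_hex(const uint8_t dig[16], char hex[33]) {
    for (int i = 0; i < 16; i++) sprintf(hex + 2 * i, "%02X", dig[i]);
    hex[32] = '\0';
}

/* NT-Password: MD4 over UTF-16LE(password). ASCII passwords only here, so
 * each byte becomes one little-endian 16-bit code unit. 32 upper-case hex digits. */
void nt_password_hex(const char *password, char hex[33]) {
    uint8_t wide[2 * 128], dig[16];
    size_t n = strlen(password);
    if (n > 128) n = 128;
    for (size_t i = 0; i < n; i++) { wide[2*i] = (uint8_t)password[i]; wide[2*i + 1] = 0; }
    md4(wide, 2 * n, dig);
    to_hex(dig, hex);
}

/* Hex MD4 of a C string, for checking against the RFC 1320 test vectors. */
void md4_hex(const char *s, char hex[33]) {
    uint8_t dig[16];
    md4((const uint8_t *)s, strlen(s), dig);
    to_hex(dig, hex);
}

/* Build one radpasswd line as in the post: user:LM:NT:comment. */
int radpasswd_line(const char *user, const char *lm, const char *password,
                   const char *comment, char *out, size_t outlen) {
    char nt[33];
    nt_password_hex(password, nt);
    return snprintf(out, outlen, "%s:%s:%s:%s", user, lm, nt, comment);
}

int main(void) {
    char line[256];
    radpasswd_line("frank", "", "password", "Frank Winkler", line, sizeof line);
    puts(line);   /* frank::8846F7EAEE8FB117AD06BDD830B7586C:Frank Winkler */
    return 0;
}
```

If the value in the file is not exactly 32 hex digits, or was produced from a different password, PAP against NT-Password can only fail, so comparing the file against this output is a quick way to rule that out before digging through radiusd -X output.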


Signing a certificate

2007-10-31 Thread Zolotov, Eyal
Hi,

I'm trying to sign a certificate using OpenSSL.

I got cacert.pem and a password from a 3rd party.

1. Is it sufficient to sign certificates?
2. Shouldn't I have the cakey.pem as well?
3. Where should I put those files?

Thanks,
Eyal Zolotov.
-
Envara, Ltd.

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.



FreeRadius and Clean Access Manager

2007-10-31 Thread Dorota Kupis
Hello,

Has anybody set up FreeRadius with Network Admission Control? I have
trouble setting up FreeRadius as an authentication server in Clean Access
Manager.

It works perfectly with ACS.

Thanks for the help

Dorota


RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
 Has anybody set up FreeRadius with Network Admission Control. 
 I have a trouble to set up FreeRadius as an authentication 
 server in Clean Access Manager.

FreeRADIUS does not support Cisco NAC.

 It works perfectly with ACS.

This is because it is a Cisco proprietary protocol.

josh. 

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG



RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Dorota Kupis
Hello Josh,

Actually I gave it another try just after I wrote to the group and I
succeeded. I'm not talking about TACACS+ here.
Cisco Clean Access can have several authentication servers defined. I can
confirm it works with FreeRadius as well.

Dorota

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Josh
Howlett
Sent: Wednesday, October 31, 2007 11:35 AM
To: FreeRadius users mailing list
Cc: Josh Howlett
Subject: RE: FreeRadius and Clean Access Manager

 Has anybody set up FreeRadius with Network Admission Control. 
 I have a trouble to set up FreeRadius as an authentication 
 server in Clean Access Manager.

FreeRADIUS does not support Cisco NAC.

 It works perfectly with ACS.

This is because it is a Cisco proprietary protocol.

josh. 



Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

  YvesDM wrote:


 Strange, according to the copspot link I've sent you it uses https.  (on
 non-standard port)
 I never used ipcop myself though.

 Kind regards
 Yves

  Oh, weird.  It must be in the details somewhere.  That's the page I'd
 looked at and this line had caught my eye:

  Currently the portal user will only be able to use http (tcp port 80)
 into the internet. All other access is blocked.

  I'll read through it more carefully though as this would be a great way
 to go, thanks again!



Oh, I see, now I know what you mean.
I thought you meant users weren't able to log in through https.
If your users need more open ports, this will probably be easy to modify
through the firewall rules.
But we're going off topic of this list.
Good luck

Kind regards.

RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
But you are just using FreeRADIUS for authentication. I didn't realise
it was possible to separate posture assessment from authentication in
Cisco NAC. Interesting to hear that you can.

josh. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dorota Kupis
 Sent: 31 October 2007 18:50
 To: FreeRadius users mailing list
 Subject: RE: FreeRadius and Clean Access Manager
 
 Hello Josh,
 
 Actually I give another try just after I wrote to the group 
 and I succeeded. I don't talk about TACACS+ here.
 Cisco Clean Access can have several authentication servers 
 defined. I do confirm it works with FreeRadius as well.
 
 Dorota
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Josh Howlett
 Sent: Wednesday, October 31, 2007 11:35 AM
 To: FreeRadius users mailing list
 Cc: Josh Howlett
 Subject: RE: FreeRadius and Clean Access Manager
 
  Has anybody set up FreeRadius with Network Admission Control. 
  I have a trouble to set up FreeRadius as an authentication 
 server in 
  Clean Access Manager.
 
 FreeRADIUS does not support Cisco NAC.
 
  It works perfectly with ACS.
 
 This is because it is a Cisco proprietary protocol.
 
 josh. 
 


Re: FreeRadius and Clean Access Manager

2007-10-31 Thread A . L . M . Buxey
Hi,
 But you are just using FreeRADIUS for authentication. I didn't realise
 it was possible to separate posture assessment from authentication in
 Cisco NAC. Interesting to hear that you can.

..I guess we are all looking at development of EAP-TNC with interest..

alan


RE: FreeRadius and Clean Access Manager

2007-10-31 Thread Josh Howlett
 Hi,
  But you are just using FreeRADIUS for authentication. I didn't realise
  it was possible to separate posture assessment from authentication in
  Cisco NAC. Interesting to hear that you can.
 
 ..I guess we are all looking at development of EAP-TNC with interest..

You betcha!

josh.
