Configuring own VSA to FreeRADIUS server

2008-01-09 Thread Sourav Chakraborty
Hi Everyone,

We are trying to add our own VSA to the Access-Accept message sent out
by the FreeRADIUS server. Can you please outline the steps as to how this
can be done? We require this urgently.

Thanks in advance for the help sought.

Regards
Sourav
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius-client in pppd

2008-01-09 Thread Stefan Winter
Hi,

> I don't think there is a pppd mail list. That's why I ask here.

The README in pppd states:

Contacts.
*

The comp.protocols.ppp newsgroup is a useful place to get help if you
have trouble getting your ppp connections to work.  Please do not send
me questions of the form "please help me get connected to my ISP" -
I'm sorry, but I simply do not have the time to answer all the
questions like this that I get.



I wonder if that really still exists... usenet... I already feel old just 
because I'm old enough to know what usenet and newsgroups *are*.

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: RPM install error.

2008-01-09 Thread mohsen rahmanian
>
> > I install freeradius-1.1.7-7.1.i386.rpm few days ago, When I try to
> > install, upgrade or remove freeradius-1.1.7-7.1.i386.rpm get this error:
> >
> > /var/tmp/rpm-tmp.25681: line 1: fg: no job control
> > error: %postun( freeradius-1.1.7-7.1.i386) scriptlet failed, exit status
> 1
> >
> > I use Fedora Core 6 on Toshiba laptop.
> >
> > I try it with apt-get, but get previous error.
> > Can you tell me why?
>
> Which rpm are you using? Where did you download it from?



Hello Peter,
I'm using freeradius-1.1.7-7.1.i386.rpm. I downloaded it from
http://ftp.twaren.net/Linux/OpenSuSE/repositories/network:/aaa/Fedora_Extras_6/i386/

I downloaded "freeradius-1.1.7-3.1.fc6.i386.rpm" from rpmfind and it works, but
I can't remove "freeradius-1.1.7-7.1.i386.rpm".

-- 
Best Regards
Rahmanian

Re: Freeradius-client in pppd

2008-01-09 Thread tnt
>
>I don't think there is a pppd mail list. That's why I ask here.
>

http://us4.samba.org/samba/archives.html

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius-client in pppd

2008-01-09 Thread Damjan
>>> Is there any patch to make pppd use this radius client instead of it's
>>> own copy of the old radiusclient?
>>
>> No comments on this???
> 
> Maybe if you ask this question on a pppd mailing list, chances of getting a 
> response are higher.

I don't think there is a pppd mail list. That's why I ask here.

Also because freeradius-client is an offspring of libradiusclient that was
used in pppd. I thought that freeradius people might know what the
changes were from that old version to today.


-- 
damjan | дамјан
This is my jabber ID --> [EMAIL PROTECTED] 
 -- not my mail address, it's a Jabber ID --^ :)

Re: different authentication methods in users file

2008-01-09 Thread Alan DeKok
Johan wrote:
> I'd like to authenticate some users request coming from a firewall with perl,
> and some other coming from a Brocade box with LDAP.

  Use 2.0 (CVS head) and virtual servers.  It will be trivial.

  Alan DeKok.


Re: Stopping LDAP searches during each part of EAP session?

2008-01-09 Thread Alan DeKok
Matt Alexander wrote:
> When I look through the debug logs, however, I see that the rlm_ldap
> module is doing an LDAP search for my username during each stage of the
> EAP session.  Is there a way to configure freeradius so that it won't
> try LDAP auth in the middle of an EAP session?

  See the example "authorize" section and "eap" config in 1.1.7.

  In 2.0, this is a lot easier to control.

  Alan DeKok.


different authentication methods in users file

2008-01-09 Thread Johan
Hi list

I'd like to authenticate some user requests coming from a firewall with perl,
and some others coming from a Brocade box with LDAP.

Each authentication alone works, but I haven't figured out how to make
things work together.

This combination works, but I'd rather have a generic statement:

firewalluser	Auth-Type == perl
	Fall-Through = no

DEFAULT	Auth-Type == ldap
	Fall-Through = Yes

DEFAULT	Huntgroup-Name == netadmin
	Auth-Type = ldap,
	Brocade-Auth-Role = "admin",
	Fall-Through = no

If I replace the user name firewalluser by DEFAULT and add a property
like NAS-IP-Address = 192.168.9.111, or Login-IP-Host = 192.168.9.111,
that doesn't work.

What's wrong?


Stopping LDAP searches during each part of EAP session?

2008-01-09 Thread Matt Alexander
I have a freeradius server configured to do both EAP-TLS and LDAP auth.  It
works great so far.  If I have a cert. configured, then I'm authenticated
with the cert.  If I don't have a cert then I get prompted for my un/pw on
my NAS's Captive Portal page, which then passes my username/password on to
the Radius server which then checks my LDAP server if my un/pw are correct.

When I look through the debug logs, however, I see that the rlm_ldap module
is doing an LDAP search for my username during each stage of the EAP
session.  Is there a way to configure freeradius so that it won't try LDAP
auth in the middle of an EAP session?

Here's my radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 8192
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 200
    reject_delay = 0
    status_server = yes
}
proxy_requests = no
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
    start_servers = 10
    max_servers = 128
    min_spare_servers = 3
    max_spare_servers = 20
    max_requests_per_server = 0
}
modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.mycompany.com"
        basedn = "ou=people,dc=mycompany,dc=com"
        filter = "(&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 25
        timeout = 10
        timelimit = 10
        net_timeout = 1
        access_attr_used_for_allow = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000

Re: Freeradius-client in pppd

2008-01-09 Thread Stefan Winter
> > Is there any patch to make pppd use this radius client instead of it's
> > own copy of the old radiusclient?
>
> No comments on this???

Maybe if you ask this question on a pppd mailing list, chances of getting a 
response are higher.

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: RPM install error.

2008-01-09 Thread Peter Nixon
On Wed 09 Jan 2008, mohsen rahmanian wrote:
> His name
>
> I install freeradius-1.1.7-7.1.i386.rpm few days ago, When I try to
> install, upgrade or remove freeradius-1.1.7-7.1.i386.rpm get this error:
>
> /var/tmp/rpm-tmp.25681: line 1: fg: no job control
> error: %postun( freeradius-1.1.7-7.1.i386) scriptlet failed, exit status 1
>
> I use Fedora Core 6 on Toshiba laptop.
>
> I try it with apt-get, but get previous error.
> Can you tell me why?

Which rpm are you using? Where did you download it from?

Regards

Peter

-- 

Peter Nixon
http://peternixon.net/


Re: Freeradius-client in pppd

2008-01-09 Thread Damjan
> I need the feature to specify the local ip address for the radius
> requests in PPPd and I see that freeradius-client-1.1.5 has that
> feature. 
> 
> Is there any patch to make pppd use this radius client instead of it's
> own copy of the old radiusclient?

No comments on this???



-- 
damjan | дамјан
This is my jabber ID --> [EMAIL PROTECTED] 
 -- not my mail address, it's a Jabber ID --^ :)

Re: OpenSSH, PAM and pam_radius_auth

2008-01-09 Thread Alan DeKok
Sobanbabu Bakthavathsalu wrote:
>>> We have entry in the /etc/hosts file for radius1 server, but the pam_auth 
>>> module is having issues in reading it.
>>> You have seen the error, even if we give the IP address, it tries to 
>>> resolve it to IP again.

  Hmm... I think it may be necessary also to add an entry to /etc/hosts
for the *local* machine hostname -> IP mapping.

  Alan DeKok.


Re: How to Make Digital Certificates in Radius

2008-01-09 Thread Alan DeKok
orion wrote:
> isn't there a way to browse by web the cvs archives on cvs.freeradius.org
> without opting to use the cvs build, 'cause i have a working server but
> don't want to mess it up.

 The instructions on the web page include how to CHECK OUT the
source code.  You do not have to INSTALL it.

> after all ,all i need are the docs of the new releases.

  Then check out the source code, and look in raddb/certs/README.

  Alan DeKok.


Re: How to Make Digital Certificates in Radius

2008-01-09 Thread orion
Never mind.
thanx anyway.

On 09/01/2008, orion <[EMAIL PROTECTED]> wrote:
>
> isn't there a way to browse by web the cvs archives on cvs.freeradius.org
> without opting to use the cvs build, 'cause i have a working server but
> don't want to mess it up.
>
> after all ,all i need are the docs of the new releases.
>
> On 09/01/2008, Alan DeKok <[EMAIL PROTECTED] > wrote:
> >
> > niel m wrote:
> > > I have already read the README file under this directory (
> > > /etc/raddb/certs )
> >
> >   No.  I said to grab the CVS head.  The NEW version of that README
> > contains additional information.  You are looking at the OLD version of
> > that README.
> >
> >   Following PART of the instructions will get you PART of the solution.
> >
> >   Alan DeKok.

Re: How to Make Digital Certificates in Radius

2008-01-09 Thread orion
isn't there a way to browse by web the cvs archives on cvs.freeradius.org
without opting to use the cvs build, 'cause i have a working server but
don't want to mess it up.

after all ,all i need are the docs of the new releases.

On 09/01/2008, Alan DeKok <[EMAIL PROTECTED]> wrote:
>
> niel m wrote:
> > I have already read the README file under this directory (
> > /etc/raddb/certs )
>
>   No.  I said to grab the CVS head.  The NEW version of that README
> contains additional information.  You are looking at the OLD version of
> that README.
>
>   Following PART of the instructions will get you PART of the solution.
>
>   Alan DeKok.

Re: ldap group membership required

2008-01-09 Thread Daniel Durgin
Thank you for the quick reply.  I beat my head against it again, and
again.  Then noticed the clients file.  I got it working.

Alan DeKok wrote:
> Daniel Durgin wrote:
> > I have searched the archives and google, and there seems to be lots of
> > confusion on the subject: Requiring membership to an LDAP group to
> > authenticate.
>
>   No.
>
>   Authentication involves checking credentials.  Authorization involves
> *additional* and *independent* filter rules specifying when and where
> people can authenticate.
>
>   If you think of checking group membership as authentication, it means
> that your conceptual model of how the system works is wrong.  Hence
> designs of any solution will be wrong, and confusion will be multiplied.
>
> > I can't seem to get it to work.  Notice the misspelling of the member:
> >
> > dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
> > cn: min_radius_wifi
> > objectClass: groupOfNames
> > objectClass: top
> > member: cn=tes guest,ou=Guests,dc=fu,dc=bar
> >
> > The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
> > login.
>
>   So... read the debug output to see why.  This is mentioned in so many
> places that there is NO excuse for not doing it.
>
>   I also fail to understand why people look at the *configuration* to
> see how the server is *running*.  It's like driving a car while looking
> only at a map, and not at the road in front of you.  If all goes well,
> it might work.  But as soon as a pedestrian steps in front of your car,
> you fail to see him, and *boom*, bad things happen.
>
> > FreeRadius Version: freeradius-1.0.1
>
>   Why?  That version is *years* old.
>
> > It comes with CentOS 5, or one of the Yum repos.  I just needed a
> > radius server to gateway for my LDAP server.
>
>   Alan DeKok

Thank you for the lesson, I learned a lot.

-Dan


RE: OpenSSH, PAM and pam_radius_auth

2008-01-09 Thread Sobanbabu Bakthavathsalu

Hi Alan,

>   So fix DNS so that it has a name to IP mapping for that host.  Or,
> add that name to IP mapping into /etc/hosts.
>
>   The module can't do anything if you tell it to use "radius1" as a
> RADIUS server, and then don't tell it where "radius1" is on the network.
>
> > > We have entry in the /etc/hosts file for radius1 server, but the pam_auth
> > > module is having issues in reading it.
> > > You have seen the error, even if we give the IP address, it tries to resolve
> > > it to IP again.
>
>   Alan DeKok.


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread Alan DeKok
nikitha george wrote:
> Hi,
> I want to enable only TTLS authentication and if the client is
> requesting any other types EAP-TLS or PEAP the authentication should be
> denied.
> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> server itself is not starting up.
> Please let me know if there are any ways to achieve this.

  Put this at the top of the "users" file:

DEFAULT EAP-Type != EAP-TTLS, Auth-Type := Reject

  Alan DeKok.


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread Riccardo Veraldi


Yes this is much better, but anyway I had disabled PEAP in eap.conf.

thanks

Rick

Arran Cudbard-Bell wrote:
> Riccardo Veraldi wrote:
> > I think there is a cleaner way.
> > I enabled only EAP-TTLS and disabled EAP-TLS just putting this line
> > in /etc/raddb/users
> >
> > DEFAULT	EAP-Type == EAP-TLS, Auth-Type := Reject
> >
> > It works, I think Alan gave me this hint 1 year ago, maybe it could
> > be put in the FAQ since it is an interesting way to solve the problem.
>
> Don't you want
>
> DEFAULT	EAP-Type != EAP-TTLS, Auth-Type := Reject
>
> or in unlang
>
> if("%{EAP-Type}" != 'EAP-TTLS'){
>    reject
> }
>
> > Rick
> >
> > Reimer Karlsen-Masur, DFN-CERT wrote:
> > > Hi,
> > >
> > > nikitha george wrote on 09.01.2008 10:04:
> > > > Hi,
> > > > I want to enable only TTLS authentication and if the client is
> > > > requesting any other types EAP-TLS or PEAP the authentication should be
> > > > denied.
> > >
> > > within the eap section you must configure the tls and the ttls section.
> > > Delete the peap section.
> > >
> > > > I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> > > > server itself is not starting up.
> > > > Please let me know if there are any ways to achieve this.
> > >
> > > Then to disable the eap-tls functionality you must create an *empty*
> > > directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
> > > within the tls section define
> > >
> > > CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
> > >
> > > Also you must remove the definition of the parameter
> > >
> > > CA_file =
> > >
> > > This way you don't have any accepted CAs in your config that are trusted CAs
> > > for issued client certificates for eap-tls authentication
> > >
> > > Make sure though that you put the radius server certificate and its CA chain
> > > including the root CA certificate in PEM format into the file specified with
> > > the
> > >
> > > certificate_file
> > >
> > > option in the tls section.
> > >
> > > HTH


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread A . L . M . Buxey
Hi,
> Hi,
> I want to enable only TTLS authentication and if the client is requesting
> any other types EAP-TLS or PEAP the authentication should be denied.
> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> server itself is not starting up.
> Please let me know if there are any ways to achieve this.

as per eap.conf:

remove the unwanted sections (e.g. peap), all apart from TLS, which you
always need for TTLS, and set

ignore_unknown_eap_types = yes

alan


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread Arran Cudbard-Bell

Riccardo Veraldi wrote:
> I think there is a cleaner way.
> I enabled only EAP-TTLS and disabled EAP-TLS just putting this line in
> /etc/raddb/users
>
> DEFAULT	EAP-Type == EAP-TLS, Auth-Type := Reject
>
> It works, I think Alan gave me this hint 1 year ago, maybe it could be
> put in the FAQ since it is an interesting way to solve the problem.

Don't you want

DEFAULT	EAP-Type != EAP-TTLS, Auth-Type := Reject

or in unlang

if("%{EAP-Type}" != 'EAP-TTLS'){
   reject
}

> Rick
>
> Reimer Karlsen-Masur, DFN-CERT wrote:
> > Hi,
> >
> > nikitha george wrote on 09.01.2008 10:04:
> > > Hi,
> > > I want to enable only TTLS authentication and if the client is
> > > requesting any other types EAP-TLS or PEAP the authentication should be
> > > denied.
> >
> > within the eap section you must configure the tls and the ttls section.
> > Delete the peap section.
> >
> > > I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> > > server itself is not starting up.
> > > Please let me know if there are any ways to achieve this.
> >
> > Then to disable the eap-tls functionality you must create an *empty*
> > directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
> > within the tls section define
> >
> > CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
> >
> > Also you must remove the definition of the parameter
> >
> > CA_file =
> >
> > This way you don't have any accepted CAs in your config that are trusted CAs
> > for issued client certificates for eap-tls authentication
> >
> > Make sure though that you put the radius server certificate and its CA chain
> > including the root CA certificate in PEM format into the file specified with
> > the
> >
> > certificate_file
> >
> > option in the tls section.
> >
> > HTH

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900
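The difference between the two DEFAULT lines in this thread (`!= EAP-TTLS` rejects every non-TTLS method, `== EAP-TLS` leaves PEAP through), and the Fall-Through handling that Johan's entries in the "different authentication methods in users file" thread rely on, can be checked with this small simulation of how rlm_files matches a users file. It is an example added here, not FreeRADIUS code or anything posted in the thread; it follows the users(5) man page description (an attribute absent from the request never satisfies `==` or `!=`, an assumption to confirm against the server's debug output) and runs on constructed requests.

```python
# Toy model of how rlm_files walks the FreeRADIUS "users" file: check items,
# reply items, DEFAULT entries and Fall-Through. It follows the users(5) man
# page description and is a simulation written for this note, not server code.
import re

# one "Attribute op Value" item; values may be quoted, items are comma separated
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_items(text):
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]

def parse_users(text):
    """An entry is one line '<name> <check items>' followed by indented
    reply-item lines.  Returns a list of (name, checks, replies)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                       # indented: reply items
            entries[-1][2].extend(parse_items(raw))
        else:
            parts = raw.split(None, 1)
            checks = parse_items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], checks, []))
    return entries

def checks_match(checks, request, control):
    """users(5): '==' / '!=' match only when the attribute is present in the
    request (and equal / not equal), so an absent attribute never matches;
    assumption taken from the man page text, confirm with radiusd -X.
    ':=' on the check line is not a comparison: it sets the control item and
    always matches, which is how 'Auth-Type := Reject' takes effect."""
    for attr, op, value in checks:
        if op == ':=':
            control[attr] = value
            continue
        if op not in ('==', '!='):
            raise ValueError(f'unsupported check operator {op!r}')
        present = request.get(attr)
        if present is None or (op == '==') != (present == value):
            return False
    return True

def authorize(entries, request):
    """Try entries in file order; apply the first one whose name (or DEFAULT)
    and check items match, then stop unless it carries Fall-Through = Yes."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        trial = dict(control)          # keep ':=' side effects only on a match
        if not checks_match(checks, request, trial):
            continue
        control = trial
        fall_through = False
        for attr, _op, value in replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            else:
                reply[attr] = value
        if not fall_through:
            break
    return control, reply

def decision(users_text, request):
    control, _reply = authorize(parse_users(users_text), request)
    return 'reject' if control.get('Auth-Type') == 'Reject' else 'continue'

# The two DEFAULT lines from the thread, as a users file would hold them.
RULE_NE = "DEFAULT\tEAP-Type != EAP-TTLS, Auth-Type := Reject\n"
RULE_EQ = "DEFAULT\tEAP-Type == EAP-TLS, Auth-Type := Reject\n"

# Constructed requests: EAP-Type as rlm_eap exposes it, plus a plain PAP login.
TTLS = {'User-Name': 'alice', 'EAP-Type': 'EAP-TTLS'}
TLS = {'User-Name': 'alice', 'EAP-Type': 'EAP-TLS'}
PEAP = {'User-Name': 'alice', 'EAP-Type': 'PEAP'}
PAP = {'User-Name': 'alice', 'User-Password': 'secret'}

if __name__ == '__main__':
    for label, rule in (('!= EAP-TTLS', RULE_NE), ('== EAP-TLS', RULE_EQ)):
        for req in (TTLS, TLS, PEAP, PAP):
            print(f"{label:12} {req.get('EAP-Type', '(no EAP)'):9} -> {decision(rule, req)}")
```

Running it shows PEAP passing the `== EAP-TLS` rule untouched while the `!= EAP-TTLS` rule rejects both EAP-TLS and PEAP; a request with no EAP-Type at all matches neither rule under the man-page semantics modelled here.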


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread Riccardo Veraldi

I think there is a cleaner way.
I enabled only EAP-TTLS and disabled EAP-TLS just putting this line in
/etc/raddb/users

DEFAULT	EAP-Type == EAP-TLS, Auth-Type := Reject

It works, I think Alan gave me this hint 1 year ago, maybe it could be
put in the FAQ since it is an interesting way to solve the problem.

Rick

Reimer Karlsen-Masur, DFN-CERT wrote:
> Hi,
>
> nikitha george wrote on 09.01.2008 10:04:
> > Hi,
> > I want to enable only TTLS authentication and if the client is
> > requesting any other types EAP-TLS or PEAP the authentication should be
> > denied.
>
> within the eap section you must configure the tls and the ttls section.
> Delete the peap section.
>
> > I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> > server itself is not starting up.
> > Please let me know if there are any ways to achieve this.
>
> Then to disable the eap-tls functionality you must create an *empty*
> directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
> within the tls section define
>
> CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/
>
> Also you must remove the definition of the parameter
>
> CA_file =
>
> This way you don't have any accepted CAs in your config that are trusted CAs
> for issued client certificates for eap-tls authentication
>
> Make sure though that you put the radius server certificate and its CA chain
> including the root CA certificate in PEM format into the file specified with
> the
>
> certificate_file
>
> option in the tls section.
>
> HTH


Re: How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread Reimer Karlsen-Masur, DFN-CERT
Hi,

nikitha george wrote on 09.01.2008 10:04:
> Hi,
> I want to enable only TTLS authentication and if the client is
> requesting any other types EAP-TLS or PEAP the authentication should be
> denied.

within the eap section you must configure the tls and the ttls section.
Delete the peap section.

> I am running freeradius-1.1.6, and if try to disable EAP-TLS module the
> server itself is not starting up.
> Please let me know if there are any ways to achieve this.

Then to disable the eap-tls functionality you must create an *empty*
directory  e.g. ${raddbdir}/certs/trustedCAsForRoamingClients/ and then
within the tls section define

CA_path = ${raddbdir}/certs/trustedCAsForRoamingClients/

Also you must remove the definition of the parameter

CA_file =

This way you don't have any accepted CAs in your config that are trusted CAs
for issued client certificates for eap-tls authentication

Make sure though that you put the radius server certificate and its CA chain
including the root CA certificate in PEM format into the file specified with
the

certificate_file

option in the tls section.

HTH

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki

15 years of DFN-CERT + 15th DFN-Workshop "Sicherheit in vernetzten Systemen"
on 13/14 February 2008 at the CCH Hamburg - https://www.dfn-cert.de/ws2008/
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team),   Phone   +49 40 808077-615

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstr. 5,   20097 Hamburg/Germany,   CEO: Dr. Klaus-Peter Kossakowski



How to enable only EAP-TTLS type and not EAP-TLS?

2008-01-09 Thread nikitha george
Hi,
I want to enable only TTLS authentication and if the client is requesting
any other types EAP-TLS or PEAP the authentication should be denied.
I am running freeradius-1.1.6, and if I try to disable the EAP-TLS module the
server itself is not starting up.
Please let me know if there are any ways to achieve this.

Thanks a lot..
Nikitha.