Re: proxied EAP and eduroam project
On Feb 18, 2008 12:32 PM, [EMAIL PROTECTED] wrote:

> Hi,
>
> cleartext? not really. the proxied traffic will be at least
> encapsulated via a shared secret between each RADIUS end point.

This regards EAP-TLS: I meant that at least the username is shown, and you can get additional information by reading the attribute values. Other than that, everything else seems useless, but I just say the conversation is not completely encapsulated, if that's what you mean. Anyway, I'm not worried.

> [snip] would give greater security. however, EAP-TLS is the de facto top-level way of doing it. platinum service, as it were - but you've got to have a full PKI infrastructure for creation, deployment and revocation.

We have our PKI, we routinely revoke certificates and distribute the CRL. This happens not without our share of anality, taken care of by scripts (written with my blood, over human skin) that restart radiusd and check that everything is still working fine, including the event of an expired/invalid CRL or an out-of-service PKI.

So, if there is any configuration option to encapsulate the full UDP payload without revealing anything, I'm more than glad to hear something about it, because I must admit ignorance regarding this particular matter. If there isn't one, never mind, it just means I misunderstood.

> looking to the future, RADSEC will be involved in 'beefing up' the RADIUS to RADIUS communication channel. as well as the automatic assignment/discovery of AAA end point systems.

Seems interesting. Bye!

Inverse
-- 
In a sea of glass shards, I hear you screaming --icchan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: proxied EAP and eduroam project
Hi,

> unless using very old method like EAP-MD5.

which is forbidden in the eduroam policy anyway, for the exact reason of not providing sufficient security (no mutual authentication).

> looking to the future, RADSEC will be involved in 'beefing up' the RADIUS to RADIUS communication channel. as well as the automatic assignment/discovery of AAA end point systems.

RadSec is RADIUS over TCP+TLS. This means that the attributes which are unencrypted in RADIUS (User-Name, Calling-Station-Id, ...) will be hidden inside a TLS tunnel and will only be visible to the RADIUS servers involved in proxying, not to any IP node along the way, as is currently the case with RADIUS alone.

Concerning RadSec, you might like to read the current Internet-Draft: http://www.ietf.org/internet-drafts/draft-winter-radsec-01.txt

Greetings,

Stefan Winter

-- 
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu          Fax: +352 422473
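What "unencrypted in RADIUS" means on the wire, as an added example that is not part of the thread and not FreeRADIUS code: a Python script that builds an Access-Request the way RFC 2865 prescribes, hides User-Password with the shared secret, and then parses the packet back the way any node between two proxies could. The shared secret (testing123), the username, the NAS address and the fixed Request Authenticator are constructed sample values. It shows that only User-Password is covered by the secret (and only by an MD5-keyed XOR, not an authenticated cipher), while User-Name and Calling-Station-Id are readable by anyone on the path, which is exactly what the TLS tunnel in RadSec closes.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {
    1: "User-Name",
    2: "User-Password",
    4: "NAS-IP-Address",
    31: "Calling-Station-Id",
}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Walk the attribute list. No secret is needed: this is what every IP hop between
    two proxies can read, which is the gap RadSec closes with TLS."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, attrs = 20, []
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((ATTR_NAMES.get(t, f"Attr-{t}"), packet[pos + 2:pos + l]))
        pos += l
    return attrs


def sample_request(secret: bytes = b"testing123"):
    """Constructed Access-Request. The fixed authenticator keeps output reproducible;
    a real NAS must use a fresh random one per request (os.urandom(16))."""
    authenticator = bytes(range(16))
    attrs = [
        (1, b"alice@example.edu"),
        (2, hide_password(b"s3cret", secret, authenticator)),
        (4, bytes([10, 0, 0, 52])),
        (31, b"00-11-22-33-44-55"),
    ]
    return build_access_request(7, authenticator, attrs), authenticator


def observer_view(packet: bytes) -> dict:
    """What a passive observer on the proxy path learns without the shared secret."""
    view = {}
    for name, value in parse_attributes(packet):
        view[name] = value.hex() if name == "User-Password" else value
    return view


if __name__ == "__main__":
    pkt, auth = sample_request()
    for name, value in observer_view(pkt).items():
        print(f"{name:20} {value!r}")
    hidden = dict(parse_attributes(pkt))["User-Password"]
    print("with the secret:", reveal_password(hidden, b"testing123", auth))
```

Note that the shared secret protects one attribute and authenticates the response; it does not hide the rest of the payload, so proxying through a third party's RADIUS server exposes the outer identity and station identifiers to every hop.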
Re: Regex Ldap Group
On Tue, 19 Feb 2008, Alan DeKok wrote:

> Rohaizam Abu Bakar wrote:
>> I tried to do regex match in Ldap-Group. From below users file, The NAS-Identifier regex works OK but for Ldap-Group match, it's not working as below DEBUG log.
>
> It doesn't work like that. The match is IF the user is in the named group. See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp(). If you want it to do a regex match, you'll have to modify the code in rlm_ldap.

Also note that LDAP typically doesn't allow substring search on any given attribute.

My solution is to use a separate script to perform a search in LDAP using ldapsearch and output whatever you need in the attribute. Example: I have LDAP users in either ou=group1,ou=test,o=bla or ou=group2,ou=test,o=bla, and there are no other LDAP attributes to grab:

#!/bin/sh
# /usr/sbin/ldap2vlan
# Look up the user's DN and print the VLAN for the OU it lives in.
# Note: $1 (the RADIUS User-Name) goes into the LDAP filter unescaped,
# so only call this with names the server has already sanitised.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
        -D cn=admin,ou=test,o=bla -w mypasswd \
        "(cn=${1})" dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')
# For a DN such as cn=bob,ou=group1,ou=test,o=bla the sed leaves "group1".
# grep -x matches whole lines, so a user found in both OUs gets group1.
echo "${GROUP}" | grep -qx group1 && { echo -n 110; exit 0; }
echo "${GROUP}" | grep -qx group2 && { echo -n 120; exit 0; }

And then in the users file I have:

DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "%{exec:/usr/sbin/ldap2vlan %{User-Name}}"

Tunnel-Private-Group-Id will then be either 110 or 120 depending on whether the user is found in group1 or group2 (and group1 if found in both).

Hope this helps... :)

-- 
Kolbjørn Barmen
UNINETT Driftsenter
Re: Regex Ldap Group
Rohaizam Abu Bakar wrote:
> I tried to do regex match in Ldap-Group. From below users file, The NAS-Identifier regex works OK but for Ldap-Group match, it's not working as below DEBUG log.

It doesn't work like that. The match is IF the user is in the named group. See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp(). If you want it to do a regex match, you'll have to modify the code in rlm_ldap.

Alan DeKok.
Regex Ldap Group
FR: 1.1.2
OpenLDAP 2.3.X

I tried to do a regex match in Ldap-Group. From the users file below, the NAS-Identifier regex works OK, but the Ldap-Group match is not working, as in the DEBUG log below.

Values to match (jarService = Y5-IPOH, NAS-Identifier = Y5-IPOH)

Users file
==========
NAS-Identifier =~ Y5, ldapmain1-Ldap-Group =~ Y5, Autz-Type := Y5

radiusd.conf
============
ldap ldapmain1 {
        ..
        groupname_attribute = jarService
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

Debug
=====
rlm_ldap: performing search in ou=CUSTOMER,ou=People,dc=x,dc=xx, with filter (&(jarService=Y5)(&(uid=bacang)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result

--haizam
Re: one username and 2 NAS
Not easy. For instance, you can add a NAS-IP-Address field to the usergroup table and alter the group membership query. But making it work for other users might be difficult. So you can make multiple SQL instances ... It might be more trouble than it's worth. In most cases it makes more sense to use the provided functionality than to go hacking the configuration files.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
> Ok, thank you. But for you, is it possible to use MySQL for my target? If yes, do you have any ideas? I would like to have a system (PHP-MySQL) to configure my RADIUS server without using text files.
>
> Thank you
> Enrico
>
> Ivan Kalik wrote:
>> It's a file in the raddb directory, not a part of the database schema.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
>>> Sorry. I made a mistake with my Thunderbird button. I would like to know what the huntgroups concept is in the RADIUS database. I have this DB schema:
>>>
>>> mysql> show tables;
>>> +------------------+
>>> | Tables_in_radius |
>>> +------------------+
>>> | nas              |
>>> | radacct          |
>>> | radcheck         |
>>> | radgroupcheck    |
>>> | radgroupreply    |
>>> | radippool        |
>>> | radpostauth      |
>>> | radreply         |
>>> | usergroup        |
>>> +------------------+
>>>
>>> Thank you
>>> Enrico
>>>
>>> Ivan Kalik wrote:
>>>> You have asked this once already. It has been answered.
>>>>
>>>> Ivan Kalik
>>>> Kalik Informatika ISP
>>>>
>>>> On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
>>>>> Hi, I have FreeRADIUS configured with MySQL. I would like to have a user pippo who can SSH login to 2 Linux servers which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username). FreeRADIUS must check whether the NAS-IP-Address is OK for this user in the radcheck table. I use the == operator and my radcheck table is:
>>>>>
>>>>> mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE Username = 'pippo' order by id;
>>>>> +----+----------+----------------+---------------+----+
>>>>> | id | UserName | Attribute      | Value         | op |
>>>>> +----+----------+----------------+---------------+----+
>>>>> | 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
>>>>> | 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
>>>>> | 41 | pippo    | Expiration     | 1203325200    | == |
>>>>> | 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
>>>>> +----+----------+----------------+---------------+----+
>>>>>
>>>>> It doesn't work.. Some ideas???
>>>>>
>>>>> Thank you
>>>>> Enrico
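Why the two "NAS-IP-Address ==" rows quoted above can never both match, as an added example that is not from the thread: a small Python model of how a check list is evaluated, using the operator semantics of the users file and the radcheck op column. Every row in one check list must match, so two == rows on the same attribute are mutually exclusive. The rows and addresses are the ones quoted above; the single =~ row and the two per-NAS groups are alternatives I am assuming rather than something the thread proposes, the group handling is reduced to "some group's check list matches", and the Crypt-Password and Expiration rows are left out because they are not plain attribute comparisons.

```python
import re


def check_item_matches(request: dict, attribute: str, op: str, value: str) -> bool:
    """Operator semantics of a FreeRADIUS check item (users file / radcheck.op).
    A request that lacks the attribute fails every comparison operator."""
    actual = request.get(attribute)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    if op == "!~":
        return re.search(value, actual) is None
    raise ValueError(f"operator {op!r} not modelled here")


def check_list_matches(request: dict, rows) -> bool:
    """All rows of one check list (a user's radcheck, or a group's radgroupcheck)
    must match. This rule is what makes two 'NAS-IP-Address ==' rows unsatisfiable."""
    return all(check_item_matches(request, attr, op, value) for attr, op, value in rows)


def authorize(request: dict, user_rows, groups=None) -> bool:
    """Simplified model: the user's own check list must pass and, if the user is in
    any groups, at least one group's check list must pass as well."""
    if not check_list_matches(request, user_rows):
        return False
    if groups:
        return any(check_list_matches(request, rows) for rows in groups.values())
    return True


# Constructed data. This list mirrors the radcheck rows quoted above, minus the
# Crypt-Password and Expiration rows.
TWO_EQUALS_ROWS = [
    ("NAS-IP-Address", "==", "10.0.0.52"),
    ("NAS-IP-Address", "==", "10.0.0.49"),
]

# Assumed alternative 1: a single row whose regex names both NASes.
REGEX_ROW = [("NAS-IP-Address", "=~", r"^10\.0\.0\.(52|49)$")]

# Assumed alternative 2: one group per NAS, each with a single '==' row in its
# radgroupcheck list, and pippo a member of both groups via usergroup.
PER_NAS_GROUPS = {
    "ssh-server-a": [("NAS-IP-Address", "==", "10.0.0.52")],
    "ssh-server-b": [("NAS-IP-Address", "==", "10.0.0.49")],
}


def request_from(nas_ip: str) -> dict:
    """The attributes a pam_radius Access-Request from one of the SSH servers carries."""
    return {"User-Name": "pippo", "NAS-IP-Address": nas_ip}


if __name__ == "__main__":
    for nas in ("10.0.0.52", "10.0.0.49", "10.0.0.50"):
        print(nas,
              "two-==-rows:", authorize(request_from(nas), TWO_EQUALS_ROWS),
              "regex-row:", authorize(request_from(nas), REGEX_ROW),
              "per-NAS-groups:", authorize(request_from(nas), [], PER_NAS_GROUPS))
```

The regex must stay anchored: without ^ and $ a row like 10\.0\.0\.(52|49) would also admit 110.0.0.52 or 10.0.0.520.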
Re: Cisco AV-PAIRS
And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
> Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>
> Thanks
> David
Re: one username and 2 NAS
Ok, thank you. But for you, is it possible to use MySQL for my target? If yes, do you have any ideas? I would like to have a system (PHP-MySQL) to configure my RADIUS server without using text files.

Thank you
Enrico

Ivan Kalik wrote:
> It's a file in the raddb directory, not a part of the database schema.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
>> Sorry. I made a mistake with my Thunderbird button. I would like to know what the huntgroups concept is in the RADIUS database. I have this DB schema:
>>
>> mysql> show tables;
>> +------------------+
>> | Tables_in_radius |
>> +------------------+
>> | nas              |
>> | radacct          |
>> | radcheck         |
>> | radgroupcheck    |
>> | radgroupreply    |
>> | radippool        |
>> | radpostauth      |
>> | radreply         |
>> | usergroup        |
>> +------------------+
>>
>> Thank you
>> Enrico
>>
>> Ivan Kalik wrote:
>>> You have asked this once already. It has been answered.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
>>>> Hi, I have FreeRADIUS configured with MySQL. I would like to have a user pippo who can SSH login to 2 Linux servers which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username). FreeRADIUS must check whether the NAS-IP-Address is OK for this user in the radcheck table. I use the == operator and my radcheck table is:
>>>>
>>>> mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE Username = 'pippo' order by id;
>>>> +----+----------+----------------+---------------+----+
>>>> | id | UserName | Attribute      | Value         | op |
>>>> +----+----------+----------------+---------------+----+
>>>> | 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
>>>> | 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
>>>> | 41 | pippo    | Expiration     | 1203325200    | == |
>>>> | 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
>>>> +----+----------+----------------+---------------+----+
>>>>
>>>> It doesn't work.. Some ideas???
>>>>
>>>> Thank you
>>>> Enrico
Re: Cisco AV-PAIRS
I was wondering the same thing :-)

On the subject of getting the attributes from LDAP, the Cisco AV pairs are just another AV pair. Sure, Cisco have broken their AVs up with sub-AVs, but it's still just passing a value back from LDAP and manipulating the format so that it is placed correctly into the correct AV. The priv-level (as you have clearly worked out) is presented as...

Cisco-AV-Pair=priv-level=value

value = 0 to 15

If you have an attribute in your LDAP schema that is called Cisco-AV-Pair and it contains the string priv-level=15, then you should be able to return that attribute and map it to the contents of the Cisco-AV-Pair RADIUS attribute. I don't *think* it's any different to mapping any other string-based AV pair.

Rgds,
Guy

On 19/02/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
>> Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>>
>> Thanks
>> David
How to get iphop attributes coming into cisco av-pairs?
Greetings!

I'm using FreeRADIUS 1.1.6 on Gentoo (2.6.15-gentoo-r5) to account SIP calls via the RADIUS client on a Cisco 26xx, and have a problem: I need to get the iphop attributes from the RADIUS accounting packets, but I can't :(

While running FreeRADIUS in debug mode (-X key), I see the required attributes as shown below (marked with "-"):

        Acct-Session-Id = 4D005CBF
        Calling-Station-Id = 1004603
        Called-Station-Id = #7495100
        Cisco-AVPair = call-id=ZDgxMWUwZDFlODQ5Yzc1MmViZTZmM2UyMmY1ZjdiNzc.
-       Cisco-AVPair = iphop=count:3
-       Cisco-AVPair = iphop=hop1:213.248.63.122
-       Cisco-AVPair = iphop=hop2:213.248.63.122
-       Cisco-AVPair = iphop=hop3:213.248.12.121
        h323-setup-time = h323-setup-time=12:15:03.844 MSK Tue Feb 19 2008
        h323-gw-id = h323-gw-id=voice5.di-net.ru
        h323-conf-id = h323-conf-id=FD2F9C59 DE0111DC A013E229 E5B23AB5
        h323-call-origin = h323-call-origin=answer
        h323-call-type = h323-call-type=VoIP
        Cisco-AVPair = h323-incoming-conf-id=FD2F9C59 DE0111DC A013E229 E5B23AB5
        Cisco-AVPair = subscriber=Unknown
        Cisco-AVPair = session-protocol=sipv2
        Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:#7495100
        Cisco-AVPair = feature-vsa=fn:TWC,ft:02/19/2008 12:15:03.844,cgn:1004603,cdn:#7495100,frs:0,fid:3195,fcid:FD2F9C59DE0111DCA013E229E5B23AB5,legID:D05
        User-Name = 1004603
        Cisco-AVPair = connect-progress=Call Up
        Acct-Status-Type = Start
        Service-Type = Login-User
        NAS-IP-Address = 213.219.200.35
        Acct-Delay-Time = 0

I'm using the Oracle FreeRADIUS driver of the SQL module to log all the packets into the database. I can use all the other attributes in my SQL queries (using cisco_avpair_hack, of course). All the others, but not those ones: they always come out empty.

Here is one of the queries in oraclesql.conf:

accounting_start_query = "INSERT INTO ACC (\"ACCT-STATUS-TYPE\", \"NAS-IP-ADDRESS\", \"H323-CALL-ORIGIN\", \
  \"CALLED-STATION-ID\", \"CALLING-STATION-ID\", \"ACCT-SESSION-ID\", \"CALL-ID\", \"SIP-TO-TAG\", \
  \"SIP-FROM-TAG\", \"SIP-TRANSLATED-REQUEST-URI\", \"USER-NAME\", \"SIP-SOURCE-IP-ADDRESS\", \
  \"SIP-SOURCE-PORT\", \"ACCT-SESSION-TIME\", \"H323-CONNECT-TIME\", \"H323-SETUP-TIME\", \
  \"H323-DISCONNECT-TIME\", \"H323-DISCONNECT-CAUSE\", \"PREV-HOP-VIA\", \"PREV-HOP-IP\", \
  \"NEXT-HOP-IP\", \"NEXT-HOP-DN\") \
  VALUES ('%{ACCT-STATUS-TYPE}', '%{NAS-IP-ADDRESS}', '%{H323-CALL-ORIGIN}', \
  '%{CALLED-STATION-ID}', '%{CALLING-STATION-ID}', '%{ACCT-SESSION-ID}', '%{CALL-ID}', '%{SIP-TO-TAG}', \
  '%{SIP-FROM-TAG}', '%{SIP-TRANSLATED-REQUEST-URI}', '%{USER-NAME}', '%{SIP-SOURCE-IP-ADDRESS}', \
  '%{SIP-SOURCE-PORT}', '%{ACCT-SESSION-TIME}', '%{H323-CONNECT-TIME}', '%{H323-SETUP-TIME}', \
  '%{H323-DISCONNECT-TIME}', '%{H323-DISCONNECT-CAUSE}', '%{PREV-HOP-VIA}', '%{PREV-HOP-IP}', \
  '%{NEXT-HOP-IP}', '%{IPHOP}')"
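The iphop values are not a RADIUS attribute of their own: they arrive as several instances of the one vendor attribute Cisco-AVPair, each carrying a key=value string with the same key, so a single-valued lookup such as %{IPHOP} in the query above has nothing to expand to. The following is an added example, not code from the post or from FreeRADIUS: a Python parser that takes debug-style attribute lines (constructed here from the output quoted above, with the string quoting radiusd -X normally prints), groups the Cisco-AVPair values by key, and assembles the hop list while checking the advertised count against the hops actually present.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the debug output quoted above; radiusd -X prints string values in quotes.
SAMPLE_START = """\
        Acct-Session-Id = "4D005CBF"
        Calling-Station-Id = "1004603"
        Called-Station-Id = "#7495100"
        Cisco-AVPair = "call-id=ZDgxMWUwZDFlODQ5Yzc1MmViZTZmM2UyMmY1ZjdiNzc."
        Cisco-AVPair = "iphop=count:3"
        Cisco-AVPair = "iphop=hop1:213.248.63.122"
        Cisco-AVPair = "iphop=hop2:213.248.63.122"
        Cisco-AVPair = "iphop=hop3:213.248.12.121"
        Cisco-AVPair = "session-protocol=sipv2"
        Cisco-AVPair = "gw-rxd-cdn=ton:0,npi:0,#:#7495100"
        User-Name = "1004603"
        Acct-Status-Type = Start
        NAS-IP-Address = 213.219.200.35
"""

ATTR_LINE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_attr_lines(text: str):
    """Return (name, value) pairs in packet order; repeated attributes are kept, not collapsed."""
    pairs = []
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def group_avpairs(pairs):
    """Split every Cisco-AVPair into key and value and keep a list per key, because
    one key (iphop here) can occur several times in a single packet."""
    by_key = defaultdict(list)
    for name, value in pairs:
        if name != "Cisco-AVPair":
            continue
        key, sep, val = value.partition("=")
        if not sep:
            continue  # not key=value; skip rather than guess
        by_key[key].append(val)
    return by_key


def iphop_list(by_key):
    """Assemble iphop=count:N plus iphop=hopK:IP into an ordered list of addresses.
    Rejects the record if the advertised count disagrees with the hops present, the
    hop numbers are not 1..N, or an address is not a valid IP, so a malformed NAS
    record is caught before it reaches the database."""
    count, hops = None, {}
    for item in by_key.get("iphop", []):
        field, sep, val = item.partition(":")
        if not sep:
            raise ValueError(f"malformed iphop entry {item!r}")
        if field == "count":
            count = int(val)
            continue
        m = re.fullmatch(r"hop(\d+)", field)
        if not m:
            raise ValueError(f"unknown iphop field {field!r}")
        hops[int(m.group(1))] = str(ipaddress.ip_address(val))
    ordered = [hops[i] for i in sorted(hops)]
    if count is not None and count != len(ordered):
        raise ValueError(f"iphop count {count} but {len(ordered)} hop entries")
    if sorted(hops) != list(range(1, len(ordered) + 1)):
        raise ValueError("iphop hop numbers are not contiguous from 1")
    return ordered


def accounting_row(text: str) -> dict:
    """A few of the columns the post's INSERT wants, with the hops already resolved."""
    pairs = parse_attr_lines(text)
    single = dict(pairs)  # fine for attributes that occur once
    by_key = group_avpairs(pairs)
    hops = iphop_list(by_key)
    return {
        "ACCT-SESSION-ID": single.get("Acct-Session-Id"),
        "USER-NAME": single.get("User-Name"),
        "CALL-ID": by_key.get("call-id", [None])[0],
        "IPHOP": ",".join(hops),
        "IPHOP-COUNT": len(hops),
    }


if __name__ == "__main__":
    for column, value in accounting_row(SAMPLE_START).items():
        print(f"{column:16} {value}")
```

Whatever ends up in the IPHOP column, bind it as a parameter or escape it: the hop strings come from the NAS and are concatenated into the INSERT above as literals.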
Cisco AV-PAIRS
Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.

Thanks
David
Re: Cisco AV-PAIRS
The only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file. If I have missed something, please let me know.

David

> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
>> Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>>
>> Thanks
>> David
Re: Cisco AV-PAIRS
Password is a check item. It has nothing to do with what's in the reply (av-pairs are reply items). Just remove the password and it will still work the same. You *can* leave the check line blank in the users file.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
> The only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file. If I have missed something, please let me know.
>
> David
>
>> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
>>> Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>>>
>>> Thanks
>>> David
Re: Cisco AV-PAIRS
David W Bell wrote:
> The only way I have found to get RADIUS to pass the AV-PAIRS back is from the users file.

Try using reply items in ldap.attrmap. Or the users file without authenticating users against it.

> If I have missed something, please let me know.
>
> David
>
>> And why do you have the password in two locations? If you store it in LDAP you don't need it in the users file, and vice versa.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:
>>> Hi there. My saga continues. I have FreeRADIUS working with OpenLDAP and can log into Cisco kit and pass the priv-level from the raddb/users file. Is there any way that this information can be passed from the OpenLDAP user details instead? I am looking to do a single sign-on system, and it seems a little awkward to have to change a password (as is required in the users file) in 2 locations.
>>>
>>> Thanks
>>> David
FreeRadius question
>> I am trying to find out how I can check what options the FreeRADIUS binary available for download was compiled with. I have STFW and RTFM, but still am not sure how to check. radiusd -X gives some information, but nothing about what FreeRADIUS was compiled with. I am interested in finding out if the binary was compiled with eDirectory support. Thanks for any help.
>
> WHICH binary available for download?
>
> alan

Hello Alan,

Thanks for the quick response. The binaries I was talking about are on the download page: http://www.freeradius.org/download.html

I was interested in the Fedora one.
radius and cisco
I'm a newbie and looking for instructions on how to set up FreeRADIUS Version 1.1.7 on a SLES 10 Linux box to use for authentication and logging for a Cisco 2801 router. I want to track users connecting from the outside world using Cisco's VPN client, and Cisco says RADIUS is the answer. I'd like to start with just allowing users from the Linux /etc/passwd access and then move on to authentication from my NetWare 6.5 LDAP server. I've read all I can find on freeradius.org and cisco, but still don't understand... hard learner I guess.

radiusd -xx gives:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

My radiusd.conf is what was installed as default.

Q1? Do I need to add anything other than the below to clients.conf? In my clients.conf I've added:

# Test on cisco 2801 router (internal ip of router)
client 192.168.135.3 {
        secret    = xxx
        shortname = myrouter
        nastype   = cisco
}

I believe the relevant part of the users file is:

DEFAULT Auth-Type = System
        Fall-Through = 1

and

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

Notes I've read say to change this to 255.255.255.255 ??

Q2? I believe I also need to add something similar to the below in the users file?

youruser Cleartext-Password := "somepass"
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

Q3? Do youruser and somepass need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the Linux box.

My Cisco 2801 currently has info like:

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization network default local
!
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNCLIENTS
 key xxx
 dns 192.168.135.15
 domain xxx.com
 pool CLIENTPOOL
 acl 150
 netmask 255.255.255.0
crypto isakmp profile IKE1
   match identity group VPNCLIENTS
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!

Q4? Do I need to remove any of this info, or just replace the stuff at the top with something like:

aaa new-model
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
SSL error
I'm trying to build a RADIUS server with PEAP-MSCHAP, but it's not working because of an SSL error. Short log below:

  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry teste at line 59
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0613], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 10.0.0.245 port 1056
        Idle-Timeout = 10

Any ideas?
Re: SSL error
No. You have no client certificate, so there is nothing to be read. That's normal. But a PEAP conversation stopping in the middle with an Access-Challenge is another matter - described in the FAQ, eap.conf, ...

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, Eduardo Lima [EMAIL PROTECTED] wrote:
> I'm trying to build a RADIUS server with PEAP-MSCHAP, but it's not working because of an SSL error. Short log below:
>
>   modcall[authorize]: module "eap" returns updated for request 1
>     users: Matched entry teste at line 59
>   modcall[authorize]: module "files" returns ok for request 1
> modcall: leaving group authorize (returns updated) for request 1
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   rlm_eap_tls: Length Included
>   eaptls_verify returned 11
>     (other): before/accept initialization
>     TLS_accept: before/accept initialization
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>     TLS_accept: SSLv3 read client hello A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>     TLS_accept: SSLv3 write server hello A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0613], Certificate
>     TLS_accept: SSLv3 write certificate A
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>     TLS_accept: SSLv3 write server done A
>     TLS_accept: SSLv3 flush data
>     TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> In SSL Handshake Phase
> In SSL Accept mode
>   eaptls_process returned 13
>   rlm_eap_peap: EAPTLS_HANDLED
>   modcall[authenticate]: module "eap" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 1 to 10.0.0.245 port 1056
>         Idle-Timeout = 10
>
> Any ideas?
Re: radius and cisco
> My radiusd.conf is what was installed as default.
>
> Q1? Do I need to add anything other than the below to clients.conf? In my clients.conf I've added:
>
> # Test on cisco 2801 router (internal ip of router)
> client 192.168.135.3 {
>         secret    = xxx
>         shortname = myrouter
>         nastype   = cisco
> }
>
> I believe the relevant part of the users file is:
>
> DEFAULT Auth-Type = System
>         Fall-Through = 1
>
> and
>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> Notes I've read say to change this to 255.255.255.255 ??

That looks fine. The notes are likely about the netmask, not the IP address.

> Q2? I believe I also need to add something similar to the below in the users file?
>
> youruser Cleartext-Password := "somepass"
>         Service-Type = NAS-Prompt-User,
>         cisco-avpair = "shell:priv-lvl=15"

Remove the password. You said that it will be stored in /etc/passwd. If you put the password here you don't need the /etc/passwd check (Auth-Type System) at all.

> Q3? Do youruser and somepass need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the Linux box.

The link is the username. You want to store the password in /etc/passwd and the reply attributes in the users file.

> My Cisco 2801 currently has info like:
>
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authorization exec default local if-authenticated
> aaa authorization network default local
> !
> aaa session-id common
> !
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group VPNCLIENTS
>  key xxx
>  dns 192.168.135.15
>  domain xxx.com
>  pool CLIENTPOOL
>  acl 150
>  netmask 255.255.255.0
> crypto isakmp profile IKE1
>    match identity group VPNCLIENTS
>    client authentication list default
>    isakmp authorization list default
>    client configuration address respond
> !
>
> Q4? Do I need to remove any of this info, or just replace the stuff at the top with something like:
>
> aaa new-model
> aaa authentication login default group radius local
> aaa authentication login localauth local
> aaa authentication ppp default if-needed group radius local
> aaa authorization exec default group radius local
> aaa authorization network default group radius local
> aaa accounting delay-start
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> aaa processes 6
> aaa accounting delay-start
>
> This is from here: http://wiki.freeradius.org/Cisco
>
> Q5? Do I also need a line similar to the below on the Cisco?
>
> radius-server host 192.168.135.3
> radius-server key
> radius-server auth-port 1812

That IP address is the same as the one for the router. That can't be correct - the Linux box IP should go here.

You have not set up accounting - and that was the whole point of this exercise. Add that.

If the RADIUS IP is also on the private subnet, it's quite likely that you won't have to force the router to use the IP address defined in clients.conf - it should select it on its own. If it doesn't, you can force the RADIUS source interface in the router config.

Ivan Kalik
Kalik Informatika ISP
Re: SSL error
Eduardo Lima wrote:
> I'm trying to build a radius server with PEAP-mschap but it's not working because of an ssl error:

No. The error is 0, meaning no error.

Seeing the error in the debug log also means you're using an old version of the server, and should upgrade to at least 1.1.7.

Alan DeKok.
Re: radius and cisco
Jim McIver wrote:
> I'm a newbie and looking for instructions on how to setup FreeRADIUS Version 1.1.7 on a SLES 10 linux box to use for authentication and logging for a cisco 2801 router. I want to track users connecting from the outside world using Cisco's vpn client and cisco says radius is the answer.

Yes.

> I'd like to start with just allowing users from the linux /etc/passwd access and then move onto authentication from my Netware 6.5 LDAP server.

See the FAQ for getting started with FreeRADIUS.

> I've read all I can find on freeradius.org and cisco, but still don't understand. Hard learner I guess.
>
> radiusd -xx gives:
> ...
> Ready to process requests.

And no packets. The server has to receive a request for it to be able to do something.

> My radius.conf is what was installed as default.
>
> Q1? Do I need to add anything other than the below to client.conf?

No.

> I believe the relevant part of the users file is:
>
> DEFAULT Auth-Type = System
>     Fall-Through = 1

Yes.

> Notes I've read say to change this to 255.255.255.255 ??

Maybe. Only if you're assigning IP addresses.

> Q2? I believe I also need to add something similar to the below in the users file?

Not if the users are being authenticated from /etc/passwd.

> Q3? Does youruser and somepass need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the linux box.

They are independent.

Alan DeKok.
Re: how can I configure CHAP or PAP
If you have freeradius installed just type radtest at the command prompt, hit enter and see what happens.

Ivan Kalik
Kalik Informatika ISP

On 19/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:
> Sorry Ivan, I am a newbie. I couldn't find any file called radtest or something like that.
>
> 2008/2/19 Ivan Kalik [EMAIL PROTECTED]:
>> http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 18/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:
>>> Hello, how can I do it? I don't know. I am using an Antcor OS router and it has hotspot settings. I also have a pc which has ubuntu, and I installed Freeradius 1.1.6-2, but my router cannot connect to freeradius. How can I solve this?
Re: how can I configure CHAP or PAP
Sorry Ivan, I am a newbie. I couldn't find any file called radtest or something like that.

2008/2/19 Ivan Kalik [EMAIL PROTECTED]:
> http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:
>> Hello, how can I do it? I don't know. I am using an Antcor OS router and it has hotspot settings. I also have a pc which has ubuntu, and I installed Freeradius 1.1.6-2, but my router cannot connect to freeradius. How can I solve this?
PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity
Hi folks,

I am working on an issue like this: In my users file, I have

user1
    attribute1=val1
user2
    attribute2=val2
DEFAULT
    attribute1=def_val1
    attribute2=def_val2

My intention is that
- for individual users, like user1 and user2, I will get the individual attributes I specified in their dedicated entries,
- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say anonymous, is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. So, for example, user1 will get

    attribute1=def_val1
    attribute2=def_val2
    attribute1=val1

Is there any way so that the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of

DEFAULT User-Name != anonymous

but it is not a reliable way since there is no guarantee that the outer id is anonymous. I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?

thanks!
-gong
Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity
Add FreeRADIUS-Proxied-To == 127.0.0.1 as a check item.

Ivan Kalik
Kalik informatika ISP

On 19/2/2008, Gong Cheng [EMAIL PROTECTED] writes:
> Hi folks,
>
> I am working on an issue like this: In my users file, I have
>
> user1
>     attribute1=val1
> user2
>     attribute2=val2
> DEFAULT
>     attribute1=def_val1
>     attribute2=def_val2
>
> My intention is that
> - for individual users, like user1 and user2, I will get the individual attributes I specified in their dedicated entries,
> - and for everybody else, I will get a default set of attributes.
>
> That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say anonymous, is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. So, for example, user1 will get
>
>     attribute1=def_val1
>     attribute2=def_val2
>     attribute1=val1
>
> Is there any way so that the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
>
> A naive solution is to put a check of
>
> DEFAULT User-Name != anonymous
>
> but it is not a reliable way since there is no guarantee that the outer id is anonymous. I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
>
> thanks!
> -gong
Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity
Gong Cheng wrote:
> Hi folks,
>
> I am working on an issue like this: In my users file, I have
>
> user1
>     attribute1=val1
> user2
>     attribute2=val2
> DEFAULT
>     attribute1=def_val1
>     attribute2=def_val2
>
> My intention is that
> - for individual users, like user1 and user2, I will get the individual attributes I specified in their dedicated entries,
> - and for everybody else, I will get a default set of attributes.
>
> That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say anonymous, is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. So, for example, user1 will get
>
>     attribute1=def_val1
>     attribute2=def_val2
>     attribute1=val1
>
> Is there any way so that the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
>
> A naive solution is to put a check of
>
> DEFAULT User-Name != anonymous

Normally one would do this:

modules {
    files {
        ...
    }
    # define a 2nd copy of the module
    files files_inner {
        ...
    }
}

authorize {
    preprocess
    eap
    files
    Autz-Type INNER {
        files_inner
    }
}

Then in users:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

Then in users_inner (or whatever you call it) put your actual user info. This is also helpful if you're doing LDAP or SQL lookups (or any other expensive operation).

In FreeRadius 2 you can accomplish the same thing by sending the inner request to a different virtual server and putting the files module there; see raddb/sites-available/inner-tunnel and the virtual_server option in the raddb/eap ttls/peap sections.

This will

> but it is not a reliable way since there is no guarantee that the outer id is anonymous. I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
>
> thanks!
> -gong
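As an added illustration (not code from this thread or from FreeRADIUS), a small Python model of how the users file is walked for a PEAP/EAP-TTLS login. It reproduces the combined reply Gong describes and shows the effect of the Freeradius-Proxied-To == 127.0.0.1 check item that Ivan and Phil recommend; the entry tuples, the anonymous outer identity and the reply merging are constructed for the demonstration, and the matching rules are a simplification of rlm_files.

```python
# Added example (not code from the thread or from FreeRADIUS): a simplified
# model of how rlm_files walks the `users` file, showing why the anonymous
# outer identity of PEAP/EAP-TTLS picks up DEFAULT's reply items and how the
# check item Freeradius-Proxied-To == 127.0.0.1 confines DEFAULT to the inner
# request.  Entry tuples and the outer identity are constructed for the demo.

def match(entry, request):
    """Entry matches if its name is DEFAULT or equals User-Name, and every
    check item (attribute == value) is present in the request with that
    value.  A missing attribute fails an == check, as in rlm_files."""
    name, checks, _reply, _fall_through = entry
    if name != "DEFAULT" and name != request.get("User-Name"):
        return False
    return all(request.get(attr) == value for attr, value in checks.items())

def authorize(users, request):
    """Reply items of the first matching entry, plus those of later matching
    entries as long as the matched entry sets Fall-Through = Yes."""
    reply = []
    for entry in users:
        if match(entry, request):
            reply.extend(entry[2])
            if not entry[3]:
                break
    return reply

def peap_login(users, inner_user, outer_id="anonymous"):
    """The outer request carries only the outer identity; the server tags the
    inner (tunnelled) request with Freeradius-Proxied-To = 127.0.0.1 and, as
    the original post describes, merges the two replies."""
    outer = {"User-Name": outer_id}
    inner = {"User-Name": inner_user, "Freeradius-Proxied-To": "127.0.0.1"}
    return authorize(users, outer) + authorize(users, inner)

DEFAULTS = [("attribute1", "def_val1"), ("attribute2", "def_val2")]
# Entries: (name, check items, reply items, fall-through)
ORIGINAL = [
    ("user1", {}, [("attribute1", "val1")], False),
    ("user2", {}, [("attribute2", "val2")], False),
    ("DEFAULT", {}, DEFAULTS, False),
]
# The thread's fix: DEFAULT matches only requests tagged as the inner tunnel.
FIXED = ORIGINAL[:2] + [
    ("DEFAULT", {"Freeradius-Proxied-To": "127.0.0.1"}, DEFAULTS, False),
]

if __name__ == "__main__":
    print(peap_login(ORIGINAL, "user1"))   # defaults from outer id, then val1
    print(peap_login(FIXED, "user1"))      # only user1's own attribute
    print(peap_login(FIXED, "someone"))    # unknown user still gets defaults
```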
Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity
I found myself not knowing how to reply directly from the post, but here is a thank you to Ivan and Phil, that works for me!

thanks.
-gong

- Original Message -
From: Gong Cheng [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 3:14:13 PM
Subject: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

> Hi folks,
>
> I am working on an issue like this: In my users file, I have
>
> user1
>     attribute1=val1
> user2
>     attribute2=val2
> DEFAULT
>     attribute1=def_val1
>     attribute2=def_val2
>
> My intention is that
> - for individual users, like user1 and user2, I will get the individual attributes I specified in their dedicated entries,
> - and for everybody else, I will get a default set of attributes.
>
> That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say anonymous, is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. So, for example, user1 will get
>
>     attribute1=def_val1
>     attribute2=def_val2
>     attribute1=val1
>
> Is there any way so that the individual users won't acquire any attributes from DEFAULT when using methods like PEAP/EAP-TTLS?
>
> A naive solution is to put a check of
>
> DEFAULT User-Name != anonymous
>
> but it is not a reliable way since there is no guarantee that the outer id is anonymous. I wonder if there is another way to check this in DEFAULT or if there is any other different trick to do this?
>
> thanks!
> -gong
Re: Regex Ldap Group
Noted TQ. Will try the proposed solution.

--haizam

- Original Message -
From: Kolbjørn Barmen [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group

> On Tue, 19 Feb 2008, Alan DeKok wrote:
>
>> Rohaizam Abu Bakar wrote:
>>> I tried to do a regex match in Ldap-Group. From the users file below, the NAS-Identifier regex works OK, but the Ldap-Group match is not working, as in the DEBUG log below.
>>
>> It doesn't work like that. The match is IF the user is in the named group. See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().
>>
>> If you want it to do a regex match, you'll have to modify the code in rlm_ldap.
>
> Also note that LDAP typically doesn't allow substring search on any given attribute.
>
> My solution is to use a separate script to perform a search in LDAP using ldapsearch and output whatever you need in the attribute. Example: I have LDAP users in either ou=group1,ou=test,o=bla or ou=group2,ou=test,o=bla, and there are no other LDAP attributes to grab:
>
> #! /bin/sh
> # /usr/sbin/ldap2vlan
> # Look up the user's DN and strip it down to the name of its ou (group1/group2).
> # -w supplies the bind password on the command line (-W would prompt for it).
> GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
>     -D cn=admin,ou=test,o=bla -w mypasswd \
>     '(cn='${1}')' dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')
> test "${GROUP}" = group1 && echo -n 110 && exit 0
> test "${GROUP}" = group2 && echo -n 120 && exit 0
>
> And then in the users file I have
>
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
>     Tunnel-Type = VLAN,
>     Tunnel-Medium-Type = IEEE-802,
>     Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`
>
> Tunnel-Private-Group-Id will then be either 110 or 120 depending on whether the user is found in group1 or group2 (and group1 if found in both).
>
> Hope this helps... :)
>
> --
> Kolbjørn Barmen
> UNINETT Driftsenter