Re: proxed EAP and eduroam project

2008-02-19 Thread inverse
On Feb 18, 2008 12:32 PM,  [EMAIL PROTECTED] wrote:
> Hi,
>
>
> cleartext?  not really.  the proxied traffic will be at least

This regards EAP-TLS:
I meant that at least the username is shown, and you can get
additional information reading the attribute values.
Other than that, everything else seems useless but I just say the
conversation is not completely encapsulated if that's what you mean.
Anyways I'm not worried.

> encapsulated via a shared secret between each RADIUS end point.

snip

> would give greater security.  however, EAP-TLS is the defacto
> top-level way of doing it. platinum service, as it were - but
> you've got to have a full PKI infrastructure for creation,
> deployment and revocation.

We have our PKI, we routinely revoke certificates and distribute the
crl. This happens not without our share of anality, taken care of by
scripts (written with my blood, over human skin) that restart radiusd
and check that everything is still working fine, including the event
of an expired/invalid crl or an out of service PKI.

So, if there is any configuration option to encapsulate the full UDP
payload without revealing anything, I'm more than glad to hear
something about it because I must admit ignorance regarding this
particular matter.
If there isn't one, never mind, just means I misunderstood.

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

seems interesting

bye!
Inverse


-- 
In a sea of glass shards, I hear you screaming
--icchan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: proxed EAP and eduroam project

2008-02-19 Thread Stefan Winter
Hi,

> unless using very old method like EAP-MD5.

which is forbidden in the eduroam policy anyway. For the exact reason of not 
providing sufficient security (no mutual authentication).

> looking to the future, RADSEC will be involved in 'beefing up'
> the RADIUS to RADIUS communication channel. as well as the
> automatic assignment/discovery of AAA end point systems.

RadSec is RADIUS over TCP+TLS. This means that the attributes which are 
unencrypted in RADIUS (User-Name, Calling-Station-Id, ...) will be hidden 
inside a TLS tunnel and will only be visible to the RADIUS servers involved 
in proxying, not any IP node underway as is current with RADIUS alone.

Concerning RadSec, you might like to read the current Internet-Draft: 
http://www.ietf.org/internet-drafts/draft-winter-radsec-01.txt

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


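As an added illustration of Stefan's point (example code written for this page, not from the thread or from FreeRADIUS): the script below builds an Access-Request the way a NAS would and then decodes it the way any IP node on the proxy path sees it. Only User-Password is obfuscated with the shared secret (RFC 2865 section 5.2); User-Name and Calling-Station-Id are plain TLVs readable by every hop, which is exactly what a RadSec TLS tunnel closes off. The secret, authenticator and attribute values are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 31: "Calling-Station-Id"}

# Constructed sample values, not taken from any real deployment.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))   # a real client uses 16 random bytes


def hide_password(password, secret, authenticator):
    """Obfuscate User-Password as in RFC 2865 section 5.2.

    The password is NUL-padded to a multiple of 16 bytes (at least 16),
    then each block is XORed with MD5(secret + previous cipher block),
    where the first "previous block" is the Request Authenticator.
    """
    width = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(width, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only possible with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, authenticator, attrs):
    """Encode (type, value) pairs as RADIUS TLVs behind the 20-byte header."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Walk the attribute list, refusing malformed lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length > len(data) or length < 20:
        raise ValueError("length field does not match datagram")
    authenticator = data[4:20]
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs


def observer_view(data):
    """What any IP node on the proxy path reads without the secret."""
    _, _, _, attrs = parse_packet(data)
    view = {}
    for t, v in attrs:
        name = ATTR_NAMES.get(t, "Attr-%d" % t)
        # User-Password arrives as opaque bytes; everything else is plain text.
        view[name] = v.hex() if t == 2 else v.decode("utf-8", "replace")
    return view


def sample_packet():
    """An Access-Request as a NAS would send it towards the proxies."""
    hidden = hide_password(b"s3cret", SECRET, AUTHENTICATOR)
    return build_access_request(7, AUTHENTICATOR, [
        (1, b"alice@example.org"),
        (2, hidden),
        (31, b"00-11-22-33-44-55"),
    ])


if __name__ == "__main__":
    for name, value in observer_view(sample_packet()).items():
        print("%-20s %s" % (name, value))
```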

Re: Regex Ldap Group

2008-02-19 Thread Kolbjørn Barmen
On Tue, 19 Feb 2008, Alan DeKok wrote:

> Rohaizam Abu Bakar wrote:
> > I tried to do regex match in Ldap-Group. From below users file, The
> > NAS-Identifier regex works OK but for Ldap-Group match, it's not
> > working as below DEBUG log.
>
>   It doesn't work like that.  The match is IF the user is in the named
> group.  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().
>
>   If you want it to do a regex match, you'll have to modify the code in
> rlm_ldap.

Also note that LDAP typically doesn't allow substring search on any given
attribute.

My solution is to use a separate script to perform a search in LDAP using
ldap-search and output whatever you need in the attribute.

Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:


#! /bin/sh
# /usr/sbin/ldap2vlan
# Escape LDAP filter metacharacters (RFC 4515) in the User-Name passed as $1,
# so a crafted name cannot change the shape of the search filter.
SAFE=$(printf '%s' "${1}" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')
# -w takes the bind password as an argument (-W would prompt for it);
# the first DN returned wins.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
    -D cn=admin,ou=test,o=bla -w mypasswd \
    "(cn=${SAFE})" dn | sed -n 's/,ou=test,o=bla//;s/.*=//p' | head -n 1)

test "${GROUP}" = group1 && echo -n 110 && exit 0
test "${GROUP}" = group2 && echo -n 120 && exit 0


And then in the users file I have

DEFAULT Freeradius-Proxied-To == 127.0.0.1
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = `/usr/sbin/ldap2vlan %{User-Name}`

Tunnel-Private-Group-Id will then either be 110 or 120 depending on
whether user is found in group1 or group2 (and group1 if found in both)

Hope this helps... :)

-- 
Kolbjørn Barmen
UNINETT Driftsenter
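Kolbjørn's script drops %{User-Name} straight into the search filter. As an added example (mine, not from the post), the Python below reproduces the filter the script builds and its DN-to-group step, adds the RFC 4515 escaping that turns any User-Name into a literal cn match, and a check a deployment could apply to the filter it is about to send. The base DN and the group-to-VLAN mapping are the ones from the post; the user names and DNs are constructed.

```python
import re

# Base DN from the post.
BASE_DN = "ou=test,o=bla"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(user_name):
    """What the script sends: the User-Name dropped in unchanged."""
    return "(cn=%s)" % user_name


def safe_filter(user_name):
    """Same filter with the value escaped, so it is always a literal cn match."""
    return "(cn=%s)" % escape_filter_value(user_name)


def is_literal_cn_filter(flt):
    """True if the filter is a single equality match with no wildcard or nesting."""
    return re.fullmatch(r"\(cn=(?:[^()*\\]|\\[0-9a-f]{2})*\)", flt) is not None


def group_from_dn(dn):
    """The sed step of ldap2vlan on one DN: strip the base, keep the last RDN value."""
    suffix = "," + BASE_DN
    if not dn.endswith(suffix):
        return None
    return dn[:-len(suffix)].rsplit("=", 1)[1]


def vlan_for_user(dns):
    """ldap2vlan's decision: first returned DN wins; an unknown group gives no VLAN."""
    if not dns:
        return None
    return {"group1": "110", "group2": "120"}.get(group_from_dn(dns[0]))
```

A name of `*` passes the naive filter as a wildcard that matches every entry under the base, while the escaped form matches only a cn literally named `*`.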

Re: Regex Ldap Group

2008-02-19 Thread Alan DeKok
Rohaizam Abu Bakar wrote:
> I tried to do regex match in Ldap-Group. From below users file, The
> NAS-Identifier regex works OK but for Ldap-Group match, it's not
> working as below DEBUG log.

  It doesn't work like that.  The match is IF the user is in the named
group.  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().

  If you want it to do a regex match, you'll have to modify the code in
rlm_ldap.

  Alan DeKok.


Regex Ldap Group

2008-02-19 Thread Rohaizam Abu Bakar

FR: 1.1.2
Openldap 2.3.X

I tried to do regex match in Ldap-Group. From below users file, The 
NAS-Identifier regex works OK but for Ldap-Group match, it's not working 
as below DEBUG log.


value to match (jarService = Y5-IPOH, NAS-Identifier=Y5-IPOH)


Users file
===

NAS-Identifier =~ Y5, ldapmain1-Ldap-Group =~ Y5, Autz-Type := Y5


radiusd.conf
=
   ldap ldapmain1 {
..
   groupname_attribute = jarService
   groupmembership_filter = (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))

   }


Debug:
=

rlm_ldap: performing search in ou=CUSTOMER,ou=People,dc=x,dc=xx, with 
filter (&(jarService=Y5)(&(uid=bacang)(objectclass=radiusprofile)))

rlm_ldap: object not found or got ambiguous search result




--haizam 





Re: one username and 2 NAS

2008-02-19 Thread Ivan Kalik
Not easy. For instance you can add NAS-IP-Address field to usergroup
table and alter the group membership query. But making it work for other
users might be difficult. So you can make multiple SQL instances ...

It might be more trouble than it's worth. In most cases it makes more
sense to use provided functionality than to go hacking the configuration
files.

Ivan Kalik
Kalik informatika ISP


On 19/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:

> Ok, Thank you.
>
> But for you, is it possible to use mysql for my target?
>
> If yes, do you have any ideas?
>
> I would like to have a system (PHP-Mysql) to configure my radius server
> without using text files.
>
> Thank you
>
> Enrico




Re: Cisco AV-PAIRS

2008-02-19 Thread Ivan Kalik
And why do you have password in two locations? If you store it in Ldap
you don't need it in users file and vice versa.

Ivan Kalik
Kalik Informatika ISP


On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:

> Hi there.
>
> My Saga continues
>
> I have freeRADIUS working with openLDAP and can log into CISCO kit and
> pass the priv-level from the raddb/users file.
>
> Is there any way that this information can be passed from the openLDAP
> user details instead?
>
> I am looking to do a single-signon system and it seems a little awkward
> to have to change a password (as is required in the users file) in 2
> locations.
>
> Thanks
>
> David


Re: one username and 2 NAS

2008-02-19 Thread Enrico Fanti

Ok, Thank you.

But for you, is it possible to use mysql for my target?

If yes, do you have any ideas?

I would like to have a system (PHP-Mysql) to configure my radius server
without using text files.


Thank you

Enrico


Ivan Kalik wrote:

> It's a file in raddb directory, not a part of the database schema.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
>
> > Sorry.
> >
> > I made a mistake with my thunderbird button.
> >
> > I would like to know what is the huntgroups concept in radius database.
> > I have this db schema:
> >
> > mysql> show tables;
> > +------------------+
> > | Tables_in_radius |
> > +------------------+
> > | nas              |
> > | radacct          |
> > | radcheck         |
> > | radgroupcheck    |
> > | radgroupreply    |
> > | radippool        |
> > | radpostauth      |
> > | radreply         |
> > | usergroup        |
> > +------------------+
> >
> > Thank you
> >
> > Enrico
> >
> > Ivan Kalik wrote:
> >
> > > You have asked this once already. It has been answered.
> > >
> > > Ivan Kalik
> > > Kalik Informatika ISP
> > >
> > > On 18/2/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
> > >
> > > > Hi,
> > > >
> > > > I have freeradius configured with Mysql.
> > > >
> > > > I would like to have a user pippo who can ssh login to 2 linux servers
> > > > which use pam_radius in /etc/pam.d/sshd (i.e. 2 NAS, same username).
> > > >
> > > > Freeradius must check whether the NAS-IP-Address is ok for this user
> > > > in the radcheck table..
> > > >
> > > > I use the == operator and my radcheck table is:
> > > >
> > > > mysql> SELECT id, UserName, Attribute, Value, op from radcheck WHERE
> > > > Username = 'pippo' order by id;
> > > > +----+----------+----------------+---------------+----+
> > > > | id | UserName | Attribute      | Value         | op |
> > > > +----+----------+----------------+---------------+----+
> > > > | 39 | pippo    | NAS-IP-Address | 10.0.0.52     | == |
> > > > | 40 | pippo    | NAS-IP-Address | 10.0.0.49     | == |
> > > > | 41 | pippo    | Expiration     | 1203325200    | == |
> > > > | 42 | pippo    | Crypt-Password | v7fawImvQUoXM | == |
> > > > +----+----------+----------------+---------------+----+
> > > >
> > > > It doesn't work..
> > > >
> > > > Some ideas ???
> > > >
> > > > Thank you
> > > >
> > > > Enrico



Re: Cisco AV-PAIRS

2008-02-19 Thread Guy Davies
I was wondering the same thing :-)

On the subject of getting the attributes from LDAP, the Cisco AV pairs
are just another AV Pair.  Sure, Cisco have broken their AVs up with
sub-AVs, but it's still just passing a value back from LDAP and
manipulating the format so that it is placed correctly into the
correct AV.

The priv-level (as you have clearly worked out) is presented as...

Cisco-AV-Pair=priv-level=value

value = 0 to 15

If you have an attribute in your LDAP schema that is called
Cisco-AV-Pair and it contains the string priv-level=15, then you
should be able to return that attribute and map it to the contents of
the Cisco-AV-Pair RADIUS attribute.

I don't *think* it's any different to mapping any other string based AV Pair.

Rgds,

Guy

On 19/02/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
> And why do you have password in two locations? If you store it in Ldap
> you don't need it in users file and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP


How to get iphop attributes coming into cisco av-pairs?

2008-02-19 Thread Khalukhin Alexander
Greetings! I'm using freeradius 1.1.6 on gentoo (2.6.15-gentoo-r5) to account
sip calls via radius client on cisco 26xx and have a problem: I need to get
iphop attributes from radius accounting packets, but I can't :( While running
freeradius in debug mode (-X key), I see required attributes as shown below:

Acct-Session-Id = 4D005CBF
Calling-Station-Id = 1004603
Called-Station-Id = #7495100
Cisco-AVPair = call-id=ZDgxMWUwZDFlODQ5Yzc1MmViZTZmM2UyMmY1ZjdiNzc.
-  Cisco-AVPair = iphop=count:3
-  Cisco-AVPair = iphop=hop1:213.248.63.122
-  Cisco-AVPair = iphop=hop2:213.248.63.122
-  Cisco-AVPair = iphop=hop3:213.248.12.121
h323-setup-time = h323-setup-time=12:15:03.844 MSK Tue Feb 19 2008
h323-gw-id = h323-gw-id=voice5.di-net.ru
h323-conf-id = h323-conf-id=FD2F9C59 DE0111DC A013E229 E5B23AB5
h323-call-origin = h323-call-origin=answer
h323-call-type = h323-call-type=VoIP
Cisco-AVPair = h323-incoming-conf-id=FD2F9C59 DE0111DC
A013E229 E5B23AB5
Cisco-AVPair = subscriber=Unknown
Cisco-AVPair = session-protocol=sipv2
Cisco-AVPair = gw-rxd-cdn=ton:0,npi:0,#:#7495100
Cisco-AVPair = feature-vsa=fn:TWC,ft:02/19/2008
12:15:03.844,cgn:1004603,cdn:#7495100,frs:0,fid:3195,fcid:FD2F9C59DE0111DCA013E229E5B23AB5,legID:D05
User-Name = 1004603
Cisco-AVPair = connect-progress=Call Up
Acct-Status-Type = Start
Service-Type = Login-User
NAS-IP-Address = 213.219.200.35
Acct-Delay-Time = 0

I'm using the oracle freeradius driver of the sql module to log all the packets into
the database. I can use all other attributes in my sql queries (with using
cisco_avpair_hack of course). All other, but not those ones - they always
come empty. Here is one of the queries in oraclesql.conf:

accounting_start_query = "INSERT INTO ACC (\"ACCT-STATUS-TYPE\",
\"NAS-IP-ADDRESS\", \"H323-CALL-ORIGIN\", \"CALLED-STATION-ID\",
\"CALLING-STATION-ID\", \"ACCT-SESSION-ID\", \"CALL-ID\", \"SIP-TO-TAG\",
\"SIP-FROM-TAG\", \"SIP-TRANSLATED-REQUEST-URI\", \"USER-NAME\",
\"SIP-SOURCE-IP-ADDRESS\", \"SIP-SOURCE-PORT\", \"ACCT-SESSION-TIME\",
\"H323-CONNECT-TIME\", \"H323-SETUP-TIME\", \"H323-DISCONNECT-TIME\",
\"H323-DISCONNECT-CAUSE\", \"PREV-HOP-VIA\", \"PREV-HOP-IP\", \"NEXT-HOP-IP\",
\"NEXT-HOP-DN\") VALUES ('%{ACCT-STATUS-TYPE}', '%{NAS-IP-ADDRESS}',
'%{H323-CALL-ORIGIN}', '%{CALLED-STATION-ID}', '%{CALLING-STATION-ID}',
'%{ACCT-SESSION-ID}', '%{CALL-ID}', '%{SIP-TO-TAG}', '%{SIP-FROM-TAG}',
'%{SIP-TRANSLATED-REQUEST-URI}', '%{USER-NAME}', '%{SIP-SOURCE-IP-ADDRESS}',
'%{SIP-SOURCE-PORT}', '%{ACCT-SESSION-TIME}', '%{H323-CONNECT-TIME}',
'%{H323-SETUP-TIME}', '%{H323-DISCONNECT-TIME}', '%{H323-DISCONNECT-CAUSE}',
'%{PREV-HOP-VIA}', '%{PREV-HOP-IP}', '%{NEXT-HOP-IP}', '%{IPHOP}')"

Cisco AV-PAIRS

2008-02-19 Thread David W Bell

Hi there.

My Saga continues

I have freeRADIUS working with openLDAP and can log into CISCO kit and 
pass the priv-level from the raddb/users file.


Is there any way that this information can be passed from the openLDAP 
user details instead?


I am looking to do a single-signon system and it seems a little awkward 
to have to change a password (as is required in the users file) in 2 
locations.


Thanks

David


Re: Cisco AV-PAIRS

2008-02-19 Thread David W Bell
Only way I have found to get RADIUS to pass the AV-PAIRS back is from 
the users file.


If I have missed something, please let me know

David


> And why do you have password in two locations? If you store it in Ldap
> you don't need it in users file and vice versa.
>
> Ivan Kalik
> Kalik Informatika ISP




Re: Cisco AV-PAIRS

2008-02-19 Thread Ivan Kalik
Password is a check item. It has nothing to do with what's in the reply
(av-pairs are reply items). Just remove the password and it will still
work the same. You *can* leave the check line blank in users file.

Ivan Kalik
Kalik Informatika ISP


On 19/2/2008, David W Bell [EMAIL PROTECTED] wrote:

> Only way I have found to get RADIUS to pass the AV-PAIRS back is from
> the users file.
>
> If I have missed something, please let me know
>
> David



Re: Cisco AV-PAIRS

2008-02-19 Thread Walter E. Kurtz

David W Bell wrote:
> Only way I have found to get RADIUS to pass the AV-PAIRS back is from
> the users file.

Try using Reply-items in ldap.attrmap.

Or the users file without authenticating users against it.

> If I have missed something, please let me know
>
> David




FreeRadius question

2008-02-19 Thread Harley Race
> > I am trying to find out how I can check what options
> > the freeradius binary available for download was
> > compiled with.   I have STFW and RTFM, but still am
> > not sure as to how to check.  radiusd -X gives some
> > information, but nothing about what freeradius was
> > compiled with.  I am interested in finding out if the
> > binary was compiled with e-Directory support. Thanks
> > for any help.
>
> WHICH binary available for download?
>
> alan

Hello Alan,

Thanks for the quick response.  The binaries I was
talking about are on the download page:

http://www.freeradius.org/download.html

I was interested in the Fedora one.



  



radius and cisco

2008-02-19 Thread Jim McIver
I'm a newbie and looking for instructions on how to setup FreeRADIUS 
Version 1.1.7 on a SLES 10 linux box to use for authentication and 
logging for a cisco 2801 router. I want to track users connecting 
from the outside world using Cisco's vpn client and cisco says 
radius is the answer.

I'd like to start with just allowing users from the linux /etc/passwd 
access and then move onto authentication from my Netware 6.5 LDAP 
server.

I've read all I can find on freeradius.org and cisco, but still don't 
understand... hard learner I guess.

radiusd -xx gives:
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.

My radius.conf is what was installed as default.
Q1? Do I need to add anything other than the below to client.conf?

In my client.conf I've added:
# Test on cisco 2801 router(internal ip of router)
client 192.168.135.3 {
secret  =xxx
shortname   =myrouter
nastype =cisco
}

I believe the relevant part of the users file is:

DEFAULT Auth-Type = System
Fall-Through = 1

and

DEFAULT Service-Type == Framed-User
Framed-IP-Address = 255.255.255.254,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes

Notes I've read say to change this to 255.255.255.255 ??

Q2? I believe I also need to add something similar to the below in 
the users file?

youruser   Cleartext-Password := somepass
   Service-Type = NAS-Prompt-User,
   cisco-avpair = shell:priv-lvl=15

Q3? Does youruser and somepass need to be a valid user from 
/etc/passwd? I'm unclear if there is a link between users in this 
file and valid users in /etc/passwd of the linux box.

My cisco 2801 currently has info like:
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization network default local
!
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNCLIENTS
 key xxx
 dns 192.168.135.15
 domain xxx.com
 pool CLIENTPOOL
 acl 150
 netmask 255.255.255.0
crypto isakmp profile IKE1
   match identity group VPNCLIENTS
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!

Q4? Do I need to remove any of this info, or just replace the stuff 
at the top with something like:

   aaa new-model
   aaa authentication login default group radius local
   aaa authentication login localauth local
   aaa authentication ppp default if-needed group radius local
   

SSL error

2008-02-19 Thread Eduardo Lima
I'm trying to build a radius server with PEAP-mschap but it's not working 
because of an SSL error:

short Log below:

modcall[authorize]: module eap returns updated for request 1
  users: Matched entry teste at line 59
modcall[authorize]: module files returns ok for request 1
  modcall: leaving group authorize (returns updated) for request 1
rad_check_password:  Found Auth-Type EAP
  auth: type EAP
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
  rlm_eap_tls:  Length Included
eaptls_verify returned 11
  (other): before/accept initialization
  TLS_accept: before/accept initialization
rlm_eap_tls:  TLS 1.0 Handshake [length 0041], ClientHello
  TLS_accept: SSLv3 read client hello A
rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
  TLS_accept: SSLv3 write server hello A
rlm_eap_tls:  TLS 1.0 Handshake [length 0613], Certificate
  TLS_accept: SSLv3 write certificate A
rlm_eap_tls:  TLS 1.0 Handshake [length 0004], ServerHelloDone
  TLS_accept: SSLv3 write server done A
  TLS_accept: SSLv3 flush data
  TLS_accept:error in SSLv3 read client certificate A
  rlm_eap: SSL error error::lib(0):func(0):reason(0)
  In SSL Handshake Phase
  In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module eap returns handled for request 1
  modcall: leaving group authenticate (returns handled) for request 1
  Sending Access-Challenge of id 1 to 10.0.0.245 port 1056
  Idle-Timeout = 10
  


Any ideas



   

Re: SSL error

2008-02-19 Thread Ivan Kalik
No. You have no client certificate so there is nothing to be read.
That's normal. But PEAP conversation stopping in the middle with an
Access-Challenge is another matter - described in FAQ, eap.conf, ...

Ivan Kalik
Kalik Informatika ISP




Re: radius and cisco

2008-02-19 Thread Ivan Kalik
> My radius.conf is what was installed as default.
> Q1? Do I need to add anything other than the below to client.conf?
>
> In my client.conf I've added:
> # Test on cisco 2801 router(internal ip of router)
> client 192.168.135.3 {
> secret  =xxx
> shortname   =myrouter
> nastype =cisco
> }
>
> I believe the relevant part of the users file is:
>
> DEFAULT Auth-Type = System
> Fall-Through = 1
>
> and
>
> DEFAULT Service-Type == Framed-User
> Framed-IP-Address = 255.255.255.254,
> Framed-MTU = 576,
> Service-Type = Framed-User,
> Fall-Through = Yes
>
> Notes I've read say to change this to 255.255.255.255 ??


That looks fine. Notes are likely about the netmask not IP address.

> Q2? I believe I also need to add something similar to the below in
> the users file?
>
> youruser   Cleartext-Password := somepass
>    Service-Type = NAS-Prompt-User,
>    cisco-avpair = shell:priv-lvl=15


Remove the password. You said that it will be stored in /etc/passwd. If
you put the password here you don't need /etc/passwd check (Auth-Type
System) at all.

> Q3? Does youruser and somepass need to be a valid user from
> /etc/passwd? I'm unclear if there is a link between users in this
> file and valid users in /etc/passwd of the linux box.


The link is the username. You want to store the password in /etc/passwd and
the reply attributes in the users file.

My cisco 2801 currently has info like:
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization network default local
!
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNCLIENTS
 key xxx
 dns 192.168.135.15
 domain xxx.com
 pool CLIENTPOOL
 acl 150
 netmask 255.255.255.0
crypto isakmp profile IKE1
   match identity group VPNCLIENTS
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!

Q4? Do I need to remove any of this info, or just replace the stuff
at the top with something like:

   aaa new-model
   aaa authentication login default group radius local
   aaa authentication login localauth local
   aaa authentication ppp default if-needed group radius local
   aaa authorization exec default group radius local
   aaa authorization network default group radius local
   aaa accounting delay-start
   aaa accounting exec default start-stop group radius
   aaa accounting network default start-stop group radius
   aaa processes 6
   aaa accounting delay-start


This is from here: http://wiki.freeradius.org/Cisco

Q5? Do I also need a line similar to below on the cisco?
radius-server host 192.168.135.3
radius-server key 
radius-server auth-port 1812


That IP address is the same as the one for the router. That can't be
correct - the Linux box IP should go here. You have not set up accounting -
and that was the whole point of this exercise. Add that. If the radius IP is
also on the private subnet it's quite likely that you won't have to
force the router to use the IP address defined in clients.conf - it
should select it on its own. If it doesn't, you can force the radius
source interface in the router config.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSL error

2008-02-19 Thread Alan DeKok
Eduardo Lima wrote:
 I'm trying to build a radius server with PEAP-mschap but it's not
 working because an ssl error:

  No.  The error is 0, meaning no error.  Seeing the error in the
debug log also means you're using an old version of the server, and
should upgrade to at least 1.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radius and cisco

2008-02-19 Thread Alan DeKok
Jim McIver wrote:
 I'm a newbie and looking for instructions on how to set up FreeRADIUS 
 Version 1.1.7 on a SLES 10 linux box to use for authentication and  
 logging for a cisco 2801 router. I want to track users connecting 
 from the outside world using Cisco's vpn client and cisco says 
 radius is the answer.

  Yes.

 I'd like to start with just allowing users from the linux /etc/passwd 
 access and then move onto authentication from my Netware 6.5 LDAP 
 server.

  See the FAQ for getting started with FreeRADIUS.

 I've read all I can find on freeradius.org and cisco, but still don't 
 understand... hard learner I guess.
 
 radiusd -xx gives:
...
 Ready to process requests.

  And no packets.  The server has to receive a request for it to be able
to do something.

 My radius.conf is what was installed as default.
 Q1? Do I need to add anything other than the below to client.conf?

  No.

 I believe the relavent part of the users file is:
 
 DEFAULT Auth-Type = System
 Fall-Through = 1

  Yes.

 Notes I've read say to change this to 255.255.255.255 ??

  Maybe.  Only if you're assigning IP addresses.

 Q2? I believe I also need to add something similar to the below in 
 the users file?

  Not if the users are being authenticated from /etc/passwd.

 Q3? Does youruser and somepass need to be a valid user from 
 /etc/passwd? I'm unclear if there is a link between users in this 
 file and valid users in /etc/passwd of the linux box.

  They are independent.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how can I configure CHAP or PAP

2008-02-19 Thread Ivan Kalik
If you have freeradius installed just type radtest at the command prompt,
hit enter and see what happens.

Ivan Kalik
Kalik Informatika ISP


On 19/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:

Sorry Ivan, I am a newbie. I couldn't find any file called radtest
or something like that.

2008/2/19 Ivan Kalik [EMAIL PROTECTED]:
 http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

 Ivan Kalik
 Kalik Informatika ISP


 On 18/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:


 Hello, how can I do it? I don't know. I am using an Antcor OS router and
 it has hotspot settings. I also have a PC which has Ubuntu, and I
 installed Freeradius 1.1.6-2 but my router cannot connect to
 freeradius. How can I solve this?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how can I configure CHAP or PAP

2008-02-19 Thread Sarp Kaya
Sorry Ivan, I am a newbie. I couldn't find any file called radtest
or something like that.

2008/2/19 Ivan Kalik [EMAIL PROTECTED]:
 http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

 Ivan Kalik
 Kalik Informatika ISP


 On 18/2/2008, Sarp Kaya [EMAIL PROTECTED] writes:


 Hello, how can I do it? I don't know. I am using an Antcor OS router and
 it has hotspot settings. I also have a PC which has Ubuntu, and I
 installed Freeradius 1.1.6-2 but my router cannot connect to
 freeradius. How can I solve this?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

2008-02-19 Thread Gong Cheng
Hi folks,
 I am working on an issue like this:

In my users file, I have

user1
 attribute1=val1

user2
 attribute2=val2

DEFAULT
 attribute1=def_val1
 attribute2=def_val2



My intention is that 
- for individual users, like user1 and user2, I will get individual attributes 
I specified in their dedicated entries,
- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason 
is, in the first phase, the outer Identity, say anonymous, is used and it 
hits the DEFAULT entry and acquires the default set of attributes, and then it 
proceeds to phase 2 and acquires the individual attributes. In the end, 
freeradius will combine the two together. 

So, for example, user1 will get 

attribute1=def_val1
attribute2=def_val2
attribute1=val1

Is there any way so that for the individual users won't acquire any attributes 
from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of 
DEFAULT User-Name != anonymous


but it is not a reliable way since there is no guarantee that the outer id is 
anonymous.

I wonder if there is another way to check this in DEFAULT or if there is any 
other different trick to do this?

thanks!

-gong
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

2008-02-19 Thread Ivan Kalik
Add FreeRADIUS-Proxied-To == 127.0.0.1 as a check item.

Ivan Kalik
Kalik informatika ISP


On 19/2/2008, Gong Cheng [EMAIL PROTECTED] writes:

Hi folks,
 I am working on an issue like this:

In my users file, I have

user1
 attribute1=val1

user2
 attribute2=val2

DEFAULT
 attribute1=def_val1
 attribute2=def_val2



My intention is that
- for individual users, like user1 and user2, I will get individual attributes 
I specified in their dedicated entries,
- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason 
is, in the first phase, the outer Identity, say anonymous, is used and it 
hits the DEFAULT entry and acquires the default set of attributes, and then it 
proceeds to phase 2 and acquires the individual attributes. In the end, 
freeradius will combine the two together.

So, for example, user1 will get

attribute1=def_val1
attribute2=def_val2
attribute1=val1

Is there any way so that for the individual users won't acquire any attributes 
from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of
DEFAULT User-Name != anonymous

but it is not a reliable way since there is no guarantee that the outer id is 
anonymous.

I wonder if there is another way to check this in DEFAULT or if there is any 
other different trick to do this?

thanks!

-gong



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

2008-02-19 Thread Phil Mayers

Gong Cheng wrote:

Hi folks,
 I am working on an issue like this:

In my users file, I have

user1
 attribute1=val1

user2
 attribute2=val2

DEFAULT
 attribute1=def_val1
 attribute2=def_val2



My intention is that 
- for individual users, like user1 and user2, I will get individual attributes I specified in their dedicated entries,

- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason is, in the first phase, the outer Identity, say anonymous, is used and it hits the DEFAULT entry and acquires the default set of attributes, and then it proceeds to phase 2 and acquires the individual attributes. In the end, freeradius will combine the two together. 

So, for example, user1 will get 


attribute1=def_val1
attribute2=def_val2
attribute1=val1

Is there any way so that for the individual users won't acquire any attributes 
from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of 
DEFAULT User-Name != anonymous


Normally one would do this:

modules {
  files { ... }
  # define a 2nd copy of the module
  files files_inner { ... }
}
authorize {
  preprocess
  eap
  files
  Autz-Type INNER {
    files_inner
  }
}

Then in users:

DEFAULT Freeradius-Proxied-To == 127.0.0.1, Autz-Type := INNER

Then in users_inner (or whatever you call it) put your actual user 
info. This is also helpful if you're doing LDAP or SQL lookups (or any 
other expensive operation)


In FreeRadius 2 you can accomplish the same thing by sending the inner 
request to a different virtual server and putting the files module 
there; see raddb/sites-available/inner-tunnel and the virtual_server 
option in raddb/eap ttls/peap sections.


This will




but it is not a reliable way since there is no guarantee that the outer id is 
anonymous.

I wonder if there is another way to check this in DEFAULT or if there is any 
other different trick to do this?

thanks!

-gong


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
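Both Ivan's check item and Phil's Autz-Type INNER split rely on the same fact: FreeRADIUS-Proxied-To is present only in the tunnelled inner request, never in the outer one. The following is an added example, not FreeRADIUS code and not from anyone in the thread: a small Python model of the users-file matching rules (entries tried in order, DEFAULT matches any User-Name, every check item must match, the walk stops unless the entry says Fall-Through), run over Gong's entries with and without the check item. It shows why user1 collects def_val1/def_val2 from the outer phase, and that the check item stops that while still giving unknown inner users the defaults. The outer identity "anonymous", the attribute names and the simple concatenation of the two reply lists are assumptions taken from the thread's description.

```python
"""Model of how rlm_files check items behave across the two phases of
PEAP/EAP-TTLS. Added example, not FreeRADIUS code: it re-implements only the
users-file rules the thread relies on and assumes, as rlm_eap_peap and
rlm_eap_ttls do, that only the tunnelled inner request carries
FreeRADIUS-Proxied-To = 127.0.0.1."""

OUTER_IDENTITY = "anonymous"   # assumed outer identity; any other value behaves the same
PROXIED_TO = ("FreeRADIUS-Proxied-To", "127.0.0.1")


def entry(name, reply, check=(), fall_through=False):
    """One users-file entry: name, check items [(attr, value)] compared with ==,
    reply items [(attr, value)], and whether to keep walking after a match."""
    return {"name": name, "check": list(check), "reply": list(reply),
            "fall_through": fall_through}


def files_authorize(entries, request):
    """Walk the users file once for one request and return the reply items it adds."""
    reply = []
    for e in entries:
        if e["name"] != "DEFAULT" and e["name"] != request.get("User-Name"):
            continue
        # A check item with == fails when the attribute is absent from the request,
        # which is exactly the situation of FreeRADIUS-Proxied-To in the outer phase.
        if not all(request.get(attr) == value for attr, value in e["check"]):
            continue
        reply.extend(e["reply"])
        if not e["fall_through"]:
            break
    return reply


def two_phase_authorize(entries, inner_user, outer_identity=OUTER_IDENTITY):
    """Outer phase: only the outer identity is visible. Inner phase: the real
    User-Name plus FreeRADIUS-Proxied-To. The server then combines both reply
    lists, which is the behaviour Gong observed."""
    outer = files_authorize(entries, {"User-Name": outer_identity})
    inner = files_authorize(entries, {"User-Name": inner_user,
                                      PROXIED_TO[0]: PROXIED_TO[1]})
    return outer + inner


# Gong's original users file.
NAIVE_USERS = [
    entry("user1", [("attribute1", "val1")]),
    entry("user2", [("attribute2", "val2")]),
    entry("DEFAULT", [("attribute1", "def_val1"), ("attribute2", "def_val2")]),
]

# The same file with Ivan's check item: DEFAULT can only match the inner request.
INNER_ONLY_USERS = [
    entry("user1", [("attribute1", "val1")]),
    entry("user2", [("attribute2", "val2")]),
    entry("DEFAULT", [("attribute1", "def_val1"), ("attribute2", "def_val2")],
          check=[PROXIED_TO]),
]


if __name__ == "__main__":
    for label, users in (("naive", NAIVE_USERS), ("Proxied-To check", INNER_ONLY_USERS)):
        print(label)
        for who in ("user1", "user2", "someone-else"):
            print("  %-13s -> %s" % (who, two_phase_authorize(users, who)))
```

Running it prints, for the naive file, user1 receiving def_val1, def_val2 and then val1; with the check item user1 gets only val1, user2 only val2, and someone-else (matching no named entry) gets the two defaults from the inner phase alone. Phil's variant moves the real entries into a second files instance, but the gate is the same check item.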


Re: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

2008-02-19 Thread Gong Cheng
I found myself not knowing how to reply directly from the post, but here is a 
thank you to Ivan and Phil, that works for me!
thanks.

-gong


- Original Message 
From: Gong Cheng [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 3:14:13 PM
Subject: PEAP/EAP-TTLS acquires DEFAULT reply attributes via outer identity

Hi folks,
I am working on an issue like this:

In my users file, I have

user1
attribute1=val1

user2
attribute2=val2

DEFAULT
attribute1=def_val1
attribute2=def_val2



My intention is that 
- for individual users, like user1 and user2, I will get individual attributes 
I specified in their dedicated entries,
- and for everybody else, I will get a default set of attributes.

That has a problem with the 2-phase EAP methods like PEAP/EAP-TTLS. The reason 
is, in the first phase, the outer Identity, say anonymous, is used and it 
hits the DEFAULT entry and acquires the default set of attributes, and then it 
proceeds to phase 2 and acquires the individual attributes. In the end, 
freeradius will combine the two together. 

So, for example, user1 will get 

attribute1=def_val1
attribute2=def_val2
attribute1=val1

Is there any way so that for the individual users won't acquire any attributes 
from DEFAULT when using methods like PEAP/EAP-TTLS?

A naive solution is to put a check of 
DEFAULT User-Name != anonymous


but it is not a reliable way since there is no guarantee that the outer id is 
anonymous.

I wonder if there is another way to check this in DEFAULT or if there is any 
other different trick to do this?

thanks!

-gong
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Regex Ldap Group

2008-02-19 Thread Rohaizam Abu Bakar

Noted  TQ. Will try the proposed solution.

--haizam

- Original Message - 
From: Kolbjørn Barmen [EMAIL PROTECTED]

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group



On Tue, 19 Feb 2008, Alan DeKok wrote:


Rohaizam Abu Bakar wrote:
 I tried to do regex match in Ldap-Group. From below users file, The
 NAS-Identifier regex works OK but for Ldap-Group match, it's not
 working as below DEBUG log.

  It doesn't work like that.  The match is IF the user is in the named
group.  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().

  If you want it to do a regex match, you'll have to modify the code in
rlm_ldap.


Also note that LDAP typically doesn't allow substring search on any given
attribute.

My solution is to use a separate script to perform a search in LDAP using
ldapsearch and output whatever you need in the attribute.

Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:


#! /bin/sh
# /usr/sbin/ldap2vlan
# Look up the user's DN and print the VLAN for the ou it lives in.
# -w passes the bind password on the command line (-W would prompt for it).
# Note: ${1} is placed in the filter unescaped; RFC 4515 lists the characters
# that need escaping in an assertion value.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
   -D cn=admin,ou=test,o=bla -w mypasswd \
   "(cn=${1})" dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')

test "${GROUP}" = group1 && echo -n 110 && exit 0
test "${GROUP}" = group2 && echo -n 120 && exit 0


And then in the users file I have

DEFAULT Freeradius-Proxied-To == 127.0.0.1
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "%{exec:/usr/sbin/ldap2vlan %{User-Name}}"

Tunnel-Private-Group-Id will then either be 110 or 120 depending on
whether user is found in group1 or group2 (and group1 if found in both)

Hope this helps... :)

--
Kolbjørn Barmen
UNINETT Driftsenter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
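Kolbjørn's ldap2vlan script puts %{User-Name} straight into an LDAP filter, and User-Name is whatever the supplicant sent. The following is an added example, not the script from the thread and not FreeRADIUS code: the same cn -> ou -> VLAN lookup in Python, with the name escaped per RFC 4515 before it enters the filter. The LDAP server is replaced by a constructed in-memory directory and a minimal (cn=...) filter evaluator with LDAP wildcard rules, so the example runs offline and can show what an unescaped '*' would have matched; the base DN, group names and VLAN numbers mirror the thread's script and everything else (user names, the search() injection point) is an assumption.

```python
"""Added example, not Kolbjorn's script or FreeRADIUS code: cn -> ou -> VLAN
lookup with the User-Name escaped before it is placed in the LDAP search
filter. The LDAP server is a constructed stand-in so the example runs offline."""
import fnmatch
import re

BASE_DN = "ou=test,o=bla"
VLAN_BY_GROUP = {"group1": "110", "group2": "120"}

# RFC 4515 escaping of the characters that are special inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_name):
    """The filter the original script builds as '(cn='${1}')', now injection-safe."""
    return "(cn=%s)" % escape_filter_value(user_name)


def group_from_dn(dn):
    """'cn=alice,ou=group1,ou=test,o=bla' -> 'group1' (what the sed pipeline extracts)."""
    m = re.fullmatch(r"cn=[^,]+,ou=([^,]+)," + re.escape(BASE_DN), dn)
    return m.group(1) if m else None


def ldap2vlan(user_name, search):
    """Return the VLAN id for user_name, or None if not found or not in a mapped ou.
    search(filter) -> list of DNs is injected so a real ldapsearch/python-ldap
    call can be swapped in for the stand-in below."""
    for dn in search(build_filter(user_name)):
        vlan = VLAN_BY_GROUP.get(group_from_dn(dn) or "")
        if vlan:
            return vlan
    return None


# --- constructed stand-in for the LDAP server (sample data, not a real tree) ---
SAMPLE_DNS = [
    "cn=alice,ou=group1," + BASE_DN,
    "cn=bob,ou=group2," + BASE_DN,
    "cn=carol,ou=staff," + BASE_DN,    # in the tree, but in no VLAN group
]


def _assertion_to_glob(value):
    """Translate an LDAP assertion value into an fnmatch pattern: a bare '*' is a
    wildcard, a '\\xx' escape is the literal character xx."""
    glob, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            literal = chr(int(value[i + 1:i + 3], 16))
            glob.append("[%s]" % literal if literal in "*?[" else literal)
            i += 3
        elif ch in "?[":
            glob.append("[%s]" % ch)   # fnmatch metacharacters LDAP treats literally
            i += 1
        else:
            glob.append(ch)            # a bare '*' stays a wildcard
            i += 1
    return "".join(glob)


def fake_search(ldap_filter):
    """Evaluate a single (cn=...) filter against SAMPLE_DNS with LDAP wildcard rules."""
    m = re.fullmatch(r"\(cn=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    pattern = _assertion_to_glob(m.group(1))
    return [dn for dn in SAMPLE_DNS
            if fnmatch.fnmatchcase(dn.split(",", 1)[0][len("cn="):], pattern)]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "*", "x)(objectClass=*"):
        print("%-18s filter=%-32s vlan=%s"
              % (name, build_filter(name), ldap2vlan(name, fake_search)))
    # What the unescaped script would have sent for a User-Name of '*':
    print("unescaped (cn=*) matches", fake_search("(cn=*)"))
```

With escaping, a User-Name of "*" becomes (cn=\2a) and matches nobody, so no VLAN is returned. The unescaped (cn=*) the original script would build matches every entry, and since the script takes the first DN it sees, such a client would land in whichever VLAN the first returned user belongs to. The same applies to a name like "x)(objectClass=*", which rewrites the filter structure when not escaped.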