Re: 2.0.3 - sites-enabled/inner-tunnel and sites-available/inner-tunnel

2008-03-18 Thread Alan DeKok
David Wood wrote:
 In 2.0.3, raddb/Makefile now creates a link for sites-enabled/inner-tunnel.
 However, sites-available/inner-tunnel, the destination of that link,
 isn't installed because it has been omitted from the definition of FILES
 in raddb/Makefile. Is this a mistake?

  Yes.

 If there's a problem here, I'll patch it in the FreeBSD port in
 anticipation of a FreeRADIUS fix in 2.0.4.

  I've committed a fix to raddb/Makefile.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Postgres SQL Alarm on duplicated record

2008-03-18 Thread Santiago Balaguer García

Hi,

  I suppose you have this code in the radiusd.conf file:

# Create a unique accounting session Id.  Many NASes re-use or
# repeat values for Acct-Session-Id, causing no end of
# confusion.
#
#  This module will add a (probably) unique session id
#  to an accounting packet based on the attributes listed
#  below found in the packet.  See doc/rlm_acct_unique for
#  more information.
#
acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
 
However, it is true that there is sometimes a duplicate key. This is because in
the original configuration of the database schema, the primary key of the
radacct table is only radacctid. I modified the primary key to (radacctid,
acctuniqueid):
 
CREATE TABLE radacct (
  radacctid bigserial NOT NULL,
  acctsessionid varchar(32) NOT NULL,
  acctuniqueid varchar(32) NOT NULL,
  username varchar(127),
  realm varchar(30),
  nasipaddress inet NOT NULL,
  nasportid varchar(32),
  nasporttype varchar(32),
  acctstarttime timestamptz,
  acctstoptime timestamptz,
  acctsessiontime int8,
  acctauthentic varchar(32),
  connectinfo_start varchar(32),
  connectinfo_stop varchar(32),
  acctinputoctets int8,
  acctoutputoctets int8,
  calledstationid varchar(50),
  callingstationid varchar(50),
  acctterminatecause varchar(32),
  servicetype varchar(32),
  framedprotocol varchar(32),
  framedipaddress inet,
  acctstartdelay int8,
  acctstopdelay int8,
  nasidentifier varchar(40),
  clientipaddress inet,
  CONSTRAINT radacct_pkey PRIMARY KEY (acctuniqueid, radacctid)
);
 Date: Fri, 14 Mar 2008 03:38:52 -0700
 From: [EMAIL PROTECTED]
 To: freeradius-users@lists.freeradius.org
 Subject: Postgres SQL Alarm on duplicated record

 Hello. Sometimes my NAS resends the START record to RADIUS. And I get
 alarm messages like the one below, because the only difference between
 such start records is the Start time, and radacct_acctuniqueid_key is
 always equal for such sessions:

 Wed Mar 12 18:05:10 2008 : Error: rlm_sql (sql): Couldn't insert SQL
 accounting START record - ERROR: duplicate key violates unique constraint
 radacct_acctuniqueid_key

 But, in any case, all such start records are put into the database. How
 can I stop such duplicate records being put in?
 --
 View this message in context:
 http://www.nabble.com/Postgres-SQL-Alarm-on-duplicated-record-tp16046727p16046727.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
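An added example, not code from the thread and not FreeRADIUS's own rlm_acct_unique or rlm_sql, showing the two halves of the duplicate-START problem discussed above: how Acct-Unique-Session-Id is derived from the acct_unique key attributes (so a retransmitted START carries the same id), and how the server-side insert can absorb the retransmission instead of logging "duplicate key violates unique constraint radacct_acctuniqueid_key". It uses an in-memory SQLite table with a cut-down radacct standing in for PostgreSQL, keeps the UNIQUE constraint on acctuniqueid that the error names, and follows the accounting_start_query / accounting_start_query_alt pattern from FreeRADIUS's sql.conf: INSERT first, and UPDATE the still-open row when the INSERT fails. The separator used inside the hash and the sample packet are assumptions.

```python
import hashlib
import sqlite3

# Attributes named in the acct_unique "key" setting above, in that order.
ACCT_UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
                   "Client-IP-Address", "NAS-Port")


def acct_unique_session_id(attrs):
    """Derive Acct-Unique-Session-Id from the key attributes.

    rlm_acct_unique joins the key attribute values and MD5-hashes them; the
    "," separator is an assumption here.  What matters for the duplicate-START
    problem is that a retransmitted START carries the same key attributes and
    therefore gets the same id.
    """
    parts = [str(attrs.get(name, "")) for name in ACCT_UNIQUE_KEY]
    return hashlib.md5(",".join(parts).encode("utf-8")).hexdigest()


# Cut-down radacct: radacctid stays the primary key and acctuniqueid keeps the
# UNIQUE constraint that the "radacct_acctuniqueid_key" error refers to.
SCHEMA = """
CREATE TABLE radacct (
    radacctid     INTEGER PRIMARY KEY AUTOINCREMENT,
    acctsessionid TEXT NOT NULL,
    acctuniqueid  TEXT NOT NULL UNIQUE,
    username      TEXT,
    nasipaddress  TEXT NOT NULL,
    acctstarttime TEXT,
    acctstoptime  TEXT
)
"""


def record_start(conn, attrs, start_time):
    """INSERT the START; if the unique id already exists, UPDATE the open row.

    This mirrors the accounting_start_query / accounting_start_query_alt pair
    in FreeRADIUS's sql.conf: the _alt query runs when the first INSERT fails,
    so a retransmitted START refreshes the row instead of producing an error.
    """
    uid = acct_unique_session_id(attrs)
    try:
        conn.execute(
            "INSERT INTO radacct (acctsessionid, acctuniqueid, username,"
            " nasipaddress, acctstarttime) VALUES (?, ?, ?, ?, ?)",
            (attrs["Acct-Session-Id"], uid, attrs["User-Name"],
             attrs["NAS-IP-Address"], start_time),
        )
        return "inserted"
    except sqlite3.IntegrityError:
        conn.execute(
            "UPDATE radacct SET acctstarttime = ? WHERE acctuniqueid = ?"
            " AND acctstoptime IS NULL",
            (start_time, uid),
        )
        return "updated"


def demo():
    """Constructed START packet, sent twice with only the start time changed."""
    start = {"User-Name": "alice", "Acct-Session-Id": "0000001A",
             "NAS-IP-Address": "192.0.2.10", "Client-IP-Address": "192.0.2.10",
             "NAS-Port": 7}
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    first = record_start(conn, start, "2008-03-12 18:05:00")
    retransmit = record_start(conn, start, "2008-03-12 18:05:10")
    rows = conn.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return first, retransmit, rows


if __name__ == "__main__":
    print(demo())  # ('inserted', 'updated', 1)
```

In a real deployment the same behaviour is configured, not coded: the _alt query in sql.conf is what rlm_sql runs when the START insert fails, so the only thing to check is that it updates by the unique id rather than inserting again.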

Re: rpmbuild freeradius-server-2.0.3.tar.gz

2008-03-18 Thread Alan DeKok
Andrew Long wrote:
 Just hoping that these changes get written into the next release OR
 that someone can point out my stupidity and where I am erring in the
 build process that the initial rpmbuild fails with the supplied spec
 file.

  I think it's because the server installs dictionaries in
/usr/share/freeradius, and the spec file expects to see them in
/usr/share/freeradius-server.

  Change this line:

%{_datadir}/%{name}

  to:

%{_datadir}/freeradius

  The spec file *should* then work with the
freeradius-server-2.0.3.tar.gz file, subject to the _incdir comments below.

 Also, I think I am not alone in using CentOS, so a note might be nice
 in the INSTALL or README regarding the  need to add %_incdir
 /usr/include to .rpmmacros on Cent (or, to change it to _includedir -
 as pointed out by Richard Siddal).

  Ok...

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius Execute Script

2008-03-18 Thread Ivan Kalik
http://www.freeradius.org/radiusd/doc/variables.txt

Ivan Kalik
Kalik Informatika ISP


Dana 17/3/2008, fvt3 [EMAIL PROTECTED] piše:

I understand that it is possible to have Freeradius execute a script when a 
user authenticates.  What I want to do is to be able to pass that user name and 
the client's ip address to the script.  This is my setup: I have freeradius 
with mysql set up.

radgroupreply table:
groupname    attribute          op   value
testprogram  Exec-Program-Wait  ==   /usr/local/etc/raddb/test.pl

When user Joe authenticates with his credentials, radius would look in mysql 
and execute the test.pl script.  How can I pass the user name joe and the 
client's ip address to the test.pl script?



  
 



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
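An added example, not code from the thread and not FreeRADIUS's own rlm_exec, showing the mechanism that doc/variables.txt (the link in the reply above) describes for this question: rlm_exec exports every request attribute into the child's environment, with the attribute name upper-cased and '-' replaced by '_', so test.pl can read $ENV{USER_NAME} and $ENV{NAS_IP_ADDRESS} (or any other attribute present in the request, under the same naming rule) without anything being passed on the command line. The harness below emulates Exec-Program-Wait: exit status 0 accepts, non-zero rejects, and "Attribute = value" lines on stdout are collected as reply attributes. The script it runs is a Python stand-in for test.pl; the user names, the NAS address and the rule that rejects a user called "blocked" are constructed for the demonstration.

```python
import os
import re
import shlex
import subprocess
import sys
import tempfile


def attr_to_env(name):
    """Environment variable name rlm_exec uses for a request attribute.

    doc/variables.txt: the attribute name is upper-cased and '-' becomes '_',
    so User-Name is $USER_NAME and NAS-IP-Address is $NAS_IP_ADDRESS.
    Folding any other non-alphanumeric character to '_' is an assumption.
    """
    return re.sub(r"[^A-Z0-9]", "_", name.upper())


def run_exec_wait(command, request):
    """Run a program the way Exec-Program-Wait does.

    The request attributes are exported into the environment, the program's
    exit status decides accept (0) or reject (non-zero), and each stdout line
    of the form 'Attribute = value' is collected as a reply attribute.
    """
    env = dict(os.environ)
    env.update({attr_to_env(k): str(v) for k, v in request.items()})
    proc = subprocess.run(shlex.split(command), env=env, capture_output=True,
                          text=True, timeout=10, check=False)
    reply = {}
    for line in proc.stdout.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            reply[key.strip()] = value.strip().strip('"')
    return proc.returncode == 0, reply


# Stand-in for test.pl, written in Python so the example runs anywhere: it
# reads the exported variables, refuses one constructed user name and echoes
# who connected from which NAS as a Reply-Message.
SCRIPT = """\
import os, sys
user = os.environ.get("USER_NAME", "")
nas = os.environ.get("NAS_IP_ADDRESS", "")
if user == "blocked":
    sys.exit(1)
print('Reply-Message = "%s authenticated via %s"' % (user, nas))
"""


def demo(user):
    """Constructed request for one user; returns (accepted, reply attributes)."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as fh:
        fh.write(SCRIPT)
        path = fh.name
    try:
        request = {"User-Name": user, "NAS-IP-Address": "192.0.2.10",
                   "NAS-Port": 5}
        command = "%s %s" % (shlex.quote(sys.executable), shlex.quote(path))
        return run_exec_wait(command, request)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo("joe"))      # (True, {'Reply-Message': 'joe authenticated via 192.0.2.10'})
    print(demo("blocked"))  # (False, {})
```

Because the script sees the whole request as environment variables, nothing user-controlled has to be interpolated into the command line; keep the radgroupreply value a bare path, as in the question, rather than appending %{User-Name} to it.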


Re: Error EAP

2008-03-18 Thread Ivan Kalik
You have broken eap.conf. Go back to the default and try again. Read
instructions in the file first and *don't* delete anything you are not
certain about.

Ivan Kalik
Kalik Informatika ISP


Dana 17/3/2008, Gustavo Chavelas [EMAIL PROTECTED] piše:

Hi to all.



I'm installing freeradius-server-2.0.2.tar.gz; I configured it, but when I try
to start radiusd -X, I get an error:

rlm_eap: No such sub-type for default EAP type peap

/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap

/usr/local/etc/raddb/radiusd.conf[1944]: Failed to find module eap.

/usr/local/etc/raddb/radiusd.conf[1891]: Errors parsing authenticate
section.

}

}

Errors initializing modules



I'm searching for a way to solve this error; does anyone have any suggestions?



Saludos cordiales,




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius + openldap + 802.1x - Solved....

2008-03-18 Thread Ivan Kalik
But now... I would like to know if there is any way to check the
group that the user is in.

I would like to configure to accept all users from the group Users.


Regardless of the passwords?


How can i do it?


DEFAULT   Ldap-Group == Users, Auth-Type := Accept

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Help me with proxying certain packets

2008-03-18 Thread Dmytro O. Redchuk
On Tue, Mar 18, 2008 at 02:36:25AM +0100, Alan DeKok wrote:
 Dmytro O. Redchuk wrote:
 So, when some conditions occur, i need freeradius to proxy such a
 request to first, specific destination (not default one).
 
   That should be relatively easy.

I have got a working config for authorization like this:

-- radiusd.conf: -
modules {
...
files files_default {
# ... as default -- acct_users etc
}

files files_specific {
# ... acct_users.specific etc
}

# this python module sets Autz-Type to Specific
# if some conditions occur:
python my_py_specific {
# ...
}
...
}

authorize {
preprocess

my_py_specific

files_default

Autz-Type Specific {
files_specific
}
}
--

-- users: 
DEFAULT Called-Station-Id == KLMNOPQ, Proxy-To-Realm := specific
DEFAULT Proxy-To-Realm := DEFAULT
--

-- users.specific: ---
DEFAULT Proxy-To-Realm := specific
--

This works for authorization, but I could not get it working for
accounting, I don't know why.
(pre-acct {my_py_specific} and then Acct-Type in accounting {...},
right?)


But my question now is: is this the right way? How could I do this better?


 I have FreeRADIUS 1.1.7 with rlm_python.
 
   I suggest upgrading to 2.0.3.  It has a large number of bugs fixed
 over 1.1.7, and is generally compatible with the 1.1.7 configuration files.
I tried to rebuild and will try (and possibly ask), of course. I have to use
rpm builds only on that server.

Thank you.
 
   Alan DeKok.

-- 
 Dmytro O. Redchuk
 (+380) 44 2474832
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread sanjeev.kumarroy
Hi,
I am using the following configuration:

O/S: rhel4_u5_i386
Freeradius 1.1.7 
Client to test: NTRadPing 1.5

Steps undertaken:

- Installed a fresh system with rhel4_u5_i386
- Build and compile freeradius 1.1.7 on it.
- Update the clients.conf file to add the client entries for the machine
that uses NTRadPing 1.5 (IP of the client machine and the shared secret)
- Start the radiusd daemon in debug mode (radiusd -X)
- Now generate a simple PAP authentication request using NTRadPing.
(Port is 1812, also provide the shared secret correctly). The
authentication passes successfully as it should. Now give a junk secret
key in the NTRadPing utility. The access is rejected.
- However when the same cases are tried for CHAP we can see the
difference. In the first case the authentication is successful; however
when we give a junk shared secret the authentication should ideally have
been rejected. However the authentication passes successfully.
NOTE: I tried the same for MSCHAPv1 and MSCHAPv2 authentication using
VPN client. There I can see clearly that the access is not granted to
the VPN client. However when we look at the radius logs it can be seen
that the Authentication requests responds with a Successful message.

Any help or info in this regard would be highly appreciated.
Thanks.

The information contained in this electronic message and any attachments to 
this message are intended for the exclusive use of the addressee(s) and may 
contain proprietary, confidential or privileged information. If you are not the 
intended recipient, you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately and destroy all copies of this message and 
any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email.

www.wipro.com


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

Hi,
I am using the following configuration:

O/S: rhel4_u5_i386
Freeradius 1.1.7 
Client to test: NTRadPing 1.5


Steps undertaken:

- Installed a fresh system with rhel4_u5_i386
- Build and compile freeradius 1.1.7 on it.
- Update the clients.conf file to add the client entries for the machine
that uses NTRadPing 1.5 (IP of the client machine and the shared secret)
- Start the radiusd daemon in debug mode (radiusd -X)
- Now generate a simple PAP authentication request using NTRadPing.
(Port is 1812, also provide the shared secret correctly). The
authentication passes successfully as it should. Now give a junk secret
key in the NTRadPing utility. The access is rejected.
- However when the same cases are tried for CHAP we can see the
difference. In the first case the authentication is successful; however
when we give a junk shared secret the authentication should ideally have
been rejected. However the authentication passes successfully.
NOTE: I tried the same for MSCHAPv1 and MSCHAPv2 authentication using
VPN client. There I can see clearly that the access is not granted to
the VPN client. However when we look at the radius logs it can be seen
that the Authentication requests responds with a Successful message.

Any help or info in this regard would be highly appreciated.


Only certain radius AVPs are encrypted with the shared secret:

fgrep encrypt /usr/share/freeradius/dictionary*

User-Password is one, so PAP fails if the shared secret is wrong. The 
CHAP attributes are not, so the request succeeds. The MS-CHAP-MPPE-Keys 
or MS-MPPE-Send-Key/MS-MPPE-Recv-Key reply attributes are encrypted, so 
MS-CHAP will fail.


Many recent radius clients support the Message-Authenticator attribute, 
which is a signature over the entire packet's AVPs, keyed with the 
shared secret. This will cause incorrect shared secrets to reject an 
entire packet. See section 3.2 of RFC3579.


If your NAS supplies Message-Authenticator, you could refuse packets 
without one:


DEFAULT Message-Authenticator !* ANY, Auth-Type := Reject


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 - However when the same cases are tried for CHAP we can see the
 difference. In the first case the authentication is successful; however
 when we give a junk shared secret the authentication should ideally have
 been rejected.

  The key word is ideally.  RADIUS isn't ideal.

  This weakness has been known for over 10 years in RADIUS.  All RADIUS
servers are vulnerable to this issue.  It isn't news.

  RFC 5080 (of which I am co-author) suggests that all RADIUS clients
add a Message-Authenticator to the Access-Request.  This additionally
enables the RADIUS server to catch the case of an incorrect shared secret.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Error EAP

2008-03-18 Thread Stefan Winter
Hi,

 rlm_eap: No such sub-type for default EAP type peap

looks like you didn't configure the peap { } stanza in eap.conf, but listed 
peap as the default eap-type near the beginning of the eap.conf file. That is 
quite an obvious contradiction; you should fix that.

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473


signature.asc
Description: This is a digitally signed message part.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
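An added example, not code from the thread and not from rlm_eap, that turns Stefan's diagnosis into a check you can run against an eap.conf before starting radiusd: parse the brace-delimited sections with a deliberately simplified parser, then confirm that default_eap_type names a sub-section that actually exists, that peap/ttls have the tls { } section they are built on, and that a tunnel's inner default_eap_type is configured as well. The two eap.conf fragments are constructed; the first reproduces the "No such sub-type for default EAP type peap" error quoted above, the second is the consistent form.

```python
import re

# Constructed eap.conf fragments.  BROKEN names peap as the default type but
# has no peap { } stanza; FIXED adds the stanza and the inner type it needs.
BROKEN = """
eap {
    default_eap_type = peap
    md5 {
    }
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
    }
}
"""

FIXED = """
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""


def parse(text):
    """Parse 'name { ... }' nesting and 'key = value' lines into nested dicts.

    Much simpler than the server's own parser on purpose: one item per line,
    '#' starts a comment, and braces only open a section when the line is
    'name {'.
    """
    root, stack, current = {}, [], {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"^([\w.-]+)\s*\{$", line)
        if opened:
            child = {}
            current[opened.group(1)] = child
            stack.append(current)
            current = child
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    if stack:
        raise ValueError("unclosed section")
    return root


def check_eap(conf):
    """Return the inconsistencies rlm_eap would refuse to start with."""
    problems = []
    eap = conf.get("eap", {})
    types = {k for k, v in eap.items() if isinstance(v, dict)}
    default = eap.get("default_eap_type")
    if default and default not in types:
        problems.append("No such sub-type for default EAP type %s" % default)
    for tunnel in ("peap", "ttls"):
        if tunnel in types:
            if "tls" not in types:
                problems.append("%s needs the tls { } section" % tunnel)
            inner = eap[tunnel].get("default_eap_type")
            if inner and inner not in types:
                problems.append("%s: inner default_eap_type %s is not configured"
                                % (tunnel, inner))
    return problems


def demo():
    """Problems found in the broken and in the fixed fragment."""
    return check_eap(parse(BROKEN)), check_eap(parse(FIXED))


if __name__ == "__main__":
    print(demo())  # (['No such sub-type for default EAP type peap'], [])
```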

Re: incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread Alan DeKok
Phil Mayers wrote:
 If your NAS supply Message-Authenticator, you could refuse packets
 without one:

  Edit the client section and set require_message_authenticator = yes.

  The recommendations of RFC 5080 have been implemented in FreeRADIUS.
Sometimes years before any other RADIUS server.

  Apparently Radiator didn't do duplicate detection until RFC 5080...
see their changelog for the 4.x series.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
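An added example, not code from the thread and not FreeRADIUS's own implementation, that reproduces in a few dozen lines what Phil Mayers and Alan DeKok describe above: User-Password is hidden with an MD5 stream keyed by the shared secret (RFC 2865 section 5.2), so a NAS with the wrong secret produces a password that decrypts to junk and the PAP check fails; CHAP-Password is MD5(ident, password, challenge) with no secret involved, so the same wrong secret goes unnoticed; and Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the secret (RFC 2869 section 5.14, RFC 3579 section 3.2), which lets the server detect the mismatch regardless of the authentication method, the RFC 5080 recommendation. The packet encoder is minimal (no vendor attributes, no reply handling), the NAS and server secrets and the user are constructed values, and the require_ma flag stands in for the require_message_authenticator = yes client setting.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
CHAP_CHALLENGE, MESSAGE_AUTHENTICATOR = 60, 80

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    block); the first block uses MD5(secret + Request Authenticator)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password.  A wrong secret does not fail; it yields junk bytes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\0")

def chap_response(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge).
    The shared secret is not an input, which is why a wrong secret goes unnoticed."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def message_authenticator(packet, secret):
    """RFC 2869 5.14 / RFC 3579 3.2: HMAC-MD5 keyed with the shared secret over the
    whole Access-Request with the Message-Authenticator value set to 16 zero bytes."""
    code, ident, auth, attrs = decode(packet)
    zeroed = [(t, b"\0" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, encode(code, ident, auth, zeroed), hashlib.md5).digest()

def build_request(secret, user, password, method, with_ma=True, ident=1):
    """NAS side: Access-Request carrying PAP (User-Password) or CHAP credentials."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, user)]
    if method == "pap":
        attrs.append((USER_PASSWORD, hide_password(password, secret, ra)))
    else:
        challenge = os.urandom(16)
        attrs += [(CHAP_CHALLENGE, challenge), (CHAP_PASSWORD, chap_response(7, password, challenge))]
    if not with_ma:
        return encode(ACCESS_REQUEST, ident, ra, attrs)
    attrs.append((MESSAGE_AUTHENTICATOR, b"\0" * 16))
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(encode(ACCESS_REQUEST, ident, ra, attrs), secret))
    return encode(ACCESS_REQUEST, ident, ra, attrs)

def server_check(packet, secret, known_password, require_ma=False):
    """Server side: (accepted, reason).  require_ma models require_message_authenticator = yes."""
    _, _, ra, attrs = decode(packet)
    a = dict(attrs)
    ma = a.get(MESSAGE_AUTHENTICATOR)
    if ma is None and require_ma:
        return False, "dropped: no Message-Authenticator"
    if ma is not None and not hmac.compare_digest(ma, message_authenticator(packet, secret)):
        return False, "dropped: bad Message-Authenticator (shared secret mismatch?)"
    if USER_PASSWORD in a:
        pw = reveal_password(a[USER_PASSWORD], secret, ra)
        if pw == known_password:
            return True, "PAP ok"
        hint = "" if all(32 <= c < 127 for c in pw) else " (unprintable characters: check the shared secret)"
        return False, "PAP reject" + hint
    if CHAP_PASSWORD in a:
        resp = a[CHAP_PASSWORD]
        ok = hmac.compare_digest(resp, chap_response(resp[0], known_password, a.get(CHAP_CHALLENGE, ra)))
        return ok, ("CHAP ok" if ok else "CHAP reject")
    return False, "no credentials"

def demo():
    """A NAS configured with the wrong secret talking to a server holding the right one."""
    server, nas_wrong, pw = b"testing123", b"wrongsecret", b"s3cret"
    return {
        "pap_wrong_secret": server_check(build_request(nas_wrong, b"joe", pw, "pap", with_ma=False), server, pw)[0],
        "chap_wrong_secret": server_check(build_request(nas_wrong, b"joe", pw, "chap", with_ma=False), server, pw)[0],
        "chap_wrong_secret_with_ma": server_check(build_request(nas_wrong, b"joe", pw, "chap"), server, pw)[0],
        "chap_right_secret_no_ma_but_required": server_check(build_request(server, b"joe", pw, "chap", with_ma=False), server, pw, require_ma=True)[0],
        "chap_right_secret_with_ma": server_check(build_request(server, b"joe", pw, "chap"), server, pw)[0],
    }
```

Only chap_wrong_secret comes back True: with no secret in the CHAP computation and no Message-Authenticator on the packet, the server has nothing to check the secret against. The "unprintable characters" hint in the PAP branch mirrors the warning radiusd -X prints when a decrypted User-Password falls outside the printable range, the usual symptom of a secret mismatch on PAP. With require_message_authenticator = yes the server simply discards requests from that client that carry no Message-Authenticator, so a NAS that cannot send one will stop working; enable it per client only after confirming the NAS supports it.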


Re: FreeRadius 2.0.2

2008-03-18 Thread srdjan mish
OK, I solved problem I asked before...

But I have another... When I try to authorise with Chap-Password it selects a row 
from the MySQL table, and returns the cleartext-password in debug, the same as the 
one in the database, but radius says it is the wrong password...

Anyone have any clue... I put in my old configuration; it works fine on a 2.0.1 
radius server...

Please, help I need it ASAP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius 2.0.2

2008-03-18 Thread Ivan Kalik
Debug (radiusd -X).

Ivan Kalik
Kalik Informatika ISP


Dana 18/3/2008, srdjan mish [EMAIL PROTECTED] piše:

OK, I solved problem I asked before...

But I have another... When I try to authorise with Chap-Password it selects a 
row from the MySQL table, and returns the cleartext-password in debug, the same 
as the one in the database, but radius says it is the wrong password...

Anyone have any clue... I put in my old configuration; it works fine on a 2.0.1 
radius server...

Please, help I need it ASAP



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Problem Freeradius+Ipcop ProxyAdv with mysql

2008-03-18 Thread vabbè

Hi, excuse my English.

I use freeradius in this scenario:

- A server with Centos 4.6 + freeradius
- A pc with Ipcop firewall + Advanced Proxy for radius authentication
- A pc with Windows XP or Ubuntu with a browser configured for proxy
connection (ipcop ip)

If I use only freeradius without mysql everything works well, but if I use
freeradius with a mysql database, the browser authentication doesn't work.
Dialupadmin is ok, the mysql database is ok, but authentication fails.
I used a clear text password too, but the problem is not resolved.
This is the radiusd -x log when I try an access from the browser:

Starting - reading configuration files ...
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
Module: Instantiated sql (sql)
Module: Loaded Acct-Unique-Session-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
Module: Instantiated detail (detail)
Module: Loaded radutmp
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:32770, id=1, length=59
User-Name = user1
User-Password = user
NAS-Port = 111
NAS-IP-Address = 192.168.0.1
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql (sql): Released sql socket id: 4
Login incorrect: [utente1/utente] (from client ipcop port 111)
rad_recv: Access-Request packet from host 192.168.0.1:32770, id=1, length=59
Sending Access-Reject of id 1 to 192.168.0.1 port 32770

What is the problem??
Thank you very much.
-- 
View this message in context: 
http://www.nabble.com/Problem-Freeradius%2BIpcop-ProxyAdv-with-mysql-tp16122096p16122096.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread Phil Mayers

Alan DeKok wrote:

Phil Mayers wrote:

If your NAS supply Message-Authenticator, you could refuse packets
without one:


  Edit the client section and set require_message_authenticator = yes.


Ah thanks - I didn't know about that



  The recommendations of RFC 5080 have been implemented in FreeRADIUS.
Sometimes years before any other RADIUS server.

  Apparently Radiator didn't do duplicate detection until RFC 5080...
see their changelog for the 4.x series.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem Freeradius+Ipcop ProxyAdv with mysql

2008-03-18 Thread Ivan Kalik
This is radiusd -x log when I try an access from browser:

radiusd -X (capital x)

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem Freeradius+Ipcop ProxyAdv with mysql

2008-03-18 Thread Alan DeKok
vabbè wrote:
 This is radiusd -x log when I try an access from browser:

  Use radiusd -X.  The upper-case X is important, and is suggested
everywhere.

 What is the problem??

  Run radiusd -X.  It will tell you.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


libpam-radius-auth password problem

2008-03-18 Thread Fabio Pedretti

I am trying to configure a linux machine (Ubuntu 8.04 alpha, 32 bit) with 
radius authentication using libpam-radius-auth.
I installed freeradius-2.0.3 (from a self-built deb package) on the same machine 
and added this line at the top of the users file:

testuser  Cleartext-Password := testing

Then I installed
libpam-radius-auth 1.3.17-0ubuntu1
from the ubuntu repositories.

I added the radius entry in /etc/pam.d/sshd:

[...]
auth   required pam_env.so envfile=/etc/default/locale

auth   sufficient   pam_radius_auth.so debug

# Standard Un*x authentication.
@include common-auth
[...]

and this on pam_radius_auth.conf:
# server[:port] shared_secret  timeout (s)
127.0.0.1   testing123  1


When I try to authenticate with ssh into the machine I noticed that freeradius receives 
this password \010\n\r\177INCORRECT, which is not the one I typed.

This is the output of auth.log:

Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Got user name testuser
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Sending RADIUS request code 1
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: DEBUG: getservbyname(radius, 
udp) returned -1211761632.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: RADIUS server 127.0.0.1 
failed to respond
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: All RADIUS servers failed to 
respond.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: authentication failed
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): check pass; user unknown
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=fabio-mac.local
Mar 18 18:06:02 test sshd[2533]: Failed password for invalid user testuser from 
10.33.4.8 port 57680 ssh2



This is the output of freeradius -X

rad_recv: Access-Request packet from host 127.0.0.1 port 3558, id=65, length=93
User-Name = testuser
User-Password = \010\n\r\177INCORRECT
NAS-IP-Address = 127.0.1.1
NAS-Identifier = sshd
NAS-Port = 2533
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = fabio-mac.local
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry testuser at line 50
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password ?  INCORRECT
rlm_pap: Using clear text password testing
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): 
[testuser/\010\n\r\177INCORRECT] (from client localhost port 2533 cli 
fabio-mac.local)
  WARNING: Unprintable characters in the password.Double-check the 
shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 65 to 127.0.0.1 port 3558
Waking up in 4.9 seconds.
Cleaning up request 2 ID 65 with timestamp +135
Ready to process requests.

Testing with radtest works fine.
I noticed a similar problem some time ago, that seemed to be related to 64 bit 
machines:
http://lists.cistron.nl/pipermail/freeradius-users/2006-August/055877.html
However I am using a 32 bit machine on an updated system. Where could the 
problem be?

Thanks,
Fabio


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: libpam-radius-auth password problem

2008-03-18 Thread Alan DeKok
Fabio Pedretti wrote:
 When I try to authenticate with ssh into the machine I noticed that
 freeradius receive this password \010\n\r\177INCORRECT, that it's not
 the one I typed.

  That's a PAM problem.  There's little you can do to RADIUS to fix that.

  I suggest asking on a PAM list.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Unix group authentication

2008-03-18 Thread Shawn Storey
Hello,
I have compiled and installed FreeRADIUS 2.0.3 successfully on Debian (had to 
add a trailer to debian/changelog after the 2.0.3 section) and have set up 
EAP-TTLS for authenticating wireless users to UNIX accounts. What I would like 
to do is have FreeRADIUS check if the user is a member of the UNIX group 
wireless that I created and only allow members of that group to authenticate. 
Is this possible, and if so how? We are planning to migrate all of our servers 
to OpenLDAP in the summer, which we have tested successfully, but I was hoping 
to get FreeRADIUS to do this in the meantime.

Thanks

   
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem Freeradius+Ipcop ProxyAdv with mysql

2008-03-18 Thread vabbè

Ok, thank you for reply. 
This is the log of radiusd -X  
http://www.nabble.com/file/p16128173/radius.txt radius.txt 

-- 
View this message in context: 
http://www.nabble.com/Problem-Freeradius%2BIpcop-ProxyAdv-with-mysql-tp16122096p16128173.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problem Freeradius+Ipcop ProxyAdv with mysql

2008-03-18 Thread Ivan Kalik
1. There is quite a clear warning in the debug.

2. Comment out the entry in users file setting Auth-Type System if you
are not using it.

Ivan Kalik
Kalik Informatika ISP


Dana 18/3/2008, vabbè [EMAIL PROTECTED] piše:


Ok, thank you for reply.
This is the log of radiusd -X
http://www.nabble.com/file/p16128173/radius.txt radius.txt

--
View this message in context: 
http://www.nabble.com/Problem-Freeradius%2BIpcop-ProxyAdv-with-mysql-tp16122096p16128173.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Unix group authentication

2008-03-18 Thread Alan DeKok
Shawn Storey wrote:
 I have compiled and installed successfully FreeRADIUS2.0.3 on Debian
 (had to add a trailer to debian/changelog after the 2.0.3 section) and
 have setup EAP-TTLS for authenticating wireless users to UNIX accounts.
 What I would like to do is have FreeRADIUS check if the user is a member
 of the UNIX group wireless that I created and only allow members of
 that group to authenticate. Is this possible, and if so how?

  Something similar is in the FAQ.  Put this at the top of the users file:

DEFAULT Group != Wireless, Auth-Type := Reject

  That's it.

 We are
 planning to migrate all of our servers to OpenLDAP in the summer, which
 we have tested successfully, but I was hoping to get FreeRADIUS to do
 this in the meantime.

  You can't ask for much better than a 1-line change to a configuration
file.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
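An added example, not code from the thread and not from rlm_unix, showing what the one-line users entry above decides and how rlm_unix's Group comparison establishes membership: the user's primary group from the passwd entry counts, and so does the member list from the group entry, and both lookups are case-sensitive, so the group name written in the users file has to match /etc/group exactly (note the wireless/Wireless spelling in the exchange above). The passwd and group records are constructed stand-ins so the check runs without touching the real system databases; the lookup functions default to Python's pwd and grp modules for real use.

```python
import grp
import pwd
from collections import namedtuple


def in_unix_group(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """True if user belongs to group, the way rlm_unix's Group check decides it:
    the primary gid from the passwd entry counts, and so does the member list
    in the group entry.  Both lookups are case-sensitive, exactly like the
    names in /etc/passwd and /etc/group.  The lookup functions are parameters
    so the check can be exercised against constructed data."""
    try:
        pw = getpwnam(user)
        gr = getgrnam(group)
    except KeyError:            # unknown user or unknown group
        return False
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


def users_decision(user, group, **lookups):
    """Outcome of the users entry `DEFAULT Group != wireless, Auth-Type := Reject`:
    non-members get Auth-Type := Reject, members fall through to the rest of the
    users file (and on to EAP-TTLS)."""
    return "continue" if in_unix_group(user, group, **lookups) else "Reject"


# Constructed stand-ins for /etc/passwd and /etc/group.
FakePw = namedtuple("FakePw", "pw_name pw_gid")
FakeGr = namedtuple("FakeGr", "gr_name gr_gid gr_mem")
PASSWD = {"alice": FakePw("alice", 1000),
          "bob": FakePw("bob", 2000),
          "carol": FakePw("carol", 1002)}
GROUPS = {"wireless": FakeGr("wireless", 2000, ["alice"])}
FAKE = dict(getpwnam=lambda u: PASSWD[u], getgrnam=lambda g: GROUPS[g])


def demo():
    """Decisions for the constructed accounts."""
    return {
        "alice": users_decision("alice", "wireless", **FAKE),            # listed member
        "bob": users_decision("bob", "wireless", **FAKE),                # primary gid 2000
        "carol": users_decision("carol", "wireless", **FAKE),            # not a member
        "mallory": users_decision("mallory", "wireless", **FAKE),        # no such user
        "alice/Wireless": users_decision("alice", "Wireless", **FAKE),   # case mismatch
    }


if __name__ == "__main__":
    print(demo())
```

The last entry is the caveat: with a group name that does not exist in /etc/group, the comparison fails for everyone and the entry rejects every user, which shows up in radiusd -X as a Reject at the top of the users file.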


Re: virtual server configuration

2008-03-18 Thread usawebbox
I'm using FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built
on Feb 14 2008 at 15:20:55

I got back to testing allowing only PEAP-GTC on one virtual server. I
used the included self-signed certs this time, but as I suspected, the
results were the same whenever I comment out CA_file:

 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/raddb/certs/server.key
certificate_file = /etc/raddb/certs/server-ca.pem
private_key_password = whatever
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
   }
rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap_tls: Error reading Trusted root CA list (null)
rlm_eap: Failed to initialize type tls

I think we might be trying the wrong thing. Although the comments
together say:

#  If CA_file (below) is not used, then the
#  certificate_file below MUST include not
#  only the server certificate, but ALSO all
#  of the CA certificates used to sign the
#  server certificate.
certificate_file = ${certdir}/wifiserver.pem

#  This parameter is used only for EAP-TLS,
#  when you issue client certificates.  If you do
#  not use client certificates, and you do not want
#  to permit EAP-TLS authentication, then delete
#  this configuration item.
#CA_file = ${cadir}/wifiserver.pem

The first comment might be giving you just another place to provide your
CA cert, whereas the second comment clearly talks about not permitting
EAP-TLS. I say this, because I don't see why the CA would be required at
all if EAP-TLS will be denied. All you need is a server cert and private
key. In PEAP, the client is the one who needs the CA cert, if he wants
to verify the server cert, but even that is optional.

Anyway, can we say now that not providing a CA_file doesn't work?

If there's something else I should test, just mention it.

Thanks.


On Thu, 13 Mar 2008 11:58:48 +0100, Alan DeKok
[EMAIL PROTECTED] said:
 [EMAIL PROTECTED] wrote:
  Except that my server cert does contain a CA cert. I'm not 100% sure
  it's sufficient, because it was issued from an intermediate CA (it needs
  to be the signer(s) not the issuer, right?), so I went to another CA got
  a webserver cert in pem format directly from the root. Downloaded the
  root CA cert in pem format and appended them same error:
 
   You generally want to use self-signed certs for 802.1x.  See
 raddb/certs/README
 
  Do we know this mode is working (No CA_File, but certificate file with
  server cert + ca cert)? In any case, I'd be willing to experiment more.
 
   It should work in 2.0.2.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
-- 
  
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - I mean, what is it about a decent email service?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: incorrect shared secret entry authenticates successfully for freerradius

2008-03-18 Thread sanjeev.kumarroy
Hi Phil,
Do you mean the clients.conf file? I don't see
require_message_authenticator there. If it is some other file then
please let me know the details. I am a new user so not much aware of the
configuration files.

Thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: Tuesday, March 18, 2008 10:25 PM
To: FreeRadius users mailing list
Subject: Re: incorrect shared secret entry authenticates successfully
for freerradius

Alan DeKok wrote:
 Phil Mayers wrote:
 If your NAS supply Message-Authenticator, you could refuse packets
 without one:
 
   Edit the client section and set require_message_authenticator = yes.

Ah thanks - I didn't know about that

 
   The recommendations of RFC 5080 have been implemented in FreeRADIUS.
 Sometimes years before any other RADIUS server.
 
   Apparently Radiator didn't do duplicate detection until RFC 5080...
 see their changelog for the 4.x series.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html