Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,
> Hi, I have problems again with authentication; I am trying to use
> FreeRADIUS and Cisco 802.1X.
> Windows reports an authentication error.
> This is my users file:
> 
>    Cleartext-Password := "Pl"
>Service-Type = NAS-Prompt-User,
>cisco-avpair = "shell:priv-lvl=15"
> 
> yyy User-Password == ""
> 
> DEFAULT Auth-Type := Reject

Is this for users to log into the admin interface of
the switch, or are you trying to configure the switch
such that end users need to 802.1X to get a network via
a switchport access interface on the switch?

If it's the former, then read the Cisco 802.1X docs
to ensure your IOS is configured properly; don't quote
some random old 3rd-party URL.

If it's the latter, then cleartext passwords don't work with PEAP;
you need to use NT hashes.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dot1x on cisco 3560

2008-04-25 Thread Omar Lopez Limonta
On Fri, Apr 25, 2008 at 9:15 AM,  <[EMAIL PROTECTED]> wrote:

>
>  this is for users to log into the admin interface of
>  the switch - or are you trying to configure the switch
>  such that end users need to 802.1X to get a network via
>  a switchport access interface on the switch?

I'm trying to configure a switchport access interface on the switch.

>  if its the former, then read the cisco 802.1X docs
>  to ensure your IOS is configured properly. dont quote
>  some random old 3rd party URL

I think it is properly configured; I also followed
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swauthen.html#wp1020691

And I think the problem is in the RADIUS users file.

>  if it the latter then clear text passwords dont work with PEAP
>  you need to use NT-hashes

I am using MD5 challenge on Windows authentication; do I need to put the NT hash in the
users file?

Does anyone have 802.1X configured with FreeRADIUS?

-- 
Xgalaga se disfruta más sobre NetBSD sparc64

Content Rules:

 /
 \\\///
 ///\\\ The Duke of Url.
 { O--O }
 / /\ \
 \ -- /
 [||]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,

> I am using MD5 challenge on Windows authentication; do I need to put the NT hash in the
> users file?
> 
> Does anyone have 802.1X configured with FreeRADIUS?

Yes - 2,000 edge ports and 360 APs, dealing with 2,100
concurrent users.

How are you doing MD5 challenge on Windows authentication, with a 3rd-party
supplicant?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,

>    Cleartext-Password := "Pl"
>Service-Type = NAS-Prompt-User,
>cisco-avpair = "shell:priv-lvl=15"
 ^

this sort of stuff is for admin access to the switch

> Sending Access-Challenge of id 60 to 172.29.11.1:21645
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77
> Message-Authenticator = 0x
> State = 0xb307e1b51eedc6cc895b65e64bcd34a3
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, length=123
> Sending duplicate reply to client authenticator-short-name:21645 - ID: 60
> Re-sending Access-Challenge of id 60 to 172.29.11.1:21645

Lots of these. Looks like FR is sending challenges but the switch is not
responding. What does your IOS config look like? If you 'debug aaa' on the switch,
can you see stuff happening at all?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dot1x on cisco 3560

2008-04-25 Thread Omar Lopez Limonta
On Fri, Apr 25, 2008 at 9:45 AM,  <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
>  > I am using MD5 challenge on Windows authentication; do I need to put the NT hash in the
>  > users file?
>  >
>  > Does anyone have 802.1X configured with FreeRADIUS?
>
>  yes - 2,000 edge ports and 360 APs. dealing with 2,100
>  concurrent users.
>
>  How are you doing MD5 challenge on Windows authentication, with a 3rd-party
>  supplicant?

I'm using the Windows XP SP2 supplicant.
Are you using certificates? or MD5 challenge ?

I think that you are using LDAP or MySQL to manage your users.
What do you have in your users file?
Thanks again :).
-- 
Xgalaga se disfruta más sobre NetBSD sparc64


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,

Ignore my question about MD5 - too early in the day ;-)  Yes,
the standard Windows OS supplicant will do MD5 on the wired as an EAP type,
though why you'd use MD5 is beyond me as it's totally broken ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
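The EAP-Message quoted earlier in this thread (0x010300160410245db5b7205b11398ead15f567f6ed77) is an EAP-MD5 Request, and decoding it shows concretely what "totally broken" means: the supplicant answers with MD5(Identifier || Password || Challenge), so anyone who captures one challenge/response pair on the wire can test passwords offline at the cost of one MD5 each, and EAP-MD5 exports no keying material at all. The following is an added example, not code from the thread or from FreeRADIUS; the response it recovers is constructed from the password "Pl" shown in the users file above, and the word list is made up.

```python
import hashlib
import struct

# EAP codes (RFC 3748) and the MD5-Challenge method type
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# EAP-Message exactly as it appears in the FreeRADIUS debug output in this thread
EAP_MESSAGE_HEX = "0x010300160410245db5b7205b11398ead15f567f6ed77"


def parse_eap_md5(hex_msg):
    """Decode an EAP packet carrying an MD5-Challenge.

    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name.
    Raises ValueError for anything that is not a well-formed MD5-Challenge.
    """
    raw = bytes.fromhex(hex_msg[2:] if hex_msg.lower().startswith("0x") else hex_msg)
    if len(raw) < 6:
        raise ValueError("too short for an EAP MD5-Challenge")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("unexpected EAP code %d" % code)
    if length != len(raw):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    eap_type, value_size = raw[4], raw[5]
    if eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("EAP type %d is not MD5-Challenge" % eap_type)
    if 6 + value_size > length:
        raise ValueError("Value-Size runs past the end of the packet")
    return {
        "code": code,
        "identifier": ident,
        "length": length,
        "value": raw[6:6 + value_size],   # the 16-byte challenge (or response)
        "name": raw[6 + value_size:],     # optional peer/server name
    }


def md5_response(identifier, password, challenge):
    """EAP-MD5 reuses CHAP: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def crack_eap_md5(identifier, challenge, response, wordlist):
    """Offline dictionary attack against one captured challenge/response pair.
    No further interaction with the switch or the supplicant is needed."""
    for candidate in wordlist:
        if md5_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    req = parse_eap_md5(EAP_MESSAGE_HEX)
    print("EAP code=%d id=%d challenge=%s" % (req["code"], req["identifier"], req["value"].hex()))
    # Constructed: the response the supplicant would send for the password "Pl"
    resp = md5_response(req["identifier"], b"Pl", req["value"])
    print("recovered:", crack_eap_md5(req["identifier"], req["value"], resp, [b"secret", b"Pl"]))
```

The Identifier byte (3 here) is part of the hash input, so a captured pair must be replayed with the Identifier from the same exchange; beyond that there is nothing to rate-limit the attacker, which is the practical reason to prefer a TLS-tunnelled method such as PEAP even on wired ports.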


Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,

> Are you using certificates? or MD5 challenge ?

PEAPv0/EAP-MSCHAPv2

> I think that you are using LDAP or MySQL to manage your users.

thanks for guessing. but no, we use Active Directory with ntlm_auth

> What do you have in your users files.

Very, very little.  And at this point in time your users file
is almost useless because FreeRADIUS is not getting any
responses from the switch. What's your IOS config?  Do you have the
'pap' module enabled too? That deals with Cleartext-Password
conversions.  Heck, why not break all and set your users
config to MD5-Password == "blah"?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Event-Timestamp

2008-04-25 Thread Arran Cudbard-Bell

Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> * In the default SQL accounting schemas %S is used over the
>> Event-Timestamp attribute included in the accounting packet. I guess
>> this is because of the potential drift between NAS, and it makes
>> correlation easier. Is this the real reason or is it just an omission ?
>
>   Many NASes have broken clocks.  Many, many, have broken clocks.
>
>> * RFC 2869 Specifies the format of Event-Timestamp to be number of
>> seconds since the Unix Epoch. Yet FR prints it as Event-Timestamp =
>> "Apr 24 2008 20:06:52 BST". Is this FR's interpretation of the integer
>> timestamp as a date string or is the NAS sending the timestamp as a string?
>
>   It's being *printed* as a string.  The contents of it in the packets
> are always 32-bit integers.

Ok, and it's expanded to the string form with the double quotation marks?
Why?

>   It may be worth adding some logic to the server to double-check for
> "bad" Event-Timestamps...
>
>> * In accounting detail packets, a timestamp attribute is included. But I
>> can't figure out how to access it as an attribute when the detail
>> entries are read back into the server. Any ideas how to ?
>
>   Hmm... you can't.  It may be useful to add it as something like
> Packet-Original-Timestamp, to distinguish it from Event-Timestamp.
>
>   That's not hard to do.

Indeed, I did something in unlang, but it'd be nice to have it in the
server core. Then I can update the SQL queries with
%{%{Packet-Original-Timestamp}:-%S} and it should all just work.

>> It would be
>> better to use this in accounting queries than %S and there will be a
>> delay between the packet arriving and the packet being inserted into the
>> SQL db.
>
>   Yes.  But the server adds Acct-Delay-Time to the accounting packet,
> with exactly that time difference.

Hmmm, the Acct Start Time and Acct Stop Time are written as the packet
is inserted into the database... are you saying if I subtracted
Acct-Delay-Time from %S I'd get the equivalent to Packet-Original-Timestamp?

Another thing I noticed recently: for file-based buffers the server
takes the detail file, moves it to detail.work, processes all entries in
the work file, then repeats the process.

On one of our servers I made a typo when recreating the symbolic link to
start the detail-reading server. I didn't notice the error for a number
of days, by which time the detail file was ~400 MB. Our servers are
restarted nightly and the rate of inserts is so slow that the server
can't get through 400 MB of detail file in under 24 hrs. So when it's
restarted the whole process starts again.

It's not a huge problem, as accounting data isn't massively important to
us, but possibly putting an upper limit on the .work file might be useful.

Arran

>   But I see what you mean...
>
>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
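The timestamp arithmetic discussed above, as an added example (not code from FreeRADIUS or from either poster): the proposed Packet-Original-Timestamp is simply the receive time minus Acct-Delay-Time, and the NAS-supplied Event-Timestamp is worth using only when it agrees with that within some tolerance, since, as Alan says, many NASes have broken clocks. The 300-second tolerance and the function names are assumptions; the sample values are constructed, and 1209064012 is the thread's "Apr 24 2008 20:06:52 BST" expressed in UTC.

```python
import datetime

# Assumed tolerance for NAS clock drift when deciding whether to trust Event-Timestamp
MAX_SKEW_SECONDS = 300


def original_packet_time(received_at, acct_delay_time=0):
    """Server-derived send time of the packet: the time it was received minus
    Acct-Delay-Time, which the NAS updates on each retransmit (RFC 2866).
    This is what a Packet-Original-Timestamp attribute would carry."""
    return received_at - acct_delay_time


def best_event_time(received_at, acct_delay_time=0, event_timestamp=None,
                    max_skew=MAX_SKEW_SECONDS):
    """Choose the timestamp to store for an accounting row.

    Like the thread's %{%{Packet-Original-Timestamp}:-%S} fallback, but with
    the sanity check Alan mentions: the NAS-supplied Event-Timestamp is used
    only when it is within max_skew of the server-derived time; otherwise the
    NAS clock is treated as broken.  Returns (epoch_seconds, source).
    """
    server_time = original_packet_time(received_at, acct_delay_time)
    if event_timestamp is not None and abs(event_timestamp - server_time) <= max_skew:
        return event_timestamp, "event"
    return server_time, "server"


def format_radius_date(epoch):
    """The on-the-wire value is a 32-bit integer; this is the kind of string
    FreeRADIUS prints for a 'date' attribute (rendered in UTC here)."""
    return datetime.datetime.fromtimestamp(
        epoch, datetime.timezone.utc).strftime("%b %d %Y %H:%M:%S UTC")


if __name__ == "__main__":
    # Constructed values: a Stop record delivered 30 s after the NAS first sent it
    received = 1209064042
    for ev in (1209064010, 1177528012, None):   # sane clock, clock a year slow, absent
        print(ev, "->", best_event_time(received, 30, ev))
    print(format_radius_date(original_packet_time(received, 30)))
```

The "source" field is deliberately returned alongside the value: logging how often the server had to fall back tells you which NASes have clocks worth fixing, and a run of "event" values that drift steadily from "server" ones is a NAS with no NTP.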


Key problem

2008-04-25 Thread xiningtom_1986
 
 
 
Hello! I added a new EAP type and I know that there is a session key that needs
to be sent to the client through the AP. Do you know how to generate the
key? Where should I add the code, in rlm_eap.c or rlm_eap_XXX? Thank you!

Xiningtom_1986
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Dot1x on cisco 3560

2008-04-25 Thread Omar Lopez Limonta
On Fri, Apr 25, 2008 at 9:51 AM,  <[EMAIL PROTECTED]> wrote:
> Hi,
>
>
>  >    Cleartext-Password := "Pl"
>  >Service-Type = NAS-Prompt-User,
>  >cisco-avpair = "shell:priv-lvl=15"
>  ^
>
>  this sort of stuff is for admin access to the switch
>
>
>  > Sending Access-Challenge of id 60 to 172.29.11.1:21645
>  > Framed-IP-Address = 255.255.255.254
>  > Framed-MTU = 576
>  > Service-Type = Framed-User
>  > EAP-Message = 0x010300160410245db5b7205b11398ead15f567f6ed77
>  > Message-Authenticator = 0x
>  > State = 0xb307e1b51eedc6cc895b65e64bcd34a3
>  > Finished request 0
>  > Going to the next request
>  > --- Walking the entire request list ---
>  > Waking up in 6 seconds...
>  > rad_recv: Access-Request packet from host 172.29.11.1:21645, id=60, 
> length=123
>  > Sending duplicate reply to client authenticator-short-name:21645 - ID: 60
>  > Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
>
>  Lots of these. Looks like FR is sending challenges but the switch is not
>  responding. What does your IOS config look like? If you 'debug aaa' on the
>  switch, can you see stuff happening at all?

Mmmm, this is curious:
04-25-2008 10:27:16   Local7.Warning 172.29.11.1
  67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS
server 172.29.11.7:1812,1813 has returned.
04-25-2008 10:27:16   Local7.Warning 172.29.11.1
  67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS
server 172.29.11.7:1812,1813 is not responding.
Using debug in AAA on my switch.

I have this radius settings on my cisco switch:

#sh run | include radius
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
radius-server key mecago
#

Could any other line be necessary?

I'm using MD5 challenge because I'm testing and I don't want to deploy
certificates or a certificate server.
Are you using MS Certificate Server with FR?

-- 
Xgalaga se disfruta más sobre NetBSD sparc64


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Key problem

2008-04-25 Thread Alan DeKok
xiningtom_1986 wrote:
>  Hello! I added a new EAP type and I know that there is a session key
> that needs to be sent to the client through the AP. Do you know how to
> generate the key? Where should I add the code, in rlm_eap.c or
> rlm_eap_XXX? Thank you!

  In the new EAP type.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dot1x on cisco 3560

2008-04-25 Thread A . L . M . Buxey
Hi,

> Mmmm is curious:
> 04-25-2008 10:27:16   Local7.Warning 172.29.11.1
>   67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS
> server 172.29.11.7:1812,1813 has returned.
> 04-25-2008 10:27:16   Local7.Warning 172.29.11.1
>   67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS
> server 172.29.11.7:1812,1813 is not responding.
> Using debug in AAA on my switch.
> 
> I have this radius settings on my cisco switch:
> 
> #sh run | include radius
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
> radius-server key mecago

Very sparse... what about e.g.

radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 10
radius-server vsa send authentication

What do you have on the edge port for RADIUS? e.g. timeouts...

interface TenGigabitEthernet0/1
 dot1x pae authenticator
 dot1x port-control auto 
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 1
 dot1x timeout reauth-period server
 dot1x timeout supp-timeout 1
 dot1x timeout server-timeout 5
 dot1x max-req 3
 dot1x max-reauth-req 1
 dot1x guest-vlan XXX
 dot1x reauthentication 
 dot1x auth-fail vlan XXX

!

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Need to check Freeradius V1.1.4

2008-04-25 Thread Breuer Nicolas

 Dear all,

 I need to perform some changes in our post-auth process.

 We need to check a value in an SQL database.
 If the value = XX, I need to add a reply item.

 We already have links to the RADIUS database for ip-pool, but we
 need to connect to another database to achieve this.

 Do you have an idea?

 I didn't find any module to achieve this.

 Maybe I can modify the sqlippool module, but I need some help.

 I can create an SQL query in sqlippool.conf and connect
 in sqlippool.c like this:

 sqlippool_command(data->stop_begin, sqlsocket, instance, request,
  (char *) NULL, 0);

 But is it possible to directly connect to the database and the table
 in this sqlippool_command?
 Adding the sql_db after the sqlsocket?

 Any other ideas?

 Thanks

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need to check Freeradius V1.1.4

2008-04-25 Thread A . L . M . Buxey
Hi,
> 
>  Dear all,
> 
>  I need to perform some changes in our post-auth process.
> 
>  We need to check a value in a sql database.
>  If value = XX , i need to add a reply item.
>  
>  We already have links to the radius database for ip-pool but we 
>  need to connect to an other database to achieve this.
> 
>  Do you have an idea ? 
>  
>  I didn't find any modules to achieve this.
>  
>  Maybe i can modify the sqlippool module, but i need some help
>   
>  I can create a sql query in the sqlippool.conf and connect 
>  in the sqlippool.c
> 
> like this.
> >
>  sqlippool_command(data->stop_begin, sqlsocket, instance, request,
>   (char *) NULL, 0);
> >
> 
>  but is it possible to directly connect to the database and the table
>  in this sqlippool_command ?
>  adding the sql_db after the sqlsocket ?
> 
>  Any others ideas? 

Options.

1) Upgrade to 2.x and use unlang to do what you need in post-auth. Very nice,
very easy.

2) Create another database entry and use the post-auth feature
to do as you want. The other database can be talking to another
DB with no issues. For a while we had MySQL and PostgreSQL
both running at the same time; we called whichever one
we needed in the appropriate radiusd.conf (or sites-enabled/* files
for 2.x).

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
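Alan's two options in concrete form, as an added example that is not from the thread or from the FreeRADIUS distribution: a second rlm_sql instance pointed at the other database, and a 2.x post-auth section that adds the reply item only when the looked-up value is XX. The instance name sql_extra, the host, the credentials, the table account_flags, the column flag and the Filter-Id value are all assumptions.

```unlang
# Second rlm_sql instance, e.g. appended to sql.conf.  Everything below the
# instance name is placeholder configuration for this example.
sql sql_extra {
	database = "mysql"
	driver = "rlm_sql_${database}"
	server = "db2.example.org"
	login = "radius_ro"
	password = "replace-me"
	radius_db = "extras"
	num_sql_socks = 5
	# Only the %{sql_extra:...} xlat is used below; the stock query file is
	# enough to satisfy the module's configuration.
	$INCLUDE sql/${database}/dialup.conf
}

# radiusd.conf: a module that is only referenced from an xlat is not loaded
# by any section, so list it here.
instantiate {
	sql_extra
}

# sites-enabled/default: run the lookup after authentication succeeds and add
# the reply item only when the stored value is XX.  The xlat returns the first
# column of the first row, and rlm_sql escapes the expanded attributes before
# substituting them into the query.
post-auth {
	if ("%{sql_extra:SELECT flag FROM account_flags WHERE username = '%{User-Name}'}" == "XX") {
		update reply {
			Filter-Id := "flag-XX"
		}
	}
}
```

A read-only database login is deliberate: the query only ever reads, and a compromised RADIUS host should not be able to change the flags that drive its own authorisation decisions.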


RE: Dot1x on cisco 3560

2008-04-25 Thread Scott Armitage
I'd have something like:

radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key 

radius-server timeout 2
radius-server deadtime 1
radius-server vsa send authentication
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
 server 192.168.1.50 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group RADIUS-SERVERS
aaa accounting dot1x default start-stop group RADIUS-SERVERS
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
int fa0/1
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 5
 dot1x timeout server-timeout 5
 dot1x timeout reauth-period server
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 dot1x max-req 1
 dot1x max-reauth-req 1
 dot1x reauthentication
 dot1x guest-vlan 100
 dot1x auth-fail vlan 100



> -Original Message-
> From: freeradius-users-
> [EMAIL PROTECTED]
> [mailto:freeradius-users-
> [EMAIL PROTECTED] On Behalf Of
> Omar Lopez Limonta
> Sent: 25 April 2008 09:36
> To: FreeRadius users mailing list
> Subject: Re: Dot1x on cisco 3560
> 
> On Fri, Apr 25, 2008 at 9:51 AM,  <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> >
> >  >    Cleartext-Password := "Pl"
> >  >Service-Type = NAS-Prompt-User,
> >  >cisco-avpair = "shell:priv-lvl=15"
> >  ^
> >
> >  this sort of stuff it for admin access to the switch
> >
> >
> >  > Sending Access-Challenge of id 60 to 172.29.11.1:21645
> >  > Framed-IP-Address = 255.255.255.254
> >  > Framed-MTU = 576
> >  > Service-Type = Framed-User
> >  > EAP-Message =
> 0x010300160410245db5b7205b11398ead15f567f6ed77
> >  > Message-Authenticator = 0x
> >  > State = 0xb307e1b51eedc6cc895b65e64bcd34a3
> >  > Finished request 0
> >  > Going to the next request
> >  > --- Walking the entire request list ---
> >  > Waking up in 6 seconds...
> >  > rad_recv: Access-Request packet from host 172.29.11.1:21645,
> id=60, length=123
> >  > Sending duplicate reply to client authenticator-short-name:21645 -
> ID: 60
> >  > Re-sending Access-Challenge of id 60 to 172.29.11.1:21645
> >
> >  lots of these. looks like FR is sending challenges but the switch is
> not
> >  responding.  whats your IOS config look like? if you 'debug aaa' on
> the switch
> >  can you see stuff happening at all?
> 
> Mmmm is curious:
> 04-25-2008 10:27:16   Local7.Warning 172.29.11.1
>   67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS
> server 172.29.11.7:1812,1813 has returned.
> 04-25-2008 10:27:16   Local7.Warning 172.29.11.1
>   67647: 070623: *Apr 14 13:06:59: %RADIUS-4-RADIUS_DEAD: RADIUS
> server 172.29.11.7:1812,1813 is not responding.
> Using debug in AAA on my switch.
> 
> I have this radius settings on my cisco switch:
> 
> #sh run | include radius
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> radius-server host 172.29.11.7 auth-port 1812 acct-port 1813 timeout 3
> radius-server key mecago
> #
> 
> Any other line could be necessary ?
> 
> I´m using MD5 challenge because i´m testing and i don´t want deploy
> certificates or certificate server.
> Are you using MS certificate Server with FR?
> 
> --
> Xgalaga se disfruta más sobre NetBSD sparc64
> 
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Event-Timestamp

2008-04-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Ok and it's expanded to the string form with the double quotation marks?
> why ?

  Bug.  Some things have extra quotation marks.  This is fixed in 2.0.3,
or maybe CVS.

> Indeed, I did something in unlang, but it'd be nice to have it in the
> server core. Then I can update the SQL queries with
> %{%{Packet-Original-Timestamp}:-%S} and it should all just work.

  Done.

> Another thing I noticed recently: For file based buffers the server
> takes the detail file moves it to detail.work, processes all entries in
> the work file then repeats the process.

  Yes.  It has to do that for a number of reasons.

> On one of our servers I made a typo when recreating the symbolic link to
> start the detail reading server, I didn't notice the error for a number
> of days, by which time the detail file was ~400mb. Our servers are
> restarted nightly and the rate of inserts is so slow that the server
> can't get through 400mb of detail file in under 24hrs. So when it's
> restarted the whole process starts again.
> 
> It's not a huge problem, as accounting data isn't massively important to
> us, but possibly putting an upper limit on the .work file might be useful.

  It can't, because it's just a renamed "detail" file.  If the detail
file is 400M, so is detail.work.

  The larger issue is that it's hard to keep track of which parts of the
"detail.work" file have been read && responded to.  I've had a few
ideas, but nothing that really makes sense.

  I'll play with some things to see if I can get that last piece fixed.
 if you're OK with the "detail.work" file being written to, there may be
a solution.

  Or, update it so that it reads *all* of the detail files in a
directory.  That way, the process writing the detail files can write
them every hour, day, etc.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel

2008-04-25 Thread freeradius-users
Thought I would let you know about the Fashion Footwear SPRING Sale!
Men and Women Designer Shoes, Heels, Sandals and Boots, All Half-OFF,
Buy Direct, Forget Department Store Prices, Get Exclusive 2008 Gucci
Prada Chanel, Christian Dior, Dsquared, Versace D&G, Uggs and More!
They Ship International for FREE on all Orders!

http://stowetangofest.com/images/menu/gif/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: 60% Off All Luxury Designer Shoes & Boots Men & Women Gucci Prada Chanel

2008-04-25 Thread Arran Cudbard-Bell

freeradius-users@lists.freeradius.org wrote:
> Thought I would let you know about the Fashion Footwear SPRING Sale!
> Men and Women Designer Shoes, Heels, Sandals and Boots, All Half-OFF,
> Buy Direct, Forget Department Store Prices, Get Exclusive 2008 Gucci
> Prada Chanel, Christian Dior, Dsquared, Versace D&G, Uggs and More!
> They Ship International for FREE on all Orders!
>
> http://stowetangofest.com/images/menu/gif/

What the hell? How are we getting spam on the list?

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Event-Timestamp

2008-04-25 Thread Arran Cudbard-Bell

Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Ok and it's expanded to the string form with the double quotation marks?
>> why ?
>
>   Bug.  Some things have extra quotation marks.  This is fixed in 2.0.3,
> or maybe CVS.

Hmm, running 2.0.3; must be CVS.

>> Indeed, I did something in unlang, but it'd be nice to have it in the
>> server core. Then I can update the SQL queries with
>> %{%{Packet-Original-Timestamp}:-%S} and it should all just work.
>
>   Done.

Thanks. I didn't realise that the server updated the acctdelay stuff
too... woo, so many options...

Did you have time to add the module return codes for authentication
success / failure messages?

>> Another thing I noticed recently: For file based buffers the server
>> takes the detail file moves it to detail.work, processes all entries in
>> the work file then repeats the process.
>
>   Yes.  It has to do that for a number of reasons.
>
>> On one of our servers I made a typo when recreating the symbolic link to
>> start the detail reading server, I didn't notice the error for a number
>> of days, by which time the detail file was ~400mb. Our servers are
>> restarted nightly and the rate of inserts is so slow that the server
>> can't get through 400mb of detail file in under 24hrs. So when it's
>> restarted the whole process starts again.
>>
>> It's not a huge problem, as accounting data isn't massively important to
>> us, but possibly putting an upper limit on the .work file might be useful.
>
>   It can't, because it's just a renamed "detail" file.  If the detail
> file is 400M, so is detail.work.

Yes, I was talking about taking a slice of the detail file and writing
it to the work file, but that's a lot more work than just moving the
detail file (in terms of disk I/O).

>   Or, update it so that it reads *all* of the detail files in a
> directory.  That way, the process writing the detail files can write
> them every hour, day, etc.

Yep, that seems like the most sensible/flexible solution. So you just
specify a directory in the listen section for it to search for detail
files in.

Thanks,
Arran

>   Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dot1x on cisco 3560

2008-04-25 Thread Omar Lopez Limonta
On Fri, Apr 25, 2008 at 11:14 AM,  <[EMAIL PROTECTED]> wrote:

>  very sparsewhat about eg
>
>  radius-server retransmit 2
>  radius-server timeout 2
>  radius-server deadtime 10
>
> radius-server vsa send authentication

No, with your AAA configs I don't get %RADIUS-4-RADIUS_DEAD or any
other error in the debug via syslog.

>  what do you have on the edge port for RADIUS? eg timeouts...

interface FastEthernet0/5
 switchport access vlan 2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!

Any other ideas?


-- 
Xgalaga se disfruta más sobre NetBSD sparc64


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: a newbie testing freeradius need help

2008-04-25 Thread jreubens

Hi all,

I installed a new version of OpenSSL and built the RADIUS server with the following
commands:
./configure --with-openssl-includes=/usr/local/include/openssl \
--with-openssl-libraries=/usr/local/lib \
--prefix=/usr/local/radius
make 
make install

The radtest and radeapclient tests went through; I then tried to test with
eapol_test, and I get the following error (the same error). Any help will be
appreciated.

Note: i have the development headers at /usr/local/include/openssl, the lib
files at /usr/local/lib and the bin files at /usr/local/bin and finally the
conf files at /usr/local/openssl.

THE RADIUS SERVER SCREEN OUTPUT
[EMAIL PROTECTED]:/usr/src/802/radius/freeradius-server-2.0.3#
/usr/local/radius/sbin/radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 24 2008
at 16:14:51
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License. 
Starting - reading configuration files ...
including configuration file /usr/local/radius/etc/raddb/radiusd.conf
including configuration file /usr/local/radius/etc/raddb/proxy.conf
including configuration file /usr/local/radius/etc/raddb/clients.conf
including configuration file /usr/local/radius/etc/raddb/snmp.conf
including configuration file /usr/local/radius/etc/raddb/eap.conf
including configuration file /usr/local/radius/etc/raddb/sql.conf
including configuration file
/usr/local/radius/etc/raddb/sql/mysql/dialup.conf
including configuration file
/usr/local/radius/etc/raddb/sql/mysql/counter.conf
including configuration file /usr/local/radius/etc/raddb/policy.conf
including files in directory /usr/local/radius/etc/raddb/sites-enabled/
including configuration file
/usr/local/radius/etc/raddb/sites-enabled/default
including dictionary file /usr/local/radius/etc/raddb/dictionary
main {
prefix = "/usr/local/radius"
localstatedir = "/usr/local/radius/var"
logdir = "/usr/local/radius/var/log/radius"
libdir = "/usr/local/radius/lib"
radacctdir = "/usr/local/radius/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/radius/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
 }
 home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_check = "none"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
 }
 realm example.com {
auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = "request"
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = "You are calling outside your allowed timespan  "
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = "auto"
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = "md5"
  

Re: Failed Auth using users file (sometimes)

2008-04-25 Thread Ivan Kalik
Configuration changes do take effect on restart. They could have been made
days or weeks before, but they kick in when you restart.

Ivan Kalik
Kalik Informatika ISP

Dana 25/4/2008, "Mike O'Connor" <[EMAIL PROTECTED]> piše:

>Hi Ivan
>
>Thanks for your response; my question is why would it not work, then just
>work, with no changes other than a restart between the two.
>
>Its running freeradius 1.1.7
>
>Mike
>
>Mike
>
>
>Ivan Kalik wrote:
>>>rlm_realm: Looking up realm "xxx.com" for User-Name =
>>> "[EMAIL PROTECTED]"
>>>rlm_realm: Found realm "xxx.com"
>>>rlm_realm: Proxying request from user nyp2inter to realm xxx.com
>>>rlm_realm: Adding Realm = "xxx.com"
>>>rlm_realm: Authentication realm is LOCAL.
>>>  modcall[authorize]: module "suffix" returns noop for request 1647
>>>  rlm_eap: No EAP-Message, not doing EAP
>>>  modcall[authorize]: module "eap" returns noop for request 1647
>>>  modcall[authorize]: module "files" returns notfound for request 1647
>>>
>>
>>
>>>rlm_realm: Looking up realm "xxx.com" for User-Name =
>>> "[EMAIL PROTECTED]"
>>>rlm_realm: Found realm "xxx.com"
>>>rlm_realm: Adding Stripped-User-Name = "nyp2inter"
>>>rlm_realm: Proxying request from user nyp2inter to realm xxx.com
>>>rlm_realm: Adding Realm = "xxx.com"
>>>rlm_realm: Preparing to proxy authentication request to realm "xxx.com"
>>>  modcall[authorize]: module "suffix" returns updated for request 1675
>>>  rlm_eap: No EAP-Message, not doing EAP
>>>  modcall[authorize]: module "eap" returns noop for request 1675
>>>users: Matched entry nyp2inter at line 18
>>>  modcall[authorize]: module "files" returns ok for request 1675
>>>
>>
>> The first debug doesn't strip the realm, so there is no match in the users file.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>



MAC Authentication and

2008-04-25 Thread Alexey Eronko
Hello All,

I'm setting up my corporate wifi with freeradius as the RADIUS
server. I want to implement a WEP network with MAC Authentication through
freeradius. I have three access points and I want to store the MAC database in a
text file.

Here is an example:

00-22-de-4e-8f-1d   Auth-Type:=Local, User-Password == "secret1"

Here is my MAC request:

Packet-Type = Access-Request
Thu Apr 24 11:42:49 2008
User-Name = "00-1c-26-20-9c-00"
User-Password = "secret1"
NAS-IP-Address = 192.168.11.1
Called-Station-Id = "00-20-a6-87-86-09:WEP"
Calling-Station-Id = "00-1c-26-20-9c-00;WEP"
NAS-Port = 2
NAS-Port-Type = Wireless-802.11
Client-IP-Address = 192.168.11.1

The User-Password field is taken from the radius clients (AP) configuration of
freeradius. The problem is that I have different radius access passwords for the
three access points. I want to have one list for all APs.

Is the only way to do this to set up _one_ radius password for all APs?

Another interesting point is: do I understand correctly that I need to restart
freeradius every time I correct the users file? It is complicated for me;
what is the other way? Maybe store MACs in an LDAP or SQL database?

 

Thanks

Alexey


Re: a newbie testing freeradius need help

2008-04-25 Thread Alan DeKok
jreubens wrote:
> I installed new version of openssl and built the radius with the following
> command
> ./configure --with-openssl-includes=/usr/local/include/openssl \
> --with-openssl-libraries=/usr/local/lib \

  Did it *find* the OpenSSL includes and libraries?  The output of the
"configure" process will tell you this.

> the radtest and the radeapclient test was through, i thought to test with
> the eapol_test, i have the following error (same error), any help will be
> appreciated.
> 
> Note: i have the development headers at /usr/local/include/openssl, the lib
> files at /usr/local/lib and the bin files at /usr/local/bin and finally the
> conf files at /usr/local/openssl.
...
> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. // I
> DONT UNDERSTAND THIS LINE

  What part is unclear?  The server was not built with OpenSSL support.

  Exactly *why* this happened is a question for the "configure" script.
 See the output of "configure", and the "config.log" file.

  Maybe there's something wrong with your OpenSSL installation.

  Does your OS have a pre-packaged version of OpenSSL?

> i generated the test certificates as mentioned in the README doc in certs
> folder. i havnt changed anything in eap.conf except the ceritificates path,
> as you might have noticed i installed the freeradius in /usr/local/radius.
> and i deleted the make_cert_command. Thats all i did.

  What OS are you using?  Why is it impossible to use a version of
OpenSSL that comes with the OS?

  Alan DeKok.


Re: Event-Timestamp

2008-04-25 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Hmm running 2.0.3 must be CVS.

  Yes.

> Did you have time to add the module return codes for authentication
> success / failure messages ?

  It should be there now.

> Yep that seems like the most sensible/ flexible solution. So you just
> specify a directory in the listen section for it to search for detail
> files in.

  Or just use file globbing.

  Alan DeKok.


Re: MAC Authentication and

2008-04-25 Thread Ivan Kalik
Don't use the password.

00-22-de-4e-8f-1d   Auth-Type := Accept

You are lucky that they are all sending MAC addresses in the same format. One
could be using - as the delimiter, another :, and the third one no
delimiter. Then you would need to store usernames (MAC addresses)
without delimiters and remove delimiters from usernames that are
received with them.

Ivan Kalik
Kalik Informatika ISP




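The delimiter problem Ivan describes (one AP sends 00-1c-26-20-9c-00, another 00:1c:26:20:9c:00, a third 001c26209c00) is easiest to reason about in code. This is an added illustration, not part of the thread and not FreeRADIUS's own logic: it normalizes every incoming MAC to bare lowercase hex, loads an allowlist written in the users-file style shown above (constructed sample entries, with `Auth-Type := Accept` and no password), and decides Accept/Reject for a request shaped like the Access-Request in the thread. It also handles the Cisco dotted form (001c.2620.9c00) and the ";WEP"/":WEP" SSID tag that the Calling-Station-Id and Called-Station-Id attributes carry, which goes slightly beyond the three formats Ivan lists.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed allowlist in the style of the FreeRADIUS users file from the
# thread.  The three entries deliberately use three different delimiter
# styles; the lookup key is the normalized MAC, so they all work.
SAMPLE_USERS_FILE = """\
# MAC allowlist for the WEP network (constructed sample data)
00-22-de-4e-8f-1d   Auth-Type := Accept
00:1c:26:20:9c:00   Auth-Type := Accept
0020a6878609        Auth-Type := Accept
"""

# Constructed request built from the attribute dump posted in the thread.
SAMPLE_REQUEST = {
    "User-Name": "00-1c-26-20-9c-00",
    "User-Password": "secret1",
    "NAS-IP-Address": "192.168.11.1",
    "Called-Station-Id": "00-20-a6-87-86-09:WEP",
    "Calling-Station-Id": "00-1c-26-20-9c-00;WEP",
    "NAS-Port": "2",
    "NAS-Port-Type": "Wireless-802.11",
}

# Matches a MAC at the start of the string in any of four spellings, and
# requires it to be followed by end-of-string or by the ';' / ':' that the
# APs use to append the SSID ("00-1c-26-20-9c-00;WEP").  A longer hex run
# such as "deadbeef1234user" is therefore NOT treated as a MAC.
_MAC_RE = re.compile(
    r"^\s*("
    r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}"   # 00-1c-26-20-9c-00 / 00:1c:26:20:9c:00
    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"    # Cisco dotted: 001c.2620.9c00
    r"|[0-9a-f]{12}"                       # bare: 001c26209c00
    r")(?=$|[;:\s])",
    re.IGNORECASE,
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    m = _MAC_RE.match(value)
    if not m:
        return None
    return re.sub(r"[^0-9a-f]", "", m.group(1).lower())


def load_mac_allowlist(text: str) -> Dict[str, str]:
    """Parse users-file style lines into {normalized_mac: reply_items}.

    '#' starts a comment; the first word of each entry is the MAC, the rest
    is kept verbatim (e.g. 'Auth-Type := Accept').  Non-MAC names are an
    error, because a typo here silently shrinks the allowlist.
    """
    allow: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        mac = normalize_mac(parts[0])
        if mac is None:
            raise ValueError(f"not a MAC address: {parts[0]!r}")
        allow[mac] = parts[1] if len(parts) > 1 else ""
    return allow


def authorize(request: Dict[str, str], allow: Dict[str, str]) -> Tuple[str, str]:
    """Decide Accept/Reject for one request and say why.

    The MAC is taken from User-Name; if that is not a MAC, fall back to
    Calling-Station-Id (which carries the ';WEP' tag).  Note that a MAC is an
    identifier the client chooses, not a secret, so this only identifies the
    device claimed by the supplicant.
    """
    for attr in ("User-Name", "Calling-Station-Id"):
        mac = normalize_mac(request.get(attr, ""))
        if mac is not None:
            break
    else:
        return "Reject", "no MAC address in User-Name or Calling-Station-Id"
    if mac in allow:
        return "Accept", f"{attr} {mac} matched allowlist ({allow[mac]})"
    return "Reject", f"{attr} {mac} not in allowlist"


if __name__ == "__main__":
    allowlist = load_mac_allowlist(SAMPLE_USERS_FILE)
    for name in ("00-1c-26-20-9c-00", "00:1C:26:20:9C:00", "001c.2620.9c00",
                 "0020a6878609", "00-22-de-4e-8f-1e", "nyp2inter"):
        print(name, "->", authorize({"User-Name": name}, allowlist))
    print("thread request ->", authorize(SAMPLE_REQUEST, allowlist))
```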

RE: MAC Authentication and

2008-04-25 Thread Alexey Eronko
Thanks for the reply.

I adjusted all AP to send MAC in one format.

What about this question : 

Another interesting point is: do I understand correctly that I need to restart
freeradius every time I correct the users file? It is complicated for me;
what is the other way? Maybe store MACs in an LDAP or SQL database?

Alexey



Re: a newbie testing freeradius need help

2008-04-25 Thread Nicolas Goutte


On 25.04.2008 at 13:45, jreubens wrote:

> Hi all,
>
> I installed new version of openssl and built the radius with the following
> command
> ./configure --with-openssl-includes=/usr/local/include/openssl \
> --with-openssl-libraries=/usr/local/lib \
> --prefix=/usr/local/radius
> make
> make install
>
> the radtest and the radeapclient test was through, i thought to test with
> the eapol_test, i have the following error (same error), any help will be
> appreciated.
>
> Note: i have the development headers at /usr/local/include/openssl, the lib
> files at /usr/local/lib and the bin files at /usr/local/bin and finally the
> conf files at /usr/local/openssl.

Is your path (environment variable $PATH) also pointing to /usr/local/bin ?

Configuration often calls programs to see if a particular feature is
there (and to get some other needed data).

[...]

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






RE: MAC Authentication and

2008-04-25 Thread Ivan Kalik
>Another interesting point is: do I understand correctly that I need to restart
>freeradius every time I correct the users file? It is complicated for me;
>what is the other way? Maybe store MACs in an LDAP or SQL database?
>
>Alexey
>

Yes, if you store details in the users file you will need to restart for new
entries to take effect. If you store them in SQL or LDAP you can manage
them independently of freeradius.

Ivan Kalik
Kalik Informatika ISP



Re: a newbie testing freeradius need help

2008-04-25 Thread jennie susan
Hi Alan,

I found something in the config.log file and I think the path is identified.
Herewith I am attaching a part of the config.log (I don't want to crowd the
mailing list). If you could give me a hint, that would be highly appreciated. Thank you.

I am using Linux (Ubuntu 7.10); it has a pre-packaged OpenSSL which is an "e"
version. I read in an article that it is an engine version: "You are
probably not interested in engine ("e") version neither as it is mostly for
crypto _hardware_." (quoting from the original article; the URL was kind of big, so
I am not posting the URL).

Before my original post I relied on the pre-packaged version of OpenSSL; then,
when I wanted to use eapol_test, it asked for an OpenSSL, so I installed a new
one.

After the first (eapol_test) test failed, you suggested using the one that
comes with the distribution... but I didn't see any development headers and
binaries. So I overwrote the OS and made a fresh install of Ubuntu, then tried
to install the latest OpenSSL version and FreeRADIUS. Now I am getting the same
error.

Thank you for the time you are taking on me,

Regards,
Jreubens






Accounting logs

2008-04-25 Thread Sergio Belkin
I don't see any detail-%Y%m%d log files, only auth-detail-%Y%m%d files.
What am I doing wrong?

My config files:

radiusd.conf:

prefix = /usr/local-2.0.2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
db_dir = $(raddbdir)
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
    type = auth
    ipaddr = 190.125.213.5
    port = 0
}
listen {
    ipaddr = 190.125.213.5
    port = 0
    type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
    destination = files
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = yes
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
    max_attributes = 190
    reject_delay = 1
    status_server = yes
}
proxy_requests = no
$INCLUDE proxy.conf
$INCLUDE clients.conf
snmp = no
$INCLUDE snmp.conf
thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}
modules {
    pap {
        auto_header = yes
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE eap.conf
    mschap {
    }
    ldap {
        server = "ldap.cadorna.biz"
        identity = "cn=freeradius,ou=applications,dc=cadorna,dc=biz"
        port = 636
        password = jejeje0essoleplop
        basedn = "ou=people,dc=cadorna,dc=biz"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
            cacertfile = /etc/raddb-2.0.2/cacert.pem
            randfile = /dev/urandom
            require_cert = "allow"
        }
        access_attr = "radiusAllowed"
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
    }
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        header = "%t"
        suppress {
            User-Password
        }
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        suppress {
            User-Password
        }
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE sql.conf

    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
    }
    attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
    }

Re: a newbie testing freeradius need help

2008-04-25 Thread jennie susan
Hi,

Here is my PATH contents
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

I have another doubt here: I have my check-rad, check-radiusd-config,
radiusd, radwatch, rc.radiusd, everything at /usr/local/radius/sbin... does that
mean that I have to change the environment variable to point to
/usr/local/radius/sbin?

Thank you for the time you are taking for me,

BR,
Jreubens


Re: a newbie testing freeradius need help

2008-04-25 Thread A . L . M . Buxey
Hi,
> 
> Hi all,
> 
> I installed new version of openssl and built the radius with the following
> command
> ./configure --with-openssl-includes=/usr/local/include/openssl \
> --with-openssl-libraries=/usr/local/lib \
> --prefix=/usr/local/radius

could you pipe the above command through grep, e.g.

./configure -blahblah blah   | grep WARN

> rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support. // I
> DONT UNDERSTAND THIS LINE
> rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
> rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.

^^

fairly simple. no OpenSSL support. radiusd not built with any ability
that you want.

alan


Re: a newbie testing freeradius need help

2008-04-25 Thread A . L . M . Buxey
Hi,

> Before my original post i relied on the pre-packaged version of the openssl, 
> then when i wanted to use eapol_test, it asked for an openssl, then i 
> installed a new one.
> 
> After the first (eapol_test) test failed, you suggested to use the one that 
> comes with the distribution... but i didnt see any development headers and 
> binaries. So i overwrote the OS and made a fresh install of ubuntu then 
> tried to install the latest openssl version and free radius. now i am getting 
> the same error.

ubuntu? you'll need to install "libssl-dev" package

alan


Have some questions - new to FreeRadius

2008-04-25 Thread thekat
Greetings all..

Overview
Our local network folks have a FirePass VPN to allow external access to an
application.
We need to set up a RADIUS server to authenticate
to the FirePass VPN appliance.

Testing.
I have FreeRadius 1.1.7 set up on a zone on a Solaris 10 box and have begun
testing.. This zone will only do this one task.. (Packages installed from
SunFreeware - Blastwave FreeRadius package is 1.01)

- Going through the output from /local/sbin/radiusd -X
- Tested with
radtest test test localhost 0 testing123
One error - Although this might be normal
Output
Sending Access-Request of id 169 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=169, length=20
---
I am also reading the entire radiusd.conf file to get familiar with the
settings.
Per the FAQ it *looks* like I need to use CHAP for authentication but have
currently not gotten any farther than
that.

Sent an email to F5 (makers of FirePass) requesting information as to what
protocol the "Radius" setting is expecting..

If anyone has any input if this combination will work,

Re: a newbie testing freeradius need help

2008-04-25 Thread Nicolas Goutte


On 25.04.2008 at 15:32, jennie susan wrote:

> Hi,
>
> Here is my PATH contents
> PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
>
> i have another doubt here, i have my check-rad, check-radiusd-config,
> radiusd,radwatch, rc.radiusd everything at /usr/local/radius/sbin... does that
> mean that i have to change the environment variable to point to
> /usr/local/radius/sbin?

At least at first it is not necessary, as you can start the programs
with the full path, e.g.:

/usr/local/radius/sbin/radiusd -X

Have a nice day!

> Thank you for the time you are taking for me,
>
> BR,
> Jreubens



Nicolas Goutte



Re: Accounting logs

2008-04-25 Thread Ivan Kalik
Is your NAS sending accounting packets?

Ivan Kalik
Kalik Informatika ISP



Re: a newbie testing freeradius need help

2008-04-25 Thread Nicolas Goutte


On 25.04.2008 at 14:59, jennie susan wrote:

> Hi alan,
>
> i found something in the config.log file and i think the path is
> identified. here with i am attaching a part of the config.log (i
> dont want to crowd the mailing list). if you give me a hint that
> would be highly appreciated. Thank you.

I would guess that other development packages are missing. I am not
sure where dlopen is, but probably in the C library.

Have a nice day!






Nicolas Goutte



Re: Have some questions - new to FreeRadius

2008-04-25 Thread Ivan Kalik
>- Going through the output from /local/sbin/radiusd -X

You didn't post the output.

>- Tested with
>radtest test test localhost 0 testing123
>One error - Although this might be normal
>Output
>Sending Access-Request of id 169 to 127.0.0.1 port 1812
>User-Name = "test"
>User-Password = "test"
>NAS-IP-Address = 255.255.255.255
>NAS-Port = 0
>rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=169, length=20

Where is the user/pass entry? Users file? Somewhere else? Post that too.

Ivan Kalik
Kalik Informatika ISP



Re: Have some questions - new to FreeRadius

2008-04-25 Thread thekat
I have not yet created the users file, just using the default one for
testing..
It is the standard client.conf (apologize if this is not what you are asking
for)

Some additional notes:
All user accounts /passwords will be on the Radius Server, FirePass just
talks to the Radius server.

Here is the output from /local/sbin/radiusd -X
---
sm1gw1# /local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = ye

Radius-based windows authentication

2008-04-25 Thread Mike Perdide
Hello,

I'm working on VLAN assignment with FreeRadius, with windows XP users.
The FreeRadius server is using openLdap, and works over EAP-TTLS.

The goal of my work is for the users to be on different Vlans depending on
their status.

The radius part is working fine, since the switch sets the right vlan when the
user gives his login and password.

My question was: is it possible to authenticate via radius at the windows
login screen?

For now, it is using the samba database, but if I want to set up a dynamic
vlan assignment, the network needs to be up before the samba partitions are
mounted.

Thanks !


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

> Hello,
>
> I'm working on VLAN assignment with FreeRadius, with windows XP users.
> The FreeRadius server is using openLdap, and works over EAP-TTLS.
>
> The goal of my work is for the users to be on different Vlans depending on
> their status.
>
> The radius part is working fine, since the switch sets the right vlan when the
> user gives his login and password.
>
> My question was: is it possible to authenticate via radius at the windows
> login screen?

Is the windows machine a domain member?

> For now, it is using the samba database, but if I want to set up a dynamic
> vlan assignment, the network needs to be up before the samba partitions are
> mounted.

This last paragraph doesn't make sense to me. I don't know what "samba 
database" and "samba partitions" are.

I think you are asking "is it possible for the client to do 802.1x with 
the username/password typed into the login box" and the answer is "yes". 
There are three ways to achieve this (that I know of).

 1. Using the windows native supplicant and machine account 
authentication. Basically the process is this:

* machine powers on - no-one logged in
* machine uses its own domain account to login "host/$machinename"
* user presses ctrl+alt+del
* machine validates credentials to the domain controller, over the 
current network connection
* machine downloads the user's profile
* once the profile is downloaded, the machine does an EAP-Logoff and 
then re-authenticates using the user credentials
* when the user logs out, the machine does an EAP-Logoff and then 
logs back in using the machine account

 2. Using cached profiles - the user logs in without a network 
connection using a cached profile, then 802.1x starts

 3. Using a different supplicant which has a GINA plugin; I believe the 
Odyssey supplicant (which you have to pay for) can do this. SecureW2 
(which is open source) may. Obviously you have to install software.



Start at boot Freeradius

2008-04-25 Thread Gustavo Chavelas
Hello again to all.

I'm very happy because my FR is working fine again and I have Vista support
too. Thanks a lot to Alan DeKok; I installed the 1.7 version. Later I
will try to upgrade, but at this moment that's all. FR is the best.

Now, I have maybe a foolish question but I need help again.

When I try to add my FR at BOOT on my Linux with chkconfig, it sends the
following error:
# service radiusd does not support chkconfig

If I run it manually with # radiusd <- alone or with -X -A, etc., it works fine.

How can I add FR at boot?

Thanks for your answers to all.

Gustavo.


Re: Start at boot Freeradius

2008-04-25 Thread Alan DeKok
Gustavo Chavelas wrote:
> When I try to add my FR at BOOT from my Linux with chkconfig, it's sends
> and follow error:
> # service radiusd does not support chkconfig
> 
> If I run manually # radiusd <- alone or with -X -A, etc it work fine.
>
> How can I to add FR at boot?

  Manually add the links in /etc/rc[0-6].d.  That's all chkconfig does...

  Alan DeKok.


Re: Radius-based windows authentication

2008-04-25 Thread Mike Perdide
Phil Mayers wrote:
> Is the windows machine a domain member?
No it's not. Only the users are.

> I think you are asking "is it possible for the client to do 802.1x with
> the username/password typed into the login box" and the answer is "yes".
That's exactly my question, thanks ;).

>   1. Using the windows native supplicant and machine account
> authentication. Basically the process is this:
>  * machine powers on - no-one logged in
>  * machine uses its own domain account to login "host/$machinename"
>  * user presses ctrl+alt+del
When you say user presses ctrl+alt+del, you mean that he closes the session 
and uses his own login?

>  * machine validates credentials to the domain controller, over the
> current network connection
How did the machine obtain a network connection?

>  * machine downloads the users profile
>  * once the profile is download, the machine does an EAP-Logoff and
> then re-authenticates using the user credentials
>  * when the user logs out, the machine does and EAP-Logoff and then
> logs back in using the machine account

>   3. Using a different supplicant which has a GINA plugin; I believe the
> Odyssey supplicant (which you have to pay for) can do this. SecureW2
> (which is open source) may. Obviously you have to install software.
I am currently using SecureW2 TTLS, and I did not see such a thing as a GINA 
plugin. I am going to look for documentation about that.


Thanks for your help.


Re: Radius-based windows authentication

2008-04-25 Thread Guy Davies
2008/4/25 Phil Mayers <[EMAIL PROTECTED]>:
> Mike Perdide wrote:
>
> > Hello,
> >
> > I'm working on VLAN assignement with FreeRadius, with windows XP users.
> > The FreeRadius server is using openLdap, and works overs EAP-TTLS.
> > The goal of my work is for the users to be on different Vlans depending on
> their status.
> > The radius part is working fine, since the switch sets the right vlan when
> the user gives his login and password.
> >
> > My question was : is it possible to authenticate via radius at the windows
> login screen ?
> >
>
>  Is the windows machine a domain member?
>
>
>
> >
> > For now, it is using the samba database, but if I want to set up a dynamic
> vlan assignement, the network needs to be up before the samba partitions are
> mounted.
> >
>
>  This last paragraph doesn't make sense to me. I don't know what "samba
> database" and "samba partitions" are.
>
>  I think you are asking "is it possible for the client to do 802.1x with the
> username/password typed into the login box" and the answer is "yes". There
> are three ways to achieve this (that I know of).
>
>   1. Using the windows native supplicant and machine account authentication.
> Basically the process is this:
> * machine powers on - no-one logged in
> * machine uses its own domain account to login "host/$machinename"
> * user presses ctrl+alt+del
> * machine validates credentials to the domain controller, over the
> current network connection
> * machine downloads the users profile
> * once the profile is download, the machine does an EAP-Logoff and then
> re-authenticates using the user credentials
> * when the user logs out, the machine does and EAP-Logoff and then logs
> back in using the machine account
>
>   2. Using cached profiles - the user logs in without a network connection
> using a cached profile, then 802.1x starts
>
>   3. Using a different supplicant which has a GINA plugin; I believe the
> Odyssey supplicant (which you have to pay for) can do this. SecureW2 (which
> is open source) may. Obviously you have to install software.
>

The Odyssey client can certainly do this but it is very important to
note that GINA is not making use of the RADIUS server to actually
authenticate the user to the Windows machine.  It is simply stopping
the windows login, taking a copy of the credentials typed into the
windows login screen and using those to authenticate using 802.1x so
that a secured port is open *before* the windows login is complete,
then once the 802.1x process is complete, it returns control of the
login process back to windows which authenticates the user either
against the local database or using the Active Directory service.

Normally, for this to work well, you would have the RADIUS server used
for the 802.1x authentication make a call to the AD servers too (using
either NTLM or LDAP).  That way, you actually have two calls made to
the AD, one by the RADIUS server and then another by the user's PC.

The dynamic VLAN assignment is almost invariably performed as part of
the 802.1x RADIUS authentication response and the actual mechanism
used depends very much on the vendor of your Authenticator (the switch
or AP).

Rgds,

Guy


Re: Accounting logs

2008-04-25 Thread Sergio Belkin
Good point :D
Port 1813 is filtered; thanks Ivan, I'll see if it works after changing that.

2008/4/25, Ivan Kalik <[EMAIL PROTECTED]>:
> Is your NAS sending accounting packets?
>
>  Ivan Kalik
>  Kalik Informatika ISP
>
>
>  Dana 25/4/2008, "Sergio Belkin" <[EMAIL PROTECTED]> piše:
>
>
>  >I see any detail-%Y%m%d log files but only auth-detail-%Y%m%d files.
>  >What am I doing wrong?
>  >
>  >My config files:
>  >
>  >radiusd.conf:
>  >
>  >prefix = /usr/local-2.0.2
>  >exec_prefix = ${prefix}
>  >sysconfdir = ${prefix}/etc
>  >localstatedir = ${prefix}/var
>  >sbindir = ${exec_prefix}/sbin
>  >logdir = ${localstatedir}/log/radius
>  >raddbdir = ${sysconfdir}/raddb
>  >radacctdir = ${logdir}/radacct
>  >confdir = ${raddbdir}
>  >run_dir = ${localstatedir}/run/radiusd
>  >db_dir = $(raddbdir)
>  >libdir = ${exec_prefix}/lib
>  >pidfile = ${run_dir}/radiusd.pid
>  >user = radiusd
>  >group = radiusd
>  >max_request_time = 30
>  >cleanup_delay = 5
>  >max_requests = 1024
>  >listen {
>  >   type = auth
>  >   ipaddr = 190.125.213.5
>  >   port = 0
>  >}
>  >listen {
>  >   ipaddr = 190.125.213.5
>  >   port = 0
>  >   type = acct
>  >}
>  >hostname_lookups = no
>  >allow_core_dumps = no
>  >regular_expressions= yes
>  >extended_expressions   = yes
>  >log {
>  >   destination = files
>  >   file = ${logdir}/radius.log
>  >   syslog_facility = daemon
>  >   stripped_names = yes
>  >   auth = yes
>  >   auth_badpass = no
>  >   auth_goodpass = no
>  >}
>  >checkrad = ${sbindir}/checkrad
>  >security {
>  >   max_attributes = 190
>  >   reject_delay = 1
>  >   status_server = yes
>  >}
>  >proxy_requests  = no
>  >$INCLUDE proxy.conf
>  >$INCLUDE clients.conf
>  >snmp   = no
>  >$INCLUDE snmp.conf
>  >thread pool {
>  >   start_servers = 5
>  >   max_servers = 32
>  >   min_spare_servers = 3
>  >   max_spare_servers = 10
>  >   max_requests_per_server = 0
>  >}
>  >modules {
>  >   pap {
>  >   auto_header = yes
>  >   }
>  >   chap {
>  >   authtype = CHAP
>  >   }
>  >   pam {
>  >   pam_auth = radiusd
>  >   }
>  >   unix {
>  >   radwtmp = ${logdir}/radwtmp
>  >   }
>  >$INCLUDE eap.conf
>  >   mschap {
>  >   }
>  >   ldap {
>  >   server = "ldap.cadorna.biz"
>  >   identity = "cn=freeradius,ou=applications,dc=cadorna,dc=biz"
>  >   port = 636
>  >   password = jejeje0essoleplop
>  >   basedn = "ou=people,dc=cadorna,dc=biz"
>  >   filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>  >   ldap_connections_number = 5
>  >   timeout = 4
>  >   timelimit = 3
>  >   net_timeout = 1
>  >   tls {
>  >   start_tls = no
>  >   cacertfile  = /etc/raddb-2.0.2/cacert.pem
>  >   randfile= /dev/urandom
>  >   require_cert= "allow"
>  >   }
>  >   access_attr = "radiusAllowed"
>  >   dictionary_mapping = ${confdir}/ldap.attrmap
>  >   edir_account_policy_check = no
>  >   }
>  >   realm IPASS {
>  >   format = prefix
>  >   delimiter = "/"
>  >   }
>  >   realm suffix {
>  >   format = suffix
>  >   delimiter = "@"
>  >   }
>  >   realm realmpercent {
>  >   format = suffix
>  >   delimiter = "%"
>  >   }
>  >   realm ntdomain {
>  >   format = prefix
>  >   delimiter = "\\"
>  >   }
>  >   checkval {
>  >   item-name = Calling-Station-Id
>  >   check-name = Calling-Station-Id
>  >   data-type = string
>  >   }
>  >
>  >   preprocess {
>  >   huntgroups = ${confdir}/huntgroups
>  >   hints = ${confdir}/hints
>  >   with_ascend_hack = no
>  >   ascend_channels_per_line = 23
>  >   with_ntdomain_hack = no
>  >   with_specialix_jetstream_hack = no
>  >   with_cisco_vsa_hack = no
>  >   }
>  >   files {
>  >   usersfile = ${confdir}/users
>  >   acctusersfile = ${confdir}/acct_users
>  >   preproxy_usersfile = ${confdir}/preproxy_users
>  >   compat = no
>  >   }
>  >   detail {
>  >   detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>  >   detailperm = 0600
>  >   header = "%t"
>  >   suppress {
>  >User-Password
>  >   }
>  >   }
>  >detail auth_log {
>  >detailfile = 
> ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
>  >   suppress {
>  >User-Password
>  >   }
>  >

Re: Have some questions - new to FreeRadius

2008-04-25 Thread thekat
more output
This came after the service was running a while..

---
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 246 to 127.0.0.1 port 33184
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 246 with timestamp 4811f1f3
Nothing to do.  Sleeping until we see a request.
---

Re: Start at boot Freeradius

2008-04-25 Thread A . L . M . Buxey
Hi,

> When I try to add my FR at BOOT from my Linux with chkconfig, it's sends and
> follow error:
> # service radiusd does not support chkconfig

have you put the radiusd init script into eg /etc/init.d/ ?

alan


Re: Have some questions - new to FreeRadius

2008-04-25 Thread A . L . M . Buxey
Hi,
> more output
> This came after the service was running a while..

in your users file you have a line like

DEFAULT auth-Type == System


if you don't use /etc/passwd etc for auth, remove it

alan
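The trace thekat posted and Alan's reading of it can be checked mechanically. The following is an added example, not code from this list or from the FreeRADIUS project: it parses the FreeRADIUS 1.x `radiusd -X` lines for one request (which `users` entry matched, which Auth-Type was chosen, what each module returned, the final reply) and states why the request was rejected. The embedded trace is constructed from the lines quoted in the thread.

```python
"""Triage one request from a FreeRADIUS 1.x `radiusd -X` trace.

Added example; neither code from the list thread nor from FreeRADIUS.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the decisive lines of the trace posted in the thread.
SAMPLE_TRACE = """\
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 246 to 127.0.0.1 port 33184
"""

MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
USERS_RE = re.compile(r'users: Matched entry (\S+) at line (\d+)')
AUTHTYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
REPLY_RE = re.compile(r'Sending (Access-\w+) of id (\d+)')


@dataclass
class RequestTrace:
    users_entry: Optional[str] = None
    users_line: Optional[int] = None
    auth_type: Optional[str] = None
    authorize: Dict[str, str] = field(default_factory=dict)      # module -> rcode
    authenticate: Dict[str, str] = field(default_factory=dict)   # module -> rcode
    reply: Optional[str] = None


def parse_trace(text: str) -> RequestTrace:
    """Collect the facts that matter from one request's debug lines."""
    tr = RequestTrace()
    for line in text.splitlines():
        m = MODCALL_RE.search(line)
        if m:
            section, module, rcode = m.groups()
            if section in ("authorize", "authenticate"):
                getattr(tr, section)[module] = rcode
            continue
        m = USERS_RE.search(line)
        if m:
            tr.users_entry, tr.users_line = m.group(1), int(m.group(2))
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            tr.auth_type = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if m:
            tr.reply = m.group(1)
    return tr


def explain(tr: RequestTrace) -> List[str]:
    """Turn the parsed trace into the findings a list reply would give."""
    findings = []
    if tr.users_entry == "DEFAULT":
        findings.append(f"no per-user entry matched; the users file fell "
                        f"through to DEFAULT at line {tr.users_line}")
    if tr.auth_type == "System" and tr.authenticate.get("unix") == "notfound":
        findings.append("Auth-Type System hands the password check to rlm_unix, "
                        "which did not find the user in /etc/passwd; remove the "
                        "DEFAULT Auth-Type System entry or add a user entry "
                        "with a Cleartext-Password")
    if tr.auth_type is None and tr.reply == "Access-Reject":
        findings.append("no Auth-Type was set in authorize, so no module "
                        "ever compared the password")
    if tr.reply:
        findings.append(f"server replied {tr.reply}")
    return findings


if __name__ == "__main__":
    for finding in explain(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run on a longer `-X` capture, split the text on `Finished request` first and feed one request at a time; the regexes only key on the `modcall[...]`, `users:`, `rad_check_password:` and `Sending` lines, which are the same in every request.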


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

> Phil Mayers wrote:
>
>> Is the windows machine a domain member?
>
> No it's not. Only the users are.

?

When you sit at the login screen, and press ctrl+alt+del, are you 
logging in with a username and password which is checked against the 
domain controllers?

If so, then the machine *is* joined into the domain.

>> I think you are asking "is it possible for the client to do 802.1x with
>> the username/password typed into the login box" and the answer is "yes".
>
> That's exactly my question, thanks ;).
>
>>   1. Using the windows native supplicant and machine account
>> authentication. Basically the process is this:
>>  * machine powers on - no-one logged in
>>  * machine uses its own domain account to login "host/$machinename"
>>  * user presses ctrl+alt+del
>
> When you say user presses ctrl+alt+del, you mean that he closes the session
> and uses his own login?

No. The machine is sitting at the login prompt, and the user presses 
ctrl+alt+del to bring up the login box.

>>  * machine validates credentials to the domain controller, over the
>> current network connection
>
> How did the machine obtain a network connection?
>
>>  * machine downloads the user's profile
>>  * once the profile is downloaded, the machine does an EAP-Logoff and
>> then re-authenticates using the user credentials
>>  * when the user logs out, the machine does an EAP-Logoff and then
>> logs back in using the machine account
>>
>>   3. Using a different supplicant which has a GINA plugin; I believe the
>> Odyssey supplicant (which you have to pay for) can do this. SecureW2
>> (which is open source) may. Obviously you have to install software.
>
> I am currently using SecureW2 TTLS, and I did not see such a thing as a GINA
> plugin. I am going to look for documentation about that.





Re: Radius-based windows authentication

2008-04-25 Thread Mike Perdide
> Phil Mayers wrote:
>>> Is the windows machine a domain member?
>> No it's not. Only the users are.
> ?

> When you sit at the login screen, and press ctrl+alt+del, are you
> logging in with a username and password which is checked against the
> domain controllers?
> If so, then the machine *is* joined into the domain.
You're right, it is, I am not familiar with the windows domains.

> >>  * machine validates credentials to the domain controller, over the
> >> current network connection
> >
How did the machine obtain a network connection? It has to go through 
freeradius authorization, hasn't it?


Re: Radius-based windows authentication

2008-04-25 Thread A . L . M . Buxey
Hi,
> > Phil Mayers wrote:
> >>> Is the windows machine a domain member?
> >> No it's not. Only the users are.
> > ?
> 
> > When you sit at the login screen, and press ctrl+alt+del, are you
> > logging in with a username and password which is checked against the
> > domain controllers?
> > If so, then the machine *is* joined into the domain.
> You're right, it is, I am not familiar with the windows domains.
> 
> > >>  * machine validates credentials to the domain controller, over the
> > >> current network connection
> > >
>  How did the machine obtain network connection ? It has to go throught 
> freeradius authorization, hasn't it ?

yep

alan


Re: Radius-based windows authentication

2008-04-25 Thread Phil Mayers

Mike Perdide wrote:

>> Phil Mayers wrote:
>>
>>>> Is the windows machine a domain member?
>>> No it's not. Only the users are.
>> ?
>>
>> When you sit at the login screen, and press ctrl+alt+del, are you
>> logging in with a username and password which is checked against the
>> domain controllers?
>> If so, then the machine *is* joined into the domain.
>
> You're right, it is, I am not familiar with the windows domains.
>
>>>>  * machine validates credentials to the domain controller, over the
>>>> current network connection
>
> How did the machine obtain a network connection? It has to go through
> freeradius authorization, hasn't it?

Yes, using the machine account


Re: Have some questions - new to FreeRadius

2008-04-25 Thread Ivan Kalik
The server needs a username and password stored somewhere in order to compare
with the ones in the request. It doesn't work without that. Add an entry for your
test user to the users file and try again.

Ivan Kalik
Kalik informatika ISP


Dana 25/4/2008, "thekat" <[EMAIL PROTECTED]> piše:

>I have not yet created the users file, just using the default one for
>testing..
>It is the standard client.conf (apologize if this is not what you are asking
>for)
>
>Some additional notes:
>All user accounts /passwords will be on the Radius Server, FirePass just
>talks to the Radius server.
>
>Here is the output from /local/sbin/radiusd -X
>---
>sm1gw1# /local/sbin/radiusd -X
>Starting - reading configuration files ...
>reread_config:  reading radiusd.conf
>Config:   including file: /usr/local/etc/raddb/proxy.conf
>Config:   including file: /usr/local/etc/raddb/clients.conf
>Config:   including file: /usr/local/etc/raddb/snmp.conf
>Config:   including file: /usr/local/etc/raddb/eap.conf
>Config:   including file: /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir = "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files:  reading dictionary
>read_config_files:  reading naslist
>Using deprecated naslist file.  Support for this will go away soon.
>read_config_files:  reading clients
>read_config_files:  reading realms
>radiusd:  entering modules setup
>Module: Library search path is /usr/local/lib
>Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
>rlm_exec: Wait=yes but no output defined. Did you mean output=none?
>Module: Instantiated exec (exec)
>Module: Loaded expr
>Module: Instantiated expr (expr)
>Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> pap: auto_header = no
>Module: Instantiated pap (pap)
>Module: Loaded CHAP
>Module: Instantiated chap (chap)
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: ntlm_auth = "(null)"
>Module: Instantiated mschap (mschap)
>Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
>rlm_eap: Loaded and initialized type gtc
> mschapv2: with_ntdomain_hack = no
>rlm_eap: Loaded and initialized type mschapv2
>Module: Instantiated eap (eap)
>Module: Loaded preprocess
> preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
>Client-IP-Address, NAS-Port"
>Modul

Re: Have some questions - new to FreeRadius

2008-04-25 Thread thekat
I am still wading through the docs.. and trying to get my
head wrapped around the settings..

Also, still waiting on a response from F5 to see what type of
Radius Authentication is used by the FirePass appliance..
Hoping it is CHAP..

Appreciate the response..
Charles


2008/4/25 Ivan Kalik <[EMAIL PROTECTED]>:

> Server needs a username and password stored somewhere in order to compare
> with ones in the request. It doesn't work without it. Add entry for you
> test user to users file and try again.
>
> Ivan Kalik
> Kalik informatika ISP
>
>
>

Re: Start at boot Freeradius

2008-04-25 Thread Gustavo Chavelas

Yes, radiusd is in /etc/init.d



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of [EMAIL PROTECTED]
Sent: Friday, 25 April 2008 11:57 a.m.
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 36, Issue 161

Message: 2
Date: Fri, 25 Apr 2008 16:27:34 +0100
From: [EMAIL PROTECTED]
Subject: Re: Start at boot Freeradius
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi,

> When I try to add my FR at BOOT from my Linux with chkconfig, it's sends
and
> follow error:
> # service radiusd does not support chkconfig

have you put the radiusd init script into eg /etc/init.d/ ?

alan


Re: Start at boot Freeradius

2008-04-25 Thread A . L . M . Buxey
Hi,
> 
> Yes, radiusd its in /etc/init.d

from $src/scripts/rc.radiusd?

yes, i think i can see the issue. ensure that the
top of the radiusd file contains eg

#!/bin/sh
#
# chkconfig: - 88 10
# description: Start/Stop the RADIUS server daemon

alan
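Whether a script placed in /etc/init.d will be accepted by chkconfig can be checked before running it. The following is an added example, not code from the list or from FreeRADIUS: it looks for the two header lines Alan quotes (`# chkconfig: <levels> <start> <stop>`, where `-` means enabled in no runlevel by default, and `# description:`), and derives from them the /etc/rc<N>.d links that `chkconfig --add` creates, the same links Alan DeKok's earlier reply says can be added by hand. Both sample scripts are constructed.

```python
"""Check an init script for the header that chkconfig requires.

Added example; not from the list thread or from FreeRADIUS.
"""
import re
from typing import Dict, FrozenSet, NamedTuple, Optional

# Constructed: a script carrying the header quoted in the reply above.
GOOD_SCRIPT = """\
#!/bin/sh
#
# chkconfig: - 88 10
# description: Start/Stop the RADIUS server daemon

exec /usr/local/sbin/radiusd "$@"
"""

# Constructed: starts radiusd fine when run by hand, but has no header,
# which is what produces "service radiusd does not support chkconfig".
BAD_SCRIPT = """\
#!/bin/sh
exec /usr/local/sbin/radiusd "$@"
"""

CHKCONFIG_RE = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d{1,2})\s+(\d{1,2})\s*$", re.M)
DESCRIPTION_RE = re.compile(r"^#\s*description:\s*(\S.*?)\s*$", re.M)


class ChkconfigHeader(NamedTuple):
    levels: FrozenSet[int]   # runlevels enabled by `chkconfig --add`; empty for '-'
    start: int               # priority of the S<nn> link
    stop: int                # priority of the K<nn> link
    description: str


def parse_header(script: str) -> Optional[ChkconfigHeader]:
    """Return the parsed header, or None when chkconfig would reject the script."""
    m = CHKCONFIG_RE.search(script)
    d = DESCRIPTION_RE.search(script)
    if not m or not d:
        return None
    levels, start, stop = m.groups()
    if levels != "-" and not levels.isdigit():
        return None                      # levels must be digits such as 345, or '-'
    enabled = frozenset() if levels == "-" else frozenset(int(c) for c in levels)
    return ChkconfigHeader(enabled, int(start), int(stop), d.group(1))


def rc_links(header: ChkconfigHeader, name: str = "radiusd") -> Dict[int, str]:
    """Link name in each /etc/rc<N>.d after `chkconfig --add`: S<start> in the
    enabled runlevels, K<stop> in all the others."""
    return {lvl: (f"S{header.start:02d}{name}" if lvl in header.levels
                  else f"K{header.stop:02d}{name}")
            for lvl in range(7)}


def check_script(script: str) -> str:
    """One-line verdict for an init script's text."""
    h = parse_header(script)
    if h is None:
        return "service does not support chkconfig: header missing"
    return f"ok: levels={sorted(h.levels) or '-'} start={h.start} stop={h.stop}"


if __name__ == "__main__":
    print(check_script(GOOD_SCRIPT))
    print(check_script(BAD_SCRIPT))
```

With the header quoted above the service is registered but enabled in no runlevel, so after `chkconfig --add radiusd` every rc<N>.d directory gets a K10 link; turning it on for runlevels 3 to 5 is a separate `chkconfig --level 345 radiusd on`.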


Re: Have some questions - new to FreeRadius

2008-04-25 Thread Ivan Kalik
For VPN it's usually mschapv2. Whatever it is (pap, chap, mschap) it
will work with cleartext passwords. Read instructions in users file.
That's all you will need - default configuration will work for those
protocols. Apart from that you only need to enter details of your VPN
server in clients.conf.

If you are thinking about using sql database to store user details read
sql.conf and SQL Howto on the wiki. If you are thinking about using ldap
have a look at ldap section in radiusd.conf, rlm_ldap on the wiki and
ldap.attrmap file.

Ivan Kalik
Kalik Informatika ISP


On 25/4/2008, "thekat" <[EMAIL PROTECTED]> wrote:

>I am still wading through the docs.. and trying to get my
>head wrapped around the settings..
>
>Also, still waiting on a response from F5 to see what type of
>Radius Authentication is used by the FirePass appliance..
>Hoping it is CHAP..
>
>Appreciate the response..
>Charles
>
>
>2008/4/25 Ivan Kalik <[EMAIL PROTECTED]>:
>
>> Server needs a username and password stored somewhere in order to compare
>> with ones in the request. It doesn't work without it. Add entry for you
>> test user to users file and try again.
>>
>> Ivan Kalik
>> Kalik informatika ISP
>>
>>
>>
>
>

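Ivan's point that PAP, CHAP and MS-CHAP all work from a cleartext password has a flip side worth seeing in code: CHAP cannot be verified at all from a one-way hash. The following is an added example, not code from the thread or from FreeRADIUS; the two store classes and simulate() are made-up illustrations of server-side password storage, and the passwords and challenges are constructed.

```python
# Added example (not from the thread or from FreeRADIUS): what the RADIUS
# server must hold to verify PAP versus CHAP. The store classes, simulate()
# and every password/challenge here are constructed for illustration.
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class CleartextStore:
    """Entry like 'Cleartext-Password := "..."' in the users file."""

    def __init__(self, password: str):
        self.secret = password.encode()

    def verify_pap(self, supplied: str) -> bool:
        return hmac.compare_digest(self.secret, supplied.encode())

    def verify_chap(self, chap_id: int, challenge: bytes, response: bytes) -> bool:
        # The server recomputes the response from the cleartext secret it holds.
        expected = chap_response(chap_id, self.secret, challenge)
        return hmac.compare_digest(expected, response)


class OneWayHashStore:
    """Entry holding only a salted one-way hash (Crypt-Password style)."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hashlib.sha256(self.salt + password.encode()).digest()

    def verify_pap(self, supplied: str) -> bool:
        # PAP delivers the password itself, so the hash can be recomputed.
        candidate = hashlib.sha256(self.salt + supplied.encode()).digest()
        return hmac.compare_digest(self.digest, candidate)

    def verify_chap(self, chap_id: int, challenge: bytes, response: bytes) -> bool:
        # Impossible: the CHAP response is built from the cleartext secret,
        # which a one-way hash store cannot recover.
        raise NotImplementedError("CHAP needs the cleartext password")


def simulate(store, attempt: str):
    """Run one PAP and one CHAP attempt against a store.

    Returns (pap_ok, chap_ok); chap_ok is None when the store cannot
    verify CHAP at all.
    """
    pap_ok = store.verify_pap(attempt)
    chap_id = 1
    challenge = os.urandom(16)  # issued by the server side
    # The client computes the response from the password it was given.
    response = chap_response(chap_id, attempt.encode(), challenge)
    try:
        chap_ok = store.verify_chap(chap_id, challenge, response)
    except NotImplementedError:
        chap_ok = None
    return pap_ok, chap_ok


if __name__ == "__main__":
    for name, store in (("cleartext", CleartextStore("s3cret")),
                        ("one-way hash", OneWayHashStore("s3cret"))):
        print(name, "correct password:", simulate(store, "s3cret"))
        print(name, "wrong password:  ", simulate(store, "guess"))
```

PAP sends the password itself, so any store that can recompute its hash can check it. CHAP sends MD5(ID || secret || challenge), so the server has to rebuild that from the secret; MS-CHAPv2 likewise needs the NT hash (MD4 of the UTF-16LE password), which FreeRADIUS can derive from Cleartext-Password or take directly from NT-Password, but not from Crypt-Password. That is why a plain Cleartext-Password entry in users is the simplest thing that works for a VPN NAS, and why that file needs to be protected accordingly.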


Re: Have some questions - new to FreeRadius

2008-04-25 Thread thekat
Ivan..
Much thanks for the reply and the very helpful recommendations..

We will only have about 100 users (very low utilization) so sql probably
won't be needed..
I will be working on this tomorrow..

Charles

2008/4/25 Ivan Kalik <[EMAIL PROTECTED]>:

> For VPN it's usually mschapv2. Whatever it is (pap, chap, mschap) it
> will work with cleartext passwords. Read instructions in users file.
> That's all you will need - default configuration will work for those
> protocols. Apart from that you only need to enter details of your VPN
> server in clients.conf.
>
> If you are thinking about using sql database to store user details read
> sql.conf and SQL Howto on the wiki. If you are thinking about using ldap
> have a look at ldap section in radiusd.conf, rlm_ldap on the wiki and
> ldap.attrmap file.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 25/4/2008, "thekat" <[EMAIL PROTECTED]> wrote:
>
> >I am still wading through the docs.. and trying to get my
> >head wrapped around the settings..
> >
> >Also, still waiting on a response from F5 to see what type of
> >Radius Authentication is used by the FirePass appliance..
> >Hoping it is CHAP..
> >
> >Appreciate the response..
> >Charles
> >
> >
> >2008/4/25 Ivan Kalik <[EMAIL PROTECTED]>:
> >
> >> Server needs a username and password stored somewhere in order to
> compare
> >> with ones in the request. It doesn't work without it. Add entry for you
> >> test user to users file and try again.
> >>
> >> Ivan Kalik
> >> Kalik informatika ISP
> >>
> >>
> >>
> >
> >
>
>

Deny/Allow access between clients

2008-04-25 Thread Julian Stöver

Hi,
I would like to know if it's possible to deny/allow traffic between
clients or groups. I've already searched for a solution but I just
found out how to limit some ports for a user.


Thanks for your help.

bye
julian


Key problem

2008-04-25 Thread xiningtom_1986
Hello!
Thank you for your reply! But do you know how to generate the key? Can I use the
function of LEAP that is used for generating the key?
 
Xiningtom_1986

a problem about the key

2008-04-25 Thread xiningtom_1986
Hello!
Do you know how I pass the session key to the AP? Is it in the EAP-SUCCESS
message or in some other special tunnel?
Xiningtom_1986

Re: Deny/Allow access between clients

2008-04-25 Thread Alan DeKok
Julian Stöver wrote:
> Hi,
> I would like to know if it's possible to deny/allow traffic between
> clients or groups. I've already searched for a solution but I just found
> out how to limit some ports for a user.

  i.e. firewall rules?  See the NAS documentation for what kinds of
rules it supports.

  Alan DeKok.


Re: Key problem

2008-04-25 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
>  Hello!
>  Thank you for your reply! But do you know how to generate the key? Can I
> use the function of LEAP that is used for generating the key?

  Key generation methods are specific to each EAP type.

  If you don't know how to generate a key, and you don't know in which
packet the key should be sent, I suggest you learn more about EAP.  See
the RFCs and IETF drafts for examples.

  If you need examples, read the FreeRADIUS code.  It is *all*
available.  There is *no* need to ask questions on the list, when the
answers are already in front of you.

  i.e. this mailing list isn't the place to learn about EAP standards.

  Alan DeKok.