Re: HOWTO PEAP + FreeRadius + XP Client
George KNIGHT wrote:
> A person like you who is dealing with freeradius on a daily basis may have a tendency of thinking that using/installing/troubleshooting freeradius is very easy.

The goal is to *make* it that easy. A large number of problems on the list are because people think it's complicated, and start changing large amounts of the default config.

> Based on the feedback I got from people, everyone seems to agree that it provided them simple and easy to follow steps for the installation. I felt happy that I helped other people the way that I was helped all the time through different forums on the internet.

Based on the feedback I've seen, I've edited/updated the software itself to be easier to use. I don't like reading howto's, because many are out of date, and many others are simply wrong. I would *prefer* that people shipped software that worked, and was easy to use.

> When I started implementing FreeRadius, I thought I would find some documentation to start with. But unfortunately, after spending days, I couldn't find such a document. The more I read, the more I was surprised that I couldn't figure this out. I know that it shouldn't be much difficult but here I am still struggling to make this work.

The 5-6 line instructions I gave are all that's needed.

> I installed FreeRadius 2.0.2 with the Yast tool with SuSE SLES. It installed OK. And then I made changes to the eap.conf and radiusd.conf files to start my test. I ran radiusd -X and here is what I got;

Why change eap.conf radiusd.conf?

> # radiusd -X
> ...
> rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied

That should be a pretty simple problem to fix. It's file permissions... Are you starting the server as root?

> And the other thing is that the command bootstrap couldn't finish creating certificates.

Why not? What's the error message? Is it secret? Did you run the bootstrap script as root?

> How may I solve this problem. And if it finishes creating certs successfully, which certificates should I install to the XP SP2 client and where?

To be honest, you *shouldn't* install the default certificates. They're only for testing. For testing, un-check the validate server certificate in XP.

For real certificates, edit the conf files as described in the raddb/certs/ documentation, and re-build the certs. Then, install the CA cert, as described in the EAP-TLS howto... with pictures.

> You suggested to read the file at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help me. And it also gives information for TLS implementation. Nothing for PEAP.

PEAP *is* EAP-TLS. It's a variation of EAP-TLS, and all of the certificate requirements for EAP-TLS apply to PEAP, too.

If you have any ideas for what documentation needs to be updated, please submit suggested text. We can include it in the next release. But my experience (unfortunately) is that the people who have the most problems are reading third-party howtos that are *wrong*, and are ignoring the server documentation that is *right*. That's a problem I can't fix.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Weird shared secret issues
Hey Tuc,

This might happen because of interface changes. Also add a record to the nas table for the 127.0.0.1 ip address (or the other IP address you have configured on your ethernet interface). And I'm also assuming you have configured the nas table in sql.conf

Regards,
Liran Tal.

On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
> Hi,
>
> Running FreeRadius 2.0.3 built from source on Centos 5.1 with a Mysql 5.0.45 back end.
>
> We've been doing testing on our setup for MONTHS (First FR1, now FR2) and it's been flawless. Today we went to put our first unit into production and am having issues.
>
> We are reading NAS from SQL. The entry is :
>
> (3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First Install')
>
> From the user table I have :
>
> (1, 'tuc','User-Password',':=','PLAINTEXT')
>
> And when I run :
>
> #!/bin/sh
> (echo 'User-Name = "tuc"'
> echo 'User-Password = "PLAINTEXT"'
> echo 'NAS-IP-Address = 192.168.25.13'
> echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f
>
> I get :
>
> [EMAIL PROTECTED] ~]# sh TESTRAD
>         User-Name = "tuc"
>         User-Password = "PLAINTEXT"
>         NAS-IP-Address = 192.168.25.13
>         NAS-Port = 0
> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)!
> (Shared secret is incorrect.)
>
> and in radius.log I see :
>
> Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: [tuc/eY\261ã¡(c)\226`\305\020y\366/Â?\333] (from client localhost port 0)
>
> HELP... I can't see what I'm doing wrong.
>
> Thanks, Tuc
Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
hi,

I am using free Radius 2.0.3. I configured my AAA through rlm_perl. I need to do the authorization by using the following attributes.

Digest-Realm
Digest-Method
Digest-Uri
Digest-Nonce
Digest-Nonce
Digest-Response

Unfortunately I did not get any value from these attributes when I called using $RAD_REQUEST. Please tell me any idea to get these values.

Here is the piece of output when the radius is run in debugging mode:

[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
    prefix = /usr/local
    localstatedir = /usr/local/var
    logdir = /usr/local/var/log/radius
    libdir = /usr/local/lib
    radacctdir = /usr/local/var/log/radius/radacct
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = /usr/local/var/run/radiusd/radiusd.pid
    checkrad = /usr/local/sbin/checkrad
    debug_level = 0
    proxy_requests = yes
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = testing123
    shortname = localhost
    nastype = other
}
client 192.168.1.227 {
    require_message_authenticator = no
    secret = johnson
}
radiusd: Loading Realms and Home Servers
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = request
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = You are calling outside your allowed timespan
    minimum-timeout = 60
  }
 }
radiusd: Loading Virtual Servers
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
    module = /usr/local/etc/raddb/myperltemp.pl
    func_authorize = authorize
    func_authenticate = authenticate
    func_accounting = accounting
    func_preacct = preacct
    func_checksimul = checksimul
    func_detach = detach
    func_xlat = xlat
    func_pre_proxy = pre_proxy
    func_post_proxy = post_proxy
    func_post_auth = post_auth
  }
  perl {
    max_clones = 32
    start_clones = 32
    min_spare_clones = 0
    max_spare_clones = 32
    cleanup_delay = 5
    max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = /usr/local/etc/raddb/huntgroups
    hints = /usr/local/etc/raddb/hints
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = no
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = suffix
    delimiter = @
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
  gtc {
    challenge = Password:
    auth_type = PAP
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
> hi,
>
> I am using free Radius 2.0.3. I configured my AAA through rlm_perl. I need to do the authorization by using the following attributes.
>
> Digest-Realm
> Digest-Method
> Digest-Uri
> Digest-Nonce
> Digest-Nonce
> Digest-Response
>
> Unfortunately I did not get any value from these attributes when I called using $RAD_REQUEST. Please tell me any idea to get these values.
> ..
> rad_recv: Access-Request packet from host 127.0.0.1 port 32795, id=73, length=59
>         User-Name = johnson
>         User-Password = johnson
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 0

That's a pap request. Send a request with Digest-Attributes and you will get digest attributes.

Ivan Kalik
Kalik Informatika ISP
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
> That's a pap request. Send a request with Digest-Attributes and you will get digest attributes.

hi,

As advised by Ivan Kalik, I've tried sending the request with Digest-Attributes, unfortunately I didn't get any values from these attributes: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'.

Here is the piece of perl code that I have used to access the values

$dUserName = $RAD_REQUEST{'Digest-User-Name'};
$dRealm = $RAD_REQUEST{'Digest-Realm'};
$dMethod = $RAD_REQUEST{'Digest-Method'};
$dUri = $RAD_REQUEST{'Digest-URI'};
$dNonce = $RAD_REQUEST{'Digest-Nonce'};
$dResponse = $RAD_REQUEST{'Digest-Response'};

I've used the md5 algorithm in my perl script, is there anything to be done in the eap.conf or in radius.conf ?

Regards,
Elangbam Johnson
Re: Weird shared secret issues
Hi,

I have a record for 127.0.0.1, and for the ip of the machine itself (Fixed dedicated IP). The end result is that I found that no matter what IP I used to pass on the NAS-IP-Address, it used the machine's IP to match the secret.

The problem I had is we placed the device out in the field, and I wanted to verify the tech used the right secret. I was hoping to be able to tell radclient to pretend it was another IP, and therefore search for that IP's secret to try. Unfortunately, it doesn't seem like it has that capability. I don't understand what use then is the ability to change the NAS-IP-Address if it still only cares about the secret for the local machine.

Thanks, Tuc
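The "invalid signature (err=2)" from radclient, the garbled user name in radius.log, and Tuc's observation that the server matched the secret on the machine's own address all follow from how RADIUS uses the shared secret. What follows is an added Python example, not code from the thread and not FreeRADIUS code: a simulated server that picks the secret by the packet's source address (the role of the nas table, with the page's two secrets as the table contents), hides and reveals User-Password as RFC 2865 section 5.2 describes, and signs the reply with the Response Authenticator of RFC 2865 section 3, which is what radclient's rad_verify() recomputes. The client table, the user table and the fixed Request Authenticator are constructed for the example.

```python
import hashlib
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

# Constructed server-side client table, keyed by packet SOURCE address
# (the job of the nas table / clients.conf). The secrets are the ones from the thread.
CLIENTS = {
    "127.0.0.1": b"testing123",
    "192.168.25.13": b"KhLcPALLdzTcJs3f",
}
USERS = {b"tuc": b"PLAINTEXT"}  # constructed user table


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret this yields 16 bytes of noise,
    which is what ends up in the "Login incorrect: [tuc/...]" log line."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, reply_attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_handle(request, source_ip):
    """Simulated server. The secret is chosen by the packet's source address; the
    NAS-IP-Address attribute carried inside the packet plays no part in that choice."""
    secret = CLIENTS[source_ip]
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(code, ident, request_auth, [], secret)
    return build_packet(code, ident, auth, []), password


def client_verify(reply, request_auth, secret):
    """What radclient's rad_verify() does: recompute the Response Authenticator
    with the client's own secret and compare it with the one in the packet."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected


def exchange(client_secret, source_ip, nas_ip="192.168.25.13", ident=7):
    """One Access-Request shaped like Tuc's radclient test. Returns
    (reply code, client-side signature check, password as the server decoded it)."""
    # A real client draws 16 random bytes; a fixed value keeps the demo reproducible.
    request_auth = hashlib.md5(b"constructed-request-authenticator-%d" % ident).digest()
    attrs = [
        (USER_NAME, b"tuc"),
        (USER_PASSWORD, hide_password(b"PLAINTEXT", client_secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_PORT, struct.pack("!I", 0)),
    ]
    request = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    reply, seen_password = server_handle(request, source_ip)
    return reply[0], client_verify(reply, request_auth, client_secret), seen_password


if __name__ == "__main__":
    for secret, src in ((b"KhLcPALLdzTcJs3f", "127.0.0.1"), (b"testing123", "127.0.0.1")):
        code, ok, pw = exchange(secret, src)
        print(f"secret={secret.decode()} from {src}: code={code} verify={ok} server_saw={pw!r}")
```

Sending the 192.168.25.13 secret from 127.0.0.1 reproduces the thread: the server decodes the password under the loopback secret, logs noise, rejects, and signs with the loopback secret, so the client's check fails. The same secret sent from the address it belongs to passes, and so does the loopback secret from loopback; testing a field unit's secret therefore needs a packet that really originates from that unit's address.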
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
> As advised by Ivan Kalik, I've tried sending the request with Digest-Attributes, unfortunately I didn't get any values from these attributes: 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'.
>
> Here is the piece of perl code that I have used to access the values
>
> $dUserName = $RAD_REQUEST{'Digest-User-Name'};
> $dRealm = $RAD_REQUEST{'Digest-Realm'};
> $dMethod = $RAD_REQUEST{'Digest-Method'};
> $dUri = $RAD_REQUEST{'Digest-URI'};
> $dNonce = $RAD_REQUEST{'Digest-Nonce'};
> $dResponse = $RAD_REQUEST{'Digest-Response'};
>
> I've used the md5 algorithm in my perl script, is there anything to be done in the eap.conf or in radius.conf ?

No, there is a digest module in default radiusd.conf that should decode the attributes. Post radiusd -X for request with Digest-Attributes. Those attributes you want are not in the request - have you tried $RAD_CHECK.
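Ivan's answer is that the digest module, not the Perl script, decodes Digest-Attributes into the Digest-* values, and that the script was reading them from the wrong place. To make concrete what a check built on those values involves, here is an added Python example (not from the thread and not FreeRADIUS code) that takes the decoded Digest-* attributes, using the FreeRADIUS dictionary names, plus the user's cleartext password and recomputes the RFC 2617 response. It fails closed when any of the attributes Johnson listed is absent or empty, which is the state his script was in, rather than hashing empty strings. The sample attribute set is the worked example from RFC 2617 section 3.5 (user "Mufasa", password "Circle Of Life"); a constant-time comparison is used for the final check.

```python
import hashlib
import hmac

# Attributes the check cannot proceed without (FreeRADIUS dictionary names).
REQUIRED = ("Digest-User-Name", "Digest-Realm", "Digest-Method",
            "Digest-URI", "Digest-Nonce", "Digest-Response")


def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_digest_response(attrs, password):
    """RFC 2617 response. HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    Without qop: MD5(HA1:nonce:HA2). With qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2).
    Returns None for qop values this example does not handle (auth-int needs the body hash)."""
    ha1 = md5hex(f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}")
    ha2 = md5hex(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    qop = attrs.get("Digest-Qop", "")
    if qop == "":
        return md5hex(f"{ha1}:{attrs['Digest-Nonce']}:{ha2}")
    if qop == "auth":
        nc = attrs.get("Digest-Nonce-Count", "")
        cnonce = attrs.get("Digest-CNonce", "")
        if not nc or not cnonce:
            return None
        return md5hex(f"{ha1}:{attrs['Digest-Nonce']}:{nc}:{cnonce}:{qop}:{ha2}")
    return None


def check_digest(attrs, password):
    """Return (ok, reason). Missing or empty attributes reject before any hashing,
    so a lookup that came back empty is reported as such instead of as a bad password."""
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        return False, "missing: " + ", ".join(missing)
    expected = expected_digest_response(attrs, password)
    if expected is None:
        return False, "unsupported or incomplete qop"
    if hmac.compare_digest(expected, attrs["Digest-Response"].lower()):
        return True, "ok"
    return False, "response mismatch"


# Sample input: the RFC 2617 section 3.5 example, expressed as decoded Digest-* attributes.
RFC2617_EXAMPLE = {
    "Digest-User-Name": "Mufasa",
    "Digest-Realm": "testrealm@host.com",
    "Digest-Method": "GET",
    "Digest-URI": "/dir/index.html",
    "Digest-Nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "Digest-Qop": "auth",
    "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0a4f113b",
    "Digest-Response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    print(check_digest(RFC2617_EXAMPLE, "Circle Of Life"))
    print(check_digest(RFC2617_EXAMPLE, "wrong password"))
    print(check_digest({name: "" for name in REQUIRED}, "Circle Of Life"))
```

The third call models Johnson's situation: every value is empty, and the function reports which attributes are missing rather than a misleading "response mismatch".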
Re: Deny Users AD on Freeradius + WirelessVPN
Thanks for the lead Ivan. I was able to make it work by changing radiusd.conf

I add module

files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
}

and on authorize { files

Thanks also Nicolas.

2008/4/30 Ivan Kalik [EMAIL PROTECTED]:
> I am afraid your radiusd.conf is seriously butchered. files module and quite a few others are missing. It should be before detail but you have deleted it.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 30/4/2008, rmp dmd [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> I checked around and see this
>>
>> The *MS-CHAP-Use-NTLM-Auth := 0*, will tell freeradius that aduser1 will not be preprocessed by the ntlm_auth auxiliary program, this is, will not request the key to compare credentials against the Active Directory, instead, will compare against the users file of the freeradius configuration directory.
>>
>> I also read that it is important to verify that the line on radiusd.conf:
>>
>> authorize {
>>     files
>> }
>>
>> It was not on my radiusd.conf so I add it and restart radiusd but now it has errors
>>
>> Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
>> Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module files.
>> Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module files.
>> Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.
>>
>> Is there something else that should be configured?
>>
>> Here's the complete radiusd.conf
>>
>> ##
>> ## radiusd.conf -- FreeRADIUS server configuration file.
>> ##
>> prefix = /usr
>> exec_prefix = ${prefix}
>> sysconfdir = /etc
>> localstatedir = /var
>> sbindir = ${exec_prefix}/sbin
>> logdir = ${localstatedir}/log/radius
>> raddbdir = ${sysconfdir}/raddb
>> radacctdir = ${logdir}/radacct
>> confdir = ${raddbdir}
>> run_dir = ${localstatedir}/run/radiusd
>> log_file = ${logdir}/radius.log
>> libdir = /usr/lib/freeradius
>> pidfile = ${run_dir}/radiusd.pid
>> user = radiusd
>> group = radiusd
>> max_request_time = 30
>> delete_blocked_requests = no
>> cleanup_delay = 5
>> max_requests = 1024
>> bind_address = *
>> port = 0
>> hostname_lookups = no
>> allow_core_dumps = no
>> regular_expressions = yes
>> extended_expressions = yes
>> log_stripped_names = no
>> log_auth = yes
>> log_auth_badpass = no
>> log_auth_goodpass = no
>> usercollide = no
>> lower_user = no
>> lower_pass = no
>> nospace_user = no
>> nospace_pass = no
>> checkrad = ${sbindir}/checkrad
>> security {
>>     max_attributes = 200
>>     reject_delay = 1
>>     status_server = no
>> }
>> proxy_requests = yes
>> $INCLUDE ${confdir}/proxy.conf
>> # Client configuration is defined in clients.conf.
>> $INCLUDE ${confdir}/clients.conf
>> # To enable SNMP querying of the server, set the value of the
>> # 'snmp' attribute to 'yes'
>> snmp = no
>> $INCLUDE ${confdir}/snmp.conf
>> thread pool {
>>     start_servers = 5
>>     max_servers = 32
>>     min_spare_servers = 3
>>     max_spare_servers = 10
>>     max_requests_per_server = 0
>> }
>> modules {
>>     detail {
>>         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>>         detailperm = 0600
>>     }
>>     mschap {
>>         authtype = MS-CHAP
>>         use_mppe = yes
>>         require_encryption = yes
>>         require_strong = yes
>>         ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>>     }
>>     eap {
>>         default_eap_type = ttls
>>         timer_expire = 60
>>         ignore_unknown_eap_types = no
>>         cisco_accounting_username_bug = no
>>         tls {
>>             private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
>>             certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
>>             CA_file = ${raddbdir}/certs/ca.crt
>>             dh_file = ${raddbdir}/certs/dh2048.pem
>>             random_file = /dev/urandom
>>         }
>>         ttls {
>>             default_eap_type = mschapv2
>>             copy_request_to_tunnel = no
>>             use_tunneled_reply = no
>>         }
>>         peap {
>>             default_eap_type = mschapv2
>>         }
>>         mschapv2 {
>>         }
>>     }
>> }
>> authorize {
>>     mschap
>>     eap
>> }
>> authenticate {
>>     Auth-Type MS-CHAP {
>>         mschap
>>     }
>>     eap
>> }
>> accounting {
>>     detail
>> }
>> post-auth {
>> }
>>
>> Here's the
>>
>> On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd [EMAIL PROTECTED] wrote:
>>> Thanks. I put it on users
>>>
>>> aduser1 MS-CHAP-Use-NTLM-Auth := 0, Auth-Type :=
LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4
Hi,

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute

PEAP: Got tunneled EAP-Message
        EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c20949c9809c8a97e6c717a5
PEAP: Setting User-Name to [EMAIL PROTECTED]
PEAP: Sending tunneled request
        EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c20949c9809c8a97e6c717a5
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = [EMAIL PROTECTED]
        State = 0xc771177ac78f0d80e7ad35c717d8d32f
        Framed-MTU = 1480
        NAS-IP-Address = 139.184.6.156
        NAS-Identifier = hp-e-falm-g-77-sw1
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 1
        NAS-Port-Type = Ethernet
        NAS-Port-Id = 1
        Called-Station-Id = 001c2ec47180
        Calling-Station-Id = 001b63a3a8dd
        Connect-Info = CONNECT Ethernet 100Mbps Full duplex
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 1
server default-inner {
+- entering group authorize
        expand: %{outer.request:Realm} -> local
        expand: %{outer.request:NAS-Flags} -> 01001011000
        expand: %{outer.request:SS-Flags} -> 00
        expand: %{outer.request:Supplicant-Flags} -> 000100
        expand: %{outer.request:Called-Station-SSID} ->
++[request] returns notfound
++? if (%{User-Name})
        expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating (%{User-Name}) -> TRUE
++? if (%{User-Name}) -> TRUE
++- entering if (%{User-Name})
+++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
        expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++- entering if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
        expand: %{1} -> ac221
[request] returns notfound
        expand: %{3} -> sussex.ac.uk
        expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
[request] returns notfound
+++- if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns notfound
+++ ... skipping else for request 5: Preceding if was taken
++- if (%{User-Name}) returns notfound
rlm_ldap: - authorize
rlm_ldap: Attribute User-Name is required for authorization.
++[ldap] returns noop

Relevant filter line in LDAP is :

filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})

Why is there now a static requirement for the User-Name attribute to be present anyway? Especially when the filter is defined in the config...

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4
Arran Cudbard-Bell wrote:
> Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute

Arg... grab src/main/evaluate.c from CVS.

In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA.

Alan DeKok.
Re: FR 1.1.7 + AD 2003 + LDAP
Hello Everyone,

So in my world we have been able to diagnose that the authentication issue is related to the username case (only difference in Radius) and I have not found anything other than a statement in an old post from Alan about AD being case sensitive with usernames? Is there any information somewhere to help me correct this? Usernames have for as long as I can remember not been case sensitive.

Thanks

Thu May 1 08:34:37 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client localhost port 0)
Thu May 1 08:34:37 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May 1 08:36:24 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client localhost port 0)
Thu May 1 08:36:24 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May 1 08:37:24 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/no User-Password attribute] (from client localhost port 0)
Thu May 1 08:37:24 2008 : Auth: Login incorrect: [brooksk/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May 1 08:41:39 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/no User-Password attribute] (from client localhost port 0)
Thu May 1 08:41:39 2008 : Auth: Login incorrect: [brooksk/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Re: FR 1.1.7 + AD 2003 + LDAP
Just me again,

User has reset their password the usual way however we are still getting fail login. Anyone with an idea or what I can provide to help solve this puzzle?

Thx

Thu May 1 09:07:33 2008 : Auth: Login incorrect: [brebberm/no User-Password attribute] (from client 10.0.1.12 port 60035 cli 00-14-22-5A-D5-CD)
Thu May 1 09:08:43 2008 : Auth: Login incorrect (rlm_mschap: Account locked out (0xc234)): [BrebberM/no User-Password attribute] (from client localhost port 0)
Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute
>
> Arg... grab src/main/evaluate.c from CVS.
>
> In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA.

Yep that worked. 2.041?

> Alan DeKok.

Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
Re: HOWTO PEAP + FreeRadius + XP Client
George KNIGHT wrote:
> Yes, I run all the commands as root. Is this wrong?

No.

> When I run the bootstrap script, again, as root, here is what I get;

sigh. You said it had errors. You need to show what those errors are. Showing that it runs *without* errors doesn't help.

> I will use the default certs for just testing purposes. Once I make this work with the default ones, I will sure go ahead and create new certificates. But at this moment, all I want to see is a working version of PEAP authentication in my test environment.

Follow the instructions. It WILL work.

- uncheck validate server certificate in Windows.
- add username/password to FreeRADIUS as per the FAQ
- start the server
- verify that PEAP works.

That's what I do. It's not complicated. It doesn't require special knowledge or experience. It really *is* that easy.

Alan DeKok.
Re: HOWTO PEAP + FreeRadius + XP Client
Alan,

I feel extremely stupid even though I know I am not. Running the radiusd -X command as root gives me the following error message, as I posted here yesterday;

PS: I'm just posting the last part of the output here. The full output can be seen in my previous email that I sent yesterday.

---
 Module: Instantiating eap
  eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
  gtc {
    challenge = Password:
    auth_type = PAP
  }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    pem_file_type = yes
    private_key_file = /etc/raddb/certs/server.pem
    certificate_file = /etc/raddb/certs/server.pem
    CA_file = /etc/raddb/certs/ca.pem
    private_key_password = whatever
    dh_file = /etc/raddb/certs/dh
    random_file = /etc/raddb/certs/random
    fragment_size = 1024
    include_length = yes
    check_crl = no
    cipher_list = DEFAULT
    make_cert_command = /etc/raddb/certs/bootstrap
  }
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/default[252]: Failed to find module eap.
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
 }
}
Errors initializing modules
comp-010:/home/srn #
---

It says 'permission denied' and you asked me earlier if I was running the command as root, to which the answer is yes. So, how can I overcome this problem?

Thank you
George
Deny AD groups
Hi,

I have a security group in AD 'noremote' that I would like to deny VPN access. Reading the FAQ, I edit users to include

DEFAULT Group == noremote, Auth-Type := Reject
        Reply-Message = Your account is not allowed.

but this doesn't work. I also tried the below, which I based on my previous query to deny AD users (this is working)

DEFAULT Group == noremote, MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
        Reply-Message = Your account is not allowed.

but it still doesn't work. I'm not sure how the group should be used. So I also tested including the domain such as Group==DOMAIN\\noremote, Group==DOMAIN+noremote but still no success.

Thanks in advance!
Roehl
Re: HOWTO PEAP + FreeRadius + XP Client
George KNIGHT wrote:
> Running the radiusd -X command as root gives me the following error message, as I posted here yesterday;

And the permissions on that directory are... ?

> It says 'permission denied' and you asked me earlier if I was running the command as root, to which the answer is yes. So, how can I overcome this problem?

Can you look at the directory as root, from the shell? In this case, the server is just calling OpenSSL... which calls the normal file API. If that returns no permission, OpenSSL is at the mercy of the file system, and FreeRADIUS is at the mercy of OpenSSL.

If worse comes to worst, for testing do:

$ cd /etc/raddb
$ chmod -R ug+rwx .

Alan DeKok.
Re: Deny AD groups
rmp dmd wrote: I have a security group in AD 'noremote' that I would like to deny VPN access. Reading the FAQ, I edit users to include

DEFAULT Group == noremote, Auth-Type := Reject
        Reply-Message = Your account is not allowed.

but this doesn't work.

The Group attribute is for UNIX groups. i.e. /etc/group. If you want to check an LDAP group, use the LDAP-Group attribute. This isn't well documented...

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
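What Alan's answer looks like on disk, as an added example that is not from the thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x, an ldap module that is configured and listed in authorize (the LDAP-Group comparison is registered by rlm_ldap when it is instantiated and does its own searches), an Active Directory where the user entry's memberOf attribute lists the group DNs, and the example server, bind account and base DN shown; every name below is a placeholder. LDAP-Group is a check item like Group, so the users entry keeps Roehl's shape; only the attribute name changes.

```text
# radiusd.conf (2.0.x), ldap { } module section: group lookup settings.
# Server, identity, password, basedn and filter are assumptions for the example.
ldap {
    server = "dc1.example.com"
    identity = "CN=radius,OU=Service Accounts,DC=example,DC=com"
    password = "service-account-password"
    basedn = "DC=example,DC=com"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

    # Attribute of the *user* entry that lists the groups it belongs to (AD: memberOf),
    # and attribute of the *group* entry whose value is compared with LDAP-Group.
    groupmembership_attribute = "memberOf"
    groupname_attribute = "cn"
}

# users: Group == looks in /etc/group; LDAP-Group == is evaluated by rlm_ldap.
DEFAULT LDAP-Group == "noremote", Auth-Type := Reject
        Reply-Message = "Your account is not allowed."
```

Two things to check before concluding it "doesn't work": run radiusd -X and confirm the ldap module is instantiated before the users file is read, and, if the VPN uses PEAP or another EAP tunnel, remember that the inner identity is processed by sites-enabled/inner-tunnel, so the users entry has to be evaluated there as well, not only in the outer default server.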
Re: HOWTO PEAP + FreeRadius + XP Client
Permissions are as follow;

comp-010:/etc/raddb # dir
total 289
-rw-r-----  1 root radiusd   718 2008-02-14 10:35 acct_users
-rw-r-----  1 root radiusd  4187 2008-02-14 10:35 attrs
-rw-r-----  1 root radiusd   516 2008-02-14 10:35 attrs.access_reject
-rw-r-----  1 root radiusd   501 2008-02-14 10:35 attrs.accounting_response
-rw-r-----  1 root radiusd  1969 2008-02-14 10:35 attrs.pre-proxy
drwxr-x---  2 root radiusd   680 2008-04-30 17:48 certs
-rw-r-----  1 root radiusd  6727 2008-04-30 12:06 clients.conf
-rw-r-----  1 root radiusd   929 2008-02-14 10:35 dictionary
-rw-r-----  1 root radiusd 13648 2008-04-30 17:53 eap.conf
-rw-r-----  1 root root    13647 2008-04-25 14:01 eap.conf.orig
-rw-r-----  1 root radiusd  4609 2008-02-14 10:35 example.pl
-rw-r-----  1 root radiusd 14536 2008-02-14 10:35 experimental.conf
-rw-r-----  1 root radiusd  2396 2008-02-14 10:35 hints
-rw-r-----  1 root radiusd  1604 2008-02-14 10:35 huntgroups
-rw-r-----  1 root radiusd  2985 2008-02-14 10:35 ldap.attrmap
-rw-r-----  1 root radiusd  3357 2008-02-14 10:35 otp.conf
-rw-r-----  1 root radiusd  1204 2008-02-14 10:35 policy.conf
-rw-r-----  1 root radiusd  4922 2008-02-14 10:35 policy.txt
-rw-r-----  1 root radiusd  1035 2008-02-14 10:35 preproxy_users
-rw-r-----  1 root radiusd 17889 2008-02-14 10:35 proxy.conf
-rw-r-----  1 root radiusd 60371 2008-04-30 12:18 radiusd.conf
-rw-r-----  1 root root    60371 2008-04-25 13:14 radiusd.conf.orig
drwxr-xr-x  2 root root      120 2008-04-25 10:17 sites-available
drwxr-xr-x  2 root root       72 2008-04-25 10:17 sites-enabled
-rw-r-----  1 root radiusd  1276 2008-02-14 10:35 snmp.conf
drw-r-----  6 root radiusd   152 2008-02-14 10:35 sql
-rw-r-----  1 root radiusd  2533 2008-02-14 10:35 sql.conf
-rw-r-----  1 root radiusd  1988 2008-02-14 10:35 sqlippool.conf
-rw-r-----  1 root radiusd  3503 2008-02-14 10:35 templates.conf
-rw-r-----  1 root radiusd  6603 2008-04-30 15:50 users

comp-010:/etc/raddb # dir ./certs
total 104
-rw-r-----  1 root root     4210 2008-04-25 10:17 01.pem
-rwxr-x---  1 root radiusd   524 2008-02-14 10:35 bootstrap
-rw-r-----  1 root radiusd  1155 2008-02-14 10:35 ca.cnf
-rw-r-----  1 root root     1743 2008-04-25 10:17 ca.key
-rw-r-----  1 root root     1322 2008-04-25 10:17 ca.pem
-rw-r-----  1 root radiusd  1109 2008-02-14 10:35 client.cnf
-rw-r-----  1 root root      245 2008-04-25 10:18 dh
-rw-r-----  1 root root      120 2008-04-25 10:17 index.txt
-rw-r-----  1 root root       21 2008-04-25 10:17 index.txt.attr
-rw-r-----  1 root root        0 2008-04-25 10:17 index.txt.old
-rw-r-----  1 root radiusd  4430 2008-02-14 10:35 Makefile
-rw-r-----  1 root root     5120 2008-04-25 10:18 random
-rw-r-----  1 root radiusd  5343 2008-02-14 10:35 README
-rw-r-----  1 root root        3 2008-04-25 10:17 serial
-rw-r-----  1 root root        3 2008-04-25 10:17 serial.old
-rw-r-----  1 root radiusd  1123 2008-02-14 10:35 server.cnf
-rw-r-----  1 root root     4210 2008-04-25 10:17 server.crt
-rw-r-----  1 root root     1062 2008-04-25 10:17 server.csr
-rw-r-----  1 root root     1743 2008-04-25 10:17 server.key
-rw-r-----  1 root root     2525 2008-04-25 10:17 server.p12
-rw-r-----  1 root root     3495 2008-04-25 10:17 server.pem
-rw-r-----  1 root radiusd   578 2008-02-14 10:35 xpextensions
comp-010:/etc/raddb #

Thank you.
George

On Thu, May 1, 2008 at 12:47 PM, Alan DeKok [EMAIL PROTECTED] wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
No, there is a digest module in default radiusd.conf that should decode the attributes. Post radiusd -X for request with Digest-Attributes. Those attributes you want are not in the request - have you tried $RAD_CHECK.

hi Kalik, I've tried $RAD_CHECK but it doesn't work, I've found a digest module in radiusd.conf but actually don't have any idea how to handle the module. Here is the full output when the radius is run in debugging mode:

[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr 9 2008 at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /usr/local/var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = testing123
	shortname = localhost
	nastype = other
}
client 192.168.1.227 {
	require_message_authenticator = no
	secret = johnson
}
radiusd: Loading Realms and Home Servers
radiusd: Instantiating modules
instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = yes
	input_pairs = request
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
	reply-message = Password Has Expired
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
	reply-message = You are calling outside your allowed timespan
	minimum-timeout = 60
  }
}
radiusd: Loading Virtual Servers
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
	module = /usr/local/etc/raddb/myperltemp.pl
	func_authorize = authorize
	func_authenticate = authenticate
	func_accounting = accounting
	func_preacct = preacct
	func_checksimul = checksimul
	func_detach = detach
	func_xlat = xlat
	func_pre_proxy = pre_proxy
	func_post_proxy = post_proxy
	func_post_auth = post_auth
  }
  perl {
	max_clones = 32
	start_clones = 32
	min_spare_clones = 0
	max_spare_clones = 32
	cleanup_delay = 5
	max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
	huntgroups = /usr/local/etc/raddb/huntgroups
	hints = /usr/local/etc/raddb/hints
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
	format = suffix
	delimiter = @
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
	default_eap_type = md5
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = Password:
	auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange
Re: HOWTO PEAP + FreeRadius + XP Client
OK, I have changed the ownership of the following files from root:root to root:radiusd

server.pem
ca.pem
random
dh

and now radiusd -X is working. The problem arose because of the root:root permissions on the abovementioned files. Will get back to you for either further questions and/or a success message.

Thank you Alan
George Knight

On Thu, May 1, 2008 at 1:06 PM, George KNIGHT [EMAIL PROTECTED] wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
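George's fix was ownership, not mode: the files bootstrap wrote were root:root 0640 while everything the package installed was root:radiusd, which suggests (an inference, not something the thread states) that the server was reading them as the radiusd user after dropping root. Alan's chmod -R ug+rwx would not have helped there, and widening the mode further would expose the private keys. The script below is an added example, not from the thread or the FreeRADIUS project: it lists every file under a certs directory that the server's group cannot read, and fixes them the way George did, chown to the group and keep 0640. It assumes a find that accepts -group and octal -perm (GNU and POSIX do), and that the server's group is radiusd (the group = setting in radiusd.conf); the certs path is the one from the thread.

```shell
#!/bin/sh
# Added example: audit and fix FreeRADIUS cert-file permissions for the
# group the server runs as. Assumes POSIX/GNU find; the group name and
# directory are parameters so the defaults below are only assumptions.

# Print every regular file under $1 that is either not owned by group $2
# or is missing the group-read bit (octal 040). Prints nothing when all
# files are readable by the group.
audit_certs() {
    dir=$1
    grp=$2
    find "$dir" -type f \( ! -group "$grp" -o ! -perm -040 \) | sort
}

# Succeed (exit 0) when audit_certs reports nothing.
certs_ok() {
    [ -z "$(audit_certs "$1" "$2")" ]
}

# Least-privilege repair, as George did it: give the files to the
# server's group and keep them at 0640 so private keys (server.key,
# ca.key) never become world-readable. chown needs root.
fix_certs() {
    dir=$1
    grp=$2
    audit_certs "$dir" "$grp" | while IFS= read -r f; do
        chown root:"$grp" "$f" && chmod 0640 "$f"
    done
}

# Run the audit against the thread's layout when invoked with --run;
# path and group are assumptions for this example.
if [ "${1:-}" = "--run" ]; then
    audit_certs /etc/raddb/certs radiusd
fi
```

Run it as root with --run before starting the server; an empty result means the radiusd group can read everything, a non-empty one is the list to pass to fix_certs. Files that still fail with an empty audit point at a mandatory access control layer (AppArmor, SELinux), which Alan mentions next and which this script does not check.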
Re: HOWTO PEAP + FreeRadius + XP Client
George KNIGHT wrote: Permissions are as follow; .. comp-010:/etc/raddb # dir

Uh... which OS are you using? In any case, this is an OS issue. FreeRADIUS and OpenSSL use the normal OS APIs to access files. If the server gets a permission denied error, it's because the OS is denying permission. So... the OS needs to be fixed. I have no idea how to do that. Maybe you're running some security feature that blocks access to files. e.g. AppArmor, SELinux, etc. Go see your OS documentation for details. i.e. Sorry, this isn't a FreeRADIUS problem.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HOWTO PEAP + FreeRadius + XP Client
Alan, The permission problem has been solved as I mentioned in my earlier email. Now, as a last step, I'm installing the certificates. I created the certificates by following the README file under the /etc/raddb/certs/ folder. Now I have the following certificates;

ca.der  ca.key  ca.pem
client.crt  client.csr  client.key  client.p12  client.pem
server.crt  server.csr  server.key  server.p12  server.pem

I used ca.der and client.p12 to be installed to the Windows XP SP2 client. I followed the instructions at http://freeradius.org/doc/EAPTLS.pdf. But at the end of the installation, where the client certificate installation is tested at page 16, I have a different Windows message; it says "Windows does not have enough information to verify this certificate." I followed all the instructions there without any problem. Am I missing anything? Are those the right certificates that I copied to the Windows machine? Why are there so many certificates created and we are just using 2?

Thank you
George Knight

On Thu, May 1, 2008 at 1:29 PM, Alan DeKok [EMAIL PROTECTED] wrote:
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FR failing
We have two FR servers (running 1.1.15) on Red Hat machines. We are using it to authenticate wireless users against an LDAP directory. Occasionally, one of the FR servers (it happens to each, just not at the same time) stops working. The service remains up, but it's like the conversation between radius and ldap doesn't work for some reason, and radius stops trying altogether afterwards. The log shows:

Thu May 1 14:33:02 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May 1 14:33:02 2008 : Auth: Login incorrect: [rsmall] (from client unbsj111 port 32401 cli 00-1E-C2-C0-8E-36)
Thu May 1 14:33:15 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May 1 14:33:15 2008 : Auth: Login incorrect: [anonymous] (from client hh2380 port 45380 cli 00-12-F0-D3-3C-03)
Thu May 1 14:34:02 2008 : Error: Discarding duplicate request from client hh2380:20001 - ID: 200 due to unfinished request 1428

Any help is greatly appreciated.

Thanks
Matt A [EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'
No, there is a digest module in default radiusd.conf that should decode the attributes. Post radiusd -X for request with Digest-Attributes. Those attributes you want are not in the request - have you tried $RAD_CHECK.

hi Kalik, I've tried $RAD_CHECK but it doesn't work, I've found a digest module in radiusd.conf but actually don't have any idea how to handle the module.

There is nothing to handle. digest {} module will decode information from the Digest-Attributes and produce those attributes you are looking for.

rad_recv: Access-Request packet from host 127.0.0.1 port 32795, id=73, length=59
	User-Name = johnson
	User-Password = johnson
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0

Do you see Digest-Attributes in this request? I don't.

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Recommendations for managing user password
Thank you all for responding to my first post in getting FreeRadius set up and working on a Solaris 10 box. I am working on creating the (non-privileged) user environment that will run the server. I have successfully set up a working Radius server to work with a FirePass VPN appliance. FirePass uses PAP for authentication; however, I have authenticated using both Local and PAP.

charlie  Auth-Type := Local, User-Password == "hello"
         Reply-Message = "Hello, %u"

charles  Auth-Type := PAP, User-Password == "hello"
         Reply-Message = "Hello, %u"

This works like this:
-- FirePass appliance has a SSL login page.
-- User enters credentials - validates against FreeRadius
-- User is shown a static page on the FirePass Server with a Static Link.

I will have about 75 users and need to set up password aging. Using system (non-shell) accounts with IDs in /etc/password could be an option. I did read the Expired thread and I can write a script to update that field if necessary.

My Goal
--- let the user know their password has expired
--- let them change it themselves.
--- age the password for 90 days
--- I really don't want a MySQL database (I don't know MySQL but could learn if I have to)

I am hoping someone can point me in the right direction.

Charles
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4
Arran Cudbard-Bell wrote: Alan DeKok wrote: Arran Cudbard-Bell wrote: Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP module fails lookups because it claims it can't find the User-Name attribute

Arg... grab src/main/evaluate.c from CVS. In short, a pointer to the user name is cached in a data structure. Keeping it up to date is a PITA.

Yep that worked. 2.041? Erg now it's not working in the outer tunnel with LDAP...

Thanks,
Arran

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran