Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread Alan DeKok
George KNIGHT wrote:
 A person like you who is dealing with freeradius on a daily basis may
 have a tendency of thinking that using/installing/troubleshooting
 freeradius is very easy.

  The goal is to *make* it that easy.  A large number of problems on the
list are because people think it's complicated, and start changing large
amounts of the default config.

 Based on the feedback I got from people, everyone seems to agree that
 it provided them simple and easy-to-follow steps for the installation.
 I felt happy that I helped other people the way that I was helped all
 the time through different forums on the internet.

  Based on the feedback I've seen, I've edited/updated the software
itself to be easier to use.  I don't like reading howto's, because
many are out of date, and many others are simply wrong.  I would
*prefer* that people shipped software that worked, and was easy to use.

 When I started implementing FreeRadius, I thought I would find some
 documentation to start with. But unfortunately, after spending days, I
 couldn't find such a document. The more I read, the more I was surprised
 that I couldn't figure this out. I know that it shouldn't be that
 difficult, but here I am still struggling to make this work.

  The 5-6 line instructions I gave are all that's needed.

 I installed FreeRadius 2.0.2 with the Yast tool on SuSE SLES. It
 installed OK. And then I made changes to the eap.conf and radiusd.conf
 files to start my test. I ran radiusd -X and here is what I got:

  Why change eap.conf and radiusd.conf?

 # radiusd -X
...
 rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied

  That should be a pretty simple problem to fix.  It's file permissions...

  Are you starting the server as root?

 And the other thing is that the bootstrap command couldn't finish creating
 certificates.

  Why not?  What's the error message?  Is it secret?

  Did you run the bootstrap script as root?

 How may I solve this problem? And if I finish creating
 certs successfully, which certificates should I install on the XP SP2
 client, and where?

  To be honest, you *shouldn't* install the default certificates.
They're only for testing.

  For testing, un-check the validate server certificate in XP.

  For real certificates, edit the conf files as described in the
raddb/certs/ documentation, and re-build the certs.  Then, install the
CA cert, as described in the EAP-TLS howto... with pictures.

 You suggested reading the file
 at http://freeradius.org/doc/EAPTLS.pdf but believe me it didn't help
 me. And it also gives information for TLS implementation. Nothing for PEAP.

  PEAP *is* EAP-TLS.  It's a variation of EAP-TLS, and all of the
certificate requirements for EAP-TLS apply to PEAP, too.

  If you have any ideas for what documentation needs to be updated,
please submit suggested text.  We can include it in the next release.

  But my experience (unfortunately) is that the people who have the most
problems are reading third-party howtos that are *wrong*, and are
ignoring the server documentation that is *right*.  That's a problem I
can't fix.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Weird shared secret issues

2008-05-01 Thread Liran Tal
Hey Tuc,

This might happen because of interface changes.
Also add a record to the nas table for the 127.0.0.1 IP address (or the
other IP address you have configured on your ethernet interface).
And I'm also assuming you have configured the nas table in sql.conf.


Regards,
Liran Tal.

On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:

 Hi,

Running FreeRadius 2.0.3 built from source on Centos 5.1 with
 a Mysql 5.0.45 back end.

We've been doing testing on our setup for MONTHS (first FR1,
 now FR2) and it's been flawless. Today we went to put our first unit into
 production and are having issues.

We are reading NAS from SQL. The entry is :

 (3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First
 Install')

From the user table I have :

 (1, 'tuc','User-Password',':=','PLAINTEXT')

And when I run :

 #!/bin/sh
 (echo 'User-Name = tuc'
 echo 'User-Password = PLAINTEXT'
 echo 'NAS-IP-Address = 192.168.25.13'
 echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f

I get :

 [EMAIL PROTECTED] ~]# sh TESTRAD
User-Name = tuc
User-Password = PLAINTEXT
NAS-IP-Address = 192.168.25.13
NAS-Port = 0
 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
 with invalid signature (err=2)!  (Shared secret is incorrect.)

and in radius.log I see :

 Wed Apr 30 16:38:43 2008 : Auth: Login incorrect:
 [tuc/eY\261ã¡(c)\226`\305\020y\366/Â?\333] (from client localhost port 0)



HELP... I can't see what I'm doing wrong.

Thanks, Tuc



Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread johnson elangbam
 hi,
   I am using FreeRADIUS 2.0.3. I have configured my AAA through rlm_perl. I
need to do the authorization using the following attributes.

Digest-Realm
Digest-Method
Digest-Uri
Digest-Nonce
Digest-Nonce
Digest-Response

Unfortunately I did not get any value from these attributes when I called
them using $RAD_REQUEST. Please tell me any idea how to get these values.

Here is the piece of output when the radius is run in debugging mode:

[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr  9 2008 at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 192.168.1.227 {
require_message_authenticator = no
secret = johnson
 }
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
module = /usr/local/etc/raddb/myperltemp.pl
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
  }
  perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no

Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread Ivan Kalik
 hi,
   I am using FreeRADIUS 2.0.3. I have configured my AAA through rlm_perl. I
need to do the authorization using the following attributes.

Digest-Realm
Digest-Method
Digest-Uri
Digest-Nonce
Digest-Nonce
Digest-Response

Unfortunately I did not get any value from these attributes when I called
them using $RAD_REQUEST. Please tell me any idea how to get these values.

..
rad_recv: Access-Request packet from host 127.0.0.1 port 32795, id=73,
length=59
User-Name = johnson
User-Password = johnson
NAS-IP-Address = 127.0.0.1
NAS-Port = 0

That's a PAP request. Send a request with Digest-Attributes and you will
get digest attributes.

Ivan Kalik
Kalik Informatika ISP



Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread johnson elangbam
 That's a pap request. Send a request with Digest-Attributes and you will
get digest attributes.

hi,
As advised by Ivan Kalik, I've tried sending the request with
Digest-Attributes; unfortunately I didn't get any values from these
attributes:
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response'.

Here is the piece of Perl code that I have used to access the values:

$dUserName = $RAD_REQUEST{'Digest-User-Name'};
$dRealm    = $RAD_REQUEST{'Digest-Realm'};
$dMethod   = $RAD_REQUEST{'Digest-Method'};
$dUri      = $RAD_REQUEST{'Digest-URI'};
$dNonce    = $RAD_REQUEST{'Digest-Nonce'};
$dResponse = $RAD_REQUEST{'Digest-Response'};

I've used the md5 algorithm in my Perl script; is there anything to be done in
eap.conf or in radius.conf?

Regards,
Elangbam Johnson

Re: Weird shared secret issues

2008-05-01 Thread Tuc at T-B-O-H.NET
Hi,

I have a record for 127.0.0.1, and for the IP of the machine
itself (fixed dedicated IP).

The end result is that I found that no matter what IP I
used to pass in the NAS-IP-Address, it used the machine's IP to match
the secret. The problem I had is we placed the device out in the field,
and I wanted to verify the tech used the right secret. I was hoping to
be able to tell radclient to pretend it was another IP, and therefore
search for that IP's secret to try. Unfortunately, it doesn't seem like
it has that capability. I don't understand what use then is the ability
to change the NAS-IP-Address if it still only cares about the secret
for the local machine.

Thanks, Tuc
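The behaviour Tuc describes follows from RADIUS itself: the server looks up the shared secret by the source address of the UDP packet (here 127.0.0.1), never by the NAS-IP-Address attribute carried inside it. The Python below is an added example, not code from this thread or from FreeRADIUS; it implements RFC 2865 User-Password hiding and the Response Authenticator on constructed packets and reproduces both symptoms from the logs above, taking KhLcPALLdzTcJs3f from the SQL nas row and assuming testing123 as the secret of the localhost entry.

```python
"""RFC 2865 User-Password hiding and Response Authenticator, used to show why
radclient talking to 127.0.0.1 with the secret of 192.168.25.13 produces both
the junk password in radius.log and the "invalid signature" on the reject."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _chain(data, secret, req_auth, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    block); the first "previous block" is the Request Authenticator.  On
    encrypt the chain feeds the ciphertext just produced, on decrypt the
    ciphertext just read, so a wrong secret corrupts every block."""
    out = b""
    prev = req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out


def encrypt_user_password(password, secret, req_auth):
    """Pad with NULs to a multiple of 16 bytes (at least one block), then chain."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _chain(padded, secret, req_auth, decrypt=False)


def decrypt_user_password(cipher, secret, req_auth):
    """Server side of User-Password: unchain, then drop the NUL padding.  With
    the wrong secret this is the "[tuc/eY\\261...]" junk seen in radius.log."""
    return _chain(cipher, secret, req_auth, decrypt=True).rstrip(b"\x00")


def attr(kind, value):
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def verify_response(packet, req_auth, secret):
    """radclient's rad_verify step: recompute the Response Authenticator with the
    secret the client was given and compare it with the one in the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, req_auth, packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def exchange(client_secret, server_secret, req_auth=b"\x10" * 16):
    """One Access-Request / reply round trip.  server_secret is whatever the
    server has on file for the packet's *source* address (the localhost entry
    when radclient runs on the server box); the NAS-IP-Address attribute
    carried inside the packet plays no part in that choice.  req_auth is a
    constructed constant for reproducibility; real clients use random bytes."""
    password = b"PLAINTEXT"
    request_attrs = (attr(ATTR_USER_NAME, b"tuc")
                     + attr(ATTR_USER_PASSWORD,
                            encrypt_user_password(password, client_secret, req_auth))
                     + attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 25, 13])))
    request = build_packet(ACCESS_REQUEST, 42, req_auth, request_attrs)

    # Server side: walk the TLVs and decrypt User-Password with *its* secret.
    seen_password = None
    pos = 20
    while pos < len(request):
        kind, length = request[pos], request[pos + 1]
        if kind == ATTR_USER_PASSWORD:
            seen_password = decrypt_user_password(request[pos + 2:pos + length],
                                                  server_secret, req_auth)
        pos += length

    # Compare with the users-table entry (User-Password := PLAINTEXT); on a
    # mismatch the server sends Access-Reject, signed with *its* secret.
    code = ACCESS_ACCEPT if seen_password == password else ACCESS_REJECT
    reply = build_packet(code, 42,
                         response_authenticator(code, 42, req_auth, b"", server_secret),
                         b"")
    return {
        "server_saw_password": seen_password,
        "reply_code": code,
        "client_verified_reply": verify_response(reply, req_auth, client_secret),
    }


if __name__ == "__main__":
    # KhLcPALLdzTcJs3f is the SQL nas row for 192.168.25.13 in the thread;
    # testing123 stands in for the localhost entry's secret (an assumption).
    print(exchange(b"KhLcPALLdzTcJs3f", b"KhLcPALLdzTcJs3f"))
    print(exchange(b"KhLcPALLdzTcJs3f", b"testing123"))
```

The second call shows the failure mode: the server decrypts junk and rejects, and the client cannot verify that reject because it was signed with a secret the client does not hold.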
 

Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread Ivan Kalik
As advised by Ivan Kalik, I've tried sending the request with
Digest-Attributes; unfortunately I didn't get any values from these
attributes:
'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri',
'Digest-Nonce', 'Digest-Response'.

Here is the piece of Perl code that I have used to access the values:

$dUserName = $RAD_REQUEST{'Digest-User-Name'};
$dRealm    = $RAD_REQUEST{'Digest-Realm'};
$dMethod   = $RAD_REQUEST{'Digest-Method'};
$dUri      = $RAD_REQUEST{'Digest-URI'};
$dNonce    = $RAD_REQUEST{'Digest-Nonce'};
$dResponse = $RAD_REQUEST{'Digest-Response'};

I've used the md5 algorithm in my Perl script; is there anything to be done in
eap.conf or in radius.conf?


No, there is a digest module in the default radiusd.conf that should decode
the attributes. Post radiusd -X for a request with Digest-Attributes.
Those attributes you want are not in the request - have you tried
$RAD_CHECK?



Re: Deny Users AD on Freeradius + WirelessVPN

2008-05-01 Thread rmp dmd
Thanks for the lead, Ivan. I was able to make it work by changing radiusd.conf.

I added the module
files {
 usersfile = ${confdir}/users
 acctusersfile = ${confdir}/acct_users
 preproxy_usersfile = ${confdir}/preproxy_users

 compat = no
}
and in authorize {

  files
}


Thanks also Nicolas.


2008/4/30 Ivan Kalik [EMAIL PROTECTED]:

 I am afraid your radiusd.conf is seriously butchered. The files module and
 quite a few others are missing. It should be before detail but you have
 deleted it.

 Ivan Kalik
 Kalik Informatika ISP


 On 30/4/2008, rmp dmd [EMAIL PROTECTED] wrote:

 Hi,
 
 I checked around and saw this:
 
 The *MS-CHAP-Use-NTLM-Auth := 0* will tell freeradius that aduser1 will
 not be preprocessed by the ntlm_auth auxiliary program, that is, it will
 not request the key to compare credentials against the Active Directory;
 instead, it will compare against the users file of the freeradius
 configuration directory.
 
 I also read that it is important to verify that this line is in
 radiusd.conf:
 
 authorize {
 
 files
 
 }
 
 It was not in my radiusd.conf so I added it and restarted radiusd, but now
 it has errors:
 
 Wed Apr 30 15:15:52 2008 : Info: rlm_eap_tls: Loading the certificate file as a chain
 Wed Apr 30 15:15:52 2008 : Error: ERROR: Cannot find a configuration entry for module files.
 Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[111] Unknown module files.
 Wed Apr 30 15:15:52 2008 : Error: radiusd.conf[108] Failed to parse authorize section.
 
 Is there something else that should be configured?
 
 Here's the complete radiusd.conf
 
 ##
 ## radiusd.conf -- FreeRADIUS server configuration file.
 ##
 
 prefix = /usr
 exec_prefix = ${prefix}
 sysconfdir = /etc
 localstatedir = /var
 sbindir = ${exec_prefix}/sbin
 logdir = ${localstatedir}/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct
 confdir = ${raddbdir}
 run_dir = ${localstatedir}/run/radiusd
 log_file = ${logdir}/radius.log
 libdir = /usr/lib/freeradius
 pidfile = ${run_dir}/radiusd.pid
 user = radiusd
 group = radiusd
 max_request_time = 30
 delete_blocked_requests = no
 cleanup_delay = 5
 max_requests = 1024
 bind_address = *
 port = 0
 hostname_lookups = no
 allow_core_dumps = no
 regular_expressions = yes
 extended_expressions= yes
 log_stripped_names = no
 log_auth = yes
 log_auth_badpass = no
 log_auth_goodpass = no
 usercollide = no
 lower_user = no
 lower_pass = no
 nospace_user = no
 nospace_pass = no
 checkrad = ${sbindir}/checkrad
 
 
 security {
 max_attributes = 200
 reject_delay = 1
 status_server = no
 }
 
 proxy_requests  = yes
 $INCLUDE  ${confdir}/proxy.conf
 
 #  Client configuration is defined in clients.conf.
 $INCLUDE  ${confdir}/clients.conf
 
 #  To enable SNMP querying of the server, set the value of the
 #  'snmp' attribute to 'yes'
 snmp= no
 $INCLUDE  ${confdir}/snmp.conf
 
 thread pool {
 start_servers = 5
 max_servers = 32
 min_spare_servers = 3
 max_spare_servers = 10
 max_requests_per_server = 0
 }
 
 modules {
 detail {
 detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
 detailperm = 0600
 }
 
 mschap {
 authtype = MS-CHAP
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 }
 
 eap {
 default_eap_type = ttls
   timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 
 tls {
 private_key_file = ${raddbdir}/certs/ttls-server-echowlan.key
 certificate_file = ${raddbdir}/certs/ttls-server-echowlan.crt
 CA_file = ${raddbdir}/certs/ca.crt
 dh_file = ${raddbdir}/certs/dh2048.pem
 random_file = /dev/urandom
 }
 
 ttls {
 default_eap_type = mschapv2
 copy_request_to_tunnel = no
 use_tunneled_reply = no
 }
 peap {
 default_eap_type = mschapv2
 }
 mschapv2 {
 }
 }
 }
 
 authorize {
 mschap
 eap
 }
 
 authenticate {
 Auth-Type MS-CHAP {
 mschap
 }
 eap
 }
 
 accounting {
 detail
 }
 
 post-auth {
 }
 
 
 
 
 
 
 Here's the
 On Wed, Apr 30, 2008 at 12:52 PM, rmp dmd [EMAIL PROTECTED] wrote:
 
  Thanks.
 
  I put it on users
 aduser1  MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := 

LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

2008-05-01 Thread Arran Cudbard-Bell

Hi,

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP 
module fails lookups because it claims it can't find the User-Name 
attribute


 PEAP: Got tunneled EAP-Message
   EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c20949c9809c8a97e6c717a5

 PEAP: Setting User-Name to [EMAIL PROTECTED]
 PEAP: Sending tunneled request
   EAP-Message = 0x02fe004d1a02fe004831623806335a6bfd5678650649fdd76c20949c9809c8a97e6c717a5

   FreeRADIUS-Proxied-To = 127.0.0.1
   User-Name = [EMAIL PROTECTED]
   State = 0xc771177ac78f0d80e7ad35c717d8d32f
   Framed-MTU = 1480
   NAS-IP-Address = 139.184.6.156
   NAS-Identifier = hp-e-falm-g-77-sw1
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 1
   NAS-Port-Type = Ethernet
   NAS-Port-Id = 1
   Called-Station-Id = 001c2ec47180
   Calling-Station-Id = 001b63a3a8dd
   Connect-Info = CONNECT Ethernet 100Mbps Full duplex
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = 1
server default-inner {
+- entering group authorize
   expand: %{outer.request:Realm} -> local
   expand: %{outer.request:NAS-Flags} -> 01001011000
   expand: %{outer.request:SS-Flags} -> 00
   expand: %{outer.request:Supplicant-Flags} -> 000100
   expand: %{outer.request:Called-Station-SSID} -> 
++[request] returns notfound
++? if (%{User-Name})
   expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating (%{User-Name}) -> TRUE
++? if (%{User-Name}) -> TRUE
++- entering if (%{User-Name})
+++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
   expand: %{User-Name} -> [EMAIL PROTECTED]
? Evaluating (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++? if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
+++- entering if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
   expand: %{1} -> ac221
[request] returns notfound
   expand: %{3} -> sussex.ac.uk
   expand: %{%{3}:-sussex.ac.uk} -> sussex.ac.uk
[request] returns notfound
+++- if (%{User-Name} =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns notfound
+++ ... skipping else for request 5: Preceding if was taken
++- if (%{User-Name}) returns notfound
rlm_ldap: - authorize
rlm_ldap: Attribute User-Name is required for authorization.
++[ldap] returns noop

Relevant filter line in LDAP is :

filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})

Why is there now a static requirement for the User-Name attribute to be present 
anyway? Especially when the filter is defined in the config...
--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

2008-05-01 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP
 module fails lookups because it claims it can't find the User-Name
 attribute

  Arg... grab src/main/evaluate.c from CVS.

  In short, a pointer to the user name is cached in a data structure.
Keeping it up to date is a PITA.

  Alan DeKok.


Re: FR 1.1.7 + AD 2003 + LDAP

2008-05-01 Thread Charlie B
Hello Everyone,

So in my world we have been able to diagnose that the authentication issue
is related to the username case (only difference in Radius) and I have not
found anything other than a statement in an old post from Alan about AD
being case sensitive with usernames?  Is there any information somewhere to
help me correct this?  Usernames have for as long as I can remember not been
case sensitive.

Thanks

Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client localhost port 0)
Thu May  1 08:34:37 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:36:24 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client localhost port 0)
Thu May  1 08:36:24 2008 : Auth: Login OK: [BrooksK/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:37:24 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/no User-Password attribute] (from client localhost port 0)
Thu May  1 08:37:24 2008 : Auth: Login incorrect: [brooksk/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)
Thu May  1 08:41:39 2008 : Auth: Login incorrect (rlm_mschap: Logon failure (0xc06d)): [brooksk/no User-Password attribute] (from client localhost port 0)
Thu May  1 08:41:39 2008 : Auth: Login incorrect: [brooksk/no User-Password attribute] (from client 10.0.1.11 port 60005 cli 00-0E-7B-B5-30-6F)

Re: FR 1.1.7 + AD 2003 + LDAP

2008-05-01 Thread Charlie B
Just me again,

The user has reset their password the usual way; however, we are still getting
login failures. Anyone with an idea, or what I can provide to help solve this
puzzle? Thx

Thu May  1 09:07:33 2008 : Auth: Login incorrect: [brebberm/no User-Password attribute] (from client 10.0.1.12 port 60035 cli 00-14-22-5A-D5-CD)
Thu May  1 09:08:43 2008 : Auth: Login incorrect (rlm_mschap: Account locked out (0xc234)): [BrebberM/no User-Password attribute] (from client localhost port 0)

Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

2008-05-01 Thread Arran Cudbard-Bell

Alan DeKok wrote:

Arran Cudbard-Bell wrote:
  

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP
module fails lookups because it claims it can't find the User-Name
attribute



  Arg... grab src/main/evaluate.c from CVS.

  In short, a pointer to the user name is cached in a data structure.
Keeping it up to date is a PITA.

  

Yep that worked. 2.041?

  Alan DeKok.

Arran

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread Alan DeKok
George KNIGHT wrote:
 Yes, I run all the commands as a root.  Is this wrong?

  No.

 When I run the bootstrap script, again, as a root,  here is what I get;

  sigh  You said it had errors.  You need to show what those errors
are.  Showing that it runs *without* errors doesn't help.

 I will use the default certs for just testing purposes. Once I make this
 work with the default ones, I will surely go ahead and create new
 certificates. But at this moment, all I want is to see a working version
 of PEAP authentication in my test environment.

  Follow the instructions.  It WILL work.

 - uncheck validate server certificate in Windows.
 - add username/password to FreeRADIUS as per the FAQ
 - start the server
 - verify that PEAP works.

  That's what I do.  It's not complicated.  It doesn't require special
knowledge or experience.  It really *is* that easy.

  Alan DeKok.


Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread George KNIGHT
Alan,
I feel extremely stupid even though I know I am not.

Running the radiusd -X command as root gives me the following error message, as
I posted here yesterday.
PS: I'm just posting the last part of the output here. The full output can be
seen in my previous email that I sent yesterday.

---

Module: Instantiating eap
  eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/raddb/certs/server.pem
certificate_file = /etc/raddb/certs/server.pem
CA_file = /etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /etc/raddb/certs/bootstrap
   }
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file /etc/raddb/certs/server.pem
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/default[252]: Failed to find module eap.
/etc/raddb/sites-enabled/default[199]: Errors parsing authenticate section.
 }
}
Errors initializing modules
comp-010:/home/srn #

-

It says 'permission denied' and you asked me earlier if I was running the
command as root, to which the answer is yes. So, how can I overcome this
problem?

Thank you
George

On Thu, May 1, 2008 at 11:50 AM, Alan DeKok [EMAIL PROTECTED]
wrote:

 George KNIGHT wrote:
  Yes, I run all the commands as a root.  Is this wrong?

   No.

  When I run the bootstrap script, again, as a root,  here is what I get;

   sigh  You said it had errors.  You need to show what those errors
 are.  Showing that it runs *without* errors doesn't help.

  I will use the default certs for just testing purposes. Once I make this
  work with the default ones, I will surely go ahead and create new
  certificates. But at this moment, all I want to see is a working version
  of PEAP authentication in my test environment.

   Follow the instructions.  It WILL work.

  - uncheck validate server certificate in Windows.
  - add username/password to FreeRADIUS as per the FAQ
  - start the server
  - verify that PEAP works.

  That's what I do.  It's not complicated.  It doesn't require special
 knowledge or experience.  It really *is* that easy.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Deny AD groups

2008-05-01 Thread rmp dmd
Hi,

I have a security group in AD 'noremote' that I would like to deny VPN
access.

Reading the FAQ, I edited users to include

DEFAULT Group == noremote, Auth-Type := Reject
        Reply-Message = "Your account is not allowed."

but this doesn't work.

I also tried the following, which I based on my previous query to deny AD
users (this is working):

DEFAULT Group == noremote, MS-CHAP-Use-NTLM-Auth := 0, Auth-Type := Reject
        Reply-Message = "Your account is not allowed."

but it still doesn't work.

I'm not sure how the group should be used, so I also tested including the
domain, such as Group == DOMAIN\\noremote and Group == DOMAIN+noremote, but
still no success.

Thanks in advance!
Roehl

Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread Alan DeKok
George KNIGHT wrote:
 Running the radiusd -X command as root gives me the following error
 message, as I posted here yesterday;

  And the permissions on that directory are... ?

 It says 'permission denied', and you asked me earlier if I was running
 the command as root, to which the answer is yes. So, how can I overcome
 this problem?

  Can you look at the directory as root, from the shell?

  In this case, the server is just calling OpenSSL... which calls the
normal file API.  If that returns no permission, OpenSSL is at the
mercy of the file system, and FreeRADIUS is at the mercy of OpenSSL.

  If worse comes to worse, for testing do:

$ cd /etc/raddb
$ chmod -R ug+rwx .

  Alan DeKok.


Re: Deny AD groups

2008-05-01 Thread Alan DeKok
rmp dmd wrote:
 I have a security group in AD 'noremote' that I would like to deny VPN
 access. 
  
 Reading the FAQ, I edit users to include
  
 DEFAULT Group == noremote, Auth-Type := Reject
         Reply-Message = "Your account is not allowed."
 but this doesn't work.

  The Group attribute is for UNIX groups.  i.e. /etc/group.

  If you want to check an LDAP group, use the LDAP-Group attribute.
This isn't well documented...

  Alan DeKok.


Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread George KNIGHT
Permissions are as follows:

comp-010:/etc/raddb # dir
total 289
-rw-r----- 1 root radiusd   718 2008-02-14 10:35 acct_users
-rw-r----- 1 root radiusd  4187 2008-02-14 10:35 attrs
-rw-r----- 1 root radiusd   516 2008-02-14 10:35 attrs.access_reject
-rw-r----- 1 root radiusd   501 2008-02-14 10:35 attrs.accounting_response
-rw-r----- 1 root radiusd  1969 2008-02-14 10:35 attrs.pre-proxy
drwxr-x--- 2 root radiusd   680 2008-04-30 17:48 certs
-rw-r----- 1 root radiusd  6727 2008-04-30 12:06 clients.conf
-rw-r----- 1 root radiusd   929 2008-02-14 10:35 dictionary
-rw-r----- 1 root radiusd 13648 2008-04-30 17:53 eap.conf
-rw-r----- 1 root root    13647 2008-04-25 14:01 eap.conf.orig
-rw-r----- 1 root radiusd  4609 2008-02-14 10:35 example.pl
-rw-r----- 1 root radiusd 14536 2008-02-14 10:35 experimental.conf
-rw-r----- 1 root radiusd  2396 2008-02-14 10:35 hints
-rw-r----- 1 root radiusd  1604 2008-02-14 10:35 huntgroups
-rw-r----- 1 root radiusd  2985 2008-02-14 10:35 ldap.attrmap
-rw-r----- 1 root radiusd  3357 2008-02-14 10:35 otp.conf
-rw-r----- 1 root radiusd  1204 2008-02-14 10:35 policy.conf
-rw-r----- 1 root radiusd  4922 2008-02-14 10:35 policy.txt
-rw-r----- 1 root radiusd  1035 2008-02-14 10:35 preproxy_users
-rw-r----- 1 root radiusd 17889 2008-02-14 10:35 proxy.conf
-rw-r----- 1 root radiusd 60371 2008-04-30 12:18 radiusd.conf
-rw-r----- 1 root root    60371 2008-04-25 13:14 radiusd.conf.orig
drwxr-xr-x 2 root root      120 2008-04-25 10:17 sites-available
drwxr-xr-x 2 root root       72 2008-04-25 10:17 sites-enabled
-rw-r----- 1 root radiusd  1276 2008-02-14 10:35 snmp.conf
drw-r----- 6 root radiusd   152 2008-02-14 10:35 sql
-rw-r----- 1 root radiusd  2533 2008-02-14 10:35 sql.conf
-rw-r----- 1 root radiusd  1988 2008-02-14 10:35 sqlippool.conf
-rw-r----- 1 root radiusd  3503 2008-02-14 10:35 templates.conf
-rw-r----- 1 root radiusd  6603 2008-04-30 15:50 users
comp-010:/etc/raddb # dir ./certs
total 104
-rw-r----- 1 root root    4210 2008-04-25 10:17 01.pem
-rwxr-x--- 1 root radiusd  524 2008-02-14 10:35 bootstrap
-rw-r----- 1 root radiusd 1155 2008-02-14 10:35 ca.cnf
-rw-r----- 1 root root    1743 2008-04-25 10:17 ca.key
-rw-r----- 1 root root    1322 2008-04-25 10:17 ca.pem
-rw-r----- 1 root radiusd 1109 2008-02-14 10:35 client.cnf
-rw-r----- 1 root root     245 2008-04-25 10:18 dh
-rw-r----- 1 root root     120 2008-04-25 10:17 index.txt
-rw-r----- 1 root root      21 2008-04-25 10:17 index.txt.attr
-rw-r----- 1 root root       0 2008-04-25 10:17 index.txt.old
-rw-r----- 1 root radiusd 4430 2008-02-14 10:35 Makefile
-rw-r----- 1 root root    5120 2008-04-25 10:18 random
-rw-r----- 1 root radiusd 5343 2008-02-14 10:35 README
-rw-r----- 1 root root       3 2008-04-25 10:17 serial
-rw-r----- 1 root root       3 2008-04-25 10:17 serial.old
-rw-r----- 1 root radiusd 1123 2008-02-14 10:35 server.cnf
-rw-r----- 1 root root    4210 2008-04-25 10:17 server.crt
-rw-r----- 1 root root    1062 2008-04-25 10:17 server.csr
-rw-r----- 1 root root    1743 2008-04-25 10:17 server.key
-rw-r----- 1 root root    2525 2008-04-25 10:17 server.p12
-rw-r----- 1 root root    3495 2008-04-25 10:17 server.pem
-rw-r----- 1 root radiusd  578 2008-02-14 10:35 xpextensions
comp-010:/etc/raddb #

Thank you.
George

Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread johnson elangbam
No, there is a digest module in default radiusd.conf that should decode
the attributes. Post radiusd -X for request with Digest-Attributes.
Those attributes you want are not in the request - have you tried
$RAD_CHECK.


hi Kalik,
  I've tried $RAD_CHECK but it doesn't work. I've found a digest
module in radiusd.conf but actually I don't have any idea how to handle the
module.

Here is the full output when the radius is run in debugging mode:

[EMAIL PROTECTED] raddb]# radiusd -X
FreeRADIUS Version 2.0.3, for host i686-pc-linux-gnu, built on Apr  9 2008
at 21:42:16
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/clients.conf
including configuration file /usr/local/etc/raddb/snmp.conf
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = /usr/local
localstatedir = /usr/local/var
logdir = /usr/local/var/log/radius
libdir = /usr/local/lib
radacctdir = /usr/local/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /usr/local/var/run/radiusd/radiusd.pid
checkrad = /usr/local/sbin/checkrad
debug_level = 0
proxy_requests = yes
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
 client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = testing123
shortname = localhost
nastype = other
 }
 client 192.168.1.227 {
require_message_authenticator = no
secret = johnson
 }
radiusd:  Loading Realms and Home Servers 
radiusd:  Instantiating modules 
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
wait = yes
input_pairs = request
shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
reply-message = Password Has Expired  
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
reply-message = You are calling outside your allowed timespan  
minimum-timeout = 60
  }
 }
radiusd:  Loading Virtual Servers 
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_perl
 Module: Instantiating perl
  perl {
module = /usr/local/etc/raddb/myperltemp.pl
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
  }
  perl {
max_clones = 32
start_clones = 32
min_spare_clones = 0
max_spare_clones = 32
cleanup_delay = 5
max_request_per_clone = 0
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
huntgroups = /usr/local/etc/raddb/huntgroups
hints = /usr/local/etc/raddb/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null = no
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange 

Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread George KNIGHT
OK, I have changed the ownership of the following files from root:root to
root:radiusd:
server.pem
ca.pem
random
dh

and now radiusd -X is working.

The problem arose because of the root:root ownership of the above-mentioned
files.


Will get back to you with either further questions or a success message.

Thank you Alan

George Knight
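What the thread shows is that starting radiusd as root is not enough: the server has switched to the user/group from radiusd.conf by the time OpenSSL opens the certificates, so root:root files with mode 0640 fail with "Permission denied" and a chgrp to radiusd fixes them, while the blanket "chmod -R ug+rwx" suggested earlier would also leave the private key more exposed than it needs to be. The audit below is an added example, not code from the thread or from FreeRADIUS: it reproduces the owner/group/other decision from stat(1) output for the files named in a tls {} section, so both problems show up as findings before radiusd -X is run. It assumes GNU stat(1) and that the service account and its primary group are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the list thread or the FreeRADIUS project):
# audit the files a FreeRADIUS tls {} section points at.  The owner/group/
# mode bits from stat(1) are evaluated the way the file system will for the
# service account, so no switch to that account is needed.
# Assumptions: GNU stat -c; the service account and its primary group are
# given by the caller; supplementary group membership is not consulted.

# Print the three permission digits of FILE, e.g. "640" (a leading
# setgid/sticky digit and short forms such as "44" are normalised away).
perm_digits() {
    pd=$(printf '%03d' "$(stat -c '%a' "$1")") || return 1
    printf '%s\n' "${pd#"${pd%???}"}"
}

# Exit 0 when permission digit $1 has the read bit (4) set.
has_read() { [ $(( $1 & 4 )) -ne 0 ]; }

# Print "yes" if account USER (primary group GROUP) can open FILE for
# reading, "no" otherwise: owner bits if USER owns it, else group bits if
# GROUP matches, else other bits.  This is what OpenSSL's fopen() hits.
can_read() {
    cr_file=$1; cr_user=$2; cr_group=$3
    cr_owner=$(stat -c '%U' "$cr_file") || return 1
    cr_grp=$(stat -c '%G' "$cr_file") || return 1
    cr_perm=$(perm_digits "$cr_file") || return 1
    if [ "$cr_user" = "$cr_owner" ]; then
        cr_digit=${cr_perm%??}                          # owner digit
    elif [ "$cr_group" = "$cr_grp" ]; then
        cr_digit=${cr_perm#?}; cr_digit=${cr_digit%?}   # group digit
    else
        cr_digit=${cr_perm#??}                          # other digit
    fi
    if has_read "$cr_digit"; then echo yes; else echo no; fi
}

# Print "yes" if any account on the box can read FILE (other read bit).
world_readable() {
    wr_perm=$(perm_digits "$1") || return 1
    if has_read "${wr_perm#??}"; then echo yes; else echo no; fi
}

# audit_tls_files USER GROUP PRIVATE_KEY_FILE [OTHER_FILE...]
# Every path must be readable by the service account; the private key must
# additionally not be world-readable.  Prints one line per finding and
# returns the number of findings (0: permissions will not stop eap-tls).
audit_tls_files() {
    at_user=$1; at_group=$2; at_key=$3; shift 2
    at_findings=0
    for at_f in "$@"; do
        if [ ! -e "$at_f" ]; then
            echo "MISSING: $at_f"
            at_findings=$((at_findings + 1))
            continue
        fi
        if [ "$(can_read "$at_f" "$at_user" "$at_group")" != yes ]; then
            echo "UNREADABLE by $at_user: $at_f (fopen: Permission denied)"
            at_findings=$((at_findings + 1))
        fi
        if [ "$at_f" = "$at_key" ] && [ "$(world_readable "$at_f")" = yes ]; then
            echo "WORLD-READABLE private key: $at_f"
            at_findings=$((at_findings + 1))
        fi
    done
    return "$at_findings"
}

# Stand-alone use, mirroring the thread's tls {} section (radiusd:radiusd is
# the assumed service account):
#   sh audit.sh radiusd radiusd /etc/raddb/certs/server.pem \
#       /etc/raddb/certs/ca.pem /etc/raddb/certs/dh /etc/raddb/certs/random
if [ "$#" -ge 3 ]; then audit_tls_files "$@"; fi
```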

Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread Alan DeKok
George KNIGHT wrote:
 Permissions are as follow;
 ..
 comp-010:/etc/raddb # dir

  Uh... which OS are you using?

  In any case, this is an OS issue.  FreeRADIUS & OpenSSL use the normal
OS APIs to access files.  If the server gets a permission denied
error, it's because the OS is denying permission.

  So... the OS needs to be fixed.  I have no idea how to do that.

  Maybe you're running some security feature that blocks access to
files.  e.g. AppArmor, SELinux, etc.  Go see your OS documentation for
details.

  i.e. Sorry, this isn't a FreeRADIUS problem.

  Alan DeKok.


Re: HOWTO PEAP + FreeRadius + XP Client

2008-05-01 Thread George KNIGHT
Alan,
The permission problem has been solved, as I mentioned in my earlier email.
Now, as a last step, I'm installing the certificates. I created the
certificates by following the README file in the /etc/raddb/certs/ folder.
Now I have the following certificates;

ca.der
ca.key
ca.pem
client.crt
client.csr
client.key
client.p12
client.pem
server.crt
server.csr
server.key
server.p12
server.pem

I installed ca.der and client.p12 on the Windows XP SP2 client. I followed
the instructions at http://freeradius.org/doc/EAPTLS.pdf. But at the end of
the installation, where the client certificate installation is tested on
page 16, I get a different Windows message; it says "Windows does not have
enough information to verify this certificate." I followed all the
instructions there without any problem. Am I missing anything?

Are those the right certificates that I copied to the Windows machine? Why
are there so many certificates created when we are just using 2?

Thank you

George Knight

FR failing

2008-05-01 Thread Matt Ashfield
We have two FR servers (running 1.1.15) on Red Hat machines.


We are using it to authenticate wireless users against an LDAP directory.
Occasionally, one of the FR servers (it happens to each, just not at the
same time), stops working. The service remains up, but it's like the
conversation between radius and ldap doesn't work for some reason, and
radius stops trying altogether afterwards. The log shows:

Thu May  1 14:33:02 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May  1 14:33:02 2008 : Auth: Login incorrect: [rsmall] (from client unbsj111 port 32401 cli 00-1E-C2-C0-8E-36)
Thu May  1 14:33:15 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May  1 14:33:15 2008 : Auth: Login incorrect: [anonymous] (from client hh2380 port 45380 cli 00-12-F0-D3-3C-03)
Thu May  1 14:34:02 2008 : Error: Discarding duplicate request from client hh2380:20001 - ID: 200 due to unfinished request 1428

Any help is greatly appreciated.

Thanks

Matt A
[EMAIL PROTECTED]


Re: Can't get the value of 'Digest-User-name', 'Digest-Realm', 'Digest-Method', 'Digest-Uri', 'Digest-Nonce', 'Digest-Response'

2008-05-01 Thread Ivan Kalik
No, there is a digest module in default radiusd.conf that should decode
the attributes. Post radiusd -X for request with Digest-Attributes.
Those attributes you want are not in the request - have you tried
$RAD_CHECK.


hi Kalik,
  I've tried $RAD_CHECK but it doesn't work. I've found a digest
module in radiusd.conf but actually I don't have any idea how to handle the
module.

There is nothing to handle. The digest {} module will decode information
from Digest-Attributes and produce the attributes you are looking
for.

rad_recv: Access-Request packet from host 127.0.0.1 port 32795, id=73,
length=59
User-Name = johnson
User-Password = johnson
NAS-IP-Address = 127.0.0.1
NAS-Port = 0

Do you see Digest-Attributes in this request? I don't.

Ivan Kalik
Kalik Informatika ISP



Recommendations for managing user password

2008-05-01 Thread thekat
Thank you all for responding to my first post about getting FreeRadius set up
and working on a Solaris 10 box.
I am working on creating the (non-privileged) user environment that will
run the server.

I have successfully set up a working Radius server to work with a FirePass
VPN appliance.

FirePass uses PAP for authentication; however, I have authenticated using
both Local and PAP.

charlie   Auth-Type := Local, User-Password == "hello"
          Reply-Message = "Hello, %u"
charles   Auth-Type := PAP, User-Password == "hello"
          Reply-Message = "Hello, %u"

This works like this:
-- The FirePass appliance has an SSL login page.
-- The user enters credentials, which are validated against FreeRadius.
-- The user is shown a static page on the FirePass server with a static link.

I will have about 75 users and need to set up password aging.
Using system (non-shell) accounts with IDs in /etc/password could be an
option.
I did read the Expired thread and I can write a script to update that
field if necessary.

My Goal
--- let the user know their password has expired
--- let them change it themselves..
--- age the password for 90 days
--- I really don't want a MySQL database ( I don't know MySQL but could
learn if I have to)

I am hoping someone can point me in the right direction..


Charles

Re: LDAP Not recognising User-Name attribute in tunneled authentication FR 2.0.4

2008-05-01 Thread Arran Cudbard-Bell

Arran Cudbard-Bell wrote:

Alan DeKok wrote:

Arran Cudbard-Bell wrote:

Exactly the same config used between 2.0.3 and 2.0.4, but now the LDAP
module fails lookups because it claims it can't find the User-Name
attribute

  Arg... grab src/main/evaluate.c from CVS.

  In short, a pointer to the user name is cached in a data structure.
Keeping it up to date is a PITA.

Yep that worked. 2.041?

Erg now it's not working in the outer tunnel for with LDAP...
Thanks,
Arran

  Alan DeKok.

Arran