RE: (err=2)! (Shared secret is incorrect.)
The shared secret is the password that clients use to connect to the RADIUS server. It's located in the client.conf file in your freeradius configuration directory. Note that this shared secret is used to secure RADIUS traffic. User names and passwords of users which are authenticating via EAP are stored in the users file.

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re[2]: (err=2)! (Shared secret is incorrect.)
Jason, thank you for your prompt reply, but I've already solved the problem with Re[2]: (err=2)! (Shared secret is incorrect.)

But I met another one like this:

'rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20'

I think that the problem is in the users file, but just now I can not understand where exactly... Can you please help me with it?

have a good day,
ilya

ilya vishnyov
billing department
baykalwestcom
68, 2-zheleznodorozhnaya str., irkutsk, 664005, russia
gsm: +7 9025 113 992
e-mail: [EMAIL PROTECTED]
icq #: 988-0-229

> The shared secret is the password that clients use to connect to the RADIUS server. It's located in the "client.conf" file in your freeradius configuration directory. Note that this shared secret is used to secure RADIUS traffic. User names and passwords of users which are authenticating via EAP are stored in the "users" file.
>
> --
> Jason Wittlin-Cohen
> Yale Law School, Class of 2010
> [EMAIL PROTECTED]
Re: domain security problem
> [EMAIL PROTECTED] wrote:
> > my configuration: radius 2.X, win 2003 AD, domain: TEST, 802.1x
> >
> > I have a problem: If the pc is in the domain (TEST) it can authenticate well. If it is not in the domain it can't auth, which is good, BUT when I set the computer name to TEST and it is not in the domain (simple workgroup) it CAN authenticate.
> >
> > I use ntlm_auth for the authentication.
> >
> > ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> Debug (radiusd -X).
>
> Ivan Kalik
> Kalik Informatika ISP

here is the debug: (user test, who is not in the domain but whose computer name is TEST, authenticates successfully)

rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=234, length=246
        NAS-IP-Address = 192.168.3.1
        NAS-Port = 50003
        Cisco-NAS-Port = FastEthernet0/3
        NAS-Port-Type = Ethernet
        User-Name = TEST\\test
        Called-Station-Id = 00-09-B7-94-CA-83
        Calling-Station-Id = 00-13-D4-E7-B3-FB
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xb4d9bca1b3d1a56aa83deffb03301769
        EAP-Message = 0x020800561900170301004b70414bb754d5972dbf56e05aebf049af1a0ab69f67432122002d22c83e316d653444c9d47e3354733ecfc7d96cbcfd9d6d2df91f812c48cce9c300d9e9ffb09ea87d05f76fda12dab39168
        Message-Authenticator = 0x6ed87b7fe86db42fcae2b6f15124f8ce
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = TEST\test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 86
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
        EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
server (null) {
  PEAP: Setting User-Name to TEST\test
Sending tunneled request
        EAP-Message = 0x0208003f1a0208003a31b2e512df868f6a94b69f521554c63d2d2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff50074657374
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = TEST\\test
        State = 0xaa9b924faa9388a2f1432c8ee6fbd40f
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = TEST\test, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
[mschap]        expand: --username=%{mschap:User-Name} -> --username=test
[mschap]  mschap2: 10
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
        Message-Authenticator = 0x
        State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010900331a0308002e533d44453836304437453245334344333045343338363130463136393441413135323336323135423546
        Message-Authenticator = 0x
        State = 0xaa9b924fab9288a2f1432c8ee6fbd40f
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 234 to 192.168.1.1 port 1812
        EAP-Message =
Re: EAP/TLS TLS_accept error
henry1412 wrote:
> I want to build an IEEE 802.1x authentication environment and I have installed freeradius-1.0.2,

  Why?  It's outdated and has serious security flaws in EAP.

> I just do some testing with the old version, which had more documents. It seems the old version also can run well, but I can't config them to run. Can you give me some suggestions about these old versions?

  Upgrade.

  Alan DeKok.
Re: wimax support
Ying DONG wrote:
> I am using the freeradius server 2.1.1 as the Radius server in the network to authenticate a wimax user. It seems that it could support the wimax VSA, since I found the dictionary.wimax in the dictionary directory.

  If you look at the *rest* of the configuration files, you'll see more references to WiMAX.  Also, the release announcements, the web page...

> However, in my application, in the Access Accept message, the freeradius server includes the attributes of vendor-id 311 (microsoft), not having the expected attributes of wimax (such as the MSK attribute).

  Because you have to configure it to do that.

> I want to know how the radius server determines which dictionary it should use to respond to the incoming request?

  That's not how RADIUS works.  It doesn't determine a dictionary to use.

> What should I do to make the freeradius server set the wimax specified attribute in the access-accept msg?

  Read raddb/modules/wimax.  This is documented.

  Alan DeKok.
Re: (err=2)! (Shared secret is incorrect.)
for example:

clients.conf file:

client 192.168.1.0/24 {
        secret = cisco
        shortname = not_important
}

users file:

username Cleartext-Password := "pasSw0rd"

To test it locally, uncomment this section in clients.conf (if it is commented):

client localhost {
        ipaddr = 127.0.0.1
        secret = testing123
}

and test it like this (on the server locally):

radtest username pasSw0rd localhost 0 testing123

Gabor
Re: EAP/TLS TLS_accept error
Under my current freeradius and AP configuration, I can be successfully authenticated by a Windows XP client, but it fails with a Linux client running wpa_supplicant-0.4.8. What's wrong with my setting? Is my wpa_supplicant version too old, or does my wpa_supplicant config file have some problem?
EAP-AKA
Hi all,

I'm trying to configure EAP-AKA using EAP2. Where do I insert the quintets? In the same way as EAP-SIM?

Thanks,
Fernando.
Re: EAP/TLS TLS_accept error
> Under my current freeradius and AP configuration, I can be successfully authenticated by a Windows XP client, but it fails with a Linux client running wpa_supplicant-0.4.8. What's wrong with my setting? Is my wpa_supplicant version too old, or does my wpa_supplicant config file have some problem?

And you are asking this on the freeradius list because ...

Ivan Kalik
Kalik Informatika ISP
rad_recv: Access-Reject
hello!

debugging freeRADIUS I met the problem like this: At the beginning I thought that the problem was in the users file, but in radiusd.log I saw the message:

rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/raddb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_oracle #0
rlm_sql_oracle: Couldn't init Oracle OCI environment (OCIEnvCreate())
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique

what's wrong? could anybody help me please?

radiusd -X log, users file and clients.conf are attached.

have a good day,
ilya

ilya vishnyov
billing department
baykalwestcom
68, 2-zheleznodorozhnaya str., irkutsk, 664005, russia
gsm: +7 9025 113 992
e-mail: [EMAIL PROTECTED]
icq #: 988-0-229
Re: Re[2]: (err=2)! (Shared secret is incorrect.)
You say you read the FAQ. Did you see this:

http://wiki.freeradius.org/FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP

> Jason, thank you for your prompt reply, but I've already solved the problem with Re[2]: (err=2)! (Shared secret is incorrect.)
>
> But I met another one like this:
>
> 'rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20'
>
> I think that the problem is in the users file, but just now I can not understand where exactly... Can you please help me with it?
Re: fr group howto
Hegedus Gabor wrote:
> Hi all!
>
> I have 802.1x authentication, which works. I want to use dynamic VLAN assignment: The radius authenticates the user (using ntlm_auth) and after this, it uses ldap to get user information from the database (username = sAMAccountName). ldap.attrmap changes the attributes and sends them to the switch; it is okay.
>
> It is not so comfortable, I wanna try something else:
>
> 1. I create groups: vlan21, vlan333, and so on. Expand the vlan schema with 3 attribs (you know: VLAN, IEEE-802, and VLANID). I put users and computers into the groups. How can I get the user's vlan info? I can't create the ldap query, cos:
>    - I have the sAMAccountName, which is not the cn, and the member / memberOf attribs contain the cn. I don't know how I can do a good query; the good attrib is in the vlanXY group.
>    - get vlan? ok, but I have just the sAMAccountName, no cn
>    - get user? ok, but the good attribs are in the vlan group. How?
>
> 2. I don't expand the vlanXY schema. I get the user info (by sAMAccountName), which contains the memberOf attr, and in the freeradius users file I create a group. If the group in the users file equals the memberOf attrib, send back the vlan info to the switch: (I know it is not good yet)
>
> DEFAULT Ldap-Group == cn=vlan10,ou=vlans,dc=test,dc=hu
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Reply-Message = "You are in vlan 10"
>
> ldap module:
>
> groupname_attribute = cn
> groupmembership_filter = ((memberof=cn=vlan10,ou=vlans,dc=test,dc=hu)(samaccountname=%{mschap:user-name}))   ## I know it is bad, but what is the good one?
>
> do you understand what I want? I tested both prospects, pls help.
>
> Thx
> Gabor

any idea?

(login name = samaccountname = hege)

how can I make a query for this: search for the vlan (one group) whose member's samaccountname equals hege

dn: CN=vlan10,OU=vlans,DC=test,DC=hu
objectClass: top
objectClass: group
cn: vlan10
member: CN=hegedus gab,CN=Users,DC=test,DC=hu
distinguishedName: CN=vlan10,OU=vlans,DC=test,DC=hu
instanceType: 4
whenCreated: 20081202130318.0Z
whenChanged: 20081202130354.0Z
uSNCreated: 16494
uSNChanged: 16499
name: vlan10
objectGUID:: wdVRLxlU+Eqobg1FpLtVvA==
objectSid:: AQUAAAUV/iEMgYVoYPNcURmzXwQAAA==
sAMAccountName: vlan10
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=hu

dn: CN=hegedus gab,CN=Users,DC=test,DC=hu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hegedus gab
sn: gab
l: VLAN
postOfficeBox: IEEE-802
givenName: hegedus
distinguishedName: CN=hegedus gab,CN=Users,DC=test,DC=hu
instanceType: 4
whenCreated: 20081128084825.0Z
whenChanged: 20081202124457.0Z
displayName: hegedus gab
uSNCreated: 14074
memberOf: CN=vlan10,OU=vlans,DC=test,DC=hu
uSNChanged: 16484
streetAddress: 9
name: hegedus gab
objectGUID:: SZnqGh1Bp0i0liC1PU+vkQ==
userAccountControl: 66048
badPwdCount: 3
codePage: 0
countryCode: 0
badPasswordTime: 128732900775156250
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128726954971562500
primaryGroupID: 513
objectSid:: AQUAAAUV/iEMgYVoYPNcURmzXQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: hege
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=hu

pls help.
Re: domain security problem
> here is the debug: (user test, who is not in the domain

Well, he was found in AD. And in that domain. And with correct password.

> [mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
> [mschap]        expand: --username=%{mschap:User-Name} -> --username=test
> [mschap]  mschap2: 10
> [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76
> [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5
> Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
> Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success

Ivan Kalik
Kalik Informatika ISP
Re: Programmatically provision users to server.
> Yes I do plan on using a RoR application to make the changes to the MySQL database. So I think this is coming together. However, the username and password... where is the user responsible for using those credentials? Would a user connect to my WiFi network, then authenticate against the RADIUS server using credentials obtained through a Ruby on Rails application?
>
> Here's the workflow I am thinking of to build this:
>
> 1. User connects to WiFi network.
> 2. User is directed to a Ruby on Rails application.
> 3. Application authorizes user to connect, creates credentials and propagates them to FreeRadius.
> 4. Application gives credentials to user.
> 5. User enters credentials (where?)

Oh, you are thinking of building a captive portal, not just something that will administer users.

> I need hotspot functionality so I am almost there in terms of everything I need to build. Are these points rational?

Probably not. How long do you think on spending on this? Months? Years? Also, where are the credentials entered in #5? If you are seriously thinking of making a captive portal (and not using a ready made one) - you will have to make the user interface too.

> Wouldn't I just need to deliver an IP or something to that machine at that point?

Oh no. There is so much more to it than that.

Ivan Kalik
Kalik Informatika ISP
Re: Building FreeRadius
On Wed, Dec 10, 2008 at 11:01:05AM +0100, Abdelmonam Kouka wrote:
> I am new on FreeRadius, I tried to build it from sources on ubuntu 8.04, when I run ./configure all is OK, but when I run make I have got this error:
>
> /home/kouka/Desktop/freeradius-server-2.1.2/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory
> In file included from listen.c:29:
>
> Any idea? from where I can got this ltdl.h?

ltdl.h belongs to libtool.  I can't speak for Ubuntu, but this file is part of the libtool package in RHEL/Fedora.

--
--    Jos Vos                              [EMAIL PROTECTED]
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
Re: fr group howto
> 2. I don't expand the vlanXY schema. I get the user info (by sAMAccountName), which contains the memberOf attr, and in the freeradius users file I create a group. If the group in the users file equals the memberOf attrib, send back the vlan info to the switch: (I know it is not good yet)
>
> DEFAULT Ldap-Group == cn=vlan10,ou=vlans,dc=test,dc=hu
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 10,
>         Reply-Message = "You are in vlan 10"
>
> ldap module:
>
> groupname_attribute = cn
> groupmembership_filter = ((memberof=cn=vlan10,ou=vlans,dc=test,dc=hu)(samaccountname=%{mschap:user-name}))   ## I know it is bad, but what is the good one?

I would go with that option.

> how can I make a query for this: search for the vlan (one group) whose member's samaccountname equals hege

Read an ldap manual. Something like:

http://docs.sun.com/source/816-6696-10/cmdline.html#14656

Ivan Kalik
Kalik Informatika ISP
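Gabor's two questions (find the VLAN group for a login name, and write a filter that combines memberOf and sAMAccountName) come down to a two-step lookup, because the group's member attribute and the user's memberOf attribute both hold DNs while the login name is the sAMAccountName. The Python below is an added example, not FreeRADIUS or rlm_ldap code: it loads the two LDIF entries Gabor posted (trimmed to the attributes that matter), resolves hege to the Tunnel-* reply items that option 2's users-file entry sends, walks the group's member list back to login names, and builds the AND filter that the posted groupmembership_filter was reaching for, with RFC 4515 escaping of the login name. The group-to-VLAN table and all function names are assumptions made for this example.

```python
"""Resolve a user's VLAN from Active Directory group membership.

Added example for the "fr group howto" thread; not FreeRADIUS code.
The LDIF below is the data posted in the thread, trimmed.  VLAN_GROUPS and
the function names are assumptions for this example.
"""

# Constructed from the LDIF posted in the thread (trimmed to what matters).
LDIF = """\
dn: CN=vlan10,OU=vlans,DC=test,DC=hu
objectClass: top
objectClass: group
cn: vlan10
member: CN=hegedus gab,CN=Users,DC=test,DC=hu
sAMAccountName: vlan10

dn: CN=hegedus gab,CN=Users,DC=test,DC=hu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hegedus gab
memberOf: CN=vlan10,OU=vlans,DC=test,DC=hu
sAMAccountName: hege
"""

# Assumption: which group grants which VLAN.  In the users file this is one
# "DEFAULT Ldap-Group == ..." entry per VLAN.
VLAN_GROUPS = {"cn=vlan10,ou=vlans,dc=test,dc=hu": 10}


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines; every attribute
    except dn kept as a list (AD attributes are multi-valued); attribute
    names lower-cased because LDAP names are case-insensitive."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if name == "dn":
            cur = {"dn": value}
        elif cur is not None:
            cur.setdefault(name, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def has_value(entry, attr, value):
    """Case-insensitive equality on one attribute, like an (attr=value) filter item."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def ldap_escape(value):
    """RFC 4515 section 3 escaping for a value placed into a search filter, so
    metacharacters in a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(sam_account, group_dn):
    """The corrected groupmembership_filter: an AND (&) of the two items."""
    return "(&(memberOf=%s)(sAMAccountName=%s))" % (
        ldap_escape(group_dn), ldap_escape(sam_account))


def vlan_for_user(entries, sam_account):
    """Option 2 from the thread.  Step 1: find the user by sAMAccountName.
    Step 2: match the user's memberOf values against the known VLAN groups.
    Returns the Tunnel-* reply items, or None when the user is unknown,
    ambiguous, or in no VLAN group (a caller should then reject, not fall
    through to a default VLAN)."""
    users = [e for e in entries
             if has_value(e, "objectClass", "user")
             and has_value(e, "sAMAccountName", sam_account)]
    if len(users) != 1:
        return None
    for group_dn in users[0].get("memberof", []):
        vlan = VLAN_GROUPS.get(group_dn.lower())
        if vlan is not None:
            return {"Tunnel-Type": "VLAN",
                    "Tunnel-Medium-Type": "IEEE-802",
                    "Tunnel-Private-Group-Id": str(vlan)}
    return None


def members_of_group(entries, group_dn):
    """Option 1, the other direction: the group's member attribute holds DNs,
    so each DN is resolved back to its sAMAccountName."""
    group = next((e for e in entries if e["dn"].lower() == group_dn.lower()), None)
    if group is None:
        return []
    member_dns = {m.lower() for m in group.get("member", [])}
    return [e["samaccountname"][0] for e in entries
            if e["dn"].lower() in member_dns and "samaccountname" in e]
```

rlm_ldap applies its own escaping to the %{...} expansions it puts into filters; the explicit ldap_escape here is for code that assembles a filter itself. The memberOf route (option 2) needs one search per authentication, while the member route (option 1) needs one per group, which is why Ivan's "go with that option" is also the cheaper one on a busy directory.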
Re: domain security problem
> certainly, he is in the AD, it is correct. The problem is the domain: win sends
> - DOMAIN\username if it is in the domain,
> - HOSTNAME\username if it is not in the domain (only workgroup)
> but when I set TEST (my domain) as hostname (it is still not in the domain), it will send this and freeradius thinks it is correct. How can I config freeradius to reject auth when it is not in the domain (but sends the domain name as hostname)? Like ntdomain or something, a proxy.conf modification or hack; I have no idea what the solution is.

There is no problem with the user. User is in the AD. Your problem is with the machine. How did the machine get access onto the network? If you don't control computer accounts there is no way to prevent this. If you allow users to plug any machine into the network and you don't control at least the mac address ...

Ivan Kalik
Kalik Informatika ISP
Re: python error in compile freeradius-2.1.3
henry1412 wrote:
> I install freeradius-2.1.3 on redhat9, the python version is 2.2. Is my python version too old?

As was stated numerous times, all your software versions are old and you should upgrade to current versions. RedHat 9 and all the software which came with it is 5 years old. The follow on to RedHat 9 is Fedora and we're already up to the 10th release of Fedora. Please visit www.fedoraproject.org, download the current version of Fedora and install it. I would suggest you don't bother the list with further questions until you're running current versions of all the software components.

--
John Dennis [EMAIL PROTECTED]
rad_recv: Access-Reject #plz ignore the previous letter
hello!

debugging freeRADIUS I met the problem like this:

'rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=194, length=20'

At the beginning I thought that the problem was in the users file, but in radiusd.log I saw the message:

rlm_sql (sql): Driver rlm_sql_oracle (module rlm_sql_oracle) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/raddb
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_oracle #0
rlm_sql_oracle: Couldn't init Oracle OCI environment (OCIEnvCreate())
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique

what's wrong? could anybody help me please?

radiusd -X log, users file and clients.conf are attached.

have a good day,
ilya

ilya vishnyov
billing department
baykalwestcom
68, 2-zheleznodorozhnaya str., irkutsk, 664005, russia
gsm: +7 9025 113 992
e-mail: [EMAIL PROTECTED]
icq #: 988-0-229
Building FreeRadius
Salem,

I am new on FreeRadius, I tried to build it from sources on ubuntu 8.04, when I run ./configure all is OK, but when I run make I have got this error:

/home/kouka/Desktop/freeradius-server-2.1.2/src/freeradius-devel/modpriv.h:9:18: error: ltdl.h: No such file or directory
In file included from listen.c:29:

Any idea? from where I can got this ltdl.h?

Regards
--
عبد المنعم كوكة
Abdelmonam Kouka
Software Engineer
GNU/Linux user #450141
GPG Fingerprint: EC21 1E4E 5B0C E4E7 0D64 3305 0D62 75C9 2C15 16E0
Some people see things as they are and say why. I dream things that never were and say why not? [George Bernard Shaw]
http://www.ubuntume.com/
http://arabeyes.org/
http://www.ubuntu-tn.org/
Re: domain security problem
> [EMAIL PROTECTED] wrote:
> > here is the debug: (user test, who is not in the domain
>
> Well, he was found in AD. And in that domain. And with correct password.

certainly, he is in the AD, it is correct. The problem is the domain: win sends
- DOMAIN\username if it is in the domain,
- HOSTNAME\username if it is not in the domain (only workgroup)
but when I set TEST (my domain) as hostname (it is still not in the domain), it will send this and freeradius thinks it is correct. How can I config freeradius to reject auth when it is not in the domain (but sends the domain name as hostname)? Like ntdomain or something, a proxy.conf modification or hack; I have no idea what the solution is.

> > [mschap]        expand: --domain=%{mschap:NT-Domain} -> --domain=TEST
> > [mschap]        expand: --username=%{mschap:User-Name} -> --username=test
> > [mschap]  mschap2: 10
> > [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ad923676ac4c1b76
> > [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=2b4dda1057bbf603f10d79c87e09e6203b600788c29e7ff5
> > Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
> > Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
>
> Ivan Kalik
> Kalik Informatika ISP
Re: domain security problem
> [EMAIL PROTECTED] wrote:
> > certainly, he is in the AD, it is correct. The problem is the domain: win sends
> > - DOMAIN\username if it is in the domain,
> > - HOSTNAME\username if it is not in the domain (only workgroup)
> > but when I set TEST (my domain) as hostname (it is still not in the domain), it will send this and freeradius thinks it is correct. How can I config freeradius to reject auth when it is not in the domain (but sends the domain name as hostname)? Like ntdomain or something, a proxy.conf modification or hack; I have no idea what the solution is.
>
> There is no problem with the user. User is in the AD. Your problem is with the machine. How did the machine get access onto the network? If you don't control computer accounts there is no way to prevent this. If you allow users to plug any machine into the network and you don't control at least the mac address ...
>
> Ivan Kalik
> Kalik Informatika ISP

It is bad news. You say check the mac address too; there is no way to reject it simply without the mac...

thank you
version 2.1.3 available for Fedora 10 and Fedora 9
The new version of FreeRADIUS, 2.1.3, is available in the testing repositories for Fedora 10 and Fedora 9. Please note they are in the testing repositories and have not been pushed to stable yet.

If you have questions or issues please consult the FreeRadius Red Hat FAQ (http://wiki.freeradius.org/Red_Hat_FAQ) first.

If you have success with it I would appreciate knowing that because that will be the key for me to push it to stable and a wider audience. Comments to this effect can be added to the package release on Bodhi, the Fedora Update System (https://admin.fedoraproject.org/updates).

--
John Dennis [EMAIL PROTECTED]
EAP-SIM
Hey,

This may be a stupid question, but if I don't have access to a carrier's HLR, can I still do EAP-SIM if I have a SIM reader? Sorry for this question, I am just having trouble finding a definitive answer.

Thanks,
Leigh
RE: No log destination specified.
|-I have a problem where I upgraded v1 to v2 of freeradius and now I can only
|-start it with mode radius -X , if I try use script is simply does following.
|-
|-
|-
|-/usr/local/etc/rc.d]# ./rc.radiusd start
|-Starting FreeRADIUS:radiusd: Error: No log destination specified.
|-Radius
|-
|-
|-Any advise?
|-
|-FYI - I have now made a startup script to the following.
|-
|-/usr/local/sbin/radiusd -X > /dev/null 2>&1
|-
|-To Run Freeradius as this is a production machine.

It is complaining that you have not specified a place to write a log file.

==
logdir = /var/log
#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log
==

This is from my radiusd.conf file. Radius writes log file messages (few and far between) to /var/log/radius.log

Fix that and you won't have to use the redirect to /dev/null, which I would not use anyway as you want log files to know if something is going wrong.

This is the beginning of my radius.conf, it seems the entry is indeed there and valid as it's the same as the old installation.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

HTH,
Keith
Re: No log destination specified.
Have you checked permissions of the file / dir?

Marcel Grandemange wrote:
> |-I have a problem where I upgraded v1 to v2 of freeradius and now I can only
> |-start it with mode radius -X , if I try use script is simply does following.
> |-
> |-/usr/local/etc/rc.d]# ./rc.radiusd start
> |-Starting FreeRADIUS:radiusd: Error: No log destination specified.
> |-Radius
> |-
> |-Any advise?
> |-
> |-FYI - I have now made a startup script to the following.
> |-
> |-/usr/local/sbin/radiusd -X > /dev/null 2>&1
> |-
> |-To Run Freeradius as this is a production machine.
>
> It is complaining that you have not specified a place to write a log file.
>
> ==
> logdir = /var/log
> #
> #  The logging messages for the server are appended to the
> #  tail of this file.
> #
> log_file = ${logdir}/radius.log
> ==
>
> This is from my radiusd.conf file. Radius writes log file messages (few and far between) to /var/log/radius.log
>
> Fix that and you won't have to use the redirect to /dev/null, which I would not use anyway as you want log files to know if something is going wrong.
>
> This is the beginning of my radius.conf, it seems the entry is indeed there and valid as it's the same as the old installation.
>
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = ${prefix}/etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> #  Location of config and logfiles.
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
>
> #
> #  The logging messages for the server are appended to the
> #  tail of this file.
> #
> log_file = ${logdir}/radius.log
>
> HTH,
> Keith
RE: No log destination specified.
On Wed, 10 Dec 2008, Marcel Grandemange wrote:

|-
|-|-I have a problem where I upgraded v1 to v2 of freeradius and now I can
|-only
|-|-start it with mode radius -X , if I try use script is simply does
|-following.
|-|-
|-|-/usr/local/etc/rc.d]# ./rc.radiusd start
|-|-Starting FreeRADIUS:radiusd: Error: No log destination specified.
|-|-Radius
|-==
|-logdir = /var/log
|-#
|-#  The logging messages for the server are appended to the
|-#  tail of this file.
|-#
|-log_file = ${logdir}/radius.log
|-==

I am still running 1.1.7. We only have about 200 dialup users left, so I have never upgraded beyond that version as I don't feel the need and dialup is the only thing we use Radius for.

Two things. One, have the config options between the 1.x and 2.x changed for logging? I have not looked at v2 so I don't know. The other is possibly permissions on the file or directory. But I don't think that is it as you would probably get a different error.
ldap question
still a few issues, so I upgraded to 2.1.1 and in debug mode (and I have enabled ldap), I see this...

[ldap] checking if remote access for $SOME_USER is allowed by uid
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x...
rlm_ldap: sambaLmPassword -> LM-Password == 0x...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user $SOME_USER authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP

should I just disable pap? (I can't think of anything that I need to use it for)

OR... considering that the LDAP 'userPassword' is essentially the same password that is contained in sambaNTPassword and sambaLMPassword, do I just somehow enable

# password_attribute = userPassword

as it talks about in the rlm_ldap doc file?

Craig
Re: Building FreeRadius
Abdelmonam Kouka wrote:
> I am new on FreeRadius, I tried to build it from sources on ubuntu 8.04, when I run ./configure all is OK, but when I run make I have got this error:
> /home/kouka/Desktop/freeradius-server-2.1.2/src/freeradius-devel/modpriv.h:9:18:

Delete 2.1.2, and install 2.1.3. See http://freeradius.org for comments.

Alan DeKok.
Accounting Software
Hello: My first try on freeRADIUS. I am going to set up a test freeRADIUS server with CentOS 5.2 and mySQL for learning about RADIUS servers.

Questions:
1. Is there a GUI application to set up freeRADIUS?
2. Is there a free accounting package (must interface with mySQL) I can use?

Thanks.
Sam
Re: domain security problem
> It is bad news, you say check mac address too no way reject it simple without mac...

How much simpler can you get? You say that it is a problem that a user with an AD account gets access from an unauthorized machine. The only answer is to check machine credentials. MAC filtering is the simplest thing you could possibly do. People who consider this a real problem use machine certificates. Or NAC.

Ivan Kalik
Kalik Informatika ISP
Re: Programatically provision users to server.
Ok. So if I used a ready made captive portal solution, would my solution still work?

Captive Portal authenticates users (using FreeRadius?)
WLAN controller delivers an IP.

On Wed, Dec 10, 2008 at 2:38 AM, [EMAIL PROTECTED] wrote:
> > Yes I do plan on using a RoR application to make the changes to the MySQL database. So I think this is coming together. However, the username and password... where is the user responsible for using those credentials. Would a user connect to my WiFi network, then authenticate against the RADIUS server using credentials obtained through a Ruby on Rails application? Here's the workflow I am thinking to build this:
> > 1. User connects to WiFi network.
> > 2. User is directed to a Ruby on Rails application.
> > 3. Application authorizes user to connect, creates credentials and propagates them to FreeRadius.
> > 4. Application gives credentials to user.
> > 5. User enters credentials (where?)
>
> Oh, you are thinking of building a captive portal, not just something that will administer users.
>
> > I need hotspot functionality so I am almost there in terms of everything I need to build. Are these points rational?
>
> Probably not. How long do you think on spending on this? Months? Years? Also, where are the credentials entered in #5? If you are seriously thinking of making a captive portal (and not using a ready made one) - you will have to make a user interface too.
>
> > Wouldn't I just need to deliver an IP or something to that machine at that point?
>
> Oh no. There is so much more to it than that.
>
> Ivan Kalik
> Kalik Informatika ISP

--
Matthew Carriere
[EMAIL PROTECTED]
Re: mysql fail over
Peter Ellens wrote:
> If I stop the first sql server service, freeradius starts to use the second sql server, as expected. But if I stop the entire first server (ie poweroff) freeradius still continues to try and use sql1, hanging...

FreeRADIUS is at the mercy of the MySQL client libraries. It asks them to connect, and if they never return... there's little that the server can do.

> Any ideas how to get it working correctly?

I presume that there's some magic MySQL client setting, saying "don't screw up this badly", but I don't know what it is.

> We would really like to be able to use a read/write master and read only slave, but it looks to me that the sqlippool needs to be writeable to mark the IP address as used and avoid duplicate IP allocation.

Yes.

Alan DeKok.
Re: Accounting Software
Just E. Mail wrote:
> 1. Is there a GUI application to setup freeRADIUS?

daloradius, dialupadmin,

> 2. Is there a free accounting package (must interface with mySQL) I can use?

To do... what?

Alan DeKok.
Re: Programatically provision users to server.
> So if I used a ready made captive portal solution, would my solution still work?
> Captive Portal authenticates users (using FreeRadius?)

Yes. It will provide a login screen and most of them can be set up to use radius.

> WLAN controller delivers an IP.

Yes. And your Ruby application handles user administration (ie. radius database).

Ivan Kalik
Kalik Informatika ISP
Is sqlippool fast enough in 2.1.3
I have had a number of problems with 1.1.7 and sqlippool: it's simply not able to process more than 10-20 connections at any one time. I will upgrade to 2.1.3 if it's capable of handling 50-80 connections at one time? Does anyone know? My server is a P4 dual core 3.0 GHz and it's also handling some load of emails for about 200 accounts. I tried to optimize my mysql installation, etc. num_server but I could never get it fast enough. Anyone know of tricks, or if 2.1.3 freeradius is any better? Or should I be looking at some other way to hand out IPs? I really like the sqlippool way of doing things.

Thanks!
Re: Does FreeRADIUS support PEAPv0/EAP-TLS?
On Tue, Dec 9, 2008 at 5:35 AM, Alan DeKok [EMAIL PROTECTED] wrote:
> Jason Wittlin-Cohen wrote:
> > I already do that with the Juniper Access Client. The problem is that the client certificate has the user's name as the Common Name and that is sent in the clear. PEAP/EAP-TLS sends the user's certificate through the tunnel obviating the issue. I admit this isn't a large problem but it would be a nice feature to have.
>
> FreeRADIUS doesn't support RFC 5216, it's too new. It has been tested with PEAPv0/EAP-TLS in the past, but it's not a common configuration. So it might not work now.
>
> Alan DeKok.

Alan,

I installed FreeRADIUS 2.1.3 on my Ubuntu 8.10 server and encountered the same failure with PEAPv0/EAP-TLS. I think I've discovered the problem. FreeRADIUS expects the client certificate to be sent before the SSL tunnel is established. When the client sends a response without a certificate, it complains that the client did not return a certificate and rejects the user. I've tested with the Juniper Access Client, Intel ProSet client, and XP's own supplicant and got the same result each time, so I don't think this is a client-side problem.

Log:

[peap] TLS 1.0 Handshake [length 0007], Certificate
[peap] TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 55 cli 0013e87d571d)

What's interesting is that if I send a certificate outside the tunnel (Juniper allows you to send a certificate in addition to any authentication method - which would in this case lead to the certificate being sent once outside the tunnel and again inside), authentication still fails, this time with the "No EAP session matching the State variable" error.

rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [Jason Wittlin-Cohen] (from client Wireless port 0 via TLS tunnel)

eap.conf:

Module: Linked to module rlm_eap
Module: Instantiating eap
 eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
 }
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
 tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = /etc/freeradius/certs/
    pem_file_type = yes
    private_key_file = /etc/freeradius/certs/server.key
    certificate_file = /etc/freeradius/certs/server.crt
    CA_file = /etc/freeradius/certs/ca.crt
    dh_file = /etc/freeradius/certs/dh3072.pem
    random_file = /dev/urandom
    fragment_size = 1024
    include_length = yes
    check_crl = yes
    cipher_list = HIGH
    check_cert_issuer = /C=US/O=FreeRadius CA/CN=FreeRadius CA/[EMAIL PROTECTED]
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
 }
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
 peap {
    default_eap_type = tls
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = no
 }
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
 mschapv2 {
    with_ntdomain_hack = no
 }

Jason Wittlin-Cohen
client certs
freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)

followed instructions in certs/README perfectly - so I believe.

server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.

So I'm trying to verify the client certificate...

# openssl verify -CAfile ca.pem [EMAIL PROTECTED]
[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

so I figured I would try to verify it against the server file...

# openssl verify -CAfile server.pem [EMAIL PROTECTED]
[EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/[EMAIL PROTECTED]
error 2 at 1 depth lookup:unable to get issuer certificate

but indeed the server file verifies...

# openssl verify -CAfile ca.pem server.crt
server.crt: OK
# openssl verify -CAfile ca.pem server.pem
server.pem: OK

This would seem pretty simple (the directions make it seem simple):
- edited client.cnf
- changed input/output password values to the same, simple value
- changed the e-mail address and cn to the same value as shown above

What am I doing wrong?

Craig
Which version?
OK.. I am ready to install freeRADIUS! I have set up a LINUX server with:

CentOS 5.2
mySQL-server-5.0.25-7

I noticed that 2.1.3 is the latest freeRADIUS version. Does it work with the above OS and mySQL versions or do I need to fall back to a previous version of freeRADIUS? I am pretty new and this is my first freeRADIUS installation!

Sam
Re: Which version?
Just E. Mail wrote:
> OK.. I am ready to install freeRADIUS! I have set up a LINUX server with:
> CentOS 5.2
> mySQL-server-5.0.25-7
> I noticed that 2.1.3 is the latest freeRADIUS version. Does it work with the above OS and mySQL versions or do I need to fall back to a previous version of freeRADIUS? I am pretty new and this is my first freeRADIUS installation!

version 2.1.3 should work fine on CentOS 5.2 (which only has an old version of FreeRADIUS, 1.1.3). To build it for CentOS follow the directions on the wiki, http://wiki.freeradius.org/Red_Hat_FAQ

--
John Dennis [EMAIL PROTECTED]
Re: client certs
> freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
>
> followed instructions in certs/README perfectly - so I believe.
>
> server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
>
> So I'm trying to verify the client certificate...
>
> # openssl verify -CAfile ca.pem [EMAIL PROTECTED]
> [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> so I figured I would try to verify it against the server file...
>
> # openssl verify -CAfile server.pem [EMAIL PROTECTED]
> [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/[EMAIL PROTECTED]
> error 2 at 1 depth lookup:unable to get issuer certificate
>
> but indeed the server file verifies...
>
> # openssl verify -CAfile ca.pem server.crt
> server.crt: OK
> # openssl verify -CAfile ca.pem server.pem
> server.pem: OK
>
> This would seem pretty simple (the directions make it seem simple):
> - edited client.cnf
> - changed input/output password values to the same, simple value
> - changed the e-mail address and cn to the same value as shown above
>
> What am I doing wrong?

Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to persuade up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.

Ivan Kalik
Kalik Informatika ISP
Re: client certs
On Thu, 2008-12-11 at 01:13 +0100, [EMAIL PROTECTED] wrote:
> > freeradius-2.1.1-2 (rebuild SRPM from Fedora on CentOS 5)
> >
> > followed instructions in certs/README perfectly - so I believe.
> >
> > server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
> >
> > So I'm trying to verify the client certificate...
> >
> > # openssl verify -CAfile ca.pem [EMAIL PROTECTED]
> > [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/[EMAIL PROTECTED]/[EMAIL PROTECTED]
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > so I figured I would try to verify it against the server file...
> >
> > # openssl verify -CAfile server.pem [EMAIL PROTECTED]
> > [EMAIL PROTECTED]: /C=US/ST=Arizona/O=MyOrg/CN=Radius Server Certificate/[EMAIL PROTECTED]
> > error 2 at 1 depth lookup:unable to get issuer certificate
> >
> > but indeed the server file verifies...
> >
> > # openssl verify -CAfile ca.pem server.crt
> > server.crt: OK
> > # openssl verify -CAfile ca.pem server.pem
> > server.pem: OK
> >
> > This would seem pretty simple (the directions make it seem simple):
> > - edited client.cnf
> > - changed input/output password values to the same, simple value
> > - changed the e-mail address and cn to the same value as shown above
> >
> > What am I doing wrong?
>
> Try attached Makefile. It has been altered so client certificates are signed by the ca and not server certificate. I was unable to persuade up-to-date Windows PCs to accept server certificate as an Intermediate CA. Changing the issuer resolved the problem.

OK - question... I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed... do I have to start over?

Windows is still complaining with the new client certificate and yes, the system is XP Service Pack 3 so it's pretty much up-to-date.

Craig
RE: client certs
> server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
>
> Craig

Craig,

You have to install the root certificate and client certificate to the correct certificate store. You have two options - the machine store or the personal certificate store of your current Windows user. The personal certificate store is probably what you want. Double click the client certificate, select "install certificate" and choose "Place the certificate in the following store". Select the Personal certificate store. That should solve your problem.

Jason

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
Re: client certs
> I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed... do I have to start over?

You should. Original Makefile was creating ca certificate that was valid only for 30 days. This one will use value from ca.cnf.

> Windows is still complaining with the new client certificate and yes, the system is XP Service Pack 3 so it's pretty much up-to-date.

Then you haven't got the (correct) ca.der certificate in your trusted root certificate store.

Ivan Kalik
Kalik Informatika ISP
RE: client certs
On Wed, 2008-12-10 at 19:32 -0500, Jason Wittlin-Cohen wrote:
> > server certs seem fine but generated client cert in Windows shows "Windows does not have enough information to verify" and yes, I have loaded the 'ca.der' file generated by the instructions on the Windows client and that installs in 'Trusted Root Authorities'. The 'client' cert seems to install in 'Other People', and does include the XPextensions stuff.
> >
> > Craig
>
> Craig,
>
> You have to install the root certificate and client certificate to the correct certificate store. You have two options - the machine store or the personal certificate store of your current Windows user. The personal certificate store is probably what you want. Double click the client certificate, select "install certificate" and choose "Place the certificate in the following store". Select the Personal certificate store. That should solve your problem.

Thanks... I sort of thought so but this has been a frustrating experience and I'm not that dumb.

Is it normal for this 'client' certificate to show "Windows does not have enough information to verify this certificate" when you view it?

I did take the 'ca.der' and that is loaded in 'Trusted Root Authorities' and seems to be happy there but the client certificate, even newly generated from the scripts and the new Makefile from Ivan, still shows that warning.

It seems possible to me that the certificate provided by the server should provide the link between the CA certificate and the client certificate installed on the Windows client and make it happy but I haven't gotten this to work right - at least consistently.

Craig
RE: client certs
Craig,

Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You must convert to pkcs12 as the documentation states.

openssl pkcs12 -export -in certname.pem \
    -inkey keyname.key -out name.p12 -clcerts

Jason

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
(908) 420-0861
Re: client certs
On Thu, 2008-12-11 at 01:49 +0100, [EMAIL PROTECTED] wrote:
> > I only re-generated the 'client' certificate but in doing a diff, it appears that every level of cert generation has changed... do I have to start over?
>
> You should. Original Makefile was creating ca certificate that was valid only for 30 days. This one will use value from ca.cnf.
>
> > Windows is still complaining with the new client certificate and yes, the system is XP Service Pack 3 so it's pretty much up-to-date.
>
> Then you haven't got the (correct) ca.der certificate in your trusted root certificate store.

I was afraid you were gonna say that... I am honing my BOFH chops... each time I make new certs, I chase the iPhone users through their setup to accept the new cert. ;-)

Though I was pretty certain that the certs I was making through my own scripts were right, I thought if I used the cert creation scripts from freeradius, things would just work...

OK - I'll look at the cnf options because it would be nice to have more than 30 days anyway.

Thanks

Craig
RE: client certs
> Is it normal for this 'client' certificate to show "Windows does not have enough information to verify this certificate" when you view it?

No. Click on the details and see who is the issuer - server or ca. You should give users .p12 certificates which can't be installed without a password used to create them. They can be viewed once they are installed.

> I did take the 'ca.der' and that is loaded in 'Trusted Root Authorities' and seems to be happy there but the client certificate, even newly generated from the scripts and the new Makefile from Ivan, still shows that warning.
>
> It seems possible to me that the certificate provided by the server should provide the link between the CA certificate and the client certificate installed on the Windows client and make it happy but I haven't gotten this to work right - at least consistently.

Link between them exists when ca is the issuer. It is listed in client certificate details. In theory, it is better for server certificate to issue client certificates. In practice, Windows won't recognize intermediate CA role for server certificate.

Ivan Kalik
Kalik Informatika ISP
FreeRadius and Ubuntu 8.10
I am also about to install FreeRadius, anyone have experience with installing on Ubuntu 8.10 Server 32 Bit?

--
Matthew Carriere
[EMAIL PROTECTED]
RE: client certs
> Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You must convert to pkcs12 as the documentation states.
>
> openssl pkcs12 -export -in certname.pem \
>     -inkey keyname.key -out name.p12 -clcerts
>
> Jason

No need to convert. make client.pem creates client.p12 as well. He just has to import it.

Ivan Kalik
Kalik Informatika ISP
RE: wimax support
Hi, thanks for your quick reply.

I have seen the documents related with wimax in the freeradius, files in the rlm_wimax directory, dictionary.wimax, /modules/wimax. However, I didn't figure out how to configure it to let it use the wimax vendor specified attribute.

I also find the MSK is set to 32 bytes length. I am a little confused. Why not set the length to 64 bytes as the standard specified? In this case, how to generate a 64-byte MSK in the access accept msg?

Thanks,
ying

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 10 December 2008 16:48
To: FreeRadius users mailing list
Subject: Re: wimax support

Ying DONG wrote:
> I am using the freeradius server 2.1.1 as the Radius server in the network to authenticate a wimax user. It seems that it could support the wimax VSA, since I found the dictionary.wimax in the dictionary directory.

If you look at the *rest* of the configuration files, you'll see more references to WiMAX. Also, the release announcements, the web page...

> However, in my application, in the Access Accept message, the freeradius server include the attributes of vendor-id 311 (microsoft), not having the expected attributes of wimax (such as MSK attribute).

Because you have to configure it to do that.

> I want to know how the radius server determines which dictionary it should use to respond to the incoming request?

That's not how RADIUS works. It doesn't determine a dictionary to use.

> What I should do to make the freeradius server set the wimax specified attribute in the access-accept msg?

Read raddb/modules/wimax. This is documented.

Alan DeKok.
RE: client certs
On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
> Craig,
>
> Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store. More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You must convert to pkcs12 as the documentation states.
>
> openssl pkcs12 -export -in certname.pem \
>     -inkey keyname.key -out name.p12 -clcerts
>
> Jason

Thanks for the help. Last week when I was generating certificates my own way, I was doing that and yes, as Ivan points out, the 'scripted' way that make client.pem does make the p12 cert for the client.

My issue now - and obviously sh*t happens as I change things around - is that with the certificates newly generated and radiusd restarted in 'debug' mode, the newly minted ca.der and client.p12 certificates installed in their proper homes in 'certificates' following the instructions here...

http://wiki.freeradius.org/WPA_HOWTO#Step_4:_Configure_the_Client

I 'repair' or 'refresh' Network Connection (obviously the repair is for the Wireless) and it hems/haws and finally says "Authentication failed" but the wireless AP never makes an effort to connect to the radius server.

Just rebooted the laptop and checked for stale info in regedit HKCU\Software\Microsoft\EAPOL (none)

This AP has been talking to the radius server for weeks now (and all day today) and authenticating Macintosh and iPhone clients but Windows is making me absolutely nuts. The radius server is also authenticating for my RRAS server on a Windows server on the LAN... my only issue has been Windows laptops ;-(

At least earlier with my otherwise generated certificates, I could get through the AP and to the radius server but now... it's like no one is home. The Wireless AP does show my connection but that's it.

I'm very frustrated

Craig
How to configure RADIUS on 2 IP address Server
Hi, I'm setting up a RADIUS server to use with a Wireless network

1) RADIUS server is Debian (eth0=192.168.25.254 (supports all local computers, Access point) and eth1=192.168.2.45 (to Internet)
2) Access Point is LinkSys WAP54G (192.168.25.75)
3) Client is Dell Inspiron with Intel Broadcom wireless network card.

My setting RADIUS server has 2 network cards. They are

I started installing, setting, running ./radiusd -X with default configuration. Everything seems fine. Server is running.

==
On Server terminal, I test with

radtest test test localhost 0 testing123

Debug message shows up:

Sending Access-Request of id 102 to 127.0.0.1 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Request packet from host 192.168.2.45 port 36272, id=102, length=56
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0

then it ends with

Sending Access-Accept of id 102 to 192.168.2.45 port 36272
    Framed-MTU = 1400
    NAS-IP-Address = 192.168.25.77
    NAS-Port = 15
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 192.168.2.45 port 1812, id=102, length=38
radclient: received response to request we did not send. (id=102 socket 3)
Sending Access-Request of id 102 to 127.0.0.1 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0

My question is why the Access-Accept is to 192.168.2.45 (It should be 192.168.25.254??)

I also try to use RTRadPing Test Utility from local computer-WinXP SP3 (192.168.25.142) asking Authentication Request to 192.168.25.254. RTRadPing says no response from server, timeout.

Seems like my ./radiusd runs on 192.168.2.45 (eth1)??

==
On Server terminal, I try again with

radtest test test 192.168.25.254 0 testing123

Sending Access-Request of id 162 to 192.168.25.254 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0
rad_recv: Access-Request packet from host 192.168.25.254 port 36275, id=162, length=56
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0

then it ends with

Sending Access-Accept of id 162 to 192.168.25.254 port 36275
    Framed-MTU = 1400
    NAS-IP-Address = 192.168.25.77
    NAS-Port = 15
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 192.168.25.254 port 1812, id=162, length=38
    Framed-MTU = 1400
    NAS-IP-Address = 192.168.25.77
    NAS-Port = 15

==
Then, I kill ./radiusd and start with ./radiusd -i 192.168.25.254 -p 1812 -X (I start it in background mode, fixed IP+Port). It ends with...

radiusd: Opening IP addresses and Ports
Listening on authentication address 192.168.25.254 port 1812
Listening on accounting address 192.168.25.254 port 1813
Listening on proxy address 192.168.25.254 port 1814
Ready to process requests.

Seems like RADIUS is listening on 192.168.25.254. :D

==
On Server terminal, I test with

radtest test test localhost 0 testing123

Sending Access-Request of id 103 to 127.0.0.1 port 1812
    User-Name = test
    User-Password = test
    NAS-IP-Address = 127.0.1.1
    NAS-Port = 0

There is no response at all.

If I try with

radtest test test 192.168.25.254 0 testing123

it ends with

Sending Access-Accept of id 88 to 192.168.25.254 port 36277
    Framed-MTU = 1400
    NAS-IP-Address = 192.168.25.77
    NAS-Port = 15
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 192.168.25.254 port 1812, id=88, length=38
    Framed-MTU = 1400
    NAS-IP-Address = 192.168.25.77
    NAS-Port = 15

It replies!! Seems like it is listening at eth0 192.168.25.254 port 1812.

BUT when I use RTRadPing Test Utility from local computer-WinXP SP3 (192.168.25.142) asking Authentication Request to 192.168.25.254, RTRadPing says no response from server, timeout.

What should I do next?? Can somebody suggest something? I think this is just the first step, then I need to install OpenSSL and test... a long way to go..

Best regards,
Pongsak
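The radtest exchange in the debug output above, rebuilt byte for byte as an added example (not code from the thread or from FreeRADIUS): for shared secret testing123 it yields the 56-byte Access-Request and 38-byte Access-Accept the log reports, and shows the Identifier match and Response Authenticator check (RFC 2865) a client applies before trusting a reply, plus why the secret must stay secret (User-Password hiding is reversible with it). The Request Authenticator is random as the RFC requires; attribute values are the ones in the log.

```python
"""RFC 2865 encode/decode of the radtest exchange seen in the thread (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 2, 4, 5, 12
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def u32(n):
    """Integer attribute value, network byte order."""
    return struct.pack("!I", n)


def ipv4(addr):
    """ipaddr attribute value from dotted-quad text."""
    return bytes(int(o) for o in addr.split("."))


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password: anyone holding the shared secret reads the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type/Length/Value triples; Length counts its own two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def access_request(ident, user, password, secret, nas_ip, nas_port, request_auth=None):
    """The Access-Request radtest sends; the Request Authenticator is random."""
    ra = request_auth if request_auth is not None else os.urandom(16)
    body = encode_attrs([(USER_NAME, user),
                         (USER_PASSWORD, hide_password(password, secret, ra)),
                         (NAS_IP_ADDRESS, ipv4(nas_ip)),
                         (NAS_PORT, u32(nas_port))])
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    hdr = HEADER.pack(code, ident, 20 + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def access_accept(request, secret, attrs):
    """Server side: same Identifier, authenticator bound to the request and the secret."""
    ident, ra = request[1], request[4:20]
    body = encode_attrs(attrs)
    auth = response_authenticator(ACCESS_ACCEPT, ident, body, ra, secret)
    return HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(body)) + auth + body


def verify_response(response, request, secret):
    """Client side: Identifier must match the outstanding request and the authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret=b"testing123", wrong_secret=b"wrongsecret"):
    """Reproduce the lengths from the debug output (56 and 38 bytes) and run the checks."""
    req = access_request(102, b"test", b"test", secret, "127.0.1.1", 0)
    acc = access_accept(req, secret, [(FRAMED_MTU, u32(1400)),
                                      (NAS_IP_ADDRESS, ipv4("192.168.25.77")),
                                      (NAS_PORT, u32(15))])
    other = access_request(103, b"test", b"test", secret, "127.0.1.1", 0)
    hidden = dict(decode_attrs(req[20:]))[USER_PASSWORD]
    return {"request_len": len(req), "accept_len": len(acc),
            "accept_ok": verify_response(acc, req, secret),
            "accept_wrong_secret": verify_response(acc, req, wrong_secret),
            "accept_other_id": verify_response(acc, other, secret),
            "password": reveal_password(hidden, secret, req[4:20])}
```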
Re: client certs
Craig,

Have you tried authenticating with the same certificate from a different computer, or using a different supplicant? The XP supplicant is pretty awful. If you have an Intel card, you can download the Intel PROset software for free which has more features than XP's supplicant, supports more authentication options, and tends to work better. My personal favorite is Juniper's Open Access client. Juniper has a 30-day trial if you want to test to see if that solves your problems.

In addition, I find that if the server is down while a client tries to connect, I have to refresh the settings on the AP, restarting the wireless, or the RADIUS server will show no activity at all. Restarting Windows or repairing the wireless connection doesn't help as it appears to be an issue with the AP. So, if you had the RADIUS server down for even a short while, try restarting the AP.

You can also see if there's a valid certificate chain. Start -> Run -> mmc. File -> Add Snap-In. Add Certificates. Choose My User. You should see a "Certificates - Current User" tree. Expand it, then open Personal Certificates. You should see your certificate in the list. Double click the certificate and check the Certificate Path tab. Certificate Status should be OK, and you should see both your client cert and the CA. If your certificate was signed by the server key and not the CA key, certificate verification will fail.

Also, run freeradius with "freeradius -X" to check to see whether Windows is even communicating with the RADIUS server. I was having problems with my Ubuntu laptop and found it was timing out before even attempting to authenticate with the RADIUS server due to a driver issue.

Jason

On Wed, Dec 10, 2008 at 9:17 PM, Craig White [EMAIL PROTECTED] wrote:
> On Wed, 2008-12-10 at 19:51 -0500, Jason Wittlin-Cohen wrote:
> > Craig,
> >
> > Apparently Windows automatically sends non-CA certificates in DER or PEM format to the 'Other People' certificate store.
> >
> > More importantly, the wireless supplicant in Windows XP will not work with PEM or DER formatted client certificates. It'll complain that you have no certificate. You must convert to pkcs12 as the documentation states.
> >
> >     openssl pkcs12 -export -in certname.pem \
> >         -inkey keyname.key -out name.p12 -clcerts
> >
> > Jason
>
> Thanks for the help.
>
> Last week when I was generating certificates my own way, I was doing that and yes, as Ivan points out, the 'scripted' way that make client.pem does make the p12 cert for the client.
>
> My issue now - and obviously sh*t happens as I change things around - is that with the certificates newly generated and radiusd restarted in 'debug' mode, the newly minted ca.der and client.p12 certificates installed in their proper homes in 'certificates' following the instructions here...
>
> http://wiki.freeradius.org/WPA_HOWTO#Step_4:_Configure_the_Client
>
> I 'repair' or 'refresh' Network Connection (obviously the repair is for the Wireless) and it hems/haws and finally says Authentication failed but the wireless AP never makes an effort to connect to the radius server.
>
> Just rebooted the laptop and checked for stale info in regedit HKCU\Software\Microsoft\EAPOL (none)
>
> This AP has been talking to the radius server for weeks now (and all day today) and authenticating Macintosh and iPhone clients but Windows is making me absolutely nuts. The radius server is also authenticating for my RRAS server on a Windows server on the LAN...my only issue has been Windows laptops ;-(
>
> At least earlier with my otherwise generated certificates, I could get through the AP and to the radius server but now...it's like no one is home. The Wireless AP does show my connection but that's it.
>
> I'm very frustrated
>
> Craig

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
(908) 420-0861

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Regarding Dynamic Vlan
Hi

This is Durai Velan C, from India. I would like to know about the Free Radius version that supports Dynamic VLAN Association for a user that is getting authenticated from the Radius Server. Hereby, I would require the Free Radius Server configuration document to aid the same.

Requirements.
1.) My Radius Server IP auth = 172.21.185.142, acct = 172.21.185.142
2.) User = alcatel , Domain = adilab.com
3.) User password = alcatel
4.) Authentication: 802.1X, through MD5-Challenge.

If possible, kindly provide me the Radius Server Configuration for the above mentioned details.

Your help on the same would be great

Regards
Durai velan C

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: client certs
On Wed, 2008-12-10 at 21:36 -0500, Jason Wittlin-Cohen wrote:
> Craig,
>
> Have you tried authenticating with the same certificate from a different computer, or using a different supplicant? The XP supplicant is pretty awful. If you have an Intel card, you can download the Intel PROset software for free which has more features than XP's supplicant, supports more authentication options, and tends to work better. My personal favorite is Juniper's Open Access client. Juniper has a 30-day trial if you want to test to see if that solves your problems.

yes, this laptop has Intel ProSet and I've been using that but with this latest round of certs, I've been unable to get from Laptop to Radius, even with Intel ProSet. ;-(

> In addition, I find that if the server is down while a client tries to connect, I have to refresh the settings on the AP, restarting the wireless, or the RADIUS server will show no activity at all. Restarting Windows or repairing the wireless connection doesn't help as it appears to be an issue with the AP. So, if you had the RADIUS server down for even a short while, try restarting the AP.

I did that about an hour ago but it never hurts and I'll do that when I start my next go 'round after dinner

> You can also see if there's a valid certificate chain. Start -> Run -> mmc. File -> Add Snap-In. Add Certificates. Choose My User. You should see a "Certificates - Current User" tree. Expand it, then open Personal Certificates. You should see your certificate in the list. Double click the certificate and check the Certificate Path tab. Certificate Status should be OK, and you should see both your client cert and the CA.

there is and I've been checking that very thing all along - looks good -

> If your certificate was signed by the server key and not the CA key, certificate verification will fail.

check

> Also, run freeradius with "freeradius -X" to check to see whether Windows is even communicating with the RADIUS server. I was having problems with my Ubuntu laptop and found it was timing out before even attempting to authenticate with the RADIUS server due to a driver issue.

that's what I was referring to 'debug' mode

I have enough hours logged in Radius configuration (first 1.1.2 and now 2.1.1) to know where all the bodies are buried and have googled and looked at the wiki.freeradius.org till I'm blind.

Macintosh and iPhones were easy because they just ask you to accept certificate(s) presented by server. Windows RRAS authentication against Radius server was simple. LDAP authentication seemed to be easy. WinXP laptops - argh...

Craig

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius and Ubuntu 8.10
    sudo apt-get install freeradius

It's a bit of an older version if I remember correctly, so if you need virtual hosts (or whatever they are called) you should compile from source. First get the tar file, then:

    tar -xvf freeradius*
    cd freeradius*
    ./configure   (with whatever modules you need)
    make
    sudo make install

pretty simple if I may say.

On Wed, Dec 10, 2008 at 5:23 PM, Matthew Carriere [EMAIL PROTECTED] wrote:
> I am also about to install FreeRadius, anyone have experience with installing on Ubuntu 8.10 Server 32 Bit?
>
> --
> Matthew Carriere
> [EMAIL PROTECTED]

--
Random quote of the week/month/whenever i get to updating it:
Opportunity knocked. My doorman threw him out. - Adrienne Gusoff
At school you don't get parole, good behavior only brings a longer sentence. - The History Boys

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius and Ubuntu 8.10
Note that the version of FreeRADIUS packaged by Ubuntu doesn't have SSL support (so no TLS, PEAP, TTLS). If you decide to install from source you should build a .deb package. It'll make it easier to administer and upgrade/uninstall in the future.

    tar -xvf freeradius*
    cd freeradius*
    apt-get build-dep freeradius dpatch
    dpkg-buildpackage -rfakeroot
    cd /
    dpkg -i freeradius_2.1.3-0_i386.deb

On Thu, Dec 11, 2008 at 1:47 AM, Paul Bartell [EMAIL PROTECTED] wrote:
>     sudo apt-get install freeradius
>
> It's a bit of an older version if I remember correctly, so if you need virtual hosts (or whatever they are called) you should compile from source. First get the tar file, then:
>
>     tar -xvf freeradius*
>     cd freeradius*
>     ./configure   (with whatever modules you need)
>     make
>     sudo make install
>
> pretty simple if I may say.
>
> On Wed, Dec 10, 2008 at 5:23 PM, Matthew Carriere [EMAIL PROTECTED] wrote:
> > I am also about to install FreeRadius, anyone have experience with installing on Ubuntu 8.10 Server 32 Bit?
> >
> > --
> > Matthew Carriere
> > [EMAIL PROTECTED]

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
(908) 420-0861

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius and Ubuntu 8.10
Sorry, that should be

    apt-get build-dep freeradius
    apt-get install dpatch

dpatch is necessary to build the source package but isn't included as a build dependency.

On Thu, Dec 11, 2008 at 2:09 AM, Jason Wittlin-Cohen [EMAIL PROTECTED] wrote:
> Note that the version of FreeRADIUS packaged by Ubuntu doesn't have SSL support (so no TLS, PEAP, TTLS). If you decide to install from source you should build a .deb package. It'll make it easier to administer and upgrade/uninstall in the future.
>
>     tar -xvf freeradius*
>     cd freeradius*
>     apt-get build-dep freeradius dpatch
>     dpkg-buildpackage -rfakeroot
>     cd /
>     dpkg -i freeradius_2.1.3-0_i386.deb
>
> On Thu, Dec 11, 2008 at 1:47 AM, Paul Bartell [EMAIL PROTECTED] wrote:
> >     sudo apt-get install freeradius
> >
> > It's a bit of an older version if I remember correctly, so if you need virtual hosts (or whatever they are called) you should compile from source. First get the tar file, then:
> >
> >     tar -xvf freeradius*
> >     cd freeradius*
> >     ./configure   (with whatever modules you need)
> >     make
> >     sudo make install
> >
> > pretty simple if I may say.
> >
> > On Wed, Dec 10, 2008 at 5:23 PM, Matthew Carriere [EMAIL PROTECTED] wrote:
> > > I am also about to install FreeRadius, anyone have experience with installing on Ubuntu 8.10 Server 32 Bit?
> > >
> > > --
> > > Matthew Carriere
> > > [EMAIL PROTECTED]

--
Jason Wittlin-Cohen
Yale Law School, Class of 2010
[EMAIL PROTECTED]
(908) 420-0861

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding Dynamic Vlan
Hi,

> 1.) My Radius Server IP auth = 172.21.185.142, acct = 172.21.185.142
> 2.) User = alcatel , Domain = adilab.com
> 3.) User password = alcatel
> 4.) Authentication: 802.1X, through MD5-Challenge.
>
> If possible, kindly provide me the Radius Server Configuration for the above mentioned details.

all of this is clearly documented - this mailing list is for help to those people who have put the effort in to getting the basics working - what you are asking for is someone to do your job for free. I'm sure the configs you require can be supplied for the usual pro-rata fee for time and effort.

hint: (1) clients.conf, (2,3) 'users' file, (4) eap.conf

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html