About sqlippool
Hello,

Sorry for asking a newbie question. I would like to implement sqlippool functionality on FreeRADIUS 2.1.3. I read /usr/local/share/doc/freeradius/rlm_sqlippool; there is the following note: "IP-Pool Attribute (Keep in mind that its a **CHECK** item, not reply)". I didn't understand it. Which attribute (IP-Pool or Pool-Name) is needed for sqlippool?

I also defined sqlippool in the accounting { ... } and post-auth { ... } sections, but the pool didn't work. You can see more detail below. Thanks for any help.

accounting {
    #
    #  Create a 'detail'ed log of the packets.
    #  Note that accounting requests which are proxied
    #  are also logged in the detail file.
    detail
#   daily

    #  Update the wtmp file
    #
    #  If you don't use "radlast", you can delete this line.
    #unix

    #
    #  Log traffic to an SQL database.
    #
    #  See "Accounting queries" in sql.conf
    sql
    *sqlippool*

    #
    #  For Simultaneous-Use tracking.
    #
    #  Due to packet losses in the network, the data here
    #  may be incorrect.  There is little we can do about it.
    radutmp
#   sradutmp

    #  Return an address to the IP Pool when we see a stop record.
#   main_pool

    #
    #  Instead of sending the query to the SQL server,
    #  write it into a log file.
    #
#   sql_log

    #  Cisco VoIP specific bulk accounting
#   pgsql-voip

    #  Filter attributes from the accounting response.
    attr_filter.accounting_response

    #
    #  See "Autz-Type Status-Server" for how this works.
    #
#   Acct-Type Status-Server {
#
#   }
}

and

post-auth {
    #  Get an address from the IP Pool.
#   main_pool

    #
    #  If you want to have a log of authentication replies,
    #  un-comment the following line, and the 'detail reply_log'
    #  section, above.
#   reply_log

    #
    #  After authenticating the user, do another SQL query.
    #
    #  See "Authentication Logging Queries" in sql.conf
    sql
    *sqlippool*

    #
    #  Instead of sending the query to the SQL server,
    #  write it into a log file.
    #
#   sql_log

    #
    #  Un-comment the following if you have set
    #  'edir_account_policy_check = yes' in the ldap module sub-section of
    #  the 'modules' section.
    #
#   ldap

    exec

    #
    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #
    #  Add the ldap module name (or instance) if you have set
    #  'edir_account_policy_check = yes' in the ldap module configuration
    #
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: other device to store configuration!
new conf wrote:
> Hello; I realize that my smart card has a non-standard structure (and private keys are stored in a table) not structured with PKCS#12 or 15. So I have to query it to get those keys. I have the commands to do that. My question is, is it possible to convert the outputs of the smartcard (APDUs in hexadecimal format) to a ".pem" file that my server can request? Please, do you have an idea? Any suggestions?

You cannot extract private keys from a smartcard. The whole purpose of a smartcard is to store a private key such that it can't be read directly, thus the question you're asking is nonsensical. This is why I proposed the list of questions for you last week, but I get the feeling you haven't researched them because of the question you're asking.

But let me give you a hint. The radius server needs its private key for SSL/TLS handshaking. Different SSL/TLS implementations store private keys differently. OpenSSL, which is what FreeRADIUS utilizes for its SSL/TLS implementation, stores keys in pem files.

So why do different SSL/TLS implementations store keys differently than OpenSSL? Because a private key is gold; once someone has your private key they can impersonate your server. Thus protecting a private key is critical. Storing a private key in a file, although commonly done, is a dubious security practice because anyone with appropriate access can steal your key. Do you want your private key on backup tapes? You get the idea.

So what can you do such that your private key is never visible to anyone? One thing you can do is use a smartcard. How does a smartcard work? In simplest terms your private key is stored on the card. It *NEVER* leaves the card; the only way someone can be in possession of your private key is to be in possession of your smartcard.

If the private key never leaves the card then how does the SSL/TLS implementation get access to your private key to perform the cryptographic operations necessary during the SSL/TLS handshake? The answer is it doesn't. What happens instead is that the SSL/TLS implementation asks the smartcard to perform the cryptographic operation using your key *ON THE CARD* and then return the result. This is one reason they're called smartcards: they're smart enough to do these things for you.

So what does this mean? It means if you want to use a smart card to store your private key material, your SSL/TLS implementation must know enough to ask the smart card to perform cryptographic operations instead of doing the cryptographic operation itself using your private key (in a pem file). The interface for smartcards is PKCS11; this is why I said you'll need to understand OpenSSL's support for PKCS11. I'm not an OpenSSL expert so I can't help you on that front.

Another question to consider is if a smartcard will give you adequate performance for your server load; a different type of hardware based key management might be more appropriate than using a smartcard for a server. Smartcards are typically used for "client" authentication and signing where the volume of cryptographic operations is relatively low.

The following PDF from RSA gives an overview of Cryptographic Smart Cards: http://www.afina.com.mx/download/docs/rsa/SecurIDSmartCard.pdf

Now do you understand why your question doesn't make any sense?

-- 
John Dennis
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: Poll: Bug reporting system
Alan DeKok wrote:
> Due to a HD loss, bugs.freeradius.org is down, and won't be coming
> back. Unfortunately, this means a loss of patches, reports, user
> accounts, etc.
>
> Before we put another bug system online, we would like to ask for your
> input.
>
> Which bug reporting system do you use? Which one do you prefer?
> Which ones are horrible, and shouldn't be considered?

My heart sinks every time I stumble onto Mantis...

Cheers

-- 
Alexander Clouter
.sigmonster says:
"Trust me": Translation of the Latin "caveat emptor."
Re: Poll: Bug reporting system
phil lemelin wrote:
> Personally, I like the simplicity of TRAC. Easy to install, easy to
> maintain and does the job quite well. The integration with
> subversion makes it very interesting.
>
> It seems it also supports GIT. If it works like subversion, the
> integration is very interesting since you can link code with
> tickets.

+1 for Trac. It's what we're going to deploy for software development. If it supports GIT all the better :)

Might require an upgrade, but you've got all the basic stuff in place already IIRC?

Arran
Re: Poll: Bug reporting system
Personally, I like the simplicity of TRAC. Easy to install, easy to maintain and does the job quite well. The integration with subversion makes it very interesting.

It seems it also supports GIT. If it works like subversion, the integration is very interesting since you can link code with tickets.

-- 
Philippe-Alexandre Lemelin
Re: Poll: Bug reporting system
On Tuesday, 14 April 2009 19:51:36, Michael Schwartzkopff wrote:
> On Tuesday 14 April 2009 19:42:17 Alan DeKok wrote:
> > Due to a HD loss, bugs.freeradius.org is down, and won't be coming
> > back. Unfortunately, this means a loss of patches, reports, user
> > accounts, etc.
> >
> > Before we put another bug system online, we would like to ask for your
> > input.
> >
> > Which bug reporting system do you use? Which one do you prefer?
> > Which ones are horrible, and shouldn't be considered?
> >
> > Alan DeKok.
>
> In our company we use bugzilla. I installed it also at several customers.
> All are happy. We are very satisfied with it. Take care that you get a
> quite recent version.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Re: Poll: Bug reporting system
On Tuesday 14 April 2009 19:42:17 Alan DeKok wrote:
> Due to a HD loss, bugs.freeradius.org is down, and won't be coming
> back. Unfortunately, this means a loss of patches, reports, user
> accounts, etc.
>
> Before we put another bug system online, we would like to ask for your
> input.
>
> Which bug reporting system do you use? Which one do you prefer?
> Which ones are horrible, and shouldn't be considered?
>
> Alan DeKok.

In our company we use bugzilla. I installed it also at several customers. All are happy. We are very satisfied with it. Take care that you get a quite recent version.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
Poll: Bug reporting system
Due to a HD loss, bugs.freeradius.org is down, and won't be coming back. Unfortunately, this means a loss of patches, reports, user accounts, etc.

Before we put another bug system online, we would like to ask for your input.

Which bug reporting system do you use? Which one do you prefer? Which ones are horrible, and shouldn't be considered?

Alan DeKok.
Re: 3Com 3226 .1X to freeradius fails
john wrote:
> On Tue, Apr 14, 2009 at 2:47 AM, Alan DeKok wrote:
> Possibly so. I have the latest firmware. I have a dozen or so of these
> switches. I'll try a different one. I was hoping that they might have
> a reputation someone was aware of in regard to .1X.

There have been a number of reports of problems related to 3com switches.

Alan DeKok.
Dynamically set password_attribute
Is it possible to dynamically set the password_attribute ldap module option? I tried setting it to %{Ldap-Pass-Attr}, but it doesn't seem to expand this.
Re: 3Com 3226 .1X to freeradius fails
> maybe your switch is not defined in clients.conf file.

Here's the entry. Perhaps it's incorrectly defined?

}
client 10.1.8.100 {
    require_message_authenticator = no
    secret = "testing123"
    shortname = "10.1.8.100"
    nastype = "other"
}
Re: 3Com 3226 .1X to freeradius fails
On Tue, Apr 14, 2009 at 2:47 AM, Alan DeKok wrote:
> john wrote:
>> I am trying to connect a Windows XP/sp2 machine to my network using a
>> 3com 3226 superstack switch as a NAS. This windows Client can
>> successfully authenticate via a wireless access point when using
>> WPA2/AES via PEAP/mschap2.
>>
>> However when I plug the same client into my 3com 3226 switch
>> configured for .1X I am unable to authenticate.
>
> Then the switch is broken. Upgrade the firmware, or buy another one.
>
> Alan DeKok.

Possibly so. I have the latest firmware. I have a dozen or so of these switches. I'll try a different one. I was hoping that they might have a reputation someone was aware of in regard to .1X.

John
RE: help for radius
> Please let me know .. Is it compulsory to configure EAP/PEAP?

No. But it is enabled in freeradius by default - ie. it "just works".

> Or will it work with EAP-MD5 (that is the default configuration, without any change after installation ...!!) also ..??

That is enabled by default as well. BTW EAP-MD5 is the default for wired Windows clients.

Ivan Kalik
Kalik Informatika ISP
RE: NAS table
Post radiusd -X output of server startup. Is sql enabled anywhere in the configuration? It isn't by default.

Ivan Kalik
Kalik Informatika ISP

-----Original Message-----
From: freeradius-users-bounces+tnt=kalik@lists.freeradius.org [mailto:freeradius-users-bounces+tnt=kalik@lists.freeradius.org] On Behalf Of Nizar Zulmi
Sent: 14 April 2009 08:00
To: FreeRadius users mailing list
Subject: Re: NAS table

I commented out this in clients.conf:

#client 127.0.0.1 {
#   secret = passwordradius
#   shortname = localhost
#   nastype = other     # localhost isn't usually a NAS...
#}

and I added this to the NAS table in the radius database:

insert into nas (nasname, shortname, secret) values ("client 127.0.0.1","localhost","passwordradius");

I restarted the mysql server and then I performed a test using radtest and got this message:

radtest Nizar 123456 localhost 1812 passwordradius
Sending Access-Request of id 104 to 127.0.0.1 port 1812
    User-Name = "Nizar"
    User-Password = "123456"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1812
Re-sending Access-Request of id 104 to 127.0.0.1 port 1812
    User-Name = "Nizar"
    User-Password = "123456"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1812
radclient: no response from server for ID 104

Why does it still not work? Clue please...

--- On Tue, 4/14/09, JDL wrote:

From: JDL
Subject: Re: NAS table
To: "FreeRadius users mailing list"
Date: Tuesday, April 14, 2009, 11:42 AM

Nizar Zulmi wrote:
> I enabled this in sql.conf:
> readclients = yes
>
> Do I have to remove this:
> client 127.0.0.1 {

Do you have a "127.0.0.1" client in your nas table? If so, then yes, you will need to remove it or else you will end up with a duplicate. If this client is not in your nas table, then you can just leave the 127.0.0.1 client in the clients.conf file.

BTW, I think the 127.0.0.1 client is just there for testing purposes. I do not believe it will break anything if it is completely removed (unless, of course, you are also running some sort of radius client on the same server as FreeRADIUS).

Jim L.
RE: eap issues
> So I have two sections in eap.conf, ttls and peap, which both ask for 'default_eap_type = *' and I have set them both to mschapv2
>
> and in the eap section at the top, I changed default_eap_type to tls
>
> Does this make sense?

It doesn't matter a lot. EAP negotiation will set the correct type. If the correct type is preset you save one EAP exchange.

Ivan Kalik
Kalik Informatika ISP
Re: 3Com 3226 .1X to freeradius fails
Alan DeKok wrote:
> john wrote:
>> I am trying to connect a Windows XP/sp2 machine to my network using a
>> 3com 3226 superstack switch as a NAS. This windows Client can
>> successfully authenticate via a wireless access point when using
>> WPA2/AES via PEAP/mschap2.
>>
>> However when I plug the same client into my 3com 3226 switch
>> configured for .1X I am unable to authenticate.
>
> Then the switch is broken. Upgrade the firmware, or buy another one.
>
> Alan DeKok.

Maybe your switch is not defined in clients.conf file.
Re: 3Com 3226 .1X to freeradius fails
john wrote:
> I am trying to connect a Windows XP/sp2 machine to my network using a
> 3com 3226 superstack switch as a NAS. This windows Client can
> successfully authenticate via a wireless access point when using
> WPA2/AES via PEAP/mschap2.
>
> However when I plug the same client into my 3com 3226 switch
> configured for .1X I am unable to authenticate.

Then the switch is broken. Upgrade the firmware, or buy another one.

Alan DeKok.
Re: NAS table
I commented out this in clients.conf:

#client 127.0.0.1 {
#   secret = passwordradius
#   shortname = localhost
#   nastype = other     # localhost isn't usually a NAS...
#}

and I added this to the NAS table in the radius database:

insert into nas (nasname, shortname, secret) values ("client 127.0.0.1","localhost","passwordradius");

I restarted the mysql server and then I performed a test using radtest and got this message:

radtest Nizar 123456 localhost 1812 passwordradius
Sending Access-Request of id 104 to 127.0.0.1 port 1812
    User-Name = "Nizar"
    User-Password = "123456"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1812
Re-sending Access-Request of id 104 to 127.0.0.1 port 1812
    User-Name = "Nizar"
    User-Password = "123456"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1812
radclient: no response from server for ID 104

Why does it still not work? Clue please...

--- On Tue, 4/14/09, JDL wrote:

From: JDL
Subject: Re: NAS table
To: "FreeRadius users mailing list"
Date: Tuesday, April 14, 2009, 11:42 AM

Nizar Zulmi wrote:
> I enabled this in sql.conf:
> readclients = yes
>
> Do I have to remove this:
> client 127.0.0.1 {

Do you have a "127.0.0.1" client in your nas table? If so, then yes, you will need to remove it or else you will end up with a duplicate. If this client is not in your nas table, then you can just leave the 127.0.0.1 client in the clients.conf file.

BTW, I think the 127.0.0.1 client is just there for testing purposes. I do not believe it will break anything if it is completely removed (unless, of course, you are also running some sort of radius client on the same server as FreeRADIUS).

Jim L.