Re: question about windows users
Problem was solved thanks to Ivan's assistance. Main problem was on switch side and its configuration. Second problem was - proper certificate to proper certificate store. And third - in my head :).

Thank you again,
Bartosz

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: new to freeradius, securing LAN
ldap.lippogeneral.com wrote:
> Hello All,
> I am very new to FreeRadius. Some users already know our LAN IPs, so they can manually configure an interface on their PC and completely bypass our DHCP server. Can I solve this by using FreeRadius? I thought this can be done by checking its MAC address, so although they use a valid IP address, if their MAC address is not recognized by our server then they must be denied and they cannot go anywhere and cannot do anything in our LAN. I need advice.

Hi,

The problem is not really linked with radius, let's try to propose some directions anyway.

Most recent switches propose to do VLAN assignment based on port or MAC address. Check if your switches can do this.

Radius can be used to authenticate a device (in your case, a PC) with information like MAC address or a certificate. So you can also do some MAC based authentication, but keep in mind that changing a MAC address is as easy as setting a static LAN IP on a PC, so it's definitely not enough if you wish to avoid what you described above.

Hope this'll help.

> many thanks in advance
Re: question about windows users
> Problem was solved thanks to Ivan's assistance. Main problem was on switch side and its configuration. Second problem was - proper certificate to proper certificate store. And third - in my head :).

OK. Now that you have established that client certificates signed by CA work with XP SP3, can you check if server signed certificates (made by original Makefile) also work, or is XP SP3 rejecting them. Could you report to the list with the result.

Ivan Kalik
Kalik Informatika ISP
Re: new to freeradius, securing LAN
so you meant, it's better to avoid them physically.. ;(

- Original Message -
From: pkc_mls pkc_...@yahoo.fr
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 29, 2009 2:33 PM
Subject: Re: new to freeradius, securing LAN

> ldap.lippogeneral.com wrote:
>> Hello All,
>> I am very new to FreeRadius. Some users already know our LAN IPs, so they can manually configure an interface on their PC and completely bypass our DHCP server. Can I solve this by using FreeRadius? I thought this can be done by checking its MAC address, so although they use a valid IP address, if their MAC address is not recognized by our server then they must be denied and they cannot go anywhere and cannot do anything in our LAN. I need advice.
>
> Hi,
>
> The problem is not really linked with radius, let's try to propose some directions anyway.
>
> Most recent switches propose to do VLAN assignment based on port or MAC address. Check if your switches can do this.
>
> Radius can be used to authenticate a device (in your case, a PC) with information like MAC address or a certificate. So you can also do some MAC based authentication, but keep in mind that changing a MAC address is as easy as setting a static LAN IP on a PC, so it's definitely not enough if you wish to avoid what you described above.
>
> Hope this'll help.
>
>> many thanks in advance
Re: new to freeradius, securing LAN
> so you meant, it's better to avoid them physically.. ;(

No, he means you should do proper authentication (username/password, not mac). If your equipment doesn't support 802.1x set up a PPPoE server. Have it do authentication before DHCP hands them an IP.

Ivan Kalik
Kalik Informatika ISP
Re: new to freeradius, securing LAN
>> so you meant, it's better to avoid them physically.. ;(
>
> No, he means you should do proper authentication (username/password, not mac). If your equipment doesn't support 802.1x set up a PPPoE server. Have it do authentication before DHCP hands them an IP.

But how, if they can manually configure an interface on their PC and completely bypass our DHCP server..
RE: Not doing Peap/ttls
>> Help please and sorry for the long post.
>>
>> Quick description of the problem: New build Freeradius 2.1.4/5 on solaris x86 vmware. Client is a laptop running windows XP through a cisco switch configured for 802.1x. Will not do peap. Reconfigure the switch to use a different freeradius server (2.1.3 on sparc solaris) and it works fine. Output of radiusd -X on the non-working server below.
>
> Hm, is your (non-working) radius server multihomed? Is switch sending packets to one IP and getting them back from another. Clients will ignore packets from unknown servers just like servers ignore packets from unknown clients.
>
> Ivan Kalik
> Kalik Informatika ISP

Of course, in order to ignore the packet, it first has to receive it! Network access list blocking new server.

Many thanks for helping again.

Leighton

---
This transmission is confidential and may be legally privileged. If you receive it in error, please notify us immediately by e-mail and remove it from your system. If the content of this e-mail does not relate to the business of the University of Huddersfield, then we do not endorse it and will accept no liability.
Re: question about windows users
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik t...@kalik.net wrote:
>> Problem was solved thanks to Ivan's assistance. Main problem was on switch side and its configuration. Second problem was - proper certificate to proper certificate store. And third - in my head :).
>
> OK. Now that you have established that client certificates signed by CA work with XP SP3, can you check if server signed certificates (made by original Makefile) also work, or is XP SP3 rejecting them. Could you report to the list with the result.
>
> Ivan Kalik
> Kalik Informatika ISP

No, standard Makefile is not working.

freeradius -X output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = u...@example.com
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	EAP-Message = 0x02150175736572406578616d706c652e636f6d
	Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
	EAP-Message = 0x010100061920
	Message-Authenticator = 0x
	State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = u...@example.com
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
	EAP-Message = 0x02010006030d
	Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x
	State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224
	NAS-IP-Address = 192.168.5.206
	NAS-Port = 50046
	NAS-Port-Type = Ethernet
	User-Name = u...@example.com
	Called-Station-Id = 00-0C-30-81-9B-EE
	Calling-Station-Id = 00-0A-E4-13-1A-02
	Service-Type = Framed-User
	Framed-MTU = 1500
	State = 0x0a8a026e0b880fea4f51a121d61eb2bf
	EAP-Message = 0x020200500d8000461603010041013d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f56941600040005000a000900640062000300060013001200630100
	Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP
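The EAP negotiation in the radiusd -X output above can be read straight off the EAP-Message values. The decoder below is an added example, not code from the FreeRADIUS project or from anyone in this thread: it parses the EAP header (code, id, length, type), the EAP-TLS/PEAP flags byte and optional TLS length, and the TLS ClientHello carried in the third response, and it checks the EAP length field against the bytes actually present. That check matters here: two of the values as the archive renders them (the Identity response and the ClientHello) are shorter than their length field says, so the decoder reports a mismatch for them instead of mis-parsing. The ClientHello fed to it is therefore a constructed copy with the missing zero bytes restored, which is the 80-byte packet radiusd reports for id 2; the three short packets are copied from the output as-is.

```python
"""Decode EAP-Message values as printed by radiusd -X (added example, not FreeRADIUS code)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # EAP methods whose payload starts with the EAP-TLS flags byte


def parse_client_hello(record):
    """Parse a TLS handshake record that carries a ClientHello; None if it is not one."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hello = {"record_version": "%d.%d" % (record[1], record[2])}  # 3.1 is TLS 1.0
    body = record[9:]  # skip 5-byte record header and 4-byte handshake header
    hello["client_version"] = "%d.%d" % (body[0], body[1])
    sid_len = body[34]  # 2 bytes version + 32 bytes random precede the session-id length
    pos = 35 + sid_len
    if len(body) < pos + 2:
        return hello
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = body[pos + 2:pos + 2 + cs_len]
    hello["cipher_suites"] = [struct.unpack("!H", suites[i:i + 2])[0]
                              for i in range(0, len(suites) - 1, 2)]
    return hello


def decode_eap_message(hexstr):
    """Describe one EAP-Message attribute value ("0x..." as radiusd prints it)."""
    raw = hexstr[2:] if hexstr.lower().startswith("0x") else hexstr
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return {"error": "fewer than 4 bytes, no EAP header"}
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "bytes": len(data)}
    if length != len(data):
        # A trace that lost or gained bytes trips this; do not guess at the rest of it.
        info["error"] = "EAP length field %d does not match %d bytes present" % (length, len(data))
        return info
    if code in (3, 4):
        return info  # Success/Failure carry no type byte
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    payload = data[5:]
    if eap_type == 1:
        info["identity"] = payload.decode("ascii", "replace")
    elif eap_type == 3:
        # A NAK lists the methods the peer is willing to do instead of the one offered
        info["desired_types"] = [EAP_TYPES.get(t, t) for t in payload]
    elif eap_type in TLS_BASED and payload:
        flags = payload[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if eap_type == 25:
            info["peap_version"] = flags & 0x07
        body = payload[1:]
        if flags & 0x80:  # L flag: a 4-byte total TLS message length follows the flags
            if len(body) < 4:
                info["error"] = "L flag set but no TLS message length"
                return info
            info["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_bytes"] = len(body)
        hello = parse_client_hello(body)
        if hello:
            info["client_hello"] = hello
    return info


# Copied from the radiusd -X output in this thread.
PEAP_OFFER = "0x010100061920"
NAK_FOR_TLS = "0x02010006030d"
EAPTLS_START = "0x010200060d20"
# Constructed: the id-2 response with the zero bytes the archive dropped put back,
# giving the 80-byte packet the debug output reports.
CLIENT_HELLO = ("0x020200500d8000000046160301004101" "00003d0301"
                "4a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f5694"
                "00" "0016" "00040005000a00090064006200030006001300120063" "0100")
# As the archive prints the Identity response: 19 bytes, length field says 373.
ARCHIVE_IDENTITY = "0x02150175736572406578616d706c652e636f6d"


def summarize_exchange():
    """Decode the four packets of the offer / NAK / start / ClientHello exchange in order."""
    return [decode_eap_message(h) for h in (PEAP_OFFER, NAK_FOR_TLS, EAPTLS_START, CLIENT_HELLO)]


if __name__ == "__main__":
    for h in (PEAP_OFFER, NAK_FOR_TLS, EAPTLS_START, CLIENT_HELLO, ARCHIVE_IDENTITY):
        print(h, "->", decode_eap_message(h))
```

Run stand-alone it prints one dict per packet: the server offers PEAP (type 25, S flag set), the XP supplicant answers with a NAK naming EAP-TLS (type 13) as the only method it will do, the server sends an EAP-TLS start, and the client replies with a TLS 1.0 ClientHello offering eleven cipher suites. The length check is what keeps the decoder honest on the damaged archive values.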
Re: rlm_raw not included in compile
Johan Meiring wrote:
> Hi all,
> I am trying to use the rlm_raw module to test a piece of code.

OK

> After struggling for about 4 hours, I did the following
> 1) touch src/modules/rlm_raw/configure
> 2) ./autogen.sh
> 3) added rlm_raw to debian configure by editing debian/rules
>
> Now it tries to compile it, but fails horribly. (See compile failure below).
>
> Does anyone have a clue how to add rlm_raw to the current git tar file?
>
> PS: The rlm_raw I'm using comes from http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html
>
> SNIP--
> make[6]: Entering directory `/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src/modules/rlm_raw'
> /usr/bin/libtool --mode=compile gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl -D_LIBRADIUS -c rlm_raw.c
> gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl -D_LIBRADIUS -c rlm_raw.c -fPIC -DPIC -o .libs/rlm_raw.o
> rlm_raw.c:22:22: error: autoconf.h: No such file or directory
> rlm_raw.c:23:23: error: libradius.h: No such file or directory
> rlm_raw.c:28:21: error: radiusd.h: No such file or directory
> rlm_raw.c:29:21: error: modules.h: No such file or directory
> rlm_raw.c:30:22: error: conffile.h: No such file or directory
> rlm_raw.c:46: error: expected specifier-qualifier-list before ‘uint8_t’
> rlm_raw.c:57: error: expected declaration specifiers or ‘...’ before ‘REQUEST’
> rlm_raw.c:59: error: expected declaration specifiers or ‘...’ before ‘RADIUS_ESCAPE_STRING’
> rlm_raw.c: In function ‘raw_xlat’:
> rlm_raw.c:61: error: ‘uint8_t’ undeclared (first use in this function)
> rlm_raw.c:61: error: (Each undeclared identifier is reported only once
> rlm_raw.c:61: error: for each function it appears in.)
> rlm_raw.c:61: error: expected ‘;’ before ‘strvalue’
> rlm_raw.c:62: error: ‘uint32_t’ undeclared (first use in this function)
> rlm_raw.c:62: error: expected ‘;’ before ‘lvalue’
> rlm_raw.c:63: error: expected ‘;’ before ‘vendorcode’
> rlm_raw.c:70: error: ‘PW_TYPE_OCTETS’ undeclared (first use in this function)
> rlm_raw.c:71: error: ‘ATTR_FLAGS’ undeclared (first use in this function)
> rlm_raw.c:71: error: expected ‘;’ before ‘flags’
> rlm_raw.c:72: error: ‘DICT_ATTR’ undeclared (first use in this function)
> rlm_raw.c:72: error: ‘da’ undeclared (first use in this function)
> rlm_raw.c:73: error: ‘DICT_VALUE’ undeclared (first use in this function)
> rlm_raw.c:73: error: ‘dv’ undeclared (first use in this function)
> rlm_raw.c:76: error: ‘request’ undeclared (first use in this function)
> rlm_raw.c:77: error: ‘ptr’ undeclared (first use in this function)
> rlm_raw.c:77: error: ‘radius_packet_t’ has no member named ‘data’
> rlm_raw.c:78: error: ‘subptr’ undeclared (first use in this function)
> rlm_raw.c:79: error: ‘AUTH_HDR_LEN’ undeclared (first use in this function)
> rlm_raw.c:82: error: storage size of ‘s_tm’ isn’t known
> rlm_raw.c:87: warning: implicit declaration of function ‘dict_attrbyname’
> rlm_raw.c:87: warning: nested extern declaration of ‘dict_attrbyname’
> rlm_raw.c:89: warning: implicit declaration of function ‘strNcpy’
> rlm_raw.c:89: warning: nested extern declaration of ‘strNcpy’
> rlm_raw.c:92: error: ‘flags’ undeclared (first use in this function)
> rlm_raw.c:96: error: ‘vendorcode’ undeclared (first use in this function)
> rlm_raw.c:109: error: ‘PW_VENDOR_SPECIFIC’ undeclared (first use in this function)
> rlm_raw.c:111: warning: implicit declaration of function ‘memcpy’
> rlm_raw.c:111: warning: incompatible implicit declaration of built-in function ‘memcpy’
> rlm_raw.c:111: error: ‘lvalue’ undeclared (first use in this function)
> rlm_raw.c:112: warning: implicit declaration of function ‘ntohl’
> rlm_raw.c:112: warning: nested extern declaration of ‘ntohl’
> rlm_raw.c:151: error: ‘VENDORPEC_USR’ undeclared (first use in this function)
> rlm_raw.c:154: warning: implicit declaration of function ‘dict_attrbyvalue’
> rlm_raw.c:154: warning: nested extern declaration of ‘dict_attrbyvalue’
> rlm_raw.c:180: error: ‘PW_TYPE_STRING’ undeclared (first use in this function)
> rlm_raw.c:182: warning: implicit declaration of function ‘TAG_VALID_ZERO’
> rlm_raw.c:182: warning: nested extern declaration of ‘TAG_VALID_ZERO’
> rlm_raw.c:182: error: ‘FLAG_ENCRYPT_TUNNEL_PASSWORD’ undeclared (first use in this function)
> rlm_raw.c:186: warning: incompatible implicit declaration of built-in function
rlm_raw
Apologies for reposting, but I was too lazy to type the address into my Thunderbird, replied to an old message, deleted subject/body, and I see my message sits at the bottom of the other thread. Something remained in the headers, so people with threaded readers will probably not see it.

---

Hi all,

I am trying to use the rlm_raw module to test a piece of code.

Downloaded freeradius 2.1.7 pre from git.

Found rlm_raw here: http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html

After struggling for a few hours to convince my compiler to include the module, the following seemed to work.
1) touch src/modules/rlm_raw/configure
2) ./autogen.sh
3) added rlm_raw to debian configure by editing debian/rules

Now it tries to compile it, but fails horribly. (See compile failure below).

Does anyone have a clue how to add rlm_raw to the current git tar file?

SNIP--
make[6]: Entering directory `/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src/modules/rlm_raw'
/usr/bin/libtool --mode=compile gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl -D_LIBRADIUS -c rlm_raw.c
gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src -I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl -D_LIBRADIUS -c rlm_raw.c -fPIC -DPIC -o .libs/rlm_raw.o
rlm_raw.c:22:22: error: autoconf.h: No such file or directory
rlm_raw.c:23:23: error: libradius.h: No such file or directory
rlm_raw.c:28:21: error: radiusd.h: No such file or directory
rlm_raw.c:29:21: error: modules.h: No such file or directory
rlm_raw.c:30:22: error: conffile.h: No such file or directory
rlm_raw.c:46: error: expected specifier-qualifier-list before ‘uint8_t’
rlm_raw.c:57: error: expected declaration specifiers or ‘...’ before ‘REQUEST’
rlm_raw.c:59: error: expected declaration specifiers or ‘...’ before ‘RADIUS_ESCAPE_STRING’
rlm_raw.c: In function ‘raw_xlat’:
rlm_raw.c:61: error: ‘uint8_t’ undeclared (first use in this function)
rlm_raw.c:61: error: (Each undeclared identifier is reported only once
rlm_raw.c:61: error: for each function it appears in.)
rlm_raw.c:61: error: expected ‘;’ before ‘strvalue’
rlm_raw.c:62: error: ‘uint32_t’ undeclared (first use in this function)
rlm_raw.c:62: error: expected ‘;’ before ‘lvalue’
rlm_raw.c:63: error: expected ‘;’ before ‘vendorcode’
rlm_raw.c:70: error: ‘PW_TYPE_OCTETS’ undeclared (first use in this function)
rlm_raw.c:71: error: ‘ATTR_FLAGS’ undeclared (first use in this function)
rlm_raw.c:71: error: expected ‘;’ before ‘flags’
rlm_raw.c:72: error: ‘DICT_ATTR’ undeclared (first use in this function)
rlm_raw.c:72: error: ‘da’ undeclared (first use in this function)
rlm_raw.c:73: error: ‘DICT_VALUE’ undeclared (first use in this function)
rlm_raw.c:73: error: ‘dv’ undeclared (first use in this function)
rlm_raw.c:76: error: ‘request’ undeclared (first use in this function)
rlm_raw.c:77: error: ‘ptr’ undeclared (first use in this function)
rlm_raw.c:77: error: ‘radius_packet_t’ has no member named ‘data’
rlm_raw.c:78: error: ‘subptr’ undeclared (first use in this function)
rlm_raw.c:79: error: ‘AUTH_HDR_LEN’ undeclared (first use in this function)
rlm_raw.c:82: error: storage size of ‘s_tm’ isn’t known
rlm_raw.c:87: warning: implicit declaration of function ‘dict_attrbyname’
rlm_raw.c:87: warning: nested extern declaration of ‘dict_attrbyname’
rlm_raw.c:89: warning: implicit declaration of function ‘strNcpy’
rlm_raw.c:89: warning: nested extern declaration of ‘strNcpy’
rlm_raw.c:92: error: ‘flags’ undeclared (first use in this function)
rlm_raw.c:96: error: ‘vendorcode’ undeclared (first use in this function)
rlm_raw.c:109: error: ‘PW_VENDOR_SPECIFIC’ undeclared (first use in this function)
rlm_raw.c:111: warning: implicit declaration of function ‘memcpy’
rlm_raw.c:111: warning: incompatible implicit declaration of built-in function ‘memcpy’
rlm_raw.c:111: error: ‘lvalue’ undeclared (first use in this function)
rlm_raw.c:112: warning: implicit declaration of function ‘ntohl’
rlm_raw.c:112: warning: nested extern declaration of ‘ntohl’
rlm_raw.c:151: error: ‘VENDORPEC_USR’ undeclared (first use in this function)
rlm_raw.c:154: warning: implicit declaration of function ‘dict_attrbyvalue’
rlm_raw.c:154: warning: nested extern declaration of
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.
Hello People,

I have some problems with my RADIUS. When I send a message with radtest, I get the following error:

DEBUG-INFO:

FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file mypath/freeradius/etc/raddb/radiusd.conf
including configuration file mypath/freeradius/etc/raddb/proxy.conf
including configuration file mypath/freeradius/etc/raddb/clients.conf
including files in directory mypath/freeradius/etc/raddb/modules/
including configuration file mypath/freeradius/etc/raddb/modules/chap
including configuration file mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file mypath/freeradius/etc/raddb/modules/always
including configuration file mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file mypath/freeradius/etc/raddb/modules/checkval
including configuration file mypath/freeradius/etc/raddb/modules/counter
including configuration file mypath/freeradius/etc/raddb/modules/detail
including configuration file mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file mypath/freeradius/etc/raddb/modules/detail.log
including configuration file mypath/freeradius/etc/raddb/modules/digest
including configuration file mypath/freeradius/etc/raddb/modules/echo
including configuration file mypath/freeradius/etc/raddb/modules/etc_group
including configuration file mypath/freeradius/etc/raddb/modules/exec
including configuration file mypath/freeradius/etc/raddb/modules/expiration
including configuration file mypath/freeradius/etc/raddb/modules/expr
including configuration file mypath/freeradius/etc/raddb/modules/files
including configuration file mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file mypath/freeradius/etc/raddb/modules/ippool
including configuration file mypath/freeradius/etc/raddb/modules/krb5
including configuration file mypath/freeradius/etc/raddb/modules/ldap
including configuration file mypath/freeradius/etc/raddb/modules/linelog
including configuration file mypath/freeradius/etc/raddb/modules/logintime
including configuration file mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file mypath/freeradius/etc/raddb/modules/mschap
including configuration file mypath/freeradius/etc/raddb/modules/otp
including configuration file mypath/freeradius/etc/raddb/modules/pam
including configuration file mypath/freeradius/etc/raddb/modules/pap
including configuration file mypath/freeradius/etc/raddb/modules/passwd
including configuration file mypath/freeradius/etc/raddb/modules/perl
including configuration file mypath/freeradius/etc/raddb/modules/policy
including configuration file mypath/freeradius/etc/raddb/modules/preprocess
including configuration file mypath/freeradius/etc/raddb/modules/radutmp
including configuration file mypath/freeradius/etc/raddb/modules/realm
including configuration file mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file mypath/freeradius/etc/raddb/modules/smsotp
including configuration file mypath/freeradius/etc/raddb/modules/sql_log
including configuration file mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file mypath/freeradius/etc/raddb/modules/unix
including configuration file mypath/freeradius/etc/raddb/modules/wimax
including configuration file mypath/freeradius/etc/raddb/eap.conf
including configuration file mypath/freeradius/etc/raddb/sql.conf
including configuration file mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file mypath/freeradius/etc/raddb/policy.conf
including dictionary file mypath/freeradius/etc/raddb/dictionary
main {
	prefix = mypath/freeradius
	localstatedir = mypath/freeradius/var
	logdir = mypath/freeradius/var/log/radius
	libdir = mypath/freeradius/lib
	radacctdir = mypath/freeradius/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = mypath/freeradius/var/run/radiusd/radiusd.pid
	checkrad = mypath/freeradius/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: Loading
Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.
> I have some problems with my RADIUS. When I send a message with radtest, I get the following error:
>
> DEBUG-INFO:
>
> FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 14:24:27
> [...]
> including dictionary file mypath/freeradius/etc/raddb/dictionary
> ...

You have edited radiusd.conf and commented out virtual servers (sites-enabled). Very effective way of disabling the server.

Ivan Kalik
Kalik Informatika ISP
AW: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.
Hi, is this the complete message? I sent a lot more...

DEBUG-INFO:

FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file mypath/freeradius/etc/raddb/radiusd.conf
including configuration file mypath/freeradius/etc/raddb/proxy.conf
including configuration file mypath/freeradius/etc/raddb/clients.conf
including files in directory mypath/freeradius/etc/raddb/modules/
including configuration file mypath/freeradius/etc/raddb/modules/chap
including configuration file mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file mypath/freeradius/etc/raddb/modules/always
including configuration file mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file mypath/freeradius/etc/raddb/modules/checkval
including configuration file mypath/freeradius/etc/raddb/modules/counter
including configuration file mypath/freeradius/etc/raddb/modules/detail
including configuration file mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file mypath/freeradius/etc/raddb/modules/detail.log
including configuration file mypath/freeradius/etc/raddb/modules/digest
including configuration file mypath/freeradius/etc/raddb/modules/echo
including configuration file mypath/freeradius/etc/raddb/modules/etc_group
including configuration file mypath/freeradius/etc/raddb/modules/exec
including configuration file mypath/freeradius/etc/raddb/modules/expiration
including configuration file mypath/freeradius/etc/raddb/modules/expr
including configuration file mypath/freeradius/etc/raddb/modules/files
including configuration file mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file mypath/freeradius/etc/raddb/modules/ippool
including configuration file mypath/freeradius/etc/raddb/modules/krb5
including configuration file mypath/freeradius/etc/raddb/modules/ldap
including configuration file mypath/freeradius/etc/raddb/modules/linelog
including configuration file mypath/freeradius/etc/raddb/modules/logintime
including configuration file mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file mypath/freeradius/etc/raddb/modules/mschap
including configuration file mypath/freeradius/etc/raddb/modules/otp
including configuration file mypath/freeradius/etc/raddb/modules/pam
including configuration file mypath/freeradius/etc/raddb/modules/pap
including configuration file mypath/freeradius/etc/raddb/modules/passwd
including configuration file mypath/freeradius/etc/raddb/modules/perl
including configuration file mypath/freeradius/etc/raddb/modules/policy
including configuration file mypath/freeradius/etc/raddb/modules/preprocess
including configuration file mypath/freeradius/etc/raddb/modules/radutmp
including configuration file mypath/freeradius/etc/raddb/modules/realm
including configuration file mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file mypath/freeradius/etc/raddb/modules/smsotp
including configuration file mypath/freeradius/etc/raddb/modules/sql_log
including configuration file mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file mypath/freeradius/etc/raddb/modules/unix
including configuration file mypath/freeradius/etc/raddb/modules/wimax
including configuration file mypath/freeradius/etc/raddb/eap.conf
including configuration file mypath/freeradius/etc/raddb/sql.conf
including configuration file mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file mypath/freeradius/etc/raddb/policy.conf
including dictionary file mypath/freeradius/etc/raddb/dictionary
main {
	prefix = mypath/freeradius
	localstatedir = mypath/freeradius/var
	logdir = mypath/freeradius/var/log/radius
	libdir = mypath/freeradius/lib
	radacctdir = mypath/freeradius/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = mypath/freeradius/var/run/radiusd/radiusd.pid
	checkrad = mypath/freeradius/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
	log {
		stripped_names = no
		auth = no
		auth_badpass = no
		auth_goodpass = no
	}
	security {
		max_attributes = 200
		reject_delay = 1
		status_server = yes
	}
}
radiusd: Loading Realms and Home Servers
proxy server {
FreeRadius with Novell
Hi,

I'm using FreeRadius as a "radius proxy" to authenticate wireless users and send which VLAN ID they should be using. The authentication server is two Novell servers with two different trees.

Now to the problem.. I can't use contextless login since the FreeRadius first needs to authenticate to place the user on a VLAN and then the client logs in to the Novell server.

Is it possible somehow to have FreeRadius hardcoded with all possible contexts to search for the user, or somehow first give a temporary VLAN to the user and then move the user to the real VLAN after the contextless authentication?

I hope you understand what I mean.

Best Regards,
Magnus Larsson
MCE, CWSP, BCCPP, WCSE+, CICSP
AddPro AB
Stubbengatan 2, SE-703 44 Örebro
Mobile: +46 (0)70 417 45 02
Direct: +46 (0)19 760 45 02
magnus.lars...@addpro.se | www.addpro.se
1 freeradius with 2 openldap (multi master)
Hi All,

I have one freeradius and 2 openldap (multi-master). And I want my freeradius to use the second openldap if the first crashes.

So in freeradius I instantiate the module ldap:

Ldap ldapmaster {
	[...]
}
Ldap ldapbackup {
	[...]
}

And in my sites-available/default I load the two modules. If my two openldap are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an "AND" between modules, and not an "OR" like I would.

I don't know if I am really clear, I don't speak very well, sorry. So if someone understands the problem that I try to describe and if you know how I can fix my problem, could you help me please?

Thanks, Regards,
François
Re: rlm_raw not included in compile
Johan Meiring wrote:
> After struggling for about 4 hours, I did the following
> 1) touch src/modules/rlm_raw/configure
> 2) ./autogen.sh
> 3) added rlm_raw to debian configure by editing debian/rules
>
> Now it tries to compile it, but fails horribly. (See compile failure below).
>
> Does anyone have a clue how to add rlm_raw to the current git tar file?

$ tar -zxf freeradius-server-2.1.7.tar.gz
add rlm_raw
$ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7

> PS: The rlm_raw I'm using comes from
> http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html

That was before version 2.0 was released. You'll likely have to update the module to use the new API's header files in 2.0.

Alan DeKok.
Re: 1 freeradius with 2 openldap (multi master)
François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two openldap are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an "AND" between modules, and not an "OR" like I would.
>
> I don't know if I am really clear, I don't speak very well, sorry.

$ man unlang

Look for "redundant".

Alan DeKok.
Re: FreeRadius with Novell
> I'm using FreeRadius as a radius proxy to authenticate wireless users and send which VLAN ID they should be using. The authentication server is two Novell servers with two different trees.

eDirectory servers? Read the comments in the ldap module on how to set it up to work with eDirectory. You can get ldap attributes from a ldap server and map them to radius attributes using ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP
RE: 1 freeradius with 2 openldap (multi master)
redundant-load-balance {
	ldap1	# 50%, unless ldap2 is down, then 100%
	ldap2	# 50%, unless ldap1 is down, then 100%
}

Seems perfect, thanks a lot!

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two openldap are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an "AND" between modules, and not an "OR" like I would.
>
> I don't know if I am really clear, I don't speak very well, sorry.

$ man unlang

Look for "redundant".

Alan DeKok.
rlm eap problem
Hi folks,

Now I got a new problem with rlm_eap and the server doesn't start anymore. You were right, I commented $INCLUDE sites-enabled/ in radiusd.conf.

So what can I do now?

Best regards
Michael

FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /mypath/freeradius/etc/raddb/radiusd.conf
including configuration file /mypath/freeradius/etc/raddb/proxy.conf
including configuration file /mypath/freeradius/etc/raddb/clients.conf
including files in directory /mypath/freeradius/etc/raddb/modules/
including configuration file /mypath/freeradius/etc/raddb/modules/chap
including configuration file /mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file /mypath/freeradius/etc/raddb/modules/always
including configuration file /mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file /mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file /mypath/freeradius/etc/raddb/modules/checkval
including configuration file /mypath/freeradius/etc/raddb/modules/counter
including configuration file /mypath/freeradius/etc/raddb/modules/detail
including configuration file /mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file /mypath/freeradius/etc/raddb/modules/detail.log
including configuration file /mypath/freeradius/etc/raddb/modules/digest
including configuration file /mypath/freeradius/etc/raddb/modules/echo
including configuration file /mypath/freeradius/etc/raddb/modules/etc_group
including configuration file /mypath/freeradius/etc/raddb/modules/exec
including configuration file /mypath/freeradius/etc/raddb/modules/expiration
including configuration file /mypath/freeradius/etc/raddb/modules/expr
including configuration file /mypath/freeradius/etc/raddb/modules/files
including configuration file /mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file /mypath/freeradius/etc/raddb/modules/ippool
including configuration file /mypath/freeradius/etc/raddb/modules/krb5
including configuration file /mypath/freeradius/etc/raddb/modules/ldap
including configuration file /mypath/freeradius/etc/raddb/modules/linelog
including configuration file /mypath/freeradius/etc/raddb/modules/logintime
including configuration file /mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file /mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file /mypath/freeradius/etc/raddb/modules/mschap
including configuration file /mypath/freeradius/etc/raddb/modules/otp
including configuration file /mypath/freeradius/etc/raddb/modules/pam
including configuration file /mypath/freeradius/etc/raddb/modules/pap
including configuration file /mypath/freeradius/etc/raddb/modules/passwd
including configuration file /mypath/freeradius/etc/raddb/modules/perl
including configuration file /mypath/freeradius/etc/raddb/modules/policy
including configuration file /mypath/freeradius/etc/raddb/modules/preprocess
including configuration file /mypath/freeradius/etc/raddb/modules/radutmp
including configuration file /mypath/freeradius/etc/raddb/modules/realm
including configuration file /mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file /mypath/freeradius/etc/raddb/modules/smsotp
including configuration file /mypath/freeradius/etc/raddb/modules/sql_log
including configuration file /mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file /mypath/freeradius/etc/raddb/modules/unix
including configuration file /mypath/freeradius/etc/raddb/modules/wimax
including configuration file /mypath/freeradius/etc/raddb/eap.conf
including configuration file /mypath/freeradius/etc/raddb/sql.conf
including configuration file /mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file /mypath/freeradius/etc/raddb/policy.conf
including files in directory /mypath/freeradius/etc/raddb/sites-enabled/
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/default
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file /mypath/freeradius/etc/raddb/sites-enabled/control-socket
including dictionary file /mypath/freeradius/etc/raddb/dictionary
main {
	prefix = /mypath/freeradius
	localstatedir = /mypath/freeradius/var
	logdir = /mypath/freeradius/var/log/radius
	libdir = /mypath/freeradius/lib
	radacctdir = /mypath/freeradius/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
Re: rlm eap problem
Hi,

> Now I got a new problem with rlm_eap and the server doesn't start anymore.
> You were right, I commented $INCLUDE sites-enabled/ in radiusd.conf.

the errors are clear enough!

> Module: Instantiating eap-tls
>  tls {
> 	rsa_key_exchange = no
> 	dh_key_exchange = yes
> 	rsa_key_length = 512
> 	dh_key_length = 512
> 	verify_depth = 0
> 	pem_file_type = yes
> 	private_key_file = /mypath/freeradius/etc/raddb/certs/server.pem
> 	certificate_file = /mypath/freeradius/etc/raddb/certs/server.pem
> 	CA_file = /mypath/freeradius/etc/raddb/certs/ca.pem
> 	private_key_password = whatever
> 	dh_file = /mypath/freeradius/etc/raddb/certs/dh
> 	random_file = /mypath/freeradius/etc/raddb/certs/random
> 	fragment_size = 1024
> 	include_length = yes
> 	check_crl = no
> 	cipher_list = DEFAULT
> 	make_cert_command = /mypath/freeradius/etc/raddb/certs/bootstrap
> 	cache {
> 		enable = no
> 		lifetime = 24
> 		max_entries = 255
> 	}
>  }
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
> rlm_eap_tls: Error reading Trusted root CA list /mypath/freeradius/etc/raddb/certs/ca.pem

^^^ ta da! what couldn't be clearer? does that file exist, and if so, does it have the correct permissions?

alan
Re: rlm eap problem
> Now I got a new problem with rlm_eap and the server doesn't start anymore. You were right, I commented $INCLUDE sites-enabled/ in radiusd.conf. So what can I do now?
...
> rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
> rlm_eap_tls: Error reading Trusted root CA list /mypath/freeradius/etc/raddb/certs/ca.pem

Nothing mysterious about that error. Is the file there? Permissions?

Ivan Kalik
Kalik Informatika ISP
AW: rlm eap problem
Hi there,

Yes, of course you were right, the file was named server.pem :) - bad mistake, sorry...

But now I get the following errors, and now I don't know what to do...

rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap_tls: Error loading randomness
rlm_eap: Failed to initialize type tls
/mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules

Sorry guys, but I don't have any experience with certificates...

Thanks
Michael

That's my eap.conf:

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##	$Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the eap2 module.
#  See experimental.conf for documentation.
#
	eap {
		#  Invoke the default supported EAP type when
		#  EAP-Identity response is received.
		#
		#  The incoming EAP messages DO NOT specify which EAP
		#  type they will be using, so it MUST be set here.
		#
		#  For now, only one default EAP type may be used at a time.
		#
		#  If the EAP-Type attribute is set by another module,
		#  then that EAP type takes precedence over the
		#  default type configured here.
		#
		default_eap_type = md5

		#  A list is maintained to correlate EAP-Response
		#  packets with EAP-Request packets.  After a
		#  configurable length of time, entries in the list
		#  expire, and are deleted.
		#
		timer_expire     = 60

		#  There are many EAP types, but the server has support
		#  for only a limited subset.  If the server receives
		#  a request for an EAP type it does not support, then
		#  it normally rejects the request.  By setting this
		#  configuration to yes, you can tell the server to
		#  instead keep processing the request.  Another module
		#  MUST then be configured to proxy the request to
		#  another RADIUS server which supports that EAP type.
		#
		#  If another module is NOT configured to handle the
		#  request, then the request will still end up being
		#  rejected.
		ignore_unknown_eap_types = no

		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
		# a User-Name attribute in an Access-Accept, it copies one
		# more byte than it should.
		#
		# We can work around it by configurably adding an extra
		# zero byte.
		cisco_accounting_username_bug = no

		#
		#  Help prevent DoS attacks by limiting the number of
		#  sessions that the server is tracking.  Most systems
		#  can handle ~30 EAP sessions/s, so the default limit
		#  of 2048 is more than enough.
		max_sessions = 2048

		# Supported EAP-types

		#
		#  We do NOT recommend using EAP-MD5 authentication
		#  for wireless connections.  It is insecure, and does
		#  not provide for dynamic WEP keys.
		#
		md5 {
		}

		# Cisco LEAP
		#
		#  We do not recommend using LEAP in new deployments.  See:
		#  http://www.securiteam.com/tools/5TP012ACKE.html
		#
		#  Cisco LEAP uses the MS-CHAP algorithm (but not
		#  the MS-CHAP attributes) to perform it's authentication.
		#
		#  As a result, LEAP *requires* access to the plain-text
		#  User-Password, or the NT-Password attributes.
		#  'System' authentication is impossible with LEAP.
		#
		leap {
		}

		#  Generic Token Card.
		#
		#  Currently, this is only permitted inside of EAP-TTLS,
		#  or EAP-PEAP.  The module challenges the user with
		#  text, and the response from the user is taken to be
		#  the User-Password.
		#
		#  Proxying the tunneled EAP-GTC session is a bad idea,
RE: 1 freeradius with 2 openldap (multi master)
Well, in fact I have two servers: A and B.
A has freeradius + openldap
B has openldap backup

So on server A, I put in /sites-available/default:

In authentication section:

Redundant {
	Ldapmaster
	Ldapbackup
}

and authorize section:

Auth-Type LDAP {
	redundant {
		Ldapmaster
		Ldapbackup
	}
}

Module Ldapmaster has attribute server=127.0.0.1, and Ldapbackup has attribute server=192.168.x.x (IP of server B).

Well, if I shut down my openldap on server A, freeradius on server A will talk with openldap on server B, and it works perfectly!

[Ldapbackup] user fmehault authenticated succesfully
++[Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
	Reply-Message = Utilisateur: fmehault, group: Administrateur
	Cisco-AVPair = shell:priv-lvl=15
	Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.

Another test: I stop the openldap daemon on server B and start openldap on server A, so I imagine my freeradius will talk with openldap on server A. But problem:

[Ldapmaster] user fmehault authenticated succesfully
+++[Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.

My NAS is a Cisco Catalyst 2950, and I use the radius VSA Cisco-AVPair. As you can see in the log, I am successfully authenticated, and freeradius sends me Access-Accept, without Reply-Message, Cisco-AVPair, Service-Type... Why???

On cisco:

User Access Verification
Username: fmehault
Password:
% Authorization failed.

My two ldaps are both strictly the same, it's sure because if I don't use unlang redundant, it works.

Someone has an idea??

Thanks for your help,
Regards,
François

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On Behalf Of François Mehault
Sent: Friday, 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

redundant-load-balance {
	ldap1	# 50%, unless ldap2 is down, then 100%
	ldap2	# 50%, unless ldap1 is down, then 100%
}

Seems perfect, thanks a lot!

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two openldap are alive, authentication succeeds, but if one of them falls, authentication fails, so like this I have an "AND" between modules, and not an "OR" like I would.
>
> I don't know if I am really clear, I don't speak very well, sorry.

$ man unlang

Look for "redundant".

Alan DeKok.
RE: rlm eap problem
Do these files exist?

	dh_file = ${certdir}/dh
	random_file = ${certdir}/random

Hints here: http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09589.html

-Original Message-
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Michael Ziemann
Sent: Friday, May 29, 2009 9:19 AM
To: FreeRadius users mailing list
Subject: AW: rlm eap problem

> Hi there,
>
> Yes, of course you were right, the file was named server.pem :) - bad mistake, sorry...
>
> But now I get the following errors, and now I don't know what to do...
>
> rlm_eap: SSL error error::lib(0):func(0):reason(0)
> rlm_eap_tls: Error loading randomness
> rlm_eap: Failed to initialize type tls
> /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module eap
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
> /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
>  }
> }
> Errors initializing modules
>
> Sorry guys, but I don't have any experience with certificates...
>
> Thanks
> Michael
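Every failure in this thread is the same class of problem: a path in the tls { } section of eap.conf (CA_file, then dh_file and random_file; "Error loading randomness" is rlm_eap_tls failing to read random_file) that does not exist or cannot be read by the user radiusd runs as. The POSIX shell script below is an added example, not code from the thread or from the FreeRADIUS project: it pulls those five paths out of an eap.conf and checks each one before the server is started. The function names, the two-argument usage, and the handling of a leading ${certdir} reference (as in the stock 2.x eap.conf) are my assumptions; run it as the radiusd user so the readability check reflects the server's permissions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the files named in
# the tls { } section of a FreeRADIUS 2.x eap.conf. Run it as the user radiusd
# will run as, so "No such file or directory" and "Error loading randomness"
# are caught before the server is started.
# Assumptions: FreeRADIUS 2.x "key = value" syntax, one tls section, and
# ${certdir} used only as a leading prefix (as in the stock eap.conf).

# eap_tls_value CONF KEY CERTDIR
# Print the value of KEY from CONF with quotes and trailing comments stripped
# and a leading ${certdir} reference resolved to CERTDIR. Empty if KEY is unset.
eap_tls_value() {
    conf=$1; key=$2; certdir=$3
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d "\"'")
    prefix='${certdir}'              # literal text, single-quoted on purpose
    case $val in
        "$prefix"*) val="${certdir}${val#"$prefix"}" ;;
    esac
    printf '%s\n' "$val"
}

# check_eap_tls_files CONF CERTDIR
# Report every TLS file and return the number of files that are missing or
# unreadable (0 means rlm_eap_tls will at least find all of its input files).
check_eap_tls_files() {
    conf=$1; certdir=$2; problems=0
    for key in private_key_file certificate_file CA_file dh_file random_file; do
        path=$(eap_tls_value "$conf" "$key" "$certdir")
        if [ -z "$path" ]; then
            echo "WARN  $key is not set in $conf"
        elif [ ! -e "$path" ]; then
            echo "FAIL  $key -> $path does not exist"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "FAIL  $key -> $path is not readable by $(id -un)"
            problems=$((problems + 1))
        else
            echo "ok    $key -> $path"
        fi
    done
    return "$problems"
}

# Usage: sh eap_tls_check.sh /mypath/freeradius/etc/raddb/eap.conf \
#                            /mypath/freeradius/etc/raddb/certs
if [ "$#" -eq 2 ]; then
    check_eap_tls_files "$1" "$2"
fi
```

The exit status is the count of bad files, so the script can gate a service restart. In the 2.x distribution the certs/bootstrap script named by make_cert_command in the quoted config is what creates the test certificates together with the dh and random files, so a missing dh or random usually means that script was never run in that directory.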
Re: new to freeradius, securing LAN
ldap.lippogeneral.com wrote:
> But how, if they can manually configure an interface on their PC and completely bypass our DHCP server..

this is typically why you'd like to set up authentication, so that physical access to your switch port is not sufficient to get access to your network.

please check if your network devices can do 802.1x, then try the authentication you'd like.
Re: 1 freeradius with 2 openldap (multi master)
Hi,

> And now, if I start radiusd and slapd on server A and not on server B, it works. And if I stop slapd on server A, and start slapd on server B, it doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over

you need the group to be failable etc

alan
Re: rlm_raw not included in compile
Alan DeKok wrote:
>> Does anyone have a clue how to add rlm_raw to the current git tar file?
>
> $ tar -zxf freeradius-server-2.1.7.tar.gz
> add rlm_raw
> $ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7

It wasn't that simple because rlm_raw did not contain a configure script. You had to run autogen.sh first.

>> PS: The rlm_raw I'm using comes from
>> http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html
>
> That was before version 2.0 was released. You'll likely have to update the module to use the new API's header files in 2.0.

Using my copy and paste method of C coding (I know VERY little about C) I managed to copy the code from the old rlm_raw into rlm_example. I needed to make two changes to get it to compile.

1) replace strNcpy with strncpy
2) replace radlib_safeprint with fr_print_string

It compiled and IT WORKS!!!

> Alan DeKok.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: rlm_raw not included in compile
Johan Meiring wrote:
> Alan DeKok wrote:
>
> It compiled and IT WORKS!!!

Forgot to attach the module in case anyone wants it.

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

[Attachment: rlm_raw.tar.bz2, binary data]
Re: FreeRadius with Novell
You will need to have all your users in one tree, so I suggest you use IDM to sync all your users from both trees into a third auth tree. Then you can point your login to the basedn and search the subtree for the users.

On 30/05/2009, at 12:58 AM, Magnus Larsson <magnus.lars...@addpro.se> wrote:

> Hi,
>
> I'm using FreeRadius as a "radius proxy" to authenticate wireless users and send which VLAN ID they should be using. The authentication server is two Novell servers with two different trees.
>
> Now to the problem.. I can't use contextless login since the FreeRadius first needs to authenticate to place the user on a VLAN and then the client logs in to the Novell server.
>
> Is it possible somehow to have FreeRadius hardcoded with all possible contexts to search for the user or somehow first give a temporary VLAN to the user and then move the user to the real VLAN after the contextless authentication?
>
> I hope you understand what I mean
>
> Best Regards,
> Magnus Larsson
> MCE, CWSP, BCCPP, WCSE+, CICSP
> AddPro AB
> Stubbengatan 2, SE-703 44 Örebro
> Mobile: +46 (0)70 417 45 02
> Direct: +46 (0)19 760 45 02
> magnus.lars...@addpro.se | www.addpro.se
freeradius-users@lists.freeradius.org
Is there any way to set up freeRADIUS to connect to my_db instead of the radius database?

I have set up freeRADIUS successfully to connect to a backend PostgreSQL database. My original TEST setup was done by following the standard instructions, by creating a radius database and a radius role/user.

sql.conf has the following instructions, which I believe make this connection:

database = postgres
server = pg1
login = radius
password = radpass

When I start the RADIUS in DEBUG mode, I see this line:

rad...@pg1:/radius

and it connects, no error is displayed.

Now I want to change the database to my_db, with a schema radius. In PostgreSQL both of them are created. I changed sql.conf to:

database = postgres
server = pg1
login = my_db
password = radpass

This does not work.

- Is there any way to further change the freeRADIUS configuration to have it connect to the my_db radius schema?
- Is it possible that the freeRADIUS software is hard coded so that it will only connect to a radius database with a radius schema?
Re: freeradius-users@lists.freeradius.org
> Is there any way to set up freeRADIUS to connect to my_db instead of the radius database?

Yes.

> I have set up freeRADIUS successfully to connect to a backend PostgreSQL database. My original TEST setup was done by following the standard instructions, by creating a radius database and a radius role/user.
>
> sql.conf has the following instructions, which I believe make this connection:
>
> database = postgres
> server = pg1
> login = radius
> password = radpass
>
> When I start the RADIUS in DEBUG mode, I see this line:
>
> rad...@pg1:/radius
>
> and it connects, no error is displayed.
>
> Now I want to change the database to my_db, with a schema radius. In PostgreSQL both of them are created. I changed sql.conf to:
>
> database = postgres
> server = pg1
> login = my_db

That's the database login username you changed.

> password = radpass
>
> This does not work.

No wonder. What is the next config line in sql.conf, after these?

Ivan Kalik
Kalik Informatika ISP
Re: freeradius-users@lists.freeradius.org
Ivan Kalik wrote:
>> password = radpass
>>
>> This does not work.
>
> No wonder. What is the next config line in sql.conf, after these?
>
> Ivan Kalik
> Kalik Informatika ISP

I don't know how I MISSED it? BIG THANKS.