Re: question about windows users

2009-05-29 Thread Bartosz Chodzinski
The problem was solved thanks to Ivan's assistance.
The main problem was on the switch side and its configuration,
the second problem was getting the proper certificate into the proper certificate store,
and the third was in my head :).
Thank you again,
Bartosz.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:

Hello All,

I am very new to FreeRADIUS. Some of our users already know our LAN
IPs, so they can manually configure an interface on their PC and
completely bypass our DHCP server. Can I solve this by using FreeRADIUS?

I thought this could be done by checking the MAC address, so although
they use a valid IP address, if their MAC address is not recognized by
our server then they must be denied and cannot go anywhere or do
anything on our LAN.


I need advice.

Hi,

The problem is not really a RADIUS problem, but let's try to propose some
directions anyway.
Most recent switches offer VLAN assignment based on port or
MAC address. Check if your switches can do this.


RADIUS can be used to authenticate a device (in your case, a PC) with
information like a MAC address or a certificate.


So you can also do some MAC-based authentication, but keep in mind that
changing a MAC address is as easy as setting a static LAN IP on a PC, so
it's definitely not enough if you wish to avoid what you described above.


Hope this'll help.

many thanks in advance





Re: question about windows users

2009-05-29 Thread Ivan Kalik
 The problem was solved thanks to Ivan's assistance.
 The main problem was on the switch side and its configuration,
 the second problem was getting the proper certificate into the proper certificate store,
 and the third was in my head :).

OK. Now that you have established that client certificates signed by the CA
work with XP SP3, can you check whether server-signed certificates (made by
the original Makefile) also work, or whether XP SP3 is rejecting them? Could you
report the result to the list.

Ivan Kalik
Kalik Informatika ISP



Re: new to freeradius, securing LAN

2009-05-29 Thread ldap.lippogeneral.com


So you meant it's better to avoid them physically? ;(




- Original Message - 
From: pkc_mls pkc_...@yahoo.fr

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, May 29, 2009 2:33 PM
Subject: Re: new to freeradius, securing LAN





Re: new to freeradius, securing LAN

2009-05-29 Thread Ivan Kalik

 So you meant it's better to avoid them physically? ;(


No, he means you should do proper authentication (username/password, not
MAC). If your equipment doesn't support 802.1X, set up a PPPoE server. Have
it do authentication before DHCP hands them an IP.

Ivan Kalik
Kalik Informatika ISP



Re: new to freeradius, securing LAN

2009-05-29 Thread ldap.lippogeneral.com



 So you meant it's better to avoid them physically? ;(


 No, he means you should do proper authentication (username/password, not
 MAC). If your equipment doesn't support 802.1X, set up a PPPoE server. Have
 it do authentication before DHCP hands them an IP.




But how, if they can manually configure an interface on their PC and
completely bypass our DHCP server?




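Editor's worked example for the exchange above (added here; it is not code from the thread or from FreeRADIUS). The answer to the last question is that with 802.1X the switch port forwards nothing except EAPOL until the supplicant has authenticated, so a hand-configured IP address never reaches the LAN; a MAC address, as pkc_mls says, is a label anybody can change, so MAC-based access belongs only to devices that cannot run a supplicant, and those should land in a confined VLAN. The Python below sketches that post-authentication policy: it canonicalises the Calling-Station-Id formats switches send, returns the RFC 3580 attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) a switch uses for dynamic VLAN assignment, and shows a laptop that cloned a printer's MAC being put in the printer VLAN. The VLAN numbers, device names and MAC addresses (taken from the IANA documentation range) are constructed for the example.

```python
import re

# Constructed sample data for this example; none of it comes from the thread.
VLANS = {"users": "10", "printers": "20", "quarantine": "99"}
# Devices that cannot run an 802.1X supplicant, keyed by canonical MAC.
MAB_DEVICES = {"00005e005301": "printer-1"}

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(station_id):
    """Canonicalise Calling-Station-Id. NASes send 00-0A-E4-13-1A-02,
    00:0a:e4:13:1a:02, 000a.e413.1a02 or 000AE4131A02 for the same address."""
    mac = re.sub(r"[-:.]", "", station_id.strip().lower())
    if not _MAC12.match(mac):
        raise ValueError(f"not a MAC address: {station_id!r}")
    return mac


def vlan_attributes(vlan_id):
    """Reply attributes a switch understands for dynamic VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}


def authorize_port(request, eap_succeeded):
    """Decide what the switch port gets.

    request       -- Access-Request attributes (Calling-Station-Id, User-Name)
    eap_succeeded -- True only if an EAP method (EAP-TLS, PEAP, ...) completed,
                     i.e. the supplicant proved a credential, not just a MAC.
    Returns (reply_code, reason, reply_attributes).
    """
    mac = normalize_mac(request["Calling-Station-Id"])
    if eap_succeeded:
        return ("Access-Accept", "802.1X user %s" % request["User-Name"],
                vlan_attributes(VLANS["users"]))
    if mac in MAB_DEVICES:
        # A MAC is inventory, not identity: anybody can clone it with one
        # command, so a MAB match only ever earns a confined VLAN.
        return ("Access-Accept", "MAB %s" % MAB_DEVICES[mac],
                vlan_attributes(VLANS["printers"]))
    # Unknown device: a guest/quarantine VLAN rather than Access-Reject keeps
    # the port alive for captive-portal style onboarding.
    return "Access-Accept", "unknown device", vlan_attributes(VLANS["quarantine"])


def demo():
    """Three ports: the real printer, a user who finished PEAP, and a laptop
    that cloned the printer's MAC. The clone lands in the printer VLAN, which
    is exactly the weakness of MAC-only checks the thread warns about."""
    printer = {"Calling-Station-Id": "00-00-5E-00-53-01", "User-Name": "00005e005301"}
    user = {"Calling-Station-Id": "0000.5e00.5302", "User-Name": "alice@example.com"}
    clone = {"Calling-Station-Id": "00:00:5e:00:53:01", "User-Name": "00005e005301"}
    return {
        "printer": authorize_port(printer, eap_succeeded=False),
        "user": authorize_port(user, eap_succeeded=True),
        "clone": authorize_port(clone, eap_succeeded=False),
    }


if __name__ == "__main__":
    for name, (code, why, attrs) in demo().items():
        print(f"{name:8} {code} ({why}) -> VLAN {attrs['Tunnel-Private-Group-Id']}")
```

Whether the unknown-device case gets a quarantine VLAN or an Access-Reject is a local choice; what is not a choice is that nothing reachable from the printer VLAN should matter if the "printer" turns out to be a laptop.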


RE: Not doing Peap/ttls

2009-05-29 Thread Leighton Man

  Help please and sorry for the long post. Quick description of the problem:
  New build FreeRADIUS 2.1.4/5 on Solaris x86 VMware. Client is a laptop
  running Windows XP through a Cisco switch configured for 802.1X.
  Will not do PEAP. Reconfigure the switch to use a different FreeRADIUS
  server (2.1.3 on SPARC Solaris) and it works fine.
  Output of radiusd -X on the non-working server below.

 Hm, is your (non-working) RADIUS server multihomed? Is the switch
 sending packets to one IP and getting them back from another?
 Clients will ignore packets from unknown servers just like
 servers ignore packets from unknown clients.

 Ivan Kalik
 Kalik Informatika ISP

Of course, in order to ignore the packet, it first has to receive it!
A network access list was blocking the new server.

Many thanks for helping again.

Leighton

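As an added example, not code from the thread or from FreeRADIUS, the Python below mirrors the checks Ivan describes from the NAS side: a reply is ignored unless it arrives from the address the request was sent to, carries the identifier of an outstanding request, and passes the RFC 2865 Response Authenticator and RFC 3579 Message-Authenticator checks with the shared secret. The exchange, addresses and secret are constructed; the same Access-Challenge is shown arriving from a second interface (dropped), from the right address (accepted), signed with the wrong secret and with one byte flipped (both dropped). It also shows why `radiusd -X` prints `Message-Authenticator = 0x00000000000000000000000000000000` for outgoing packets: the HMAC is computed over the packet with that value zeroed, and the debug output is written before the packet is signed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, STATE, MESSAGE_AUTHENTICATOR = 1, 24, 80


def encode_attrs(attrs):
    """attrs is a list of (type, value_bytes) in wire order."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), authenticator) + body


def message_authenticator(code, ident, authenticator, attrs, secret):
    """RFC 3579 Message-Authenticator: HMAC-MD5 over the packet with the
    attribute's own value set to 16 zero bytes. For replies, 'authenticator'
    is the Request Authenticator of the Access-Request being answered."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def build_request(ident, attrs, secret):
    req_auth = os.urandom(16)                       # RFC 2865: random per request
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(ACCESS_REQUEST, ident, req_auth, attrs, secret))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def build_reply(code, ident, req_auth, attrs, secret):
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(code, ident, req_auth, attrs, secret))
    body = encode_attrs(attrs)
    length = 20 + len(body)
    # RFC 2865 Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()
    return struct.pack("!BBH16s", code, ident, length, resp_auth) + body


def check_reply(reply, req_auth, ident, secret, server, source):
    """What a NAS does with a datagram claiming to answer its request.
    Returns 'ok' or the reason the packet is silently dropped."""
    if source != server:
        return f"dropped: reply came from {source}, request went to {server}"
    if len(reply) < 20:
        return "dropped: shorter than a RADIUS header"
    code, rid, length, resp_auth = struct.unpack("!BBH16s", reply[:20])
    if rid != ident:
        return "dropped: no outstanding request with that id"
    if length != len(reply):
        return "dropped: length field does not match datagram"
    body = reply[20:]
    expect = hashlib.md5(struct.pack("!BBH", code, rid, length) + req_auth + body + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        return "dropped: bad Response Authenticator (wrong shared secret?)"
    attrs = parse_attrs(body)
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR and not hmac.compare_digest(
                v, message_authenticator(code, rid, req_auth, attrs, secret)):
            return "dropped: bad Message-Authenticator"
    return "ok"


def demo():
    """Constructed exchange: the addresses and secrets are made up for this example."""
    secret, bad_secret = b"testing123", b"wrongsecret"
    server, other_iface = ("10.0.0.1", 1812), ("10.0.0.2", 1812)
    req, req_auth = build_request(7, [(USER_NAME, b"user@example.com")], secret)
    chal = build_reply(ACCESS_CHALLENGE, 7, req_auth, [(STATE, b"\x0a\x8a\x02\x6e")], secret)
    forged = build_reply(ACCESS_ACCEPT, 7, req_auth, [], bad_secret)
    tampered = chal[:-1] + bytes([chal[-1] ^ 0x01])
    return {
        "request_len": len(req),
        "from_other_interface": check_reply(chal, req_auth, 7, secret, server, other_iface),
        "from_server": check_reply(chal, req_auth, 7, secret, server, server),
        "wrong_secret": check_reply(forged, req_auth, 7, secret, server, server),
        "tampered": check_reply(tampered, req_auth, 7, secret, server, server),
        "wrong_id": check_reply(chal, req_auth, 8, secret, server, server),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The source-address check comes first and needs no cryptography at all, which is why a multihomed server that answers from the "wrong" interface looks to the switch exactly like a server that never answered.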


Re: question about windows users

2009-05-29 Thread Bartosz Chodzinski
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik t...@kalik.net wrote:

  The problem was solved thanks to Ivan's assistance.
  The main problem was on the switch side and its configuration,
  the second problem was getting the proper certificate into the proper certificate store,
  and the third was in my head :).

 OK. Now that you have established that client certificates signed by the CA
 work with XP SP3, can you check whether server-signed certificates (made by
 the original Makefile) also work, or whether XP SP3 is rejecting them? Could you
 report the result to the list.

 Ivan Kalik
 Kalik Informatika ISP



No, the standard Makefile is not working.

freeradius -X output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = u...@example.com
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161,
length=150
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = u...@example.com
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
EAP-Message = 0x02010006030d
Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162,
length=224
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = u...@example.com
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
EAP-Message = 0x020200500d800000004616030100410100003d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f569400001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] No such realm example.com
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP 
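Editor's added example (not code from the thread or from FreeRADIUS): the EAP-Message values in the debug output above contain the whole negotiation, which is worth being able to read when a Windows supplicant refuses a certificate. In order: the Identity response, the server's initial offer (PEAP, type 25, Start flag), the supplicant's NAK asking for EAP-TLS (type 13), the EAP-TLS Start, and then the first EAP-TLS fragment carrying the TLS ClientHello. The Python below decodes them. One assumption is labelled in the code: the archive rendering of this message dropped every run of four zero digits from the hex strings (which is also why Message-Authenticator appears as a bare `0x`), so the values in the block have those zero bytes restored, which is the only reconstruction that yields the id and length radiusd itself logged. The cipher-suite names are a hand-picked subset of the IANA registry covering what this client offered. Nothing here explains the XP SP3 rejection; it only shows what the client is sending.

```python
import struct
from datetime import datetime, timezone

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
# Hand-picked subset of the IANA TLS cipher-suite registry: the suites this client offered.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

# The five EAP-Message values from the radiusd -X output above. Assumption: the
# archive dropped every "0000" run from the hex; the zero bytes are restored
# here so each message has the id and length radiusd reported.
EXCHANGE = [
    "0x020000150175736572406578616d706c652e636f6d",  # Response id 0: Identity
    "0x010100061920",                                  # Request id 1: PEAP, Start
    "0x02010006030d",                                  # Response id 1: NAK, wants EAP-TLS
    "0x010200060d20",                                  # Request id 2: EAP-TLS, Start
    "0x020200500d80000000461603010041"                 # Response id 2: EAP-TLS, L flag, TLS record
    "0100003d0301"                                     #   ClientHello header, version 3.1
    "4a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f5694"  # client random
    "000016"                                           #   session id len 0, suites len 22
    "00040005000a00090064006200030006001300120063"     #   11 cipher suites
    "0100",                                            #   compression: null only
]


def parse_client_hello(tls):
    """Parse the first TLS record of an EAP-TLS fragment when it is a ClientHello."""
    if len(tls) < 5 or tls[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", tls[3:5])[0]
    hs = tls[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("record is not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    gmt = struct.unpack("!I", body[2:6])[0]       # first 4 bytes of the client random
    sid_len = body[34]
    p = 35 + sid_len
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(p + 2, p + 2 + cs_len, 2)]
    p += 2 + cs_len
    return {
        "record_version": (tls[1], tls[2]),
        "client_version": (body[0], body[1]),
        "gmt_unix_time": gmt,
        "client_date": datetime.fromtimestamp(gmt, timezone.utc).date().isoformat(),
        "session_id_len": sid_len,
        "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
        "compression": list(body[p + 1:p + 1 + body[p]]),
    }


def parse_eap(hex_message):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    h = hex_message[2:] if hex_message.lower().startswith("0x") else hex_message
    data = bytes.fromhex(h)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} but {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return info                              # Success/Failure carry no type
    etype, payload = data[4], data[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = payload.decode("ascii", "replace")
    elif etype == 3:
        info["nak_wants"] = [EAP_TYPES.get(b, b) for b in payload]
    elif etype in (13, 21, 25):                  # EAP-TLS, TTLS and PEAP share the flags byte
        flags = payload[0]
        info["flags"] = "".join(n for n, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit)
        rest = payload[1:]
        if flags & 0x80:                         # L: 4-byte total TLS message length follows
            info["tls_message_length"] = struct.unpack("!I", rest[:4])[0]
            rest = rest[4:]
        if rest:
            info["client_hello"] = parse_client_hello(rest)
    return info


def export_grade(hello):
    """Export-grade (40/56-bit) suites the client offered; a red flag even in 2009."""
    return [s for s in hello["cipher_suites"] if "EXPORT" in s]


def decode_exchange(messages=EXCHANGE):
    return [parse_eap(m) for m in messages]


if __name__ == "__main__":
    for m in decode_exchange():
        print(m)
```

Two things the decoded output makes visible that the prose of the log does not: the client proposes TLS 1.0 only (record and ClientHello version 3.1, no extensions), and five of its eleven cipher suites are export-grade, so whatever the server's `tls` section allows in `cipher_list` is being negotiated against a weak offer.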

Re: rlm_raw not included in compile

2009-05-29 Thread Johan Meiring

Johan Meiring wrote:

Hi all,

I am trying to use the rlm_raw module to test a piece of code.



OK
After struggling for about 4 hours, I did the following:
1) touch src/modules/rlm_raw/configure
2) ./autogen.sh
3) added rlm_raw to debian configure by editing debian/rules

Now it tries to compile it, but fails horribly. (See compile failure below).

Does anyone have a clue how to add rlm_raw to the current git tar file?

PS: The rlm_raw I'm using comes from 
http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html



SNIP--
make[6]: Entering directory 
`/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src/modules/rlm_raw'
/usr/bin/libtool --mode=compile gcc  -Wall -g -O2 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow 
-Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings 
-Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src 
-I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl 
-D_LIBRADIUS  -c rlm_raw.c
 gcc -Wall -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall 
-D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes 
-Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef 
-I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/src 
-I/usr/src/freeradius-server-2.1.7-pre/freeradius-server-2.1.7/libltdl 
-D_LIBRADIUS -c rlm_raw.c  -fPIC -DPIC -o .libs/rlm_raw.o

rlm_raw.c:22:22: error: autoconf.h: No such file or directory
rlm_raw.c:23:23: error: libradius.h: No such file or directory
rlm_raw.c:28:21: error: radiusd.h: No such file or directory
rlm_raw.c:29:21: error: modules.h: No such file or directory
rlm_raw.c:30:22: error: conffile.h: No such file or directory
rlm_raw.c:46: error: expected specifier-qualifier-list before ‘uint8_t’
rlm_raw.c:57: error: expected declaration specifiers or ‘...’ before 
‘REQUEST’
rlm_raw.c:59: error: expected declaration specifiers or ‘...’ before 
‘RADIUS_ESCAPE_STRING’

rlm_raw.c: In function ‘raw_xlat’:
rlm_raw.c:61: error: ‘uint8_t’ undeclared (first use in this function)
rlm_raw.c:61: error: (Each undeclared identifier is reported only once
rlm_raw.c:61: error: for each function it appears in.)
rlm_raw.c:61: error: expected ‘;’ before ‘strvalue’
rlm_raw.c:62: error: ‘uint32_t’ undeclared (first use in this function)
rlm_raw.c:62: error: expected ‘;’ before ‘lvalue’
rlm_raw.c:63: error: expected ‘;’ before ‘vendorcode’
rlm_raw.c:70: error: ‘PW_TYPE_OCTETS’ undeclared (first use in this 
function)

rlm_raw.c:71: error: ‘ATTR_FLAGS’ undeclared (first use in this function)
rlm_raw.c:71: error: expected ‘;’ before ‘flags’
rlm_raw.c:72: error: ‘DICT_ATTR’ undeclared (first use in this function)
rlm_raw.c:72: error: ‘da’ undeclared (first use in this function)
rlm_raw.c:73: error: ‘DICT_VALUE’ undeclared (first use in this function)
rlm_raw.c:73: error: ‘dv’ undeclared (first use in this function)
rlm_raw.c:76: error: ‘request’ undeclared (first use in this function)
rlm_raw.c:77: error: ‘ptr’ undeclared (first use in this function)
rlm_raw.c:77: error: ‘radius_packet_t’ has no member named ‘data’
rlm_raw.c:78: error: ‘subptr’ undeclared (first use in this function)
rlm_raw.c:79: error: ‘AUTH_HDR_LEN’ undeclared (first use in this function)
rlm_raw.c:82: error: storage size of ‘s_tm’ isn’t known
rlm_raw.c:87: warning: implicit declaration of function ‘dict_attrbyname’
rlm_raw.c:87: warning: nested extern declaration of ‘dict_attrbyname’
rlm_raw.c:89: warning: implicit declaration of function ‘strNcpy’
rlm_raw.c:89: warning: nested extern declaration of ‘strNcpy’
rlm_raw.c:92: error: ‘flags’ undeclared (first use in this function)
rlm_raw.c:96: error: ‘vendorcode’ undeclared (first use in this function)
rlm_raw.c:109: error: ‘PW_VENDOR_SPECIFIC’ undeclared (first use in this 
function)

rlm_raw.c:111: warning: implicit declaration of function ‘memcpy’
rlm_raw.c:111: warning: incompatible implicit declaration of built-in 
function ‘memcpy’

rlm_raw.c:111: error: ‘lvalue’ undeclared (first use in this function)
rlm_raw.c:112: warning: implicit declaration of function ‘ntohl’
rlm_raw.c:112: warning: nested extern declaration of ‘ntohl’
rlm_raw.c:151: error: ‘VENDORPEC_USR’ undeclared (first use in this 
function)

rlm_raw.c:154: warning: implicit declaration of function ‘dict_attrbyvalue’
rlm_raw.c:154: warning: nested extern declaration of ‘dict_attrbyvalue’
rlm_raw.c:180: error: ‘PW_TYPE_STRING’ undeclared (first use in this 
function)

rlm_raw.c:182: warning: implicit declaration of function ‘TAG_VALID_ZERO’
rlm_raw.c:182: warning: nested extern declaration of ‘TAG_VALID_ZERO’
rlm_raw.c:182: error: ‘FLAG_ENCRYPT_TUNNEL_PASSWORD’ undeclared (first 
use in this function)
rlm_raw.c:186: warning: incompatible implicit declaration of built-in 
function 

rlm_raw

2009-05-29 Thread Johan Meiring
Apologies for reposting, but I was too lazy to type the address into my
Thunderbird, replied to an old message, deleted subject/body, and I
see my message sits at the bottom of the other thread.


Something remained in the headers, so people with threaded readers will
probably not see it.

---

Hi all,

I am trying to use the rlm_raw module to test a piece of code.

Downloaded freeradius 2.1.7 pre from git
Found rlm_raw here.
http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html

After struggling for a few hours to convince my compiler to include the 
module, the following seemed to work.


1) touch src/modules/rlm_raw/configure
2) ./autogen.sh
3) added rlm_raw to debian configure by editing debian/rules

Now it tries to compile it, but fails horribly. (See compile failure below).

Does anyone have a clue how to add rlm_raw to the current git tar file?


No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.

2009-05-29 Thread Michael Ziemann
Hello People,

I have some problems with my RADIUS. When I send a message with radtest, I get
the following error:


DEBUG-INFO:

FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009 at 
14:24:27 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General 
Public License v2.
Starting - reading configuration files ...
including configuration file mypath/freeradius/etc/raddb/radiusd.conf
including configuration file mypath/freeradius/etc/raddb/proxy.conf
including configuration file mypath/freeradius/etc/raddb/clients.conf
including files in directory mypath/freeradius/etc/raddb/modules/
including configuration file mypath/freeradius/etc/raddb/modules/chap
including configuration file mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file mypath/freeradius/etc/raddb/modules/always
including configuration file mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file mypath/freeradius/etc/raddb/modules/checkval
including configuration file mypath/freeradius/etc/raddb/modules/counter
including configuration file mypath/freeradius/etc/raddb/modules/detail
including configuration file 
mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file mypath/freeradius/etc/raddb/modules/detail.log
including configuration file mypath/freeradius/etc/raddb/modules/digest
including configuration file mypath/freeradius/etc/raddb/modules/echo
including configuration file mypath/freeradius/etc/raddb/modules/etc_group
including configuration file mypath/freeradius/etc/raddb/modules/exec
including configuration file mypath/freeradius/etc/raddb/modules/expiration
including configuration file mypath/freeradius/etc/raddb/modules/expr
including configuration file mypath/freeradius/etc/raddb/modules/files
including configuration file mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file mypath/freeradius/etc/raddb/modules/ippool
including configuration file mypath/freeradius/etc/raddb/modules/krb5
including configuration file mypath/freeradius/etc/raddb/modules/ldap
including configuration file mypath/freeradius/etc/raddb/modules/linelog
including configuration file mypath/freeradius/etc/raddb/modules/logintime
including configuration file mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file mypath/freeradius/etc/raddb/modules/mschap
including configuration file mypath/freeradius/etc/raddb/modules/otp
including configuration file mypath/freeradius/etc/raddb/modules/pam
including configuration file mypath/freeradius/etc/raddb/modules/pap
including configuration file mypath/freeradius/etc/raddb/modules/passwd
including configuration file mypath/freeradius/etc/raddb/modules/perl
including configuration file mypath/freeradius/etc/raddb/modules/policy
including configuration file mypath/freeradius/etc/raddb/modules/preprocess
including configuration file mypath/freeradius/etc/raddb/modules/radutmp
including configuration file mypath/freeradius/etc/raddb/modules/realm
including configuration file mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file mypath/freeradius/etc/raddb/modules/smsotp
including configuration file mypath/freeradius/etc/raddb/modules/sql_log
including configuration file 
mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file mypath/freeradius/etc/raddb/modules/unix
including configuration file mypath/freeradius/etc/raddb/modules/wimax
including configuration file mypath/freeradius/etc/raddb/eap.conf
including configuration file mypath/freeradius/etc/raddb/sql.conf
including configuration file mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file mypath/freeradius/etc/raddb/policy.conf
including dictionary file mypath/freeradius/etc/raddb/dictionary
main {
prefix = mypath/freeradius
localstatedir = mypath/freeradius/var
logdir = mypath/freeradius/var/log/radius
libdir = mypath/freeradius/lib
radacctdir = mypath/freeradius/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = mypath/freeradius/var/run/radiusd/radiusd.pid
checkrad = mypath/freeradius/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading 

Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.

2009-05-29 Thread Ivan Kalik
 I have some problems with my RADIUS. When I send a message with radtest, I
 get the following error:


 DEBUG-INFO:

 FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26 2009
 at 14:24:27 Copyright (C) 1999-2008 The FreeRADIUS server project and
 contributors.
 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.
 You may redistribute copies of FreeRADIUS under the terms of the GNU
 General Public License v2.
 Starting - reading configuration files ...
 including configuration file mypath/freeradius/etc/raddb/radiusd.conf
 including configuration file mypath/freeradius/etc/raddb/proxy.conf
 including configuration file mypath/freeradius/etc/raddb/clients.conf
...

You have edited radiusd.conf and commented out the virtual servers
(sites-enabled). Very effective way of disabling the server.

Ivan Kalik
Kalik Informatika ISP



AW: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user - Failed to authenticate the user.

2009-05-29 Thread Michael Ziemann
Hi,

is this the complete message? I sent a lot more...

including configuration file mypath/freeradius/etc/raddb/modules/policy
including configuration file mypath/freeradius/etc/raddb/modules/preprocess
including configuration file mypath/freeradius/etc/raddb/modules/radutmp
including configuration file mypath/freeradius/etc/raddb/modules/realm
including configuration file mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file mypath/freeradius/etc/raddb/modules/smsotp
including configuration file mypath/freeradius/etc/raddb/modules/sql_log
including configuration file 
mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file mypath/freeradius/etc/raddb/modules/unix
including configuration file mypath/freeradius/etc/raddb/modules/wimax
including configuration file mypath/freeradius/etc/raddb/eap.conf
including configuration file mypath/freeradius/etc/raddb/sql.conf
including configuration file mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file mypath/freeradius/etc/raddb/policy.conf
including dictionary file mypath/freeradius/etc/raddb/dictionary
main {
prefix = mypath/freeradius
localstatedir = mypath/freeradius/var
logdir = mypath/freeradius/var/log/radius
libdir = mypath/freeradius/lib
radacctdir = mypath/freeradius/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = mypath/freeradius/var/run/radiusd/radiusd.pid
checkrad = mypath/freeradius/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers   proxy server {

FreeRadius with Novell

2009-05-29 Thread Magnus Larsson
Hi,



I'm using FreeRadius as a radius proxy to authenticate wireless users and 
send which VLAN ID they should be using. The authentication server is two 
Novell servers with two different trees.



Now to the problem .. I can't use contextless login since FreeRadius first 
needs to authenticate to place the user on a VLAN, and then the client logs in to 
the Novell server.



Is it possible somehow to have FreeRadius hardcoded with all possible contexts 
to search for the user or somehow first give a temporary VLAN to the user and 
then move the user to the real VLAN after the context less authentication?



I hope you understand what I mean



Best Regards,



Magnus Larsson

MCE, CWSP, BCCPP, WCSE+, CICSP




AddPro AB
Stubbengatan 2, SE-703 44 Örebro

Mobile:  +46 (0)70 417 45 02

Direct:   +46 (0)19 760 45 02


magnus.lars...@addpro.se  |  www.addpro.se





1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
Hi All

I have one freeradius and 2 openldap (multi-master), and I want my freeradius to 
use the second openldap if the first one crashes. So in freeradius I instantiate the 
ldap module twice:

ldap ldapmaster {
[...]
}

ldap ldapbackup {
[...]
}

And in my sites-available/default I load the two modules. If my two openldap are 
alive, authentication succeeds, but if one of them falls, authentication fails, 
so I have an « AND » between modules and not an « OR » like I would like. I 
don't know if I am really clear, I don't speak very well, sorry.
 So if someone understands the problem that I try to describe and knows how I 
can fix it, could you help me please? Thanks,

Regards,

François

Re: rlm_raw not included in compile

2009-05-29 Thread Alan DeKok
Johan Meiring wrote:
 After struggling for about 4 hours, I did the following
 1) touch src/modules/rlm_raw/configure
 2) ./autogen.sh
 3) added rlm_raw to debian configure by editing debian/rules
 
 Now it tries to compile it, but fails horribly. (See compile failure
 below).
 
 Does anyone have a clue how to add rlm_raw to the current git tar file?

$ tar -zxf freeradius-server-2.1.7.tar.gz
 add rlm_raw 
$ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7

 PS: the rlm_raw I'm using comes from
 http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html

  That was before version 2.0 was released.  You'll likely have to
update the module to use the new APIs & header files in 2.0.

  Alan DeKok.


Re: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread Alan DeKok
François Mehault wrote:
 And in my sites-available/default I load the two modules. If my two
 openldap are alive, authentication succeeds, but if one of them falls,
 authentication fails, so I have an « AND » between modules
 and not an « OR » like I would like. I don’t know if I am really clear, I
 don’t speak very well, sorry.

$ man unlang

  Look for redundant

  Alan DeKok.

Re: FreeRadius with Novell

2009-05-29 Thread Ivan Kalik
 I'm using FreeRadius as a radius proxy to authenticate wireless users
 and send which VLAN ID they should be using. The authentication server is
 two Novell servers with two different trees.

eDirectory servers? Read the comments in the ldap module on how to set it up to work
with eDirectory. You can get ldap attributes from an ldap server and map
them to radius attributes using ldap.attrmap.

Ivan Kalik
Kalik Informatika ISP



RE: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
redundant-load-balance {
	ldap1 # 50%, unless ldap2 is down, then 100%
	ldap2 # 50%, unless ldap1 is down, then 100%
}


Seems perfect, thanks a lot !

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
 And in my sites-available/default I load the two modules. If my two
 openldap are alive, authentication succeeds, but if one of them falls,
 authentication fails, so I have an « AND » between modules
 and not an « OR » like I would like. I don’t know if I am really clear, I
 don’t speak very well, sorry.

$ man unlang

  Look for redundant

  Alan DeKok.

rlm eap problem

2009-05-29 Thread Michael Ziemann
Hi folks,

Now I got a new problem with rlm_eap and the server doesn't start
anymore. You were right, I commented $INCLUDE sites-enabled/ in
radiusd.conf.


So what can I do now?


Best regards

Michael


FreeRADIUS Version 2.1.5, for host i686-pc-linux-gnu, built on Mar 26
2009 at 14:24:27
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /mypath/freeradius/etc/raddb/radiusd.conf
including configuration file /mypath/freeradius/etc/raddb/proxy.conf
including configuration file /mypath/freeradius/etc/raddb/clients.conf
including files in directory /mypath/freeradius/etc/raddb/modules/
including configuration file /mypath/freeradius/etc/raddb/modules/chap
including configuration file
/mypath/freeradius/etc/raddb/modules/acct_unique
including configuration file /mypath/freeradius/etc/raddb/modules/always
including configuration file
/mypath/freeradius/etc/raddb/modules/attr_filter
including configuration file
/mypath/freeradius/etc/raddb/modules/attr_rewrite
including configuration file
/mypath/freeradius/etc/raddb/modules/checkval
including configuration file
/mypath/freeradius/etc/raddb/modules/counter
including configuration file /mypath/freeradius/etc/raddb/modules/detail
including configuration file
/mypath/freeradius/etc/raddb/modules/detail.example.com
including configuration file
/mypath/freeradius/etc/raddb/modules/detail.log
including configuration file /mypath/freeradius/etc/raddb/modules/digest
including configuration file /mypath/freeradius/etc/raddb/modules/echo
including configuration file
/mypath/freeradius/etc/raddb/modules/etc_group
including configuration file /mypath/freeradius/etc/raddb/modules/exec
including configuration file
/mypath/freeradius/etc/raddb/modules/expiration
including configuration file /mypath/freeradius/etc/raddb/modules/expr
including configuration file /mypath/freeradius/etc/raddb/modules/files
including configuration file
/mypath/freeradius/etc/raddb/modules/inner-eap
including configuration file /mypath/freeradius/etc/raddb/modules/ippool
including configuration file /mypath/freeradius/etc/raddb/modules/krb5
including configuration file /mypath/freeradius/etc/raddb/modules/ldap
including configuration file
/mypath/freeradius/etc/raddb/modules/linelog
including configuration file
/mypath/freeradius/etc/raddb/modules/logintime
including configuration file /mypath/freeradius/etc/raddb/modules/mac2ip
including configuration file
/mypath/freeradius/etc/raddb/modules/mac2vlan
including configuration file /mypath/freeradius/etc/raddb/modules/mschap
including configuration file /mypath/freeradius/etc/raddb/modules/otp
including configuration file /mypath/freeradius/etc/raddb/modules/pam
including configuration file /mypath/freeradius/etc/raddb/modules/pap
including configuration file /mypath/freeradius/etc/raddb/modules/passwd
including configuration file /mypath/freeradius/etc/raddb/modules/perl
including configuration file /mypath/freeradius/etc/raddb/modules/policy
including configuration file
/mypath/freeradius/etc/raddb/modules/preprocess
including configuration file
/mypath/freeradius/etc/raddb/modules/radutmp
including configuration file /mypath/freeradius/etc/raddb/modules/realm
including configuration file
/mypath/freeradius/etc/raddb/modules/smbpasswd
including configuration file /mypath/freeradius/etc/raddb/modules/smsotp
including configuration file
/mypath/freeradius/etc/raddb/modules/sql_log
including configuration file
/mypath/freeradius/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file
/mypath/freeradius/etc/raddb/modules/sradutmp
including configuration file /mypath/freeradius/etc/raddb/modules/unix
including configuration file /mypath/freeradius/etc/raddb/modules/wimax
including configuration file /mypath/freeradius/etc/raddb/eap.conf
including configuration file /mypath/freeradius/etc/raddb/sql.conf
including configuration file
/mypath/freeradius/etc/raddb/sql/mysql/dialup.conf
including configuration file /mypath/freeradius/etc/raddb/policy.conf
including files in directory /mypath/freeradius/etc/raddb/sites-enabled/
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/default
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel
including configuration file
/mypath/freeradius/etc/raddb/sites-enabled/control-socket
including dictionary file /mypath/freeradius/etc/raddb/dictionary
main {
prefix = /mypath/freeradius
localstatedir = /mypath/freeradius/var
logdir = /mypath/freeradius/var/log/radius
libdir = /mypath/freeradius/lib
radacctdir = /mypath/freeradius/var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
 

Re: rlm eap problem

2009-05-29 Thread A . L . M . Buxey
Hi,

 Now I got a new problem with rlm_eap and the server doesn't start
 anymore. You were right, I commented $INCLUDE sites-enabled/ in
 radiusd.conf.

the errors are clear enough!

  Module: Instantiating eap-tls
tls {
 rsa_key_exchange = no
 dh_key_exchange = yes
 rsa_key_length = 512
 dh_key_length = 512
 verify_depth = 0
 pem_file_type = yes
 private_key_file =
 /mypath/freeradius/etc/raddb/certs/server.pem
 certificate_file =
 /mypath/freeradius/etc/raddb/certs/server.pem
 CA_file = /mypath/freeradius/etc/raddb/certs/ca.pem
 private_key_password = whatever
 dh_file = /mypath/freeradius/etc/raddb/certs/dh
 random_file = /mypath/freeradius/etc/raddb/certs/random
 fragment_size = 1024
 include_length = yes
 check_crl = no
 cipher_list = DEFAULT
 make_cert_command =
 /mypath/freeradius/etc/raddb/certs/bootstrap
 cache {
 enable = no
 lifetime = 24
 max_entries = 255
 }
}
 rlm_eap: SSL error error:02001002:system library:fopen:No such file or
 directory
 rlm_eap_tls: Error reading Trusted root CA list 
 /mypath/freeradius/etc/raddb/certs/ca.pem
^^^

ta da! what couldn't be clearer? does that file exist, if so does it have
the correct permissions?

alan


Re: rlm eap problem

2009-05-29 Thread Ivan Kalik
 Now I got a new problem with rlm_eap and the server doesn't start
 anymore. You were right, I commented $INCLUDE sites-enabled/ in
 radiusd.conf.


 So what can I do now?
...
 rlm_eap: SSL error error:02001002:system library:fopen:No such file or
 directory
 rlm_eap_tls: Error reading Trusted root CA list
 /mypath/freeradius/etc/raddb/certs/ca.pem

Nothing mysterious about that error. Is the file there? Permissions?

Ivan Kalik
Kalik Informatika ISP



AW: rlm eap problem

2009-05-29 Thread Michael Ziemann
Hi there,

Yes, of course you were right, the file was named server.pem :) - bad mistake, 
sorry...

But now I get the following errors, and I don't know what to do...


rlm_eap: SSL error error::lib(0):func(0):reason(0)
rlm_eap_tls: Error loading randomness
rlm_eap: Failed to initialize type tls
/mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find 
module eap.
/mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing 
authenticate section.
 }
}
Errors initializing modules


Sorry guys, but I don't have any experience with certificates ...

Thanks

Michael


That's my eap.conf:


# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  $Id$

###
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the eap2 module.
#  See experimental.conf for documentation.
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
default_eap_type = md5

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

#
#  Help prevent DoS attacks by limiting the number of
#  sessions that the server is tracking.  Most systems
#  can handle ~30 EAP sessions/s, so the default limit
#  of 2048 is more than enough.
max_sessions = 2048

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform it's authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,

RE: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread François Mehault
Well, in fact I have two servers: A and B.

A has freeradius + openldap

B has openldap backup

So on server A, I put in /sites-available/default:

In the authentication section:

redundant {
Ldapmaster
Ldapbackup
}

and authorize section :

Auth-Type LDAP {
redundant {
Ldapmaster
Ldapbackup
}
}

Module Ldapmaster has attribute server=127.0.0.1, and Ldapbackup has 
attribute server=192.168.x.x (IP of server B)

Well, if I shut down my openldap on server A, freeradius on server A will 
talk to openldap on server B, and it works perfectly!

[Ldapbackup] user fmehault authenticated succesfully
++[ Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = Utilisateur: fmehault, group: Administrateur
Cisco-AVPair = shell:priv-lvl=15
Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.




Another test: I stop the openldap daemon on server B and start openldap on server 
A, so I imagine my freeradius will talk to openldap on server A. But there is a problem:

[Ldapmaster] user fmehault authenticated succesfully
+++[ Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.



My NAS is a Cisco Catalyst 2950, and I use the radius VSA Cisco-AVPair. As you can 
see in the log, I am successfully authenticated, and freeradius sends me an 
Access-Accept, without Reply-Message, Cisco-AVPair, Service-Type ... Why ???

On cisco:

User Access Verification

Username: fmehault
Password:
% Authorization failed.


My two ldaps are both strictly the same, that's for sure, because if I don't use unlang 
redundant, it works.

Does someone have an idea ??

Thanks for your help,

Regards,

François


-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of François Mehault
Sent: Friday, 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

redundant-load-balance {
	ldap1 # 50%, unless ldap2 is down, then 100%
	ldap2 # 50%, unless ldap1 is down, then 100%
}


Seems perfect, thanks a lot !

-Original Message-
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Alan DeKok
Sent: Friday, 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
 And in my sites-available/default I load the two modules. If my two
 openldap are alive, authentication succeeds, but if one of them falls,
 authentication fails, so I have an « AND » between modules
 and not an « OR » like I would like. I don’t know if I am really clear, I
 don’t speak very well, sorry.

$ man unlang

  Look for redundant

  Alan DeKok.

RE: rlm eap problem

2009-05-29 Thread Danner, Mearl
Do these files exist?

dh_file = ${certdir}/dh
random_file = ${certdir}/random
Hints here:

http://www.mail-archive.com/freeradius-us...@lists.cistron.nl/msg09589.html

 -Original Message-
 From: freeradius-users-
 bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-
 users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of
 Michael Ziemann
 Sent: Friday, May 29, 2009 9:19 AM
 To: FreeRadius users mailing list
 Subject: AW: rlm eap problem

 Hi there,

 Yes, of course you were right, the file was named server.pem :) - bad
 mistake, sorry...

 But now I get the following errors, and I don't know what to do...


 rlm_eap: SSL error error::lib(0):func(0):reason(0)
 rlm_eap_tls: Error loading randomness
 rlm_eap: Failed to initialize type tls
 /mypath/freeradius/etc/raddb/eap.conf[17]: Instantiation failed for
 module eap
 /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to
 find module eap.
 /mypath/freeradius/etc/raddb/sites-enabled/inner-tunnel[176]: Errors
 parsing authenticate section.
  }
 }
 Errors initializing modules


 Sorry guys, but I don't have any experience with certificates ...

 Thanks

 Michael


 That's my eap.conf:


 # -*- text -*-
 ##
 ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
 ##
 ##$Id$

 ###
 #
 #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
 #  is smart enough to figure this out on its own.  The most
 #  common side effect of setting 'Auth-Type := EAP' is that the
 #  users then cannot use ANY other authentication method.
 #
 #  EAP types NOT listed here may be supported via the eap2 module.
 #  See experimental.conf for documentation.
 #
   eap {
   #  Invoke the default supported EAP type when
   #  EAP-Identity response is received.
   #
   #  The incoming EAP messages DO NOT specify which EAP
   #  type they will be using, so it MUST be set here.
   #
   #  For now, only one default EAP type may be used at a
 time.
   #
   #  If the EAP-Type attribute is set by another module,
   #  then that EAP type takes precedence over the
   #  default type configured here.
   #
   default_eap_type = md5

   #  A list is maintained to correlate EAP-Response
   #  packets with EAP-Request packets.  After a
   #  configurable length of time, entries in the list
   #  expire, and are deleted.
   #
   timer_expire = 60

   #  There are many EAP types, but the server has support
   #  for only a limited subset.  If the server receives
   #  a request for an EAP type it does not support, then
   #  it normally rejects the request.  By setting this
   #  configuration to yes, you can tell the server to
   #  instead keep processing the request.  Another module
   #  MUST then be configured to proxy the request to
   #  another RADIUS server which supports that EAP type.
   #
   #  If another module is NOT configured to handle the
   #  request, then the request will still end up being
   #  rejected.
   ignore_unknown_eap_types = no

   # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
   # a User-Name attribute in an Access-Accept, it copies one
   # more byte than it should.
   #
   # We can work around it by configurably adding an extra
   # zero byte.
   cisco_accounting_username_bug = no

   #
   #  Help prevent DoS attacks by limiting the number of
   #  sessions that the server is tracking.  Most systems
   #  can handle ~30 EAP sessions/s, so the default limit
   #  of 2048 is more than enough.
   max_sessions = 2048

   # Supported EAP-types

   #
   #  We do NOT recommend using EAP-MD5 authentication
   #  for wireless connections.  It is insecure, and does
   #  not provide for dynamic WEP keys.
   #
   md5 {
   }

   # Cisco LEAP
   #
   #  We do not recommend using LEAP in new deployments.  See:
   #  http://www.securiteam.com/tools/5TP012ACKE.html
   #
   #  Cisco LEAP uses the MS-CHAP algorithm (but not
   #  the MS-CHAP attributes) to perform it's authentication.
   #
   #  As a result, LEAP *requires* access to the plain-text
   #  User-Password, or the NT-Password attributes.
   #  'System' 
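
An added pre-flight check, not code from this thread or from the FreeRADIUS project, for exactly the class of start-up failure seen above (ca.pem not found, then the random/dh files): it reads every *_file key of the tls section of eap.conf and reports each file that is missing or unreadable before radiusd is started. It assumes certdir and cadir keep their stock ${confdir}/certs value, and it builds a constructed eap.conf to run against.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: a pre-flight
# check for the files that the tls { } section of eap.conf points at.
#
# Assumption: certdir and cadir keep their stock value ${confdir}/certs,
# so ${confdir}, ${certdir} and ${cadir} are expanded from the raddb path
# given as the second argument.

# Print "key path" for every *_file key inside tls { ... } of eap.conf $1,
# with the ${...} references expanded relative to the raddb directory $2.
# The *_file keys all precede the nested cache { } block, so stopping at
# the first closing brace is enough.
list_tls_files() {
    conf="$1"; raddb="$2"
    sed -n '/^[[:space:]]*tls[[:space:]]*{/,/^[[:space:]]*}/p' "$conf" |
        sed -e 's/#.*//' -e 's/"//g' |
        grep -E '^[[:space:]]*[A-Za-z_]*_file[[:space:]]*=' |
        sed -e "s|[\$]{confdir}|$raddb|g" \
            -e "s|[\$]{certdir}|$raddb/certs|g" \
            -e "s|[\$]{cadir}|$raddb/certs|g" \
            -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*=[[:space:]]*/ /' \
            -e 's/[[:space:]]*$//'
}

# Verify that each file exists, is a regular file and is readable by the
# user running this script (run it as the user radiusd runs as).  Prints one
# line per key and returns the number of problems found (0 = all good).
check_tls_files() {
    conf="$1"; raddb="$2"; problems=0
    while read -r key path; do
        [ -n "$key" ] || continue
        if [ ! -e "$path" ]; then
            status="MISSING"; problems=$((problems + 1))
        elif [ ! -f "$path" ]; then
            status="NOT-A-FILE"; problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            status="UNREADABLE"; problems=$((problems + 1))
        else
            status="ok"
        fi
        printf '%-10s %s = %s\n' "$status" "$key" "$path"
    done <<EOF
$(list_tls_files "$conf" "$raddb")
EOF
    return "$problems"
}

# Constructed fixture (not a real raddb): an eap.conf modelled on the one in
# this thread, with server.pem and ca.pem present but dh and random absent.
make_fixture() {
    fx=$(mktemp -d)
    mkdir "$fx/certs"
    : > "$fx/certs/server.pem"
    : > "$fx/certs/ca.pem"
    cat > "$fx/eap.conf" <<'EOF'
eap {
    default_eap_type = md5
    md5 {
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem    # trusted root CA list
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cache {
            enable = no
        }
    }
}
EOF
    echo "$fx"
}

# Stand-alone run: three "ok" lines, MISSING for dh_file and random_file,
# and a return value of 2.
raddb=$(make_fixture)
check_tls_files "$raddb/eap.conf" "$raddb" || echo "$? file(s) to fix before starting radiusd"
rm -rf "$raddb"
```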

Re: new to freeradius, securing LAN

2009-05-29 Thread pkc_mls

ldap.lippogeneral.com wrote:


But how, if they can manually configure an interface on their PC and 
completely bypass our DHCP server..


this is typically why you'd like to set up authentication, so that 
physical access to your switch port is not sufficient to get access to 
your network.


please check if your network devices can do 802.1x, then try the 
authentication you'd like.




Re: 1 freeradius with 2 openldap (multi master)

2009-05-29 Thread A . L . M . Buxey
Hi,

 And now, if I start radiusd and slapd on server A and not on server B, it 
 works. And if I stop slapd on server A, and start slapd on server B, it 
 doesn't work. It's maybe a lead...

this is documented

http://wiki.freeradius.org/Fail-over


you need the group to be failable etc

alan


Re: rlm_raw not included in compile

2009-05-29 Thread Johan Meiring

Alan DeKok wrote:


Does anyone have a clue how to add rlm_raw to the current git tar file?


$ tar -zxf freeradius-server-2.1.7.tar.gz
 add rlm_raw 
$ tar -zcf freeradius-server-2.1.7.tar.gz freeradius-server-2.1.7



It wasn't that simple because rlm_raw did not contain a configure script.

You had to run autogen.sh first.



PS: the rlm_raw I'm using comes from
http://lists.cistron.nl/pipermail/freeradius-devel/2005-January/007873.html


  That was before version 2.0 was released.  You'll likely have to
update the module to use the new APIs & header files in 2.0.



Using my copy and paste method of C coding (I know VERY little about 
C) I managed to copy the code from the old rlm_raw into rlm_example.


I needed to make two changes to get it to compile.

1) replace strNcpy with strncpy
2) replace radlib_safeprint with fr_print_string

It compiled and IT WORKS!!!


  Alan DeKok.



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: rlm_raw not included in compile

2009-05-29 Thread Johan Meiring

Johan Meiring wrote:

Alan DeKok wrote:

It compiled and IT WORKS!!!



Forgot to attach the module incase anyone wants it.

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



rlm_raw.tar.bz2

Re: FreeRadius with Novell

2009-05-29 Thread Peter Lambrechtsen
You will need to have all your users in one tree so I suggest you use  
idm to sync all your users from both trees into a third auth tree.  
Then you can point your login to the basedn and search the subtree for  
the users.




On 30/05/2009, at 12:58 AM, Magnus Larsson magnus.lars...@addpro.se  
wrote:



Hi,



I’m using FreeRadius as a “radius proxy” to authenticate wireless users 
and send which VLAN ID they should be using. The authentication server 
is two Novell servers with two different trees.




Now to the problem .. I can’t use contextless login since FreeRadius 
first needs to authenticate to place the user on a VLAN, and then the 
client logs in to the Novell server.




Is it possible somehow to have FreeRadius hardcoded with all  
possible contexts to search for the user or somehow first give a  
temporary VLAN to the user and then move the user to the real VLAN  
after the context less authentication?




I hope you understand what I mean



Best Regards,



Magnus Larsson

MCE, CWSP, BCCPP, WCSE+, CICSP








AddPro AB
Stubbengatan 2, SE-703 44 Örebro

Mobile:  +46 (0)70 417 45 02

Direct:   +46 (0)19 760 45 02


magnus.lars...@addpro.se  |  www.addpro.se





freeradius-users@lists.freeradius.org

2009-05-29 Thread Just E. Mail
Is there any way to setup freeRADIUS to connect to my_db instead of  
radius database?


I have setup freeRADIUS successfully to connect to a backend PostgreSQL 
database. My original TEST setup is done by following the standard 
instruction by creating a radius database & radius role/User. 
sql.conf has the following instructions, which I believe make this connection;


database = postgres
server   = pg1
login    = radius
password = radpass

When I start the RADIUS in the DEBUG mode, I see this line;

rad...@pg1:/radius

and it connects & no error is displayed.



Now I want to change the database to my_db & a schema radius. 
In PostgreSQL both of them are created. I changed sql.conf to:


database = postgres
server   = pg1
login    = my_db
password = radpass

This does not work.
-
Is there any way to further change the freeRADIUS configuration to have 
it connect to my_db & radius schema?


Is it possible that freeRADIUS software is hard coded that it will only 
connect to a radius Database with radius Schema?










Re: freeradius-users@lists.freeradius.org

2009-05-29 Thread Ivan Kalik
 Is there any way to setup freeRADIUS to connect to my_db instead of
 radius database?

Yes.

 I have setup freeRADIUS successfully to connect to a backend PostgreSQL
 database. My original TEST setup is done by following the standard
 instruction by creating a radius database & radius role/User.
 sql.conf has the following instructions, which I believe make this
 connection;

 database = postgres
 server   = pg1
 login    = radius
 password = radpass

 When I start the RADIUS in the DEBUG mode, I see this line;

 rad...@pg1:/radius

 and it connects & no error is displayed.

 

 Now I want to change the database to my_db & a schema radius.
 In PostgreSQL both of them are created. I changed sql.conf to:

 database = postgres
 server   = pg1

 login =  my_db

That's database login username you changed.

 password = radpass

 This does not work.

No wonder. What is the next config line in sql.conf, after these?

Ivan Kalik
Kalik Informatika ISP

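
For reference, the line Ivan is pointing at, as an added illustration rather than text from this thread: in the stock FreeRADIUS 2.x sql.conf the setting right after password is radius_db, and that, not login, names the database. The server, login and password values are the ones posted above; the database driver is spelled as the stock file spells it.

```text
# sql.conf, sql { } section of FreeRADIUS 2.x.  Added illustration, not
# text from this thread; server/login/password are the values posted above.

# As changed in the thread: only the login role was edited, so the server
# still connects to the database named "radius", now as role my_db.
database  = "postgresql"      # stock spelling of the driver name
server    = "pg1"
login     = "my_db"
password  = "radpass"
radius_db = "radius"

# What actually selects the database: radius_db, the very next line in the
# stock file.  login stays the role that has rights on the radius schema.
database  = "postgresql"
server    = "pg1"
login     = "radius"
password  = "radpass"
radius_db = "my_db"
```

FreeRADIUS 2.x has no schema setting: the queries in sql/postgresql/dialup.conf name the tables unqualified, so a schema called radius is selected on the PostgreSQL side by the role's default search path (ALTER ROLE radius SET search_path TO radius) or by qualifying the table settings in sql.conf (authcheck_table = "radius.radcheck" and so on); which of the two fits the poster's setup is an assumption.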


Re: freeradius-users@lists.freeradius.org

2009-05-29 Thread Just E. Mail

Ivan Kalik wrote:



password   =   radpass

This does not work.



No wonder. What is the next config line in sql.conf, after these?

Ivan Kalik
Kalik Informatika ISP

  

I don't know how I MISSED it? BIG THANKS.
