make install without messing with previous configuration?

2009-07-15 Thread Stefan Winter
Hello,

I wonder if there's a way to install FreeRADIUS, but *not* have it
install config files in its raddb dir.

The reason being that if you have a previous version and a
well-shepherded config directory with only exactly the needed files, a
make install will clutter your raddb dir with default files. You can
delete the unnecessary files afterwards for sure, but it would be
preferable if raddb could remain untouched on request.
I even had one instance where I got bitten by it: a server didn't have a
sites-enabled/default. make install during an upgrade helpfully
created it with a set of module calls in it which weren't configured. As
a result, the server refused to start afterwards until the default
server was deleted.

So, is there some kind of make install-no-config, ./configure
--no-touch-raddb or similar?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

2009-07-15 Thread youler

My running environment is freeradius-2.1.3; the authentication type is EAP/MD5.
It's not running well with an individual 'user' file. I can't find the problem.
My main configuration files are as follows:
IN sites-enabled/default
--
authorize {
    eap {
        ok = return
    }
    files
    #sql
    expiration
    logintime
}
authenticate {
    eap
}
IN eap.conf
--
eap {
    default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 2048
    md5 {
    }
}
IN users

chenyongle  Cleartext-Password := 123456
--
Debug information as follows:
rad_recv: Access-Request packet from host 127.0.0.1 port 43289, id=134,
length=260
EAP-Message =
0x0285002004108010475cd7f849537fae81777bc3287f6368656e796f6e676c65
User-Name = chenyon...@localhost
Prompt = 0x313233343536
Service-Type = Framed-User
Framed-MTU = 1400
State = 0xa554770ea5d17374eb266130b8a3c5d8
Message-Authenticator = 0xd3f3ddc1a6813a6862213b0e5bc2fc02
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm localhost for User-Name = chenyon...@localhost
[suffix] No such realm localhost
++[suffix] returns noop
++[files] returns noop
[eap] EAP packet type response id 133 length 32
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/md5
[eap] processing type md5
rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
[eap] Handler failed in EAP/md5
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - chenyon...@localhost
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 43289, id=134,
length=260
Waiting to send Access-Reject to client localhost port 43289 - ID: 134
Sending delayed reject for request 1
Sending Access-Reject of id 134 to 127.0.0.1 port 43289
EAP-Message = 0x04850004
Message-Authenticator = 0x

Re: make install without messing with previous configuration?

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 08:16, Stefan Winter wrote:


Hello,

I wonder if there's a way to install FreeRADIUS, but *not* have it
install config files in its raddb dir.

The reason being that if you have a previous version and a
well-shepherded config directory with only exactly the needed files, a
make install will clutter your raddb dir with default files. You can
delete the unnecessary files afterwards for sure, but it would be
preferable if raddb could remain untouched on request.
I even had one instance where I got bitten by it: a server didn't have a
sites-enabled/default. make install during an upgrade helpfully
created it with a set of module calls in it which weren't configured. As
a result, the server refused to start afterwards until the default
server was deleted.

So, is there some kind of make install-no-config, ./configure
--no-touch-raddb or similar?


I do not know how to do it at compile time, but you can do it at
runtime by specifying -d your_directory to radiusd.

So perhaps a make install will install many configuration files, but
not where *your* configuration is.




Greetings,

Stefan Winter


Have a nice day!





Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841






Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

2009-07-15 Thread Nicolas Goutte
We are receiving your messages. You do not need to post them multiple
times. (Posting to a mailing list is never immediate.)


(See also the archives: http://lists.freeradius.org/pipermail/freeradius-users/2009-July/date.html)


Have a nice day!

On 15.07.2009 at 09:40, youler wrote:



My running environment is freeradius-2.1.3; the authentication type is EAP/MD5.
It's not running well with an individual 'user' file. I can't find the problem.

My main configuration files are as follows:



[...]




Re: make install without messing with previous configuration?

2009-07-15 Thread Stefan Winter
Hi,

 I do not know how to do it at compile time but you can do it at
 runtime by specifying -d your_directory to radiusd.

 So perhaps a make install will install many configuration files but
 not where *your* configuration is.

Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I
don't want a one-time installation problem to require attention whenever
I run the service in the future. It is then something to remember
constantly (and to document for on-duty personnel etc. ...), only to fix
a single-shot problem. It just doesn't sound right to me.

Greetings,

Stefan



Re: make install without messing with previous configuration?

2009-07-15 Thread Alan DeKok
Stefan Winter wrote:
 I wonder if there's a way to install FreeRADIUS, but *not* have it
 install config files in its raddb dir.

$ rm -rf ./raddb
$ make install

  ?  Might work...

  Alan DeKok.


Re: make install without messing with previous configuration?

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 09:53, Stefan Winter wrote:


Hi,


I do not know how to do it at compile time but you can do it at
runtime by specifying -d your_directory to radiusd.

So perhaps a make install will install many configuration files but
not where *your* configuration is.


Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I


I am not sure, but does that mean that the binary that you create would
point to that directory too? So in that case, you would have to
specify the real directory at runtime too.


don't want a one-time installation problem to require attention whenever
I run the service in the future. It is then something to remember
constantly (and to document for on-duty personnel etc. ...), only to fix
a single-shot problem. It just doesn't sound right to me.


Yes, I had not seen it from that point of view.



Greetings,


Have a nice day!



Stefan



RE: make install without messing with previous configuration?

2009-07-15 Thread Leighton Man
Hi,
I tar the entire raddb directory (from the level above), reinstall, and untar 
the original config over the top of the new one. That way I can keep multiple 
configs whilst experimenting and switch between them.
Regards,
Leighton



Re: rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication

2009-07-15 Thread Ivan Kalik
 IN users
 
 chenyongle  Cleartext-Password := 123456
 --
 debug information as following:
...
 ++[files] returns noop
...

Check if the users file you are changing *is* the one the server is using. Look at
the list of included files and see if the raddb directory is the one where the users
file you have changed is. Also check that you haven't mistyped the
username.

Ivan Kalik
Kalik Informatika ISP

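The error in this thread comes from how EAP-MD5 works: the peer answers the server's challenge with MD5(Identifier || password || challenge), so the server can only verify it by recomputing that digest from the cleartext password, which is what the users entry is supposed to supply. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the EAP-Message bytes printed in the debug output above (Code, Identifier, Length, Type 4, Value, peer name) and shows the server-side check and the three module results. The challenge the server sent is not on the page, so the verification round trip uses a constructed challenge and the password from the users file.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

EAP_RESPONSE = 2            # EAP Code for a Response packet
EAP_TYPE_MD5_CHALLENGE = 4  # EAP Type 4, RFC 3748 section 5.4

# The EAP-Message attribute printed in the radiusd -X output above.
PAGE_EAP_MESSAGE = bytes.fromhex(
    "0285002004108010475cd7f849537fae81777bc3287f6368656e796f6e676c65"
)


@dataclass
class Md5ChallengeResponse:
    identifier: int   # matches the Identifier of the server's challenge
    length: int       # EAP Length field, must equal the bytes on the wire
    value: bytes      # 16-byte MD5 digest computed by the peer
    name: bytes       # optional peer name carried after the Value


def parse_eap_md5_response(packet: bytes) -> Md5ChallengeResponse:
    """Parse an EAP Response/MD5-Challenge: Code, Id, Length, Type, Value-Size, Value, Name."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short for a typed response")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE:
        raise ValueError(f"expected EAP Response (2), got Code {code}")
    if length != len(packet):
        raise ValueError(f"Length field {length} != {len(packet)} bytes received")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"expected Type 4 (MD5-Challenge), got {packet[4]}")
    value_size = packet[5]
    if value_size != 16 or 6 + value_size > length:
        raise ValueError(f"bad Value-Size {value_size}")
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:length]
    return Md5ChallengeResponse(identifier, length, value, name)


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-style value: MD5(Identifier || password || challenge) (RFC 1994 / RFC 3748)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_response(identifier: int, password: bytes, challenge: bytes,
                           name: bytes = b"") -> bytes:
    """Build the Response/MD5-Challenge a supplicant sends for a given challenge."""
    value = md5_challenge_value(identifier, password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def check_eap_md5(response: Md5ChallengeResponse, challenge: bytes,
                  cleartext_password) -> str:
    """Server-side check; returns the module result 'ok', 'reject' or 'invalid'.

    The digest covers the raw password bytes, so the server can only recompute
    it from a cleartext password; a stored Crypt-/NT-/SSHA-Password hash cannot
    be used. With no Cleartext-Password the check cannot even be attempted,
    which is the 'invalid' result in the debug output above.
    """
    if cleartext_password is None:
        return "invalid"   # rlm_eap_md5: Cleartext-Password is required ...
    expected = md5_challenge_value(response.identifier, cleartext_password, challenge)
    return "ok" if hmac.compare_digest(expected, response.value) else "reject"


if __name__ == "__main__":
    r = parse_eap_md5_response(PAGE_EAP_MESSAGE)
    print(f"id={r.identifier} length={r.length} name={r.name!r} value={r.value.hex()}")
    # Constructed challenge: the real Access-Challenge is not on the page.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    pkt = build_eap_md5_response(133, b"123456", challenge, b"chenyongle")
    resp = parse_eap_md5_response(pkt)
    print(check_eap_md5(resp, challenge, b"123456"), check_eap_md5(resp, challenge, None))
```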


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread Ivan Kalik
 Can I create a client cert for a computer so that any user that logs
 in may use it automatically under Windows XP? I have successfully
 created a client.p12 with the FQDN of the workstation I am using,
 installed it and been authenticated by Freeradius. However when I log
 in to the computer under a different windows profile authentication
 fails.

Yes, that's how user certificates work.

 How should I create this file and where do I place this cert so that
 it's available for any user logging on?

The whole idea of user certificates is for this not to be possible.

Ivan Kalik
Kalik Informatika ISP



Re: make install without messing with previous configuration?

2009-07-15 Thread Arran Cudbard-Bell
Leighton Man wrote:
 Hi,
 I tar the entire raddb directory (from the level above), reinstall, and untar 
 the original config over the top of the new one. That way I can keep multiple 
 configs whilst experimenting and switch between them.
   
Just move the raddb directory to /etc/raddb and change the install path
to /usr/local, then modify the startup script to use -d /etc/raddb.

/etc/raddb is actually a working copy checked out from our subversion
repository, so we can switch between development and production
configurations very easily.


Arran

Re: How to publish vendor specific dictionary file?

2009-07-15 Thread Alan DeKok
Ila Palanisamy wrote:
 Hi Ivan,
 
 Our dictionary is already existing, it is called dictionary.foundry. We
 need update in this file.
 
 Here is the new list

  Which you pasted as text... and your mailer helpfully reformatted so
that it is nearly useless.

  Please add it as an attachment so that it doesn't get destroyed when
you post it to the list.  Even better, send a diff, so that we can see
what changed.

  Alan DeKok.


Re: Help required in defining new string Attribute

2009-07-15 Thread Alan DeKok
Ila Palanisamy wrote:
 Can someone help me in defining new string Attribute in freeradius.

  Edit the dictionaries that the server is using.

 I have added a new attribute Foundry-INM-Role-AOR-List as string in
 dictionary and I’m trying to set this attribute for a user. With the
 below configuration radius server is not coming up.

  You are editing a dictionary that the server isn't using.

 Any help in resolving this issue will be greatly appreciated.

  Run the server in debugging mode.  It will print out the path to the
dictionaries it's using.  Edit those.

  Alan DeKok.

Re: Store message Multiple logins in MySQL.

2009-07-15 Thread Alan DeKok
Daniel Aparecido Martins Rosa wrote:
 Hi All!
 I need to register in a database when occurs simultaneous use. Currently
 I stored by postauth_query through the variable '% (reply:
 Packet-Type)', but the message is generic, ranging from Access-Reject or
 Access-Accept.

  Why?  Why not just use the simultaneous use queries & accounting logs
from the default config?

 When a connection occurs simultaneously,  The freeradius stores the
 message Access-Reject

  Because that's what you configured it to do.  If you don't want it to
do that, don't configure SQL in the post-auth-type Reject section.

  Alan DeKok.


Re: rlm_ippool performance

2009-07-15 Thread Alan DeKok
Santosh wrote:
 Error: WARNING: Unresponsive child for request 282, in module main_pool1
 component post-auth

  That message comes out after the request has been blocked for ~30
seconds.  If that's happening, you have a MAJOR problem that is
unrelated to performance.

  i.e. the database is on an NFS mount, and NFS has gone away.

 The question here is will rlm_ippool be able to give away ip addresses
 to 100's of clients per second? or do I need to look at some thing else?
 Please suggest.

  Maybe the SQL IPpool module?

  Alan DeKok.


Re: problem with checking dhcp-packet type

2009-07-15 Thread Alan DeKok
Alexander Kubatkin wrote:
 On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
 Alexander Kubatkin wrote:
 when it(fix) come to us?

   If you want the latest version, use git.
 last changes 4 days ago
   Did you download the version using git, as I said?  The fix was
 available there when I sent my message.
 
 Yes, I did; the problem with the build isn't fixed. I was trying both under FreeBSD 7
 and under Linux Kubuntu 9.04.

  OK.  The fix should now be in git.

  Alan DeKok.

Re: Store message Multiple logins in MySQL.

2009-07-15 Thread Daniel Aparecido Martins Rosa
Thanks Kalik, I'll think about this possibility.

Alan,
I control simultaneous use using SQL; it is working perfectly. The reason is that
I need to provide a Web interface to the Help Desk to report why the user is not
connected, and a generic Access-Reject message does not distinguish whether the
error during authentication is an invalid username or password or a problem of
simultaneous use.

The valuable information that I have is restricted to radius.log:
Auth: Multiple logins (max 1) [MPP attempt]: [login @ realm.

If it were possible to write the message Multiple logins in the database it would
be perfect; I suggested that to Kalik.
Thank you.

Daniel Aparecido Martins Rosa



Re: make install without messing with previous configuration?

2009-07-15 Thread Stefan Winter
Hi,

 $ rm -rf ./raddb
 $ make install

   ?  Might work...
   

Not really...

gmake[2]: Leaving directory
`/home/swinter/packages/linux/freeradius-server-2.1.6/src'
Making install in raddb...
gmake: Entering an unknown directory
gmake: *** raddb: Datei oder Verzeichnis nicht gefunden.  Schluss.
gmake: Leaving an unknown directory
gmake[1]: *** [common] Fehler 2
gmake[1]: Leaving directory
`/home/swinter/packages/linux/freeradius-server-2.1.6'
make: *** [install] Fehler 2

And it breaks the next time you run configure:

[...]
config.status: creating ./src/main/Makefile
config.status: creating ./src/main/checkrad.pl
config.status: creating ./src/main/radlast
config.status: creating ./src/main/radtest
config.status: creating ./scripts/rc.radiusd
config.status: creating ./scripts/radwatch
config.status: creating ./scripts/radiusd.cron.daily
config.status: creating ./scripts/radiusd.cron.monthly
config.status: creating ./scripts/cryptpasswd
config.status: error: cannot find input file: ./raddb/dictionary.in

Greetings,

Stefan Winter



Re: Store message Multiple logins in MySQL.

2009-07-15 Thread Ivan Kalik
 The valuable information that I have is that it is restricted in
 radius.log
 Auth: Multiple logins (max 1) [MPP attempt]: [login @ realm.

 If it were possible to write the message Multiple logins in Database
 would
 be perfect, I suggested that the Kalik.

That would require a (small) source code change. By default the message is only
written to the log. You can add a line that places it into an attribute
that you can later use in the post-auth query.

Ivan Kalik
Kalik Informatika ISP



./configure

2009-07-15 Thread shivashankar

hi all,

this is shiva shankar.

When I am installing freeradius-server-2.1.6 on Solaris 10, it is showing
some warnings.

Please help me out with how to remove those warnings.

miboss3:root$ ./configure > log.txt
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl
may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS
sniffer.
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir
setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore
the --datarootdir setting
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2
EAPIKEv2/connector.h.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are
found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs
openssl-includes openssl-includes openssl-includes openssl-includes
openssl-includes.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use
--with-mysql-lib-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r.
configure: WARNING: oracle headers not found.  Use
--with-oracle-home-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.


I set PATH like this:

/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/ssl/bin:/usr/ccs/bin:/usr/sfw/bin

Please help me out, it is urgent for me.
Thanks in advance.



Re: make install without messing with previous configuration?

2009-07-15 Thread Alan DeKok
Stefan Winter wrote:
 Not really...
 
 gmake[2]: Leaving directory
 `/home/swinter/packages/linux/freeradius-server-2.1.6/src'
 Making install in raddb...
 gmake: Entering an unknown directory

  OK how about this.  Edit Makefile.  Change:

SUBDIRS = $(LTDL_SUBDIRS) src raddb scripts doc

  to

SUBDIRS = $(LTDL_SUBDIRS) $(wildcard src raddb scripts doc)


  Then configure;rm -rf raddb;make;make install

 And it breaks the next time you run configure:

  Well, that's what tar -zxf is for.

  Alan DeKok.
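Stefan's problem in this thread (a make install dropping sites-enabled/default and other defaults into a curated raddb) and Leighton's tar-and-restore workaround both come down to recording the directory before the install and comparing afterwards. The following is an added example, not from the thread or from FreeRADIUS: it takes a hash manifest of raddb, reports what an install added, changed or removed, and deletes only the added files, so a curated file that was overwritten is flagged rather than silently kept. The raddb tree it builds and the simulated install are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def raddb_snapshot(raddb: Path) -> dict:
    """Map every regular file below raddb (relative POSIX path) to its SHA-256."""
    snap = {}
    for p in sorted(raddb.rglob("*")):
        # is_file() follows symlinks, e.g. sites-enabled/default -> sites-available/default
        if p.is_file():
            snap[p.relative_to(raddb).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def raddb_diff(before: dict, raddb: Path) -> dict:
    """Compare the current tree with an earlier snapshot."""
    after = raddb_snapshot(raddb)
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "changed": sorted(p for p in common if before[p] != after[p]),
        "removed": sorted(before.keys() - after.keys()),
    }


def raddb_prune_added(before: dict, raddb: Path) -> list:
    """Delete files that were not in the snapshot and return their paths.

    Only files absent from the snapshot are touched; curated files, including
    ones the install overwrote, are left for the operator to inspect via
    raddb_diff()["changed"].
    """
    added = raddb_diff(before, raddb)["added"]
    for rel in added:
        (raddb / rel).unlink()
    return added


def make_constructed_raddb() -> Path:
    """Constructed stand-in for a curated raddb (no real FreeRADIUS files)."""
    raddb = Path(tempfile.mkdtemp(prefix="raddb-"))
    (raddb / "sites-enabled").mkdir()
    (raddb / "radiusd.conf").write_text("# curated\n")
    (raddb / "sites-enabled" / "eduroam").write_text("server eduroam { }\n")
    return raddb


def simulate_make_install(raddb: Path) -> None:
    """Constructed stand-in for the install: defaults appear and one curated file is overwritten."""
    (raddb / "sites-enabled" / "default").write_text("server default { }\n")
    (raddb / "modules").mkdir(exist_ok=True)
    (raddb / "modules" / "ippool").write_text("ippool main_pool { }\n")
    (raddb / "radiusd.conf").write_text("# default radiusd.conf\n")


if __name__ == "__main__":
    raddb = make_constructed_raddb()
    before = raddb_snapshot(raddb)   # take this before running make install
    simulate_make_install(raddb)
    print("after install:", raddb_diff(before, raddb))
    print("pruned:", raddb_prune_added(before, raddb))
    print("after prune:", raddb_diff(before, raddb))
```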


Re: ./configure

2009-07-15 Thread Alan DeKok
shivashankar wrote:
 When I am installing freeradius-server-2.1.6 on Solaris 10, it is showing
 some warnings.
 
 Please help me out with how to remove those warnings.

  You don't.  They are WARNINGS, not ERRORS.

  Alan DeKok.


Re: ./configure

2009-07-15 Thread shiva shankar
hi aland

It is giving a problem while doing make.

Regards,
shiva shankar


Re: ./configure

2009-07-15 Thread Ivan Kalik
 When I am installing freeradius-server-2.1.6 on Solaris 10, it is showing
 some warnings.

 Please help me out with how to remove those warnings.

Why? Do you need any of the mentioned modules? OpenSSL is probably important.
Do you have the development headers for it installed?

Ivan Kalik
Kalik Informatika ISP



Re: ./configure

2009-07-15 Thread John Dennis

On 07/15/2009 09:20 AM, shivashankar wrote:

hi all,

this is shiva shankar.

When I am installing freeradius-server-2.1.6 on Solaris 10, it is showing
some warnings.

Please help me out with how to remove those warnings.

miboss3:root$./configurelog.txt
configure: WARNING: snmpget not found - Simultaneous-Use and checkrad.pl may
not work
configure: WARNING: snmpwalk not found - Simultaneous-Use and checkrad.pl
may not work
configure: WARNING: pcap library not found, silently disabling the RADIUS
sniffer.
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir
setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore
the --datarootdir setting
configure: WARNING: silently not building rlm_counter.
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2
EAPIKEv2/connector.h.
configure: WARNING: silently not building rlm_eap_peap.
configure: WARNING: FAILURE: rlm_eap_peap requires: OpenSSL.
configure: WARNING: silently not building rlm_eap_tls.
configure: WARNING: FAILURE: rlm_eap_tls requires: OpenSSL.
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ttls.
configure: WARNING: FAILURE: rlm_eap_ttls requires: OpenSSL.
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: neither krb5 'k5crypto' nor 'crypto' libraries are
found!
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h.
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires:  libldap_r.
configure: WARNING: silently not building rlm_otp.
configure: WARNING: FAILURE: rlm_otp requires:  openssl-libs
openssl-includes openssl-includes openssl-includes openssl-includes
openssl-includes.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: MySQL libraries not found. Use
--with-mysql-lib-dir=path.
configure: WARNING: silently not building rlm_sql_mysql.
configure: WARNING: FAILURE: rlm_sql_mysql requires: libmysqlclient_r.
configure: WARNING: oracle headers not found.  Use
--with-oracle-home-dir=path.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.


I set PATH like this:

/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/ssl/bin:/usr/ccs/bin:/usr/sfw/bin

Please help me out; it is urgent for me.
Thanks in advance.



The bulk of these are because you do not have the build dependencies 
installed. You need to install the libraries and header files. I don't 
know how that's done on Solaris, but for many OSes these are found in 
development packages which are not normally installed because most 
users won't need them, only if you're doing development, e.g. building.


Also note, if you aren't going to use a feature (e.g. mysql) you don't need 
to install the mysql development packages; you can either disable the 
build of the module by passing --withoutXXX to configure or just let 
configure figure it out on its own and live with the warnings.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ./configure

2009-07-15 Thread Nicolas Goutte


On 15.07.2009 at 15:45, shiva shankar wrote:


Hi aland,

It is giving a problem while doing make.


Then please post the relevant lines of the bottom of the output of make.




regard's
shiva shankar


Have a nice day!



2009/7/15 Alan DeKok al...@deployingradius.com
shivashankar wrote:
 When I am installing freeradius-server-2.1.6 on Solaris 10, it is
showing some warnings.

 Please help me out with how to remove those warnings.

 You don't.  They are WARNINGS, not ERRORS.

 Alan DeKok.



--

regard's
shiva shankar


Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registergericht: Amtsgericht Münster / HRB: 5624
Steuer Nr.: 337/5903/0421 / UstID: DE 204607841




Re: ./configure

2009-07-15 Thread shiva shankar
Hi all,


I am facing the below problem while running make:




gmake[10]: Nothing to be done for `all'.
gmake[10]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers/rlm_sql_unixodbc'
gmake[9]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers'
gmake[8]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers'
gmake[7]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql'
for x in .libs/* rlm_sql.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql'
Making all in rlm_sqlcounter...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter'
for x in .libs/* rlm_sqlcounter.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter'
Making all in rlm_sqlippool...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool'
for x in .libs/* rlm_sqlippool.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool'
Making all in rlm_sql_log...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log'
for x in .libs/* rlm_sql_log.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log'
Making all in rlm_unix...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix'
for x in .libs/* rlm_unix.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix'
Making all in rlm_policy...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy'
for x in .libs/* rlm_policy.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy'
Making all in rlm_dynamic_clients...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients'
for x in .libs/* rlm_dynamic_clients.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients'
gmake[5]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules'
gmake[4]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules'
Making all in main...
gmake[4]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/main'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/main'
gmake[3]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src'
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src'
Making all in raddb...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/raddb'
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/raddb'
Making all in scripts...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/scripts'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/scripts'
Making all in doc...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc'
gmake[3]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc'
Making all in examples...
gmake[4]: Entering directory
`/opt/packages/freeradius-server-2.1.6/doc/examples'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory

Re: ./configure

2009-07-15 Thread shiva shankar
Please find the make output below:

gmake[10]: Nothing to be done for `all'.
gmake[10]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers/rlm_sql_unixodbc'
gmake[9]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers'
gmake[8]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/drivers'
gmake[7]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql'
for x in .libs/* rlm_sql.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql'
Making all in rlm_sqlcounter...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter'
for x in .libs/* rlm_sqlcounter.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlcounter'
Making all in rlm_sqlippool...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool'
for x in .libs/* rlm_sqlippool.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sqlippool'
Making all in rlm_sql_log...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log'
for x in .libs/* rlm_sql_log.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_sql_log'
Making all in rlm_unix...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix'
for x in .libs/* rlm_unix.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s /opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_unix'
Making all in rlm_policy...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy'
for x in .libs/* rlm_policy.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_policy'
Making all in rlm_dynamic_clients...
gmake[6]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients'
for x in .libs/* rlm_dynamic_clients.la; do \
rm -rf /opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
ln -s
/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients/$x
/opt/packages/freeradius-server-2.1.6/src/modules/lib/$x; \
done
gmake[6]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules/rlm_dynamic_clients'
gmake[5]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules'
gmake[4]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/src/modules'
Making all in main...
gmake[4]: Entering directory
`/opt/packages/freeradius-server-2.1.6/src/main'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src/main'
gmake[3]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src'
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/src'
Making all in raddb...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/raddb'
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/raddb'
Making all in scripts...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/scripts'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/opt/packages/freeradius-server-2.1.6/scripts'
Making all in doc...
gmake[2]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc'
gmake[3]: Entering directory `/opt/packages/freeradius-server-2.1.6/doc'
Making all in examples...
gmake[4]: Entering directory
`/opt/packages/freeradius-server-2.1.6/doc/examples'
gmake[4]: Nothing to be done for `all'.
gmake[4]: Leaving directory
`/opt/packages/freeradius-server-2.1.6/doc/examples'
Making all in rfc...
gmake[4]: 

Re: ./configure

2009-07-15 Thread Alan DeKok
shiva shankar wrote:
 Hi aland,

 It is giving a problem while doing make.

  So you posted the output of configure, and not make.

  Hmm...

  Alan DeKok.


How to reject when a user logs in without realm?

2009-07-15 Thread Navin

Hi,
  I am new to RADIUS, hence kindly excuse me if my terminology
is different from what is expected.

I am using FreeRADIUS version 1.1.7.
Is it possible to reject a request when it comes from the NAS
with a user logging in without a realm as suffix?

For example, if the FreeRADIUS server receives an authentication
request for the user navin, it has to reject it, but if it receives
the request as na...@freescale.com it has to authenticate him.

I tried the below options:

I am not using the proxy request support.
Hence I commented out the proxy.conf file and set proxy_requests = no
in the radiusd.conf file.

I added the below in the radiusd.conf file with the intention that
users of realm freescale.com have to be authenticated and other users
should be rejected.

realm freescale.com {
type= radius
authhost= LOCAL
accthost= LOCAL
}

realm NULL {
type=  radius
authhost=  LOCAL
accthost=  LOCAL
secret  =  test
}

In radiusd.conf, under the realm module config section, the options
ignore_null = yes
ignore_default = yes

for u...@realm.

In the users file, I added
na...@freescale.com Cleartext-Password := navin123

meaning authenticate navin with the password navin123.

But what I observed is that I get authenticated when I log in as
navin and also as na...@freescale.com.

This has been verified with the radtest client program which
came along with the FreeRADIUS server.

Kindly let me know if the user can be denied access if he logs 
in without a realm.


have a nice day,
navin




Re: ./configure

2009-07-15 Thread shiva shankar
I thought configure has a number of warnings; that's why make is giving a problem.

2009/7/15 Alan DeKok al...@deployingradius.com

 shiva shankar wrote:
  hi aland
 
  is is giveing problem while doing  make.

  So you posted the output of configure, and not make.

  Hmm...

  Alan DeKok.




-- 

regard's
shiva shankar

Re: How to reject when a user logs in without realm?

2009-07-15 Thread Ivan Kalik
I am new to RADIUS, hence kindly excuse me if my terminology
 is different from what is expected.

 I am using FreeRADIUS version 1.1.7.
 Is it possible to reject a request when it comes from the NAS
 with a user logging in without a realm as suffix?

 For example, if the FreeRADIUS server receives an authentication
 request for the user navin, it has to reject it, but if it receives
 the request as na...@freescale.com it has to authenticate him.

 I tried the below options:

 I am not using the proxy request support.
 Hence I commented out the proxy.conf file and set proxy_requests = no
 in the radiusd.conf file.

 I added the below in the radiusd.conf file with the intention that
 users of realm freescale.com have to be authenticated and other users
 should be rejected.

 realm freescale.com {
  type= radius
  authhost= LOCAL
  accthost= LOCAL
 }

Remove that. Your user file entry will sort out who gets authenticated and
who doesn't.

Ivan Kalik
Kalik Informatika ISP



LDAP + TTLS PAP

2009-07-15 Thread jpablorp

Hi.
I've been trying to set up FreeRADIUS with LDAP + TTLS PAP.
I use the default radius, eap and users file configuration; I configured my
modules/ldap file to connect to my LDAP, the sites-available/default file to
authorize with ldap, and ldap.attrmap to check Cleartext-Password against
userPassword.
 
Everything seems normal; when I test it with 
radtest user pass 10.14.56.26 0 secret
it is accepted.

But when I try from my XP client the debug shows this:

+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}

Here is my sites-available/default authorize section:

authorize {
preprocess
chap
mschap
eap {
ok = return
}
unix
files
ldap
expiration
logintime
pap
}

Any Ideas?

Thanks.
-- 
View this message in context: 
http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24498710.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



Re: ./configure

2009-07-15 Thread Alan DeKok
shiva shankar wrote:
 I thought configure has a number of warnings; that's why make is giving a problem.

  They are different programs...

  And the output of make showed no errors.

  Why do you think there are errors?

  Alan DeKok.


Re: ./configure

2009-07-15 Thread John Dennis

On 07/15/2009 09:55 AM, shiva shankar wrote:

Hi all,
I am facing the below problem while running make:
gmake[10]: Nothing to be done for `all'.


Well you don't say what your problem is. Is it because make says 
everything is already done? Well that's probably true if you've already 
done a build. Note, if you change anything in your environment such as 
adding missing libraries and headers you'll have to run ./configure and 
make again.


A couple of suggestions:

Please don't post the same thing multiple times, we're not deaf.

Please be specific about your issues.

Please go elsewhere to learn basic Unix tasks and come back and ask 
FreeRADIUS specific questions here, this is not a help forum for how to 
use basic Unix tools.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: make install without messing with previous configuration?

2009-07-15 Thread Stefan Winter
Hi,

   OK how about this.  Edit Makefile.  Change:

 SUBDIRS   = $(LTDL_SUBDIRS) src raddb scripts doc

   to

 SUBDIRS   = $(LTDL_SUBDIRS) $(wildcard src raddb scripts doc)


   Then configure;rm -rf raddb;make;make install
   

Cute, works.

I don't like deleting raddb; doing

mv raddb getouttatheway
make install
mv getouttatheway raddb

is maybe not really elegant, but good enough. Thanks!

This new SUBDIRS shouldn't do harm either way. Any chance to push this
into 2.1.7?

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: make install without messing with previous configuration?

2009-07-15 Thread Alan DeKok
Stefan Winter wrote:
 This new SUBDIRS shouldn't do harm either way. Any chance to push this
 into 2.1.7?

  Done.

  Alan DeKok.


Re: LDAP + TTLS PAP

2009-07-15 Thread Ivan Kalik
 but when i try from mi XP client the debug show this:

You have deleted the interesting part of the debug.

Ivan Kalik
Kalik Informatika ISP



Re: How to reject when a user logs in without realm?

2009-07-15 Thread Navin

Hi,
  I hope you are referring to
realm freescale.com {
  type= radius
  authhost= LOCAL
  accthost= LOCAL

present in the radiusd.conf file. I removed it and restarted the FreeRADIUS server.

The users file contains
na...@freescale.com Cleartext-Password := navin123

Even then, when tested with the radtest tool, the users navin and
na...@freescale.com
are both getting authenticated. I would prefer that only 
na...@freescale.com gets authenticated

and user navin should get rejected.

have a nice day,
navin

At 07:37 PM 7/15/2009, you wrote:

I am new to RADIUS, hence kindly excuse me if my terminology
 is different from what is expected.

 I am using FreeRADIUS version 1.1.7.
 Is it possible to reject a request when it comes from the NAS
 with a user logging in without a realm as suffix?

 For example, if the FreeRADIUS server receives an authentication
 request for the user navin, it has to reject it, but if it receives
 the request as na...@freescale.com it has to authenticate him.

 I tried the below options:

 I am not using the proxy request support.
 Hence I commented out the proxy.conf file and set proxy_requests = no
 in the radiusd.conf file.

 I added the below in the radiusd.conf file with the intention that
 users of realm freescale.com have to be authenticated and other users
 should be rejected.

 realm freescale.com {
  type= radius
  authhost= LOCAL
  accthost= LOCAL
 }

Remove that. Your user file entry will sort out who gets authenticated and
who doesn't.

Ivan Kalik
Kalik Informatika ISP



Re: How to reject when a user logs in without realm?

2009-07-15 Thread Ivan Kalik
Hope you are referring to
 realm freescale.com {
type= radius
authhost= LOCAL
accthost= LOCAL

 present in the radiusd.conf file. I removed it and restarted the FreeRADIUS
 server.

 The users file contains
 na...@freescale.com Cleartext-Password := navin123

 Even then, when tested with the radtest tool, the users navin and
 na...@freescale.com
 are both getting authenticated. I would prefer that only
 na...@freescale.com gets authenticated
 and user navin should get rejected.

There is something else there then as well. Post the debug for navin. You
can probably safely disable suffix as well. But let's first see what is
stripping the username. There is nothing in the default configuration that
does that.

Ivan Kalik
Kalik Informatika ISP

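
One way to enforce what Navin asks for, written as an added example rather than anything posted in the thread or shipped in the FreeRADIUS raddb: a DEFAULT entry at the top of the users file that rejects any User-Name containing no "@", so bare logins never reach the per-user entries. The file path, the Reply-Message text and the trailing user entry are assumptions for illustration; the regex operators =~ and !~ in check items are standard rlm_files syntax.

```text
# raddb/users  (assumed path; rlm_files syntax, FreeRADIUS 1.1.x and 2.x)
#
# rlm_files takes the first entry whose name (or DEFAULT) and check items
# match, so this line goes before every per-user entry. The "!~" check
# matches only when the User-Name attribute, as received from the NAS,
# contains no "@" at all, i.e. a bare login such as "navin".
# Auth-Type := Reject ends the request with an Access-Reject regardless of
# any password the client supplied.
DEFAULT User-Name !~ "@", Auth-Type := Reject
        Reply-Message = "Logins must include a realm, e.g. user@freescale.com"

# Realm-qualified names fail the check above, so this DEFAULT entry is
# skipped for them and lookup continues to the ordinary entries.
# (Assumed entry, mirroring the one in the thread.)
na...@freescale.com Cleartext-Password := "navin123"
```

To verify, run the server with radiusd -X and send both names with radtest: the bare name should show the DEFAULT entry matching in the files module's output and end in Access-Reject, while the realm-qualified name should fall through to its own entry. The check is made on the User-Name attribute itself, not on Stripped-User-Name, so a realm module stripping the suffix earlier in authorize does not change its result; whether the bare name was previously being accepted because some other module set an Auth-Type first is exactly what the debug output Ivan asked for would show.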


Re: problem with checking dhcp-packet type

2009-07-15 Thread Alexander Kubatkin
On Wednesday 15 July 2009 14:07:18 Alan DeKok wrote:
 Alexander Kubatkin wrote:
  On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
  Alexander Kubatkin wrote:
  When will it (the fix) come to us?
 
If you want the latest version, use git.
 
  The last changes were 4 days ago.
 
Did you download the version using git, as I said?  The fix was
  available there when I sent my message.
 
  Yes, I did; the problem with the build isn't fixed. I was trying both under
  FreeBSD 7 and under Linux Kubuntu 9.04.

   OK.  The fix should now be in git.

Yes, it's working, thank you.

The test with the TRENDnet SOHO router will be later.


   Alan DeKok.

-- 
__
Alexander Kubatkin


Re: LDAP + TTLS PAP

2009-07-15 Thread jpablorp


Ivan Kalik wrote:
 
 
 You have deleted the interesting part of the debug.
 
Ivan Kalik
Kalik Informatika ISP
 
 

Sorry, 
here is all my debug.
Ready to process requests.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
User-Name = user
Calling-Station-Id = 00-24-2C-83-AA-92
Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = test-gdl-wlc
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020800090175736572
Message-Authenticator = 0xb86c778d5e5cbb982425e05ea5b4b6e8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 8 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -
ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with
filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword - Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
EAP-Message = 0x010900160410a1a022fc9a0dfa06c749cc18033a2a4a
Message-Authenticator = 0x
State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=2,
length=163
Sending duplicate reply to client 10.14.56.33 port 32768 - ID: 2
Sending Access-Challenge of id 2 to 10.14.56.33 port 32768
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.14.56.33 port 32768, id=3,
length=178
User-Name = user
Calling-Station-Id = 00-24-2C-83-AA-92
Called-Station-Id = 00-21-A1-9E-F9-30:testGDL
NAS-Port = 1
NAS-IP-Address = 10.14.56.33
NAS-Identifier = test-gdl-wlc
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020900060315
State = 0xeb2a1c90eb2318c7f00b52ffc2a1bc44
Message-Authenticator = 0xbe3af8eada8201dbfd51322d12e53c40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 9 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=user)
[ldap]  expand: ou=Wireless,dc=local,dc=test,dc=com -
ou=Wireless,dc=local,dc=test,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=local,dc=test,dc=com, with
filter (cn=user)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: userPassword - Cleartext-Password == Newuser01
[ldap] looking for reply items in directory...
[ldap] user user authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate

Re: LDAP + TTLS PAP

2009-07-15 Thread Ivan Kalik
 Here is my all debug.

Enable ldap in inner-tunnel virtual server as well.

Ivan Kalik
Kalik Informatika ISP



Mysql and SHA256 or SHA-2

2009-07-15 Thread Mouncif Benniane
I am using freeradius 2.1.6 with a mysql backend; users' passwords are stored
in the database in SHA256 format. The question is: does freeradius support this
type of encryption? I know it supports SHA-1 and SSHA but that's not what I
want.

Thank you

TTLS to require client cert

2009-07-15 Thread Petar Marinkovic
Hi all, I need help once again. I want TTLS to require a client cert. I put
EAP-TLS-Require-client-cert = YES in the ttls { } part of eap.conf but it's not
working. What am I doing wrong here?

Re: LDAP + TTLS PAP

2009-07-15 Thread jpablorp



Ivan Kalik wrote:
 
 Here is my all debug.
 
 Enable ldap in inner-tunnel virtual server as well.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 

Thanks for your help Ivan. 

Now everything looks fine.
-- 
View this message in context: 
http://www.nabble.com/LDAP-%2B-TTLS-PAP-tp24498710p24500243.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

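
What Ivan's one-line answer amounts to, written out as an added example and not a copy of the poster's or the project's files: with TTLS/PAP the EAP identity exchange is handled by the outer server (sites-available/default), but the PAP request carried inside the tunnel is processed by the inner-tunnel virtual server, so the module that fetches the password has to be listed in that server's authorize section too. The module order below follows the 2.1.x default inner-tunnel layout, which is also what the poster's debug shows (chap, mschap, unix, suffix, control, eap, files, expiration, logintime, pap); the exact file contents and path are assumptions.

```text
# raddb/sites-available/inner-tunnel  (assumed path, FreeRADIUS 2.1.x)
server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        # Added line. Without it the tunneled PAP request reaches "pap" with
        # no password attribute for the user, and the debug ends in
        # "No authenticate method (Auth-Type) configuration found".
        ldap
        expiration
        logintime
        # pap sets Auth-Type := PAP only when a password attribute is already
        # present, which is why ldap must run before it.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        # CHAP, MS-CHAP, unix and eap entries stay as in the default file.
    }
}
```

Two things worth checking afterwards. First, rlm_pap can verify against a Cleartext-Password from ldap.attrmap, as here, but also against hashed forms the directory may return instead; what it cannot do is verify a password it never receives, which is the failure in the debug above. Second, in that debug the outer server also ran the ldap lookup on the EAP identity and NAK packets, because eap returned "updated" rather than "ok" and so did not short-circuit; those outer lookups are wasted work, since for TTLS only the inner-tunnel lookup decides anything.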


error 734

2009-07-15 Thread Issa Nkusi Karera [MTN Rwanda - MTN Centre]
Hello folks,

Below is log message after an attempt to authenticate.

Wed Jul 15 16:31:31 2009 : Auth: Login OK: [t...@wimax.mtnonline.rw]
(from client XX-bras-1 port 0)

 

It brings error 734 on a Windows machine. Therefore, the user cannot
be connected.

 

Thanks in advance for your advice.

 

Best regards,

 

Issa

 

 


wpa2-psk and radiusd possible?

2009-07-15 Thread Stefan Jensen
Hi,...

I'm pretty new to radiusd, so this may be a dumb question. :-)

Is it possible to use something like MAC-based WPA2-PSKs together
with radiusd?

I have used a single hostapd installation as AP, configured
with unique WPA2-PSKs for each MAC address that should have access
(which prevents trading the PSK).

Now I want to extend our network with a couple of Linksys routers, so
I've installed radiusd and got EAP, PEAP and 802.1X to work so far.

But my users find it complicated to mess around with the certs, so
I decided to use the same PSK on all NAS clients (dd-wrt) and
only do MAC auth with radiusd.

Is there a way to have different PSKs for every MAC? I bet it is
not a job for RADIUS and maybe a completely wrong concept?

best regards

stefan

PS: sorry for bad English ;-)
-- 
Stefan Jensen sjen...@versanet.de



Re: problem with checking dhcp-packet type

2009-07-15 Thread Alexander Kubatkin
On Wednesday 15 July 2009 18:33:11 Alexander Kubatkin wrote:
 On Wednesday 15 July 2009 14:07:18 Alan DeKok wrote:
  Alexander Kubatkin wrote:
   On Monday 13 July 2009 11:53:23 Alan DeKok wrote:
   Alexander Kubatkin wrote:
   when will it (the fix) come to us?
  
 If you want the latest version, use git.
  
   last changes 4 days ago
  
 Did you download the version using git, as I said?  The fix was
   available there when I sent my message.
  
   yes, I did; the problem with the build isn't fixed, I tried both under
   FreeBSD 7 and under Linux kubuntu 9.04.
 
OK.  The fix should now be in git.

 yes, it's working, thank you.

 test with trendnet soho-router will be later.

test passed.



Alan DeKok.

-- 
__
Alexander Kubatkin


RE: error 734

2009-07-15 Thread Issa Nkusi Karera [MTN Rwanda - MTN Centre]
Don't worry, the issue is fixed. A vrf configuration was missing.

 


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john
On Wed, Jul 15, 2009 at 1:52 AM, Ivan Kalikt...@kalik.net wrote:
 Can I create a client cert for a computer so that any user that logs
 in may use it automatically under Windows XP? I have successfully
 created a client.p12 with the FQDN of the workstation I am using,
 installed it and been authenticated by Freeradius. However when I log
 in to the computer under a different windows profile authentication
 fails.

 Yes, that's how user certificates work.

 How should I create this file and where do I place this cert so that
 it's available for any user logging on?

 The whole idea of user certificates is for this not to be possible.

Thanks for the reply Ivan,

So are the following correct?:

(1) I can create a single cert for a computer and distribute it to all
users who may use that computer


(2) I can create a cert for every user and distribute it to every
computer that a user logs into.

(3) I cannot create a generic computer cert that authenticates the
computer and opens the port?

Thanks!

John


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread Ivan Kalik
 So are the following correct?:

 (1) I can create a single cert for a computer and distribute it to all
 users who may use that computer

You can give the same user certificate to any user using the computer - you
can place it on the desktop with installation instructions. But don't you
hear a voice in your head: "what is the point of these certificates?".

 (2) I can create a cert for every user and distribute it to every
 computer that a user logs into.

Yes. In normal circumstances such a user will have his certificate on a
smart card and computers will be equipped with readers. So, the user certificate
is with the (mobile) user, not on any possible computer he might use.

 (3) I cannot create a generic computer cert that authenticates the
 computer and opens the port?

Yes, you can. But as soon as some user logs onto that computer ...

Ivan Kalik
Kalik Informatika ISP



Re: TTLS to require client cert

2009-07-15 Thread Ivan Kalik
 Hi all, I need help once again. I want TTLS to require client cert. I put
 EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not
 working. What I am doing wrong here?

What isn't working? Freeradius can request a certificate - does your
supplicant support that?



Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john

 (3) I cannot create a generic computer cert that authenticates the
 computer and opens the port?

 Yes, you can. But as soon as some user logs onto that computer ...

 Ivan Kalik
 Kalik Informatika ISP

Thanks for the reply Ivan. I am fine with folks logging in and having
access from computers that have already been authenticated via a
computer certificate. If my users make it that far they have domain
credentials and are supposed to be there. What I am trying to prevent
is users bringing their laptops from home and plugging them into
a spare port (or removing the cable from the back of a school
computer) in one of our computer labs.

I am pretty sure I can put a cert into the computer that will
authenticate the computer *before* a user even logs in. Once they
provide their domain credentials they should have access to all the
services we provide in the lab.

I am having a hard time figuring out how to make this work. Where/how
does the cert get imported? Do I need to make a registry change in
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to make this work? I hope this is the part someone on the list will
have done before and be able to guide me or point me at a howto.

Thanks!

John


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread John Dennis

On 07/15/2009 01:08 PM, john wrote:

So are the following correct?:

(1) I can create a single cert for a computer and distribute it to all
users who may use that computer


(2) I can create a cert for every user and distribute it to every
computer that a user logs into.

(3) I cannot create a generic computer cert that authenticates the
computer and opens the port?


Think long and hard about what you want authentication to accomplish 
from a security standpoint, then worry about the implementation details.


Ask the question "Who are you authenticating?" or "What has permission 
to use the network?" Am I trying to restrict access to a specific set of 
users or am I trying to restrict access to a specific set of machines? 
If it's the latter, does that mean anyone who sits down at that machine 
has access?


In a very very simplified view a certificate is nothing more than a 
password. Would you give the same password to every user? Would you put 
that password on every machine?


What you're learning is that certificate management is complex and often 
requires additional certificate management support.


If you want users to be authenticated no matter what machine they are 
logging in from *and* you want to use certificates as opposed to 
passwords, you essentially have two choices.


1) The user is in physical possession of the certificate, he carries it 
from machine to machine. This is the smart card (i.e. token) solution. 
To protect against theft or loss of the token the user has to unlock the 
token using a password upon insertion of the token in the device.


2) The per user certificate is stored in a central location where only 
the user can access it. Usually this requires OS support and another 
layer of authentication.


If you want to do machine authentication then per machine certificates 
must be generated and distributed (which is where your question began). 
There is no easy secure way to do this for a large number of devices in 
the absence of sophisticated certificate management software, this is 
why certificate management software is a growth industry.


I'm not a Windows guy, but my understanding is that Microsoft offers 
(expensive) solutions. In the Linux world you might consider DogTag 
(http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same 
certificate management system used by the DoD (Dept of Defense) and 
other high profile organizations which Red Hat has generously made 
available as open source after its acquisition from Netscape.


Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which 
allows users and computers in a Microsoft Windows domain to 
automatically enroll for certificates issued from Certificate System.


Of course if you don't want to deal with the complexity of certificate 
based authentication you could just use passwords. Passwords are much 
less secure, but much simpler.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-15 Thread john
Hi John thanks for taking the time to reply,


 Ask the question "Who are you authenticating?" or "What has permission to
 use the network?" Am I trying to restrict access to a specific set of users
 or am I trying to restrict access to a specific set of machines? If it's the
 latter, does that mean anyone who sits down at that machine has access?


In this instance I am trying to the network so that only computers
which carry a credential are allowed to have port access. My users'
credentials are managed via Active Directory and I am trying to avoid
issuing user certs if possible. More specifically we have a number of
computer labs where users are in the habit of bringing in computers
from home and plugging in; I'd like to prevent this. So what I am
hoping to find out is that I can create a cert with the FQDN of the
computer, install it on the computer itself, and have the computer
negotiate via the NAS with free-radius for access. I hope this process
is completely transparent to the user.



 In a very very simplified view a certificate is nothing more than a
 password. Would you give the same password to every user? Would you put that
 password on every machine?

Sort of. I guess I see it as a sort of 2 factor auth scheme. The
computer has a credential which is processed by free-radius and the
user has a separate credential which is processed by Active Directory.





 2) The per user certificate is stored in a central location where only the
 user can access it. Usually this requires OS support and another layer of
 authentication.

I am pretty sure that Windows XP can use a computer cert for dot1X
auth via EAP. I've seen references to it. I've even found a mention of
a registry hack that forces the computer to use machine auth for dot1X
in lieu of user certs, but I am not sure how to correctly implement it
when using free-radius; everything's written for IAS.


 If you want to do machine authentication then per machine certificates must
 be generated and distributed (which is where your question began). There is
 no easy secure way to do this for a large number of devices in the absence
 of sophisticated certificate management software, this is why certificate
 management software is a growth industry.

I am willing to do it by hand if the process seems reasonably
straightforward. I've got about 200 machines and 1600 users, and many
users use multiple machines. You can see why I'd rather tackle the
machines. :-

 I'm not a Windows guy, but my understanding is that Microsoft offers
 (expensive) solutions. In the Linux world you might consider DogTag
 (http://pki.fedoraproject.org/wiki/PKI_Main_Page), this is the same
 certificate management system used by the DoD (Dept of Defense) and other
 high profile organizations which Red Hat has generously made available as
 open source after it's acquisition from Netscape.

Thanks for this resource.

 Note that DogTag supports Auto-Enrollment Proxy (AEP) for Windows, which
 allows users and computers in a Microsoft Windows domain to automatically
 enroll for certificates issued from Certificate System.

 Of course if you don't want to deal with the complexity of certificate based
 authentication you could just use passwords. Passwords are much less secure,
 but much simpler.

Yes but then we're back to the problem of a user just providing domain
credentials to gain port access. I can imagine a student downloading
secure-w2 or similar and providing domain credentials to get access
for their laptop.

Thanks again John. I appreciate your insights.

John


Re: TTLS to require client cert

2009-07-15 Thread Petar Marinkovic
Yes, it does, but something isn't working; it is just not checking the
client certificate.

On 07/15/2009, Ivan Kalik t...@kalik.net wrote:
 Hi all, I need help once again. I want TTLS to require client cert. I put
 EAP-TLS-Require-client-cert = YES in ttls { part of eap.conf but it's not
 working. What I am doing wrong here?

 What isn't working? Freeradius can request a certificate - does your
 supplicant support that?



radius.log permissions issue

2009-07-15 Thread Philip Molter
With freeradius 2.1.6, I have a configuration such as this in my 
radiusd.conf file:


user = radiusd
group = radiusd

When I start up radiusd for the first time, the radius.log file gets 
created with 0640 permissions, owned by root:radiusd, instead of 
radiusd:radiusd.  This doesn't prevent the RADIUS process from working, 
but it does prevent any useful information from being logged.


Is this a known bug?  Is there a workaround other than creating the file 
by hand and setting its ownership before starting freeradius?


Philip


question about freeradius vs AA(ldap) and A(mysql)

2009-07-15 Thread Tony P.
Hi, I have a freeradius server on Debian Etch,

FreeRADIUS Version 1.1.3, doing Accounting with a MySQL radius DB.

I want a new way to authenticate my users so as not to have 2 separate
password databases... so I need auth via LDAP and accounting into MySQL.

I tested authorization + authentication with LDAP while continuing to do
Accounting into MySQL... and it works, but just in basic mode.

My question is how can I move the usergroup, radgroupcheck and radgroupreply
tables into LDAP for the authorization-authentication step, with more options to
check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc.?

And for the freeradius schema in LDAP, I loaded the schema, but when I try to add
a new attribute to a user like (option in radiusd.conf)
access_attr = dialupAccess, what do I type in the value? I just know it is a
string from the schema explanation but don't know exactly what that string is.

Can anyone help me?

Thanks and regards, and sorry for my English

Tony




Re: question about freeradius vs AA(ldap) and A(mysql)

2009-07-15 Thread Tony P.
OK, I found this

http://freeradius.org/radiusd/doc/ldap_howto.txt

I guess I have a lot of stuff to read and to try for my problem; anyway I can
read more solutions to solve my trouble in a fast way and a short time.

Regards again.

Tony
