Re: wpa2-psk and radiusd possible?

2009-07-16 Thread Stefan Winter
Hi,

 Is there a way to have different PSK's for every MAC? I bet, it is
 not a job for radius and maybe a complete wrong concept?
   

Your bet is correct: WPAx-PSK does not consult a RADIUS server at all.
One PSK is for the whole SSID, there is not usually a PSK-per-user. So
how did you do that with hostap; have one SSID for every MAC, and one
PSK associated to it?

If you want individual keys per client, WPAx-Enterprise with 802.1X
authentication is the commodity way. If your users get confused with the
certs, either create a pre-configured site deployment of your supplicant
which sets stuff up for them (exists for many supplicants) or educate
your users until they get it.

Greetings,

Another Stefan

 best regards

 stefan

 PS: sorry for bad english ;-)
   
 

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Info regarding Radius and Ipv6

2009-07-16 Thread Vamsi Krishna Valiveti
Hi ,
Please let me know

1) Whether a Radius Server (Linux / Windows) is available with IPv6
support.
2) Whether a Radius Server is available which listens on an IPv6 address.

Rgds,
Vamsi





Re: Info regarding Radius and Ipv6

2009-07-16 Thread Michael Schwartzkopff
On Thursday, 16 July 2009 09:57:44, Vamsi Krishna Valiveti wrote:
 Hi ,
 Please let me know

 1) Whether a Radius Server (Linux / Windows) is available with IPv6
 support.
 2) Whether a Radius Server is available which listens on an IPv6 address.

 Rgds,
 Vamsi

Google freeradius ipv6 gives:
http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ#Does_FreeRADIUS_Support_IPv6.3F

RTFM!

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42


Re: make install without messing with previous configuration?

2009-07-16 Thread A . L . M . Buxey
hi,

if you really want to do this

cp -R /etc/raddb /etc/raddb.old
make install
rm -rf /etc/raddb
cp -R /etc/raddb.old /etc/raddb


but you then lose 'sight' of new virtual servers, new config options etc
and slowly but surely this will bite you (in my case a while back the
logging config of the server changed and things b0rked nicely)


far better to have a detailed overview or diff of your changes and
then

cp -R /etc/raddb /etc/raddb.old
make install
{edit the /etc/raddb file as required...easily putting in files by copying from
their backed up location}

done!



alan


Re: ./configure

2009-07-16 Thread A . L . M . Buxey
hi,

those WARNINGs that ./configure prints out - do you *CARE* about
any of the functions that are being warned about? i.e. do you want to
use MySQL support? do you want to do EAP methods? (if so, you'll
need OpenSSL), do you want to do any simultaneous usage checking? etc

if you DO need any of these things, then you'll need to install
the appropriate development libraries for those packages.

other than that, it all looks normal

alan


Re: radius.log permissions issue

2009-07-16 Thread A . L . M . Buxey
Hi,

 Is this a known bug?  Is there a workaround other than creating the file  
 by hand and setting its ownership before starting freeradius?

?? how are you starting this server  - the file/directory should be 
radiusd:radiusd
and when run it will do the 'correct thing' 

alan


Re: Info regarding Radius and Ipv6

2009-07-16 Thread A . L . M . Buxey
Hi,

 1) Whether a Radius Server (Linux / Windows) is available with IPv6
 support.
 2) Whether a Radius Server is available which listens on an IPv6 address.

FreeRADIUS works fine with IPv6 thanks - both responding and listening to RADIUS
on the IPv6 stack.

alan


Re: question about freeradius vs AA(ldap) and A(mysql)

2009-07-16 Thread Ivan Kalik
 My question is how can i change the usergroup, radgroupcheck,
 radgroupreply,
 tables into Ldap to authorization-authentication step, with more options
 to
 check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc
 etc???

Place user into a group in ldap and use Ldap-Group to check membership.
You need users file/unlang entry for checking and replying with group
specific attributes.

 And in the schema of freeradius into Ldap, i load scheme but when i try to
 add
 new attribute to user like (option in the radiusd.conf)
 access_attr = dialupAccess what i type in the value??

true/false

Ivan Kalik
Kalik Informatika ISP



radtest for accounting

2009-07-16 Thread Rakotomandimby Mihamina

Hi all,
radtest allows me to basically test an account (login, pass, ...).
I would like to test the logout process now:
what radtest friend is the one to use?

Thank you.

PS: I need it because at logout I have to process the remaining credit of the 
user.

--
IT Architect:
   System Administration, Research & Development
  + 261 32 11 401 65
Think of the environment before printing this message


Re: radtest for accounting

2009-07-16 Thread Ivan Kalik
 radtest allows me to basically test an account (login, pass, ...).
 I would like to test the logout process now:
 what radtest friend is the one to use?

Radclient.

Ivan Kalik
Kalik Informatika ISP



Re: radius.log permissions issue

2009-07-16 Thread Philip Molter


On Jul 16, 2009, at 4:03 AM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

  Is this a known bug?  Is there a workaround other than creating the
  file by hand and setting its ownership before starting freeradius?

 ?? how are you starting this server  - the file/directory should be
 radiusd:radiusd
 and when run it will do the 'correct thing'

/usr/sbin/radiusd -d /etc/raddb as user root.  As posted before, the
config file has directives to switch to user radiusd and group radiusd

The directory has the proper permissions, but the radius.log file
doesn't exist.  When the radiusd program starts up, it creates the
radius.log file in the proper directory, but the file has 0640
permissions owned by user root, group radiusd.

I know that it SHOULD BE radiusd:radiusd.  It is not doing the
correct thing.


Re: How to reject when a user logs in without realm?

2009-07-16 Thread Navin

At 08:00 PM 7/15/2009, you wrote:

Hope you are referring to
 realm freescale.com {
type= radius
authhost= LOCAL
accthost= LOCAL

 present in the radiusd.conf file. removed it.  Restarted the freeradius
 server.

 The user file contains
 na...@freescale.com Cleartext-Password := navin123

 Even then when tested with radtest tool , the users navin 
 na...@freescale.com
 are both getting authenticated. I would prefer only
 na...@freescale.com get authenticated
 and user navin should get rejected.

There is something else there then as well. Post the debug for navin. You
can probably safely disable suffix as well. But lets first see what is
stripping the username. There is nothing in the default configuration that
does that.


Navin wrote:
   Thanks for suggesting the debug option. What was probably happening was
that the users file by default is configured to look into the unix password
database (/etc/passwd), and it so happens that my machine has the same user
and password as the radius access request info.
Hence the login for navin as well as na...@freescale.com was getting
authenticated.

users file snippet of unix password database:

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
        Fall-Through = 1

The debug option helped to see that i was hitting the above lines 
when i logged in as navin.


Thanks.

have a nice day,
navin


Ivan Kalik
Kalik Informatika ISP






Re: How to reject when a user logs in without realm?

2009-07-16 Thread Ivan Kalik
 users file snippet of unix password database:

 #
 # First setup all accounts to be checked against the UNIX /etc/passwd.
 # (Unless a password was already given earlier in this file).
 #
 DEFAULT Auth-Type = System
  Fall-Through = 1

 The debug option helped to see that i was hitting the above lines
 when i logged in as navin.

Yes, that is enabled by default in 1.x. It is commented out by default in
2.x.

Ivan Kalik
Kalik Informatika ISP



Re: radius.log permissions issue

2009-07-16 Thread John Dennis

On 07/16/2009 08:12 AM, Philip Molter wrote:

 On Jul 16, 2009, at 4:03 AM, a.l.m.bu...@lboro.ac.uk wrote:

  Hi,

   Is this a known bug? Is there a workaround other than creating the file
   by hand and setting its ownership before starting freeradius?

  ?? how are you starting this server - the file/directory should be
  radiusd:radiusd
  and when run it will do the 'correct thing'

 /usr/sbin/radiusd -d /etc/raddb as user root. As posted before, the
 config file has directives to switch to user radiusd and group radiusd

 The directory has the proper permissions, but the radius.log file
 doesn't exist. When the radiusd program starts up, it creates the
 radius.log file in the proper directory, but the file has 0640
 permissions owned by user root, group radiusd.


FWIW, in our RPM's we force the creation of the radius.log file with 
ownership radiusd:radiusd at installation time before the server even runs.


If you don't force the creation of the file with the right ownership 
then I think the issue revolves around when a log message is first 
emitted. The log file gets created the first time a log message is 
emitted. The server starts as root. During its initialization phase it 
raises and lowers its operating permissions between the root and 
radiusd user identity via the fr_suid_up() and fr_suid_down() calls. 
When it gets ready to process events it settles down to radiusd via 
fr_suid_down_permanent().


If the first log message occurs when the server is in a fr_suid_up() 
mode (e.g. running as root instead of as radiusd) then you'll get the 
behavior you've seen.


The code paths are way too complicated for static analysis to see if and 
when a log message might be emitted while the server is in a high privilege 
mode. It does seem like it might happen if you start the server in debug 
mode because the server is much more verbose.


There are various strategies to assure the newly created log file has 
the right ownership:


* drop privileges prior to calling fopen()
* call chown() after fclose() at the exit of the logging call.
* pre-create the file if necessary very early during start up.

I think the latter is preferable as it avoids the expense of setting or 
checking for the right ownership for every log message emitted (ouch).


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: radius.log permissions issue

2009-07-16 Thread Philip Molter

John Dennis wrote:
 FWIW, in our RPM's we force the creation of the radius.log file with
 ownership radiusd:radiusd at installation time before the server even runs.

 If you don't force the creation of the file with the right ownership
 then I think the issue revolves around when a log message is first
 emitted. The log file gets created the first time a log message is
 emitted. The server starts as root. During its initialization phase it
 raises and lowers its operating permissions between the root and
 radiusd user identity via the fr_suid_up() and fr_suid_down() calls.
 When it gets ready to process events it settles down to radiusd via
 fr_suid_down_permanent().


The problem is commit 047fe5ca74e3de2c7f32f98154d6655c0cfd7181.

Before this commit, in switch_users(), permissions were unconditionally 
dropped if a user setting was specified, and the 'did_setuid' boolean 
was set no matter what if setuid capability was even possible (i.e. even 
if a user name wasn't specified, did_setuid was set to true).

After this commit, the permission drop was abstracted into 
fr_suid_down(), which checks did_setuid before it does anything.  Since 
did_setuid isn't set, fr_suid_down() doesn't do anything.  After that 
call, did_setuid is set to TRUE, so future calls to fr_suid_down() work 
as expected, but all of the time spent between the code there and the 
code in listen.c is run as root, including a check to see if the 
directory is writable that immediately follows setuid in switch_users().
Previous to that commit, that wasn't the behavior.


Basically, that code is the problem.  I'll try to submit a patch later 
today that fixes the problem.


Yes, if an error occurs, there are log messages that get generated 
before suid operations, but as far as I can tell, they're related to 
fatal errors or debug messages.


 There are various strategies to assure the newly created log file has
 the right ownership:

 * drop privileges prior to calling fopen()
 * call chown() after fclose() at the exit of the logging call.
 * pre-create the file if necessary very early during start up.

 I think the latter is preferable as it avoids the expense of setting or
 checking for the right ownership for every log message emitted (ouch).


The latter is basically what happens, because in switch_users(), the 
daemon tries to make sure it can write to the file as the user it is. 
If the file exists, it's a simple append.  If the file doesn't exist, it 
creates it.  If it can't write, it bails.  Like I said, it just isn't 
the user it thinks it is when this is called (mainconfig.c:629, version 
2.1.6).


Philip
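The third strategy in the list above (pre-create the log file with the right ownership while still privileged, then drop privileges for good) as an added example; this is not FreeRADIUS code, the function names resolve_account, precreate_logfile and drop_privileges_permanently are hypothetical, and it assumes a POSIX system. The demo at the end uses the caller's own uid/gid so it also runs unprivileged.

```c
/* Added example (not FreeRADIUS code): pre-create the log file with the
 * intended ownership while still privileged, then drop privileges for good.
 * Function names are hypothetical; assumes a POSIX system. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* platform without it: no symlink refusal available */
#endif

/* Resolve account names (e.g. "radiusd", "radiusd") to ids; -1 if unknown. */
int resolve_account(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = gr->gr_gid;
    return 0;
}

/* Create (or reopen) the log file as uid:gid with mode 0640 before any
 * privilege switching. Once the file exists it no longer matters which
 * identity the server has when the first message is logged: an O_APPEND
 * open neither creates the file nor changes its owner. O_NOFOLLOW refuses
 * a symlink planted at the path, and fchown()/fchmod() act on the open
 * descriptor rather than on a path that could be swapped underneath us. */
int precreate_logfile(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0640);
    if (fd < 0) return -1;
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, 0640) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* 1 if path is a regular file owned by uid:gid with mode exactly 0640. */
int logfile_ownership_ok(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISREG(st.st_mode)) return 0;
    return st.st_uid == uid && st.st_gid == gid && (st.st_mode & 07777) == 0640;
}

/* Unconditional, permanent drop: group first (setgid needs root), then
 * user, then verify. No "did we already switch?" flag is consulted, so the
 * call cannot silently become a no-op the way the thread describes. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getegid() != gid || geteuid() != uid) return -1;
    /* After dropping to a non-root uid, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run the whole start-up order against a temporary file, using the caller's
 * own ids so it also works unprivileged. Returns 0 on success. */
int demo_startup_sequence(void)
{
    char path[64];
    uid_t uid = getuid();
    gid_t gid = getgid();
    snprintf(path, sizeof path, "/tmp/radius.log.example.%ld", (long)getpid());
    unlink(path);                              /* start from a clean slate */
    if (precreate_logfile(path, uid, gid) < 0) return -1;
    if (!logfile_ownership_ok(path, uid, gid)) return -1;
    if (drop_privileges_permanently(uid, gid) < 0) return -1;
    /* The first "log message" now appends to an existing, correctly owned file. */
    FILE *log = fopen(path, "a");
    if (log == NULL) return -1;
    fputs("Info: Ready to process requests.\n", log);
    fclose(log);
    int ok = logfile_ownership_ok(path, uid, gid);
    unlink(path);
    return ok ? 0 : -1;
}

int main(void)
{
    int rc = demo_startup_sequence();
    printf("start-up sequence %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```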


radiusd start problem

2009-07-16 Thread K bharathan
I'm a newbie to freeradius
installed freeradius server 2.1 on opensuse 11.1
when I run radiusd -X I get the following error:

unable to write 'random state'
dh: Permission denied
make: *** [dh] Error 1
Exec-Program output: openssl dhparam -out dh 1024
Exec-Program-Wait: plaintext: openssl dhparam -out dh 1024
Exec-Program: returned: 2
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate
section.
 }
}
the rights for radiusd are as follows:
drwxr-x---   7 root radiusd  4096 Jul 16 18:10 .
drwxr-xr-x 107 root root    12288 Jul 16 18:18 ..
-rw-r-----   1 root radiusd   671 Dec  3  2008 acct_users
-rw-r-----   1 root radiusd  4174 Dec  3  2008 attrs
-rw-r-----   1 root radiusd   458 Dec  3  2008 attrs.access_reject
-rw-r-----   1 root radiusd   437 Dec  3  2008 attrs.accounting_response
-rw-r-----   1 root radiusd  2022 Dec  3  2008 attrs.pre-proxy
drwxr-x---   2 root radiusd  4096 Jul 16 18:10 certs
-rw-r-----   1 root radiusd  6462 Dec  3  2008 clients.conf
-rw-r-----   1 root radiusd   877 Dec  3  2008 dictionary
-rw-r-----   1 root radiusd 14903 Dec  3  2008 eap.conf
-r-xr-xr-x   1 root radiusd 14898 Jul 16 17:38 eap.conf.rpmsave
-rw-r-----   1 root radiusd  4609 Dec  3  2008 example.pl
-rw-r-----   1 root radiusd 14479 Dec  3  2008 experimental.conf
-rw-r-----   1 root radiusd  2352 Dec  3  2008 hints
-rw-r-----   1 root radiusd  1604 Dec  3  2008 huntgroups
-rw-r-----   1 root radiusd  3017 Dec  3  2008 ldap.attrmap
drwxr-x---   2 root radiusd  4096 Jul 16 18:10 modules
-rw-r-----   1 root radiusd  3357 Dec  3  2008 otp.conf
-rw-r-----   1 root radiusd  1154 Dec  3  2008 policy.conf
-rw-r-----   1 root radiusd  4873 Dec  3  2008 policy.txt
-rw-r-----   1 root radiusd   984 Dec  3  2008 preproxy_users
-rw-r-----   1 root radiusd 22839 Dec  3  2008 proxy.conf
-rw-r-----   1 root radiusd 26077 Dec  3  2008 radiusd.conf
drwxr-x---   2 root radiusd  4096 Jul 16 18:10 sites-available
drwxr-x---   2 root radiusd  4096 Jul 16 18:10 sites-enabled
drwxr-x---   6 root radiusd  4096 Jul 16 18:10 sql
-rw-r-----   1 root radiusd  2499 Dec  3  2008 sql.conf
-rw-r-----   1 root radiusd  1933 Dec  3  2008 sqlippool.conf
-rw-r-----   1 root radiusd  3450 Dec  3  2008 templates.conf
-rw-r-----   1 root radiusd  6524 Dec  3  2008 users

guidance appreciated

Re: radiusd start problem

2009-07-16 Thread A . L . M . Buxey
Hi,
 I'm a newbie to freeradius
 installed freeradius server 2.1 on opensuse 11.1
 when I run radiusd -X I get the following error:

ensure that your chosen radiusd user can write to your radius
config directory.

bluntly this would be eg

chown -R radiusd:radiusd /etc/raddb    (with a basic/standard install)

alan


Re: radius.log permissions issue

2009-07-16 Thread Philip Molter

John Dennis wrote:
 There are various strategies to assure the newly created log file has
 the right ownership:

 * drop privileges prior to calling fopen()
 * call chown() after fclose() at the exit of the logging call.
 * pre-create the file if necessary very early during start up.

 I think the latter is preferable as it avoids the expense of setting or
 checking for the right ownership for every log message emitted (ouch).


Attached is a patch that fixes the issue.  Given the way that freeradius 
checks for the ability to write to the logfile, it should perform like 
the latter (in my testing, it does exactly that).


The patch does a couple of things:

1) properly handles setuid changes in early configuration times
2) enables fr_suid_down/up/down_permanently noop calls so that compile 
works when HAVE_SETUID is not defined


Philip
diff -urNp a/src/main/mainconfig.c b/src/main/mainconfig.c
--- a/src/main/mainconfig.c 2009-05-18 06:13:55.0 -0500
+++ b/src/main/mainconfig.c 2009-07-16 10:39:34.0 -0500
@@ -78,7 +78,7 @@ static cached_config_t*cs_cache = NULL;
 /*
  * Systems that have set/getresuid also have setuid.
  */
-uid_t server_uid;
+static uid_t server_uid;
 static gid_t server_gid;
 static const char *uid_name = NULL;
 static const char *gid_name = NULL;
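Review bot: making server_uid static (the `-uid_t server_uid;` / `+static uid_t server_uid;` pair) removes its external linkage, so any other translation unit that declared it extern will now fail to link; this diff only touches mainconfig.c, so please confirm with a grep of the tree that nothing else references server_uid and say so in the commit message.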
@@ -413,9 +413,9 @@ static int r_mkdir(const char *part)
 
 
 #ifdef HAVE_SETUID
-int did_setuid = FALSE;
+static int has_setuid = FALSE;
 
-#if defined(HAVE_SETRESUID)  defined (HAVE_GETRESUID)
+#if defined(HAVE_SETRESUID)  defined(HAVE_GETRESUID)
 void fr_suid_up(void)
 {
uid_t ruid, euid, suid;
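Review bot: the same linkage concern applies to replacing the global `int did_setuid` with `static int has_setuid`, and the change to the `#if defined(HAVE_SETRESUID) ... defined(HAVE_GETRESUID)` line is whitespace only, which adds review noise with no functional content; either drop that line from the patch or note it as cosmetic in the commit message.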
@@ -438,7 +438,7 @@ void fr_suid_up(void)
 
 void fr_suid_down(void)
 {
-   if (!did_setuid) return;
+   if (!has_setuid) return;
 
if (setresuid(-1, server_uid, geteuid())  0) {
fprintf(stderr, %s: Failed switching to uid %s: %s\n,
@@ -457,12 +457,7 @@ void fr_suid_down_permanent(void)
 {
uid_t ruid, euid, suid;
 
-   if (!did_setuid) return;
-
-   if (getresuid(ruid, euid, suid)  0) {
-   radlog(L_ERR, Failed getting saved uid's);
-   _exit(1);
-   }
+   if (!has_setuid) return;
 
if (setresuid(server_uid, server_uid, server_uid)  0) {
radlog(L_ERR, Failed in permanent switch to uid %s: %s,
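Review bot: with the getresuid() call before setresuid() removed here, and the one after the switch removed in the next hunk, the declaration `uid_t ruid, euid, suid;` that remains as context in fr_suid_down_permanent() is no longer used by anything and will draw an unused-variable warning; remove it in the same patch. Dropping the pre-switch check is reasonable since setresuid() reports its own failure, but the removal should be mentioned in the commit message so it is not mistaken for an accident.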
@@ -474,13 +469,6 @@ void fr_suid_down_permanent(void)
radlog(L_ERR, Switched to unknown uid);
_exit(1);
}
-
-
-   if (getresuid(ruid, euid, suid)  0) {
-   radlog(L_ERR, Failed getting saved uid's: %s,
-  strerror(errno));
-   _exit(1);
-   }
 }
 #else
 /*
@@ -491,7 +479,7 @@ void fr_suid_up(void)
 }
 void fr_suid_down(void)
 {
-   if (!uid_name) return;
+   if (!has_setuid) return;
 
if (setuid(server_uid)  0) {
fprintf(stderr, %s: Failed switching to uid %s: %s\n,
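Review bot: gating the plain-setuid branch of fr_suid_down() on has_setuid instead of uid_name makes the two branches consistent, but it also means this branch, like the setresuid one, silently does nothing until switch_users() sets the flag, which the later hunk relies on; a one-line comment above `if (!has_setuid) return;` saying where the flag is set would save the next reader from tracing it.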
@@ -502,8 +490,20 @@ void fr_suid_down(void)
 void fr_suid_down_permanent(void)
 {
 }
-#endif
+#endif /* HAVE_SETRESUID  HAVE_GETRESUID */
+#else
+void fr_suid_up(void)
+{
+}
+void fr_suid_down(void)
+{
+}
+void fr_suid_down_permanent(void)
+{
+}
+#endif /* HAVE_SETUID */
 
+#ifdef HAVE_SETUID
 /*
  *  Do chroot, if requested.
  *
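Review bot: the `#ifdef HAVE_SETUID` reopened after the no-op stubs must pair with an `#endif` that lies outside this diff (after switch_users()); please confirm it is there so the file still preprocesses in both configurations. The three empty fr_suid_* stubs also deserve a short comment stating they are intentionally no-ops when the platform has no setuid(), since an empty body otherwise reads like an unfinished edit.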
@@ -609,13 +609,8 @@ static int switch_users(CONF_SECTION *cs
 
 #ifdef HAVE_PWD_H
if (uid_name) {
+   has_setuid = TRUE;
fr_suid_down();
-
-   /*
-*  Now core dumps are disabled on most secure systems.
-*/
-   
-   did_setuid = TRUE;
}
 #endif
 
@@ -657,7 +652,7 @@ static int switch_users(CONF_SECTION *cs
 *  Otherwise, disable core dumps for security.
 *  
 */
-   if (!(debug_flag || allow_core_dumps || did_setuid)) {
+   if (!(debug_flag || allow_core_dumps || has_setuid)) {
 #ifdef HAVE_SYS_RESOURCE_H
struct rlimit no_core;
 
@@ -676,7 +671,7 @@ static int switch_users(CONF_SECTION *cs
 *  running as a daemon, AND core dumps are
 *  allowed, AND we changed UID's.
 */
-   } else if ((debug_flag == 0)  allow_core_dumps  did_setuid) {
+   } else if ((debug_flag == 0)  allow_core_dumps  has_setuid) {
/*
 *  Set the dumpable flag.
 */

Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-16 Thread Nik Alleyne

Hi Guys,
I think this is an excellent tutorial for what he is trying to achieve.
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5
I've used this along with assistance from Ivan and have gotten everything I
wanted to work successfully.
Nik



Quoting Nicolas Boullis nicolas.boul...@ecp.fr:


Hi,

DISCLAIMER: I'm no Windows specialist.

john wrote:


I am having a hard time figuring out how to make this work. Where/how
does the cert get imported. Do I need to make a registry change in
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to make this work? I hope this is the part someone on the list will
have done before and be able to guide me or point me at a howto.


I had a hard time with this as well, and finally succeeded, using
Windows XP.
There are many points that matter:
* You have to edit your registry to add a AuthMode dword key in
  KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
  with value 2.
* You have to load your certificate and private key in the computer's
  personal store. I did that with mmc.exe. Note that loading the
  certificate and private key in a user's personal store and then
  moving them to the computer's store did not work for me.
* Your certificate must have X509v3 Extended Key Usage: TLS Web Client
  Authentication or Windows won't use it.
* The username Windows will use is the name in the certificate with
  host/ prepended.

Note that things are quite different with Windows Vista.

Hope this helps,

--
Nicolas Boullis
Ecole Centrale Paris







Nik


Re: wpa2-psk and radiusd possible?

2009-07-16 Thread Stefan Jensen
Hi,...

On Thursday, 16.07.2009, 08:27 +0200, Stefan Winter wrote:

 Your bet is correct: WPAx-PSK does not consult a RADIUS server at all.
 One PSK is for the whole SSID, there is not usually a PSK-per-user. So

Thanks, I wanted to be sure about that.

 how did you do that with hostap; have one SSID for every MAC, and one
 PSK associated to it?

No, one (1) SSID and for every MAC a different PSK. For that, hostapd
can read a file with pairs of $MAC $PSK.
(option: wpa_psk_file=/path/to/hostapd.wpa_psk)

 If you want individual keys per client, WPAx-Enterprise with 802.1X
 authentication is the commodity way. If your users get confused with the
 certs, either create a pre-configured site deployment of your supplicant
 which sets stuff up for them (exists for many supplicants)

Can you please provide some keywords or maybe links for that? Seems that
I use the wrong search terms, because I found nothing really usable. Thanks!

 or educate
 your users until they get it.

This may be the hardest part.  ;-)

best regards
-- 
Stefan Jensen sjen...@versanet.de



(SOLVED) XP3 EAP-TLS was Re: HELP! EAP-TLS: how can I install a cert on a workstation so that it works for all users

2009-07-16 Thread john
On Thu, Jul 16, 2009 at 8:12 AM, Nicolas Boullisnicolas.boul...@ecp.fr wrote:
 Hi,

 DISCLAIMER: I'm no Windows specialist.

 john wrote:

 I am having a hard time figuring out how to make this work. Where/how
 does the cert get imported. Do I need to make a registry change in
 KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
 to make this work? I hope this is the part someone on the list will
 have done before and be able to guide me or point me at a howto.

 I had a hard time with this as well, and finally succeeded, using
 Windows XP.
 There are many points that matter:
  * You have to edit your registry to add a AuthMode dword key in
   KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
   with value 2.
  * You have to load your certificate and private key in the computer's
   personal store. I did that with mmc.exe. Note that loading the
   certificate and private key in a user's personal store and then
   moving them to the computer's store did not work for me.
  * Your certificate must have X509v3 Extended Key Usage: TLS Web Client
   Authentication or Windows won't use it.
  * The username Windows will use is the name in the certificate with
   host/ prepended.

 Note that things are quite different with Windows Vista.

 Hope this helps,

 --
 Nicolas Boullis
 Ecole Centrale Paris

Thanks for your very thorough answer Nicolas!

The solution you outline works perfectly for wired clients running
Windows XP SP2. However, more digging showed me that my problem was
specific to Windows XP/SP3.

Windows XP/SP3 doesn't use
KEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
to store the value for the AuthMode parameter. Rather it uses an XML
profile which you can export and edit and then re-import. For future
reference for other folks this can be found here:
http://support.microsoft.com/kb/929847

I note that this was mentioned in an earlier post to the list
http://lists.cistron.nl/pipermail/freeradius-users/2009-January/msg00723.html
The author then had an identical problem, however he was trying to
troubleshoot the wireless interface.

Ivan or Alan, the information that Nicolas outlined, plus the caveat
for XP3 clients would be REALLY HELPFUL to have on the wiki. It
doesn't look like just anyone can edit it so would one of you be
willing to add something?

Thanks again to all for the help!

John



Error: Thread 1 failed waiting for semaphore: Invalid argument: Exiting

2009-07-16 Thread Tim Gustafson
Hi,

I've had a FreeRADIUS 2.1.3 server running on FreeBSD 7.1 for a few months now. 
 I logged in today to add a new group to my users file, and then re-started the 
RADIUS daemon.  After re-starting, I'm getting this in my error log:

Info: Ready to process requests.
Error: Thread 1 failed waiting for semaphore: Invalid argument: Exiting 
Error: Thread 2 failed waiting for semaphore: Invalid argument: Exiting 
Error: Thread 3 failed waiting for semaphore: Invalid argument: Exiting 
Error: Thread 4 failed waiting for semaphore: Invalid argument: Exiting 
Error: Thread 5 failed waiting for semaphore: Invalid argument: Exiting 

When a user tries to log in, the first packet seems to go nowhere, and then the 
second and subsequent packets emit the following error in the log:

Error: Discarding duplicate request from client foo port 65259 - ID: 111 due to 
unfinished request 0

I rebooted the server, but am still getting the same errors.

Any idea what might be causing this?  I'm doing a ports rebuild on the FreeBSD 
box just in case, but I figured I'd ask around a bit.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354



how to get connection with server

2009-07-16 Thread shivashankar

I installed freeradius 2.1.6 on solaris10.

I am unable to start the server. Whenever I type radiusd -X
it says command not found.

please help me