Re: Freeradius and winbind problem
Hi,

No, I don't have SELinux on this server.

Jean-Hubert Monlord

Alan Buxey wrote:
>> Hi,
>>
>> Thank you for your reply. I tested with two hardware (Acer and Dell) and I have reinstalled the OS. I work with the windows supplicant. I don't see what can do that. I think it is the server, maybe winbind/samba or freeradius, because I need to restart these two daemons for going to the end of the challenge. Anyone have another idea?
>
> have you got eg SELinux running? (this could quite easily break daemon to daemon stuff)
>
> alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Request for opinion - central admin user server LDAP+FreeRADIUS
Hi,

> Look at TACACS/TACACS+. Most devices support this. You will need a
> TACACS server which authenticates off a RADIUS server.
>
> For others it is up to the software to implement a TACACS or direct RADIUS.
> Most gear supports direct RADIUS just fine.

TACACS+ is a proprietary protocol and personally I have had the impression that it's dying a long death. The *only* merit it has is on Cisco devices (Cisco is the inventor of TACACS+): you can configure a feature called "command authorisation" in Cisco gear, so that the device checks back every single command a user enters in an interactive session. It could also be done with a RADIUS attribute, but Cisco decided to explicitly un-implement this single feature to make TACACS+ superior over RADIUS for that one feature.

If you never heard of nor care about Cisco's command authorization, RADIUS should be the way to go.

Stefan Winter

> Andres Kaaber wrote:
>
>> Hello all
>>
>> I'm assigned with a project to make a central admin user database for all kind of servers / devices you can imagine (routers, switches, firewalls, linux servers, windows servers, databases, etc.). The point is that when a new employee arrives you just make him a user in this database, maybe check which type of devices he can and all the devices are configured to authenticate users against this db. We have over 200 switches alone in our company so making user accounts in every single one of them and when this dude leaves to disable all of them is huge (or impossible) work.
>>
>> So I thought a linux server LDAP+FreeRADIUS for authentication sounds quick, easy and good solution, or not? There is no problem with servers, Linux and Windows servers can authenticate against radius. Most popular DBs can do this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and routers but as far I found in google there should be no problems, the same goes for juniper devices.
>>
>> So what do you think? Or maybe you know a free software solution for this kind of problem already? Sun identity management is one that i checked out but it seems too bloated and complicated. So what are your thoughts?

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Patch to update the default CA certificates to use SHA1 instead of MD5
Ah, I never considered that other people's gear (besides my own) wouldn't support SHA1. Would you consider then the following patch to the README file so that people can make an informed decision? --- README.orig2009-08-09 18:31:53.0 -0500 +++ README2009-08-09 18:42:06.0 -0500 
@@ -200,3 +200,17 @@ - Someone needs to ask Microsoft to please stop making life hard for their customers. + +SECURITY CONSIDERATIONS + +The default certificate configuration files specify the use of the +MD5/RSA signature algorithm to maintain compatibility with network +equipment that only supports this algorithm. + +MD5/RSA has known weaknesses and is discouraged in favor of SHA1/RSA +(see http://www.kb.cert.org/vuls/id/836068 for details). If your +network equipment supports the SHA1/RSA signature algorithm, it is +recommended that you change the configuration files to specify the use +of SHA1/RSA for the certificates. To do this, change the 'default_md' +entry in the ca.cnf/server.cnf/client.cnf files from 'md5' to 'sha1'. + On Sun, Aug 9, 2009 at 8:47 AM, Alan T DeKok wrote: > Walter Goulet wrote: > > While I was building a version of FreeRADIUS 2.1.6 from source I was > > testing the certificates that are created using the certs makefile. I > > noticed that the CA certs (as well as server and client certs) use the > > default OpenSSL md5rsa signature algorithm. From the recently announced > > vulnerabilities against certs using this signature algorithm > > (http://www.kb.cert.org/vuls/id/836068), it would be better if these > > certificates used the sha1rsa signature algorithm instead. > > Except a lot of systems still don't support certificates with SHA1 > hashes. We had made that change a while ago, and it caused problems. > So we changed it back. > > It's easier to leave it as MD5. If people need SHA1 for security, > they can edit the files and create better certificates. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
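Review bot: the added SECURITY CONSIDERATIONS text tells readers to change the 'default_md' entry from 'md5' to 'sha1' in ca.cnf/server.cnf/client.cnf, but does not say that this only affects certificates generated after the edit, so a site that has already run the certs makefile keeps its MD5-signed CA, server and client certificates. Suggest adding, after "from 'md5' to 'sha1'.", a sentence saying that any previously generated certificates must be regenerated with the makefile and redistributed to the supplicants, and, since the same paragraph notes that some network equipment only supports MD5/RSA, that the regenerated certificates should be tested against the deployed equipment before the old ones are retired.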
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Michael Bryant wrote:
> Attached is the debug output from a ubuntu package of 2.1.0, with the
> default config (I didn't see a 2.1.0 tarball on the site)
>
> Also attached is the debug output from the 2.1.6 install (tarball from
> site), again with the default config.
>
> As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it
> doesn't.

Ok. I've pushed a fix into git.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Attached is the debug output from a ubuntu package of 2.1.0, with the default config (I didn't see a 2.1.0 tarball on the site)

Also attached is the debug output from the 2.1.6 install (tarball from site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it doesn't.

--Mike

On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
> Michael Bryant wrote:
>>> You get the same error in 2.1.0, or the configuration which worked in
>>> 2.1.0 doesn't work in 2.1.6?
>>
>> My customized vmps server section works in 2.1.0.
>
> Except that debug mode prints out what it is processing. And it's not
> printing out anything in 2.1.6. That may be the source of the problem.
>
> What does debug mode show for 2.1.0?
>
>> Output with 2.1.0:
>> Vlan: please_use_real_vlan_here
>> MAC Address: 123412341234
>> Status: ALLOW
>
> Is that the debug output... or something else?
>
>> With 2.1.6:
>> Ready to process requests.
>
> Which looks to be the debug output.
>
> Compare apples to apples.
>
> Alan DeKok.

FreeRADIUS Version 2.1.0, for host i486-pc-linux-gnu, built on Oct 9 2008 at 13:24:33
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: Patch to update the default CA certificates to use SHA1 instead of MD5
Walter Goulet wrote:
> While I was building a version of FreeRADIUS 2.1.6 from source I was
> testing the certificates that are created using the certs makefile. I
> noticed that the CA certs (as well as server and client certs) use the
> default OpenSSL md5rsa signature algorithm. From the recently announced
> vulnerabilities against certs using this signature algorithm
> (http://www.kb.cert.org/vuls/id/836068), it would be better if these
> certificates used the sha1rsa signature algorithm instead.

Except a lot of systems still don't support certificates with SHA1 hashes. We had made that change a while ago, and it caused problems. So we changed it back.

It's easier to leave it as MD5. If people need SHA1 for security, they can edit the files and create better certificates.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
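The check below is an added example, not code from this thread or from the FreeRADIUS project: it reads a certificate as the certs makefile writes it (PEM, or raw DER) and reports whether the outer signatureAlgorithm is the md5WithRSAEncryption OID the thread is about, so a site can confirm what its generated CA, server and client certificates actually carry after editing default_md. The DER walk, the PEM handling and the two OID-to-name entries are the block's own; the certificates it is exercised on are constructed inside the block (dummy tbsCertificate contents, real algorithm OIDs).

```python
import base64, re

# RFC 3279 names for the two signature algorithms discussed in the thread
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count that follows
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def load_cert_bytes(data):
    """Accept PEM (what the certs makefile writes) or raw DER; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of a DER X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)              # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def check_cert(data):
    """Return (algorithm name or raw OID, is_weak) for a PEM or DER certificate."""
    oid = signature_algorithm(load_cert_bytes(data))
    name = SIG_ALG_OIDS.get(oid, oid)
    return name, name == "md5WithRSAEncryption"

# Constructed sample input: NOT real certificates; only the outer Certificate layout is faithful.
def _tlv(tag, value):
    n = len(value)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return out

def toy_cert_pem(sig_oid):
    """PEM-armoured toy certificate whose signatureAlgorithm names sig_oid."""
    tbs = _tlv(0x30, b"\x00" * 200)                  # >127 bytes, so long-form length is exercised
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)          # BIT STRING with a dummy value
    body = base64.b64encode(_tlv(0x30, tbs + alg + sig))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"
```

On a real deployment, pass the contents of ca.pem, server.pem and client.pem to check_cert; an unknown algorithm is reported as its raw OID rather than guessed.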
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Michael Bryant wrote:
>> You get the same error in 2.1.0, or the configuration which worked in
>> 2.1.0 doesn't work in 2.1.6?
>
> My customized vmps server section works in 2.1.0.

Except that debug mode prints out what it is processing. And it's not printing out anything in 2.1.6. That may be the source of the problem.

What does debug mode show for 2.1.0?

> Output with 2.1.0:
> Vlan: please_use_real_vlan_here
> MAC Address: 123412341234
> Status: ALLOW

Is that the debug output... or something else?

> With 2.1.6:
> Ready to process requests.

Which looks to be the debug output.

Compare apples to apples.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Request for opinion - central admin user server LDAP+FreeRADIUS
Look at TACACS/TACACS+. Most devices support this. You will need a TACACS server which authenticates off a RADIUS server.

For others it is up to the software to implement a TACACS or direct RADIUS.

Andres Kaaber wrote:
> Hello all
>
> I'm assigned with a project to make a central admin user database for all kind of servers / devices you can imagine (routers, switches, firewalls, linux servers, windows servers, databases, etc.). The point is that when a new employee arrives you just make him a user in this database, maybe check which type of devices he can and all the devices are configured to authenticate users against this db. We have over 200 switches alone in our company so making user accounts in every single one of them and when this dude leaves to disable all of them is huge (or impossible) work.
>
> So I thought a linux server LDAP+FreeRADIUS for authentication sounds quick, easy and good solution, or not? There is no problem with servers, Linux and Windows servers can authenticate against radius. Most popular DBs can do this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and routers but as far I found in google there should be no problems, the same goes for juniper devices.
>
> So what do you think? Or maybe you know a free software solution for this kind of problem already? Sun identity management is one that i checked out but it seems too bloated and complicated. So what are your thoughts?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Request for opinion - central admin user server LDAP+FreeRADIUS
Hello all

I'm assigned with a project to make a central admin user database for all kind of servers / devices you can imagine (routers, switches, firewalls, linux servers, windows servers, databases, etc.). The point is that when a new employee arrives you just make him a user in this database, maybe check which type of devices he can and all the devices are configured to authenticate users against this db. We have over 200 switches alone in our company so making user accounts in every single one of them and when this dude leaves to disable all of them is huge (or impossible) work.

So I thought a linux server LDAP+FreeRADIUS for authentication sounds quick, easy and good solution, or not? There is no problem with servers, Linux and Windows servers can authenticate against radius. Most popular DBs can do this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and routers but as far I found in google there should be no problems, the same goes for juniper devices.

So what do you think? Or maybe you know a free software solution for this kind of problem already? Sun identity management is one that i checked out but it seems too bloated and complicated. So what are your thoughts?

--
Andres Kaaber

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-Users Digest, Vol 52, Issue 45
Thank you for your message. I am away until August 7th. I will respond to your message on my return. For urgent matters, please contact helpd...@stgeorges.bc.ca.

Cheers,
Gilbert Lo

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
> You get the same error in 2.1.0, or the configuration which worked in
> 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0. Trying to use the same customized configuration in 2.1.6 gives the error.

Using the default configuration - the VMPS-VLAN-Name = "please_use_real_vlan_here" one - works in 2.1.0. In 2.1.6, it returns the error.

> Which shows that absolutely nothing is happening in the VMPS server.
>
> Is there anything at all in the VMPS server?

Yes, the part to pull the mac address out of the ethernet frame, putting it in the vmps-cookie, updating the reply with the vlan name / packet-type - the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to enable the vmps server (linked the vmps file into sites-enabled), and i'm getting the same error.

Output with 2.1.0:
Vlan: please_use_real_vlan_here
MAC Address: 123412341234
Status: ALLOW

With 2.1.6:
Ready to process requests.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 127.0.0.1
VMPS-Port-Name = "Fa0/1"
VMPS-VLAN-Name = ""
VMPS-Domain-Name = ""
VMPS-Unknown = 0x00
VMPS-MAC = 12:34:12:34:12:34
server vmps {
  Doing VMPS
  Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Finished request 0.

Full 2.1.6 log attached

Cheers
--Mike

FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on Aug 9 2009 at 10:01:26
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet
Michael Bryant wrote:
> Using a customised sites-enabled/vmps file, pulling data from postgresql, which
> was working in 2.1.0, I get the same error.

You get the same error in 2.1.0, or the configuration which worked in 2.1.0 doesn't work in 2.1.6?

...

> server vmps {
>   Doing VMPS
>   Done VMPS
> } # server vmps

Which shows that absolutely nothing is happening in the VMPS server.

Is there anything at all in the VMPS server?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html