Re: Freeradius and winbind problem

2009-08-09 Thread Jean-Hubert Monlord

Hi,

No, I don't have SELinux on this server.

Jean-Hubert Monlord


Alan Buxey wrote:

>> Hi,
>>
>> Thank you for your reply.
>>
>> I tested with two hardware platforms (Acer and Dell) and I have reinstalled the OS.
>> I work with the Windows supplicant. I don't see what can do that.
>>
>> I think it is the server, maybe winbind/samba or freeradius, because I need to
>> restart these two daemons for going to the end of the challenge.
>>
>> Anyone have another idea?
>
> have you got eg SELinux running? (this could quite easily break daemon to
> daemon stuff)
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Request for opinion - central admin user server LDAP+FreeRADIUS

2009-08-09 Thread Stefan Winter
Hi,

> Look at TACACS/TACACS+. Most devices support this. You will need a
> TACACS server which authenticates off a RADIUS server.
>
> For others, it is up to the software to implement TACACS or direct RADIUS.

Most gear supports direct RADIUS just fine. TACACS+ is a proprietary
protocol and personally I have had the impression that it's dying a long
death. The *only* merit it has is on Cisco devices (Cisco is the
inventor of TACACS+): you can configure a feature called "command
authorisation" in Cisco gear, so that the device checks back every
single command a user enters in an interactive session. It could also be
done with a RADIUS attribute, but Cisco decided to explicitly
un-implement this single one feature to make TACACS+ superior over
RADIUS for that one feature. If you have never heard of nor care about Cisco's
command authorization, RADIUS should be the way to go.

Stefan Winter

> Andres Kaaber wrote:
>> Hello all
>> I'm assigned with a project to make a central admin user database for all kinds
>> of servers / devices you can imagine (routers, switches, firewalls, Linux
>> servers, Windows servers, databases, etc.). The point is that when a new
>> employee arrives you just make him a user in this database, maybe check which
>> type of devices he can and all the devices are configured to authenticate users
>> against this db. We have over 200 switches alone in our company so making user
>> accounts in every single one of them and when this dude leaves to disable all
>> of them is huge (or impossible) work.
>> So I thought a Linux server LDAP+FreeRADIUS for authentication sounds quick,
>> easy and good solution, or not? There is no problem with servers: Linux and
>> Windows servers can authenticate against RADIUS. Most popular DBs can do
>> this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
>> routers but as far as I found in Google there should be no problems; the same goes
>> for Juniper devices.
>> So what do you think? Or maybe you know a free software solution for this kind
>> of problem already? Sun identity management is one that I checked out but it
>> seems too bloated and complicated. So what are your thoughts?


-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: Patch to update the default CA certificates to use SHA1 instead of MD5

2009-08-09 Thread Walter Goulet
Ah, I never considered that other people's gear (besides my own) wouldn't
support SHA1. Would you consider then the following patch to the README file
so that people can make an informed decision?

--- README.orig2009-08-09 18:31:53.0 -0500
+++ README2009-08-09 18:42:06.0 -0500
@@ -200,3 +200,17 @@

   - Someone needs to ask Microsoft to please stop making life hard for
 their customers.
+
+SECURITY CONSIDERATIONS
+
+The default certificate configuration files specify the use of the
+MD5/RSA signature algorithm to maintain compatibility with network
+equipment that only supports this algorithm.
+
+MD5/RSA has known weaknesses and is discouraged in favor of SHA1/RSA
+(see http://www.kb.cert.org/vuls/id/836068 for details). If your
+network equipment supports the SHA1/RSA signature algorithm, it is
+recommended that you change the configuration files to specify the use
+of SHA1/RSA for the certificates. To do this, change the 'default_md'
+entry in the ca.cnf/server.cnf/client.cnf files from 'md5' to 'sha1'.
+
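Review bot: the instruction at the end of the hunk ("change the 'default_md' entry in the ca.cnf/server.cnf/client.cnf files from 'md5' to 'sha1'") only takes effect for certificates generated after the edit, because the signature algorithm is fixed at signing time; the new section should say that the existing CA, server and client certificates must be regenerated with the certs makefile and the new CA certificate redistributed to the clients that trust it. It would also help to tie the recommendation back to the compatibility caveat in the first added paragraph: peers that only support MD5/RSA stop validating the certificates once they are re-issued with SHA1/RSA, so the change should be tried against the oldest equipment in use before the MD5-signed CA is retired.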


On Sun, Aug 9, 2009 at 8:47 AM, Alan T DeKok  wrote:

> Walter Goulet wrote:
> > While I was building a version of FreeRADIUS 2.1.6 from source I was
> > testing the certificates that are created using the certs makefile. I
> > noticed that the CA certs (as well as server and client certs) use the
> > default OpenSSL md5rsa signature algorithm. From the recently announced
> > vulnerabilities against certs using this signature algorithm
> > (http://www.kb.cert.org/vuls/id/836068), it would be better if these
> > certificates used the sha1rsa signature algorithm instead.
>
>  Except a lot of systems still don't support certificates with SHA1
> hashes.  We had made that change a while ago, and it caused problems.
> So we changed it back.
>
>  It's easier to leave it as MD5.  If people need SHA1 for security,
> they can edit the files and create better certificates.
>
>  Alan DeKok.
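An added example, not code from the FreeRADIUS project or from either poster, for checking the point the thread argues about: it reads the signature-algorithm OID out of an X.509 certificate (PEM, as the certs makefile writes them, or DER) with a minimal DER walker, so a directory of CA, server and client certificates can be flagged for md5WithRSAEncryption without depending on an openssl binary. The certificate it builds for itself is a constructed skeleton, not a real certificate.

```python
import base64
import re

# Signature-algorithm OIDs the thread is about (md5WithRSA vs sha1WithRSA).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}
MD5_RSA_OID = bytes.fromhex("2a864886f70d010104")   # DER contents of 1.2.840.113549.1.1.4
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # DER contents of 1.2.840.113549.1.1.5

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = size of length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs two arcs, rest base-128)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)

def load_der(data):
    """Accept PEM (first CERTIFICATE block, as the certs makefile writes) or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    tag, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)        # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)    # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def check(data):
    """Return (oid, algorithm name, is_weak) for one PEM or DER certificate."""
    oid = signature_algorithm(load_der(data))
    name = OID_NAMES.get(oid, "unknown")
    return oid, name, name in WEAK

def _der(tag, content):
    """Encode a DER TLV, switching to the long length form past 127 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(sig_oid, pem=False):
    """Constructed test input, not a real certificate: a dummy TBS padded past
    127 bytes (long length form), the given signature OID, an empty signature."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 200))
    der = _der(0x30, tbs + _der(0x30, _der(0x06, sig_oid) + _der(0x05, b"")) + _der(0x03, b"\x00"))
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Calling check() on the bytes of each file under the certs directory reports the OID, its name and whether it is MD5-based; an OID outside the table comes back as "unknown" rather than being silently treated as safe.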

Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Alan DeKok
Michael Bryant wrote:
> Attached is the debug output from an Ubuntu package of 2.1.0, with the
> default config (I didn't see a 2.1.0 tarball on the site)
> 
> Also attached is the debug output from the 2.1.6 install (tarball from
> site), again with the default config.
> 
> As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it
> doesn't.

  Ok.  I've pushed a fix into git.

  Alan DeKok.


Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant
Attached is the debug output from an Ubuntu package of 2.1.0, with the
default config (I didn't see a 2.1.0 tarball on the site)

Also attached is the debug output from the 2.1.6 install (tarball from
site), again with the default config.

As far as I can tell, in 2.1.0 it finds the vmps section, in 2.1.6 it
doesn't.

--Mike
On Sun, 2009-08-09 at 15:06 +0200, Alan DeKok wrote:
> Michael Bryant wrote:
> >>   You get the same error in 2.1.0, or the configuration which worked in
> >> 2.1.0 doesn't work in 2.1.6?
> > 
> > My customized vmps server section works in 2.1.0.
> 
>   Except that debug mode prints out what it is processing.  And it's not
> printing out anything in 2.1.6.  That may be the source of the problem.
> 
>   What does debug mode show for 2.1.0?
> 
> > Output with 2.1.0:
> > Vlan: please_use_real_vlan_here
> > MAC Address: 123412341234 
> > Status: ALLOW
> 
>   Is that the debug output... or something else?
> 
> > With 2.1.6:
> > Ready to process requests.
> 
>   Which looks to be the debug output.
> 
>   Compare apples to apples.
> 
>   Alan DeKok.

Re: Patch to update the default CA certificates to use SHA1 instead of MD5

2009-08-09 Thread Alan T DeKok
Walter Goulet wrote:
> While I was building a version of FreeRADIUS 2.1.6 from source I was
> testing the certificates that are created using the certs makefile. I
> noticed that the CA certs (as well as server and client certs) use the
> default OpenSSL md5rsa signature algorithm. From the recently announced
> vulnerabilities against certs using this signature algorithm
> (http://www.kb.cert.org/vuls/id/836068), it would be better if these
> certificates used the sha1rsa signature algorithm instead.

 Except a lot of systems still don't support certificates with SHA1
hashes.  We had made that change a while ago, and it caused problems.
So we changed it back.

  It's easier to leave it as MD5.  If people need SHA1 for security,
they can edit the files and create better certificates.

  Alan DeKok.


Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Alan DeKok
Michael Bryant wrote:
>>   You get the same error in 2.1.0, or the configuration which worked in
>> 2.1.0 doesn't work in 2.1.6?
> 
> My customized vmps server section works in 2.1.0.

  Except that debug mode prints out what it is processing.  And it's not
printing out anything in 2.1.6.  That may be the source of the problem.

  What does debug mode show for 2.1.0?

> Output with 2.1.0:
> Vlan: please_use_real_vlan_here
> MAC Address: 123412341234 
> Status: ALLOW

  Is that the debug output... or something else?

> With 2.1.6:
> Ready to process requests.

  Which looks to be the debug output.

  Compare apples to apples.

  Alan DeKok.


Re: Request for opinion - central admin user server LDAP+FreeRADIUS

2009-08-09 Thread Padam J Singh
Look at TACACS/TACACS+. Most devices support this. You will need a
TACACS server which authenticates off a RADIUS server.

For others, it is up to the software to implement TACACS or direct RADIUS.



Andres Kaaber wrote:
> Hello all
> I'm assigned with a project to make a central admin user database for all kinds
> of servers / devices you can imagine (routers, switches, firewalls, Linux
> servers, Windows servers, databases, etc.). The point is that when a new
> employee arrives you just make him a user in this database, maybe check which
> type of devices he can and all the devices are configured to authenticate users
> against this db. We have over 200 switches alone in our company so making user
> accounts in every single one of them and when this dude leaves to disable all
> of them is huge (or impossible) work.
> So I thought a Linux server LDAP+FreeRADIUS for authentication sounds quick,
> easy and good solution, or not? There is no problem with servers: Linux and
> Windows servers can authenticate against RADIUS. Most popular DBs can do
> this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
> routers but as far as I found in Google there should be no problems; the same goes
> for Juniper devices.
> So what do you think? Or maybe you know a free software solution for this kind
> of problem already? Sun identity management is one that I checked out but it
> seems too bloated and complicated. So what are your thoughts?


Request for opinion - central admin user server LDAP+FreeRADIUS

2009-08-09 Thread Andres Kaaber
Hello all
I'm assigned with a project to make a central admin user database for all kinds
of servers / devices you can imagine (routers, switches, firewalls, Linux
servers, Windows servers, databases, etc.). The point is that when a new
employee arrives you just make him a user in this database, maybe check which
type of devices he can and all the devices are configured to authenticate users
against this db. We have over 200 switches alone in our company so making user
accounts in every single one of them and when this dude leaves to disable all
of them is huge (or impossible) work.
So I thought a Linux server LDAP+FreeRADIUS for authentication sounds quick,
easy and good solution, or not? There is no problem with servers: Linux and
Windows servers can authenticate against RADIUS. Most popular DBs can do
this also (Oracle, MySQL, PostgreSQL). I don't know about Cisco switches and
routers but as far as I found in Google there should be no problems; the same goes
for Juniper devices.
So what do you think? Or maybe you know a free software solution for this kind
of problem already? Sun identity management is one that I checked out but it
seems too bloated and complicated. So what are your thoughts?
-- 
Andres Kaaber


Re: Freeradius-Users Digest, Vol 52, Issue 45

2009-08-09 Thread Gilbert Lo
Thank you for your message.  I am away until August 7th.  I will respond
to your message on my return.  For urgent matters, please contact
helpd...@stgeorges.bc.ca.
Cheers,
Gilbert Lo



Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Michael Bryant

>   You get the same error in 2.1.0, or the configuration which worked in
> 2.1.0 doesn't work in 2.1.6?

My customized vmps server section works in 2.1.0.
Trying to use the same customized configuration in 2.1.6 gives the
error.

Using the default configuration (the VMPS-VLAN-Name = "please_use_real_vlan_here"
one) works in 2.1.0.
In 2.1.6, it returns the error.

>   Which shows that absolutely nothing is happening in the VMPS server.
> 
>   Is there anything at all in the VMPS server?
Yes, the part to pull the mac address out of the ethernet frame, putting
it in the vmps-cookie, updating the reply with the vlan name /
packet-type - the default config.

On a clean machine I've just compiled 2.1.6, done minimal editing to
enable the vmps server (linked the vmps file into sites-enabled), and
I'm getting the same error.

Output with 2.1.0:
Vlan: please_use_real_vlan_here
MAC Address: 123412341234 
Status: ALLOW

With 2.1.6:
Ready to process requests.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 4660
VMPS-Client-IP-Address = 127.0.0.1
VMPS-Port-Name = "Fa0/1"
VMPS-VLAN-Name = ""
VMPS-Domain-Name = ""
VMPS-Unknown = 0x00
VMPS-MAC = 12:34:12:34:12:34
server vmps {
Doing VMPS
Done VMPS
} # server vmps
Failed encoding packet: Failed to find VQP-Packet-Type in response
packet 
Finished request 0.

Full 2.1.6 log attached

Cheers
--Mike

Re: VMPS: Failed encoding packet: Failed to find VQP-Packet-Type in response packet

2009-08-09 Thread Alan DeKok
Michael Bryant wrote:
> Using a customised sites-enabled/vmps file, pulling data from postgresql, which
> was working in 2.1.0, I get the same error.

  You get the same error in 2.1.0, or the configuration which worked in
2.1.0 doesn't work in 2.1.6?

...
> server vmps {
> Doing VMPS
> Done VMPS
> } # server vmps

  Which shows that absolutely nothing is happening in the VMPS server.

  Is there anything at all in the VMPS server?

  Alan DeKok.