Upgrade From 1 to 2 - problem with authorize

2009-10-27 Thread Robert White
Hi,

I'm trying to upgrade my setup from freeradius 1 to freeradius 2.

I've been making little changes to the config as suggested in the docs, and I
managed to get my setup connecting to my MSSQL backend. However, when I try
to authorize with a user/pass, I get an error - actually more of a warning.
I've Googled about, but although others have had this error I haven't really
seen a good explanation of why it occurs, let alone how to solve it.

The warning is...

rad_recv: Access-Request packet from host 10.152.0.7 port 20001, id=16,
length=168
NAS-IP-Address = 10.152.0.7
User-Name = 9
User-Password = 9
Service-Type = Login-User
NAS-Port-Type = Async
Calling-Station-Id = 1002
Quintum-h323-conf-id = h323-conf-id=34616537 32353264 62350001
0008
Quintum-AVPair = h323-ivr-out=ACCESSCODE:990006
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = 9, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql]   expand: %{User-Name} - 9
[sql] sql_set_user escaped user -- '9'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('%{SQL-User-Name}') - SELECT [id], UserName,
Attribute, [Value], op FROM dbo.Rad_Authorize_User_Check('9')
query:  SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('9')
WARNING: Found User-Password == 
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!
!!!Replacing User-Password in config items with Cleartext-Password.
!!!
!!!
!!! Please update your configuration so that the known good
!!!
!!! clear text password is in Cleartext-Password, and not in User-Password.
!!!
!!!
+- entering group PAP {...}
[pap] login attempt with password 9
[pap] Using clear text password 9
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [9] (from client 10.152.0.7 port 0 cli 1002)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 16 to 10.152.0.7 port 20001
Finished request 0.


Although the last line there says 'Sending Access-Accept', I do not get
authorized at the NAS end.

Here's how things play out on my old version 1 setup

rad_recv: Access-Request packet from host 10.152.0.7:20001, id=31,
length=168
NAS-IP-Address = 10.152.0.7
User-Name = 9
User-Password = 9
Service-Type = Login-User
NAS-Port-Type = Async
Calling-Station-Id = 1002
Quintum-h323-conf-id = h323-conf-id=34616537 32383034 62640001
0008
Quintum-AVPair = h323-ivr-out=ACCESSCODE:990006
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = 9, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
radius_xlat:  '9'
rlm_sql (sql): sql_set_user escaped user -- '9'
radius_xlat:  'SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('9')'
rlm_sql (sql): Reserving sql socket id: 49
query:  SELECT [id], UserName, Attribute, [Value], op FROM
dbo.Rad_Authorize_User_Check('9')
radius_xlat:  'SELECT * FROM dbo.Rad_Group_Check('9')'
query:  SELECT * FROM dbo.Rad_Group_Check('9')
radius_xlat:  ''
radius_xlat:  'EXEC Rad_Authenticate @username = '9',
@dialstring_from = '1002', @dialstring_to = '', @gw_session_id = '34616537
32383034 62640001 0008', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006',
@gw_ip = '10.152.0.7', @call_origin = '', @gw_name = '' '
query:  EXEC Rad_Authenticate @username = '9', @dialstring_from =
'1002', @dialstring_to = '', @gw_session_id = '34616537 32383034 62640001
0008', @ivr_out = 'h323-ivr-out=ACCESSCODE:990006', @gw_ip =
'10.152.0.7', 

RE: radacct and db handles

2009-10-27 Thread Santiago Balaguer García

The problem is that the 'Reply-Msg' attribute is not recognized by the radius server
because it is a vendor-specific attribute.

Try to find the specific dictionary.
 
 From: adem...@netwizard.com.br
 To: t...@kalik.net; freeradius-users@lists.freeradius.org
 Subject: RE: radacct and db handles
 Date: Fri, 23 Oct 2009 12:34:05 -0200
 
 Hi Ivan,
 
 I ran the server with radiusd -X log and couldn't find the same error in the log.
 The only SQL failure I found is a Msg reply field:
 
 [sql] expand: SELECT id, username, attribute, value, op FROM radrepl
 y WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT
 id, username, attribute, value, op FROM radreply WHERE usern
 ame = 'alexandre' ORDER BY id
 [sql] expand: SELECT groupname FROM radusergroup WHERE use
 rname = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname
 FROM radusergroup WHERE username = 'alexandre' ORDER BY
 priority
 [sql] expand: SELECT id, groupname, attribute, Value, op F
 ROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY
 id - SELECT id, groupname, attribute, Value, op FROM radgro
 upcheck WHERE groupname = 'SUSPENSO' ORDER BY id
 rlm_sql: Failed to create the pair: Invalid octet string Conta Suspensa. 
 Entre
 em contato com o setor financeiro. for attribute name Reply-Msg
 rlm_sql (sql): Error getting data from database
 [sql] Error retrieving check pairs for group SUSPENSO
 [sql] Error processing groups; rejecting user
 rlm_sql (sql): Released sql socket id: 2
 ++[sql] returns fail
 
 -Original Message-
 From: Ivan Kalik [mailto:t...@kalik.net] 
 Sent: Thursday, 22 October 2009 21:22
 To: adem...@netwizard.com.br; FreeRadius users mailing list
 Subject: Re: radacct and db handles
 
  I installed freeradius with daloradius on a FC11 box, everything new.
  After some corrections everything is working, but in radius.log I
  constantly receive the error message below:
  Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
  connect 0
 
  I checked my radius db and radacct table and there are many indexes, and
  nothing I could find is the problem. It only happens when I enable radius
  accounting in SQL.
 
 Run server in debug mode and see which queries are failing.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
  

Re: double realm problem

2009-10-27 Thread mr typo
I was trying to reject those double realms,
but I cannot find the right syntax and/or where to put the lines.

I was trying to put these lines in the users file:
DEFAULT User-Name =~ /^...@company.com@.*/
   Auth-Type := Reject


That did not work.
When putting:
if (User-Name ~= /^...@company.com@.*/) {
  reject
}
in the server configuration in the authorize section, I get a strange error.

I am quite new to configuring freeradius; it would be nice if someone
could give me a real hint on how and where to
reject those double @ @.

Thanks in advance.

-euro


On Wed, Oct 7, 2009 at 5:36 PM, Alexander Clouter <a...@digriz.org.uk> wrote:

 mr typo <euroregist...@gmail.com> wrote:
 
  I do have a problem with our freeradius configuration and I have no idea
  how to solve it.
 
  We do have one realm configured, domainname.com, which works perfectly.
  Every user who wants to authenticate with a different realm is proxied to an
  outside radius server. The setup works fine.
 
  We do have some mobile devices which send something like:
  usern...@company.com@wlan.mnc003.mc
  usern...@company.com@Verisign...
  .
  .
 
  We send these requests to our proxy and the proxy sends them back to
  us.
 
  From my understanding I can't solve it with a regex in proxy.conf,
  right? Since the realm is just the string after the last @?
 
  Anyone has an idea how I can process such requests in my company.com realm?
  Inside the realm I strip everything out, so it should work then.
 
 Use some unlang in 'authorize' *before* you call 'suffix' that looks
 like:
 
 if (User-Name =~ /^(@company.com)@.*/) {
     update request {
         User-Name := "%{1}"
     }
 }
 

 As a side note, I currently have in proxy.conf:
 
 # blackhole routing
 realm myabc.com {
     virtual_server = auth-reject
     nostrip
 }
 realm ~\\.3gppnetwork\\.org$ {
     virtual_server = auth-reject
     nostrip
 }
 

 ...and a virtual server:
 
 server auth-reject {
     authorize {
         suffix
 
         switch "%{Realm}" {
             case NULL {
                 update reply {
                     Reply-Message := "No Realm"
                 }
             }
 
             # we should not get here
             case DEFAULT {
                 update reply {
                     Reply-Message := "ERROR"
                 }
             }
 
             # we *really* should not get here
             case "%{config:local.MY.realm}" {
                 update reply {
                     Reply-Message := "BIG ERROR"
                 }
             }
 
             case {
                 update reply {
                     Reply-Message := "Realm Blackholed"
                 }
             }
         }
 
         reject
     }
 }
 

 I would recommend you reject straight away any double realmed users as
 you will only find yourself later on still having to deal with
 misconfigured kit; pain now means a *lot* less pain later down the road
 in my experience.

 Cheers

 --
 Alexander Clouter
 .sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14


Re: Upgrade From 1 to 2 - problem with authorize

2009-10-27 Thread Alan Buxey
Hi,

 managed to get my setup connecting to my mssql backend.  However, when I try
 and authorize with a user/pass, I get an error - actually more of a warning.
  I've Googled about but although others have had this error I haven't really
 seen a good explanation of why it occurs let alone how to solve.
 
 The warning is...

the warning is fairly self-explanatory - you are using 

User-Password 

in your SQL

you should be using Cleartext-Password (with the correct operator)

I'm with Alan on this one - I don't know HOW the message could be any clearer!?!


as for not authenticating - once again - look at your debug... here is your new 
server

 Login OK: [9] (from client 10.152.0.7 port 0 cli 1002)
 +- entering group post-auth {...}
 ++[exec] returns noop
 Sending Access-Accept of id 16 to 10.152.0.7 port 20001
 Finished request 0.


and here is the old server

 Sending Access-Accept of id 31 to 10.152.0.7 port 20001
 h323-return-code = h323-return-code=0
 h323-billing-model = h323-billing-model=0
 h323-credit-amount = h323-credit-amount=76.15
 h323-currency = h323-currency=AUD
 Finished request 0


spot the difference?

alan


Re: Upgrade From 1 to 2 - problem with authorize

2009-10-27 Thread Bjørn Mork
Robert White <rwh...@globalgossip.net> writes:

 I'm trying to upgrade my setup from freeradius 1 to freeradius 2.

 I've been making little changes to the config as suggested in the doc and I
 managed to get my setup connecting to my mssql backend.  However, when I try
 and authorize with a user/pass, I get an error - actually more of a warning.
  I've Googled about but although others have had this error I haven't really
 seen a good explanation of why it occurs let alone how to solve.

I believe the rlm_pap(5) man page explains the different password
attributes and their usage pretty well.

The point the server is trying to make you aware of is that you can't
really do an equality check on the User-Password.  The attribute
received from the other end is encrypted:
  http://freeradius.org/rfc/rfc2865.html#User-Password

That's why

  luser   User-Password == "foo"

is wrong.  Don't do it.

When you configure a user account, you will instead *set* another server
configuration attribute which may be used by the authentication modules
to verify the received User-Password.  So you'll do

  luser   Cleartext-Password := "foo"

and the rlm_pap module will see both the Cleartext-Password you set and
the User-Password the NAS sent and do whatever it needs to verify that
they match.  This concept might be even clearer if you instead configure

  luser   Crypt-Password := "aaKNIEDOaueR6"

The rlm_pap will still be able to verify the received password.



 Sending Access-Accept of id 16 to 10.152.0.7 port 20001

Looks like your 2.x config doesn't have any reply attributes.

 Sending Access-Accept of id 31 to 10.152.0.7 port 20001
 h323-return-code = h323-return-code=0
 h323-billing-model = h323-billing-model=0
 h323-credit-amount = h323-credit-amount=76.15
 h323-currency = h323-currency=AUD

while the 1.x config sends a number of them.  Maybe that's why your NAS
doesn't do what you expect, even if it gets an accept in both cases?


Bjørn
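
To illustrate Bjørn's point about why a `User-Password == "foo"` check item cannot work, here is an added example (not code from the list or from the FreeRADIUS project) of the RFC 2865 section 5.2 hiding a NAS applies to User-Password before sending it, and the reverse step a server that knows the shared secret performs before comparing against Cleartext-Password. The shared secret and the Request Authenticator values are constructed for the demo.

```python
import hashlib
import hmac

# Added example, not code from the FreeRADIUS project or the list post.
# Implements the User-Password hiding of RFC 2865 section 5.2 so you can
# see why the attribute on the wire never equals the clear-text password.

BLOCK = 16


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: pad the password with NULs to a multiple of 16 bytes,
    then XOR each 16-byte chunk with MD5(secret + previous_chunk), where the
    'previous chunk' for the first block is the 16-byte Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += chunk
        prev = chunk  # the hidden chunk feeds the next mask
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server side effectively does before a PAP comparison: rebuild
    the same masks (it knows the secret and sees the authenticator) and strip
    the NUL padding. Only then can the result be compared with the
    Cleartext-Password configured for the user."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + BLOCK]
        clear += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    # RFC 2865 pads with NULs, so a password ending in NUL bytes is ambiguous.
    return clear.rstrip(b"\x00")


def pap_check(hidden: bytes, secret: bytes, authenticator: bytes,
              cleartext_password: bytes) -> bool:
    """The check rlm_pap performs conceptually: decode User-Password, then
    compare it with the known-good Cleartext-Password in constant time."""
    return hmac.compare_digest(reveal_password(hidden, secret, authenticator),
                               cleartext_password)


def demo() -> dict:
    # Constructed values: a made-up shared secret and fixed authenticators
    # (a real NAS picks a random 16-byte Request Authenticator per request).
    secret = b"example-shared-secret"
    auth_a = bytes(range(16))
    auth_b = bytes(16)
    password = b"9"  # the password seen in the debug output in the thread
    wire_a = hide_password(password, secret, auth_a)
    wire_b = hide_password(password, secret, auth_b)
    return {
        # 'User-Password == "9"' would compare this 16-byte blob with "9"
        "wire_equals_cleartext": wire_a == password,
        # same password, different Request Authenticator -> different bytes
        "wire_changes_per_request": wire_a != wire_b,
        # decoding with the shared secret recovers the clear text
        "server_recovers": reveal_password(wire_a, secret, auth_a) == password,
        "pap_accepts": pap_check(wire_a, secret, auth_a, b"9"),
        "pap_rejects_wrong": pap_check(wire_a, secret, auth_a, b"8"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```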


Unexpected Exiting normally 2.1.8?

2009-10-27 Thread Craig Campbell
I'm running an unreleased 'development' version of freeradius (2.1.8?).

So far it is working well, but it is terminating for reasons I cannot determine.

The log contains the following,

Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Driver rlm_sql_mysql (module 
rlm_sql_mysql) loaded and linked
Mon Oct 26 15:48:57 2009 : Info: rlm_sql (sql): Attempting to connect to 
radi...@localhost:/radius
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #0
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #1
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #2
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #3
Mon Oct 26 15:48:57 2009 : Info: rlm_sql_mysql: Starting connect to MySQL 
server for #4
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server inner-tunnel
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-home-server
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server copy-acct-to-radius-c
Mon Oct 26 15:48:57 2009 : Info: Loaded virtual server default
Mon Oct 26 15:48:57 2009 : Info: Ready to process requests.
Mon Oct 26 17:57:33 2009 : Error: PROXY: Marking home server 192.168.1.226 port 
1813 as zombie (it looks like it is dead).
Mon Oct 26 17:58:13 2009 : Info: PROXY: Marking home server 192.168.1.226 port 
1813 as dead.
Mon Oct 26 20:05:36 2009 : Info: Exiting normally.

The zombie messages are suspicious, since neither host is experiencing any 
significant load. (The zombie server is also 2.1.8.  There is a 2.1.7 server as 
well NOT being zombied..)
The exit message is much later, but no hint as to WHY it is exiting normally.

Any hints would be greatly appreciated.

Thanks,
-craig



Craig Campbell 
craig.campb...@ccraft.ca 
CampbellCraft Consulting Inc
2 Kenny Court 
Whitby, Ontario 
Canada 
L1R 2L8 
905 922-2789 

 




Re: double realm problem

2009-10-27 Thread Alexander Clouter
mr typo <euroregist...@gmail.com> wrote:
 
 I was trying to reject those double realms,
 but I cannot find the right syntax and/or where to put the lines.
 
 I was trying to put these lines in the users file:
 DEFAULT User-Name =~ /^...@company.com@.*/
    Auth-Type := Reject
 
 
 That did not work.
 When putting:
 if (User-Name ~= /^...@company.com@.*/) {
   reject
 }
 in the server configuration in the authorize section, I get a strange error.
 
 I am quite new to configuring freeradius; it would be nice if someone
 could give me a real hint on how and where to
 reject those double @ @.
 
In addition to my blackholing I now have added to my policy.conf file:

# only needs to be close enough to catch unroutable guff
validate_username {
    if (User-Name !~ /@/ \
        || ( \
            User-Name !~ /@.*@/ \
            && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
        ) \
    ) {
        ok
    }
    else {
        update reply {
            Reply-Message := "Invalid User-Name Syntax"
        }
        reject
    }
}


Then in your authorize section you just place 'validate_username' and it 
looks after everything for you.

What the above bumpf does is:
 * permit realmless usernames (those without an '@') through; these are 
rejected later by matching against the NULL realm (*important*)
 * if there is an '@' in there then it
   * rejects if there are two or more '@'s
   * rejects if the *realm* is not valid; for example the realm *must* 
be made up of at least two parts, and the end part must be at 
least two characters long

Hope that helps

Cheers

-- 
Alexander Clouter
.sigmonster says: The best things in life are for a fee.
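
As an added example (not part of the list post or of FreeRADIUS), here is the same validate_username logic written in Python so the regex behaviour can be checked against sample names. The POSIX classes [[:graph:]], [[:alnum:]] and [[:alpha:]] of the unlang regex have no direct Python equivalent and are approximated with ASCII ranges; the sample usernames are constructed.

```python
import re

# Python translation (added example) of the validate_username policy above.
# [[:graph:]] -> [!-~], [[:alnum:]] -> [A-Za-z0-9], [[:alpha:]] -> [A-Za-z]
REALM_RE = re.compile(r'^[!-~]*@([-A-Za-z0-9]+\.)+[A-Za-z]{2,}$')
# Two or more '@' anywhere in the name.
DOUBLE_AT_RE = re.compile(r'@.*@')

REJECT_MESSAGE = "Invalid User-Name Syntax"


def validate_username(user_name: str) -> tuple:
    """Return ("ok", None) or ("reject", reply_message), mirroring the policy:

    * no '@' at all: let it through (the NULL realm deals with it later)
    * two or more '@': reject
    * exactly one '@': the realm must be at least two dot-separated labels
      and the last label must be at least two letters
    Note that [!-~] (like [[:graph:]]) matches '@' itself, which is why the
    separate double-'@' test is needed in front of the realm regex.
    """
    if '@' not in user_name:
        return ("ok", None)
    if DOUBLE_AT_RE.search(user_name) is None and REALM_RE.match(user_name):
        return ("ok", None)
    return ("reject", REJECT_MESSAGE)


# Constructed sample usernames modelled on the thread; not real accounts.
SAMPLES = [
    "bob",                              # realmless -> ok (NULL realm later)
    "bob@company.com",                  # single, well-formed realm -> ok
    "bob@sub.company.co.uk",            # deeper realm -> ok
    "bob@company.com@wlan.mnc003.mc",   # double realm -> reject
    "bob@company",                      # realm with a single label -> reject
    "bob@company.c",                    # last label shorter than 2 -> reject
    "bob@",                             # empty realm -> reject
    "b ob@company.com",                 # space is not [[:graph:]] -> reject
]


def run_samples() -> dict:
    """Apply the policy to every sample and return the decisions."""
    return {name: validate_username(name) for name in SAMPLES}


if __name__ == "__main__":
    for name, (decision, message) in run_samples().items():
        suffix = f" ({message})" if message else ""
        print(f"{name!r:36} -> {decision}{suffix}")
```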



RE: radacct and db handles

2009-10-27 Thread Ademir Klauck
OK,

 

This ‘Reply-Msg’ doesn’t matter; the real issue is the db handles message.

I could solve this by setting the number of db sessions to the number of NASes (45).

 

From: freeradius-users-bounces+ademirk=netwizard.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+ademirk=netwizard.com...@lists.freeradius.o
rg] On Behalf Of Santiago Balaguer García
Sent: Tuesday, 27 October 2009 06:08
To: RADIUS mailing list
Subject: RE: radacct and db handles

 

The problem is that the 'Reply-Msg' attribute is not recognized by the radius server
because it is a vendor-specific attribute.
Try to find the specific dictionary.
 
 From: adem...@netwizard.com.br
 To: t...@kalik.net; freeradius-users@lists.freeradius.org
 Subject: RE: radacct and db handles
 Date: Fri, 23 Oct 2009 12:34:05 -0200
 
 Hi Ivan,
 
 I ran the server with radiusd -X log and couldn't find the same error in the
log. The only SQL failure I found is a Msg reply field:
 
 [sql] expand: SELECT id, username, attribute, value, op FROM radrepl
 y WHERE username = '%{SQL-User-Name}' ORDER BY id - SELECT
 id, username, attribute, value, op FROM radreply WHERE usern
 ame = 'alexandre' ORDER BY id
 [sql] expand: SELECT groupname FROM radusergroup WHERE use
 rname = '%{SQL-User-Name}' ORDER BY priority - SELECT groupname
 FROM radusergroup WHERE username = 'alexandre' ORDER BY
 priority
 [sql] expand: SELECT id, groupname, attribute, Value, op F
 ROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY
 id - SELECT id, groupname, attribute, Value, op FROM radgro
 upcheck WHERE groupname = 'SUSPENSO' ORDER BY id
 rlm_sql: Failed to create the pair: Invalid octet string Conta Suspensa.
Entre
 em contato com o setor financeiro. for attribute name Reply-Msg
 rlm_sql (sql): Error getting data from database
 [sql] Error retrieving check pairs for group SUSPENSO
 [sql] Error processing groups; rejecting user
 rlm_sql (sql): Released sql socket id: 2
 ++[sql] returns fail
 
 -Original Message-
 From: Ivan Kalik [mailto:t...@kalik.net] 
 Sent: Thursday, 22 October 2009 21:22
 To: adem...@netwizard.com.br; FreeRadius users mailing list
 Subject: Re: radacct and db handles
 
  I installed freeradius with daloradius on a FC11 box, everything new.
  After some corrections everything is working, but in radius.log I
  constantly receive the error message below:
  Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
  connect 0
 
  I checked my radius db and radacct table and there are many indexes, and
  nothing I could find is the problem. It only happens when I enable
  radius accounting in SQL.
 
 Run server in debug mode and see which queries are failing.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 
 

Re: double realm problem

2009-10-27 Thread mr typo
Hello Alexander,


Thanks a lot for this piece of code, but now I have a problem getting
this to work.
In radiusd.conf I have an

$INCLUDE policy.conf

and in my authorize section I have the following:

authorize {
    auth_log
    validate_username
    suffix
    eap {
        ok = return
    }
}

Upon restarting I get the following:

/etc/raddb/sites-enabled/eduroam[9]: Failed to find module
validate_username.
/etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

Any hints?

-euro

On Tue, Oct 27, 2009 at 11:09 AM, Alexander Clouter <a...@digriz.org.uk> wrote:

 mr typo <euroregist...@gmail.com> wrote:
 
  I was trying to reject those double realms,
  but I cannot find the right syntax and/or where to put the lines.
 
  I was trying to put these lines in the users file:
  DEFAULT User-Name =~ /^...@company.com@.*/
    Auth-Type := Reject
 
 
  That did not work.
  When putting:
  if (User-Name ~= /^...@company.com@.*/) {
   reject
  }
  in the server configuration in the authorize section, I get a strange error.
 
  I am quite new to configuring freeradius; it would be nice if someone
  could give me a real hint on how and where to
  reject those double @ @.
 
 In addition to my blackholing I now have added to my policy.conf file:
 
 # only needs to be close enough to catch unroutable guff
 validate_username {
     if (User-Name !~ /@/ \
         || ( \
             User-Name !~ /@.*@/ \
             && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
         ) \
     ) {
         ok
     }
     else {
         update reply {
             Reply-Message := "Invalid User-Name Syntax"
         }
         reject
     }
 }
 

 Then in your authorize section you just place 'validate_username' and it
 looks after everything for you.

 What the above bumpf does is:
  * permit realmless usernames (those without an '@') through; these are
 rejected later by matching against the NULL realm (*important*)
  * if there is an '@' in there then it
    * rejects if there are two or more '@'s
    * rejects if the *realm* is not valid; for example the realm *must*
 be made up of at least two parts, and the end part must be at
 least two characters long

 Hope that helps

 Cheers

 --
 Alexander Clouter
 .sigmonster says: The best things in life are for a fee.


Proxying requests with source port 1815?

2009-10-27 Thread Palmer J.D.F.
Hi,

Just experienced a bit of strange behaviour, or at least it seems strange
to me.

One of our FR 2.1.7 boxes has been proxying access-requests with a
source port of 1815, to which the authenticating server replied
with an access-accept to port 1815, only there is no listener for port
1815 running on the box and hence it fails.
This was happening to ~50% of requests, but once one failed the FR box
was marking the authenticator dead.
It started yesterday following an FR restart for a small config change
(added a client to client.conf); I restarted it about an hour ago and it
seems to be behaving now.

Is that as odd as it seems, or am I missing something?

Thanks,
Jezz.


-
Jezz Palmer
Library  Information Services
Swansea University
Singleton Park
Swansea
SA2 8PP
-






Re: double realm problem

2009-10-27 Thread Alan Buxey
Hi,

 /etc/raddb/sites-enabled/eduroam[9]: Failed to find module
 validate_username.
 /etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

hmm, interesting - this looks very much like a post I made here earlier
this month where 3rd-party virtual servers don't seem to pick up details from
main modules and include files - my case was that Autz-Type wasn't known if
I called the 'users' file in my virtual server

alan


Re: Proxying requests with source port 1815?

2009-10-27 Thread Alan DeKok
Palmer J.D.F. wrote:
 One of our FR 2.1.7 boxes has been proxying access-requests with a
 source port of 1815, to which the authenticating server has replied to
 with an access-accept on port 1815, only there is no listener for port
 1815 running on the box and hence fails.
 This was happening to ~50% of requests, but once one failed the FR box
 was marking the authenticator dead.
 It started yesterday following a FR restart for a small config change
 (added a client to client.conf), I restarted it about an hour ago and it
 seems to be behaving now.
 
 Is that as odd as it seems, or am I missing something?

  I think it's a bug in 2.1.7.  We should be releasing 2.1.8 to address
this, and to have other minor enhancements.

  Alan DeKok.


how to require client certificate with PEAP

2009-10-27 Thread Vieri
Hi,

If I use EAP-TLS with a self-signed client certificate, I can connect my 
Windows XP clients to a WLAN.

If I use PEAP alone, then my Windows XP clients connect to a WLAN with an 
Active Directory username.

I'm trying to combine both EAP-TLS and PEAP, but since I'm not a radius security 
guru I'll rephrase what my goal is:

I simply want to *require* that all wifi clients use PEAP *AND* have a 
self-signed client certificate installed on their system.
That way, if I want to, I can revoke the certificates from the server.

The Windows native clients are configured to use:
Eap type: PEAP
and have both root and client certificates installed.

However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get 
this message in the log:

rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer 
did not return a certificate

How should I configure Windows XP to send the client certificate?

Thanks,

Vieri
PS:
Here are the relevant config files and debug log:

FreeRADIUS Version 2.0.5, for host x86_64-pc-linux-gnu, built on Oct  1 2008 at 
12:36:40
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including configuration file /etc/raddb/snmp.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/sql.conf
including configuration file /etc/raddb/sql/mysql/dialup.conf
including configuration file /etc/raddb/sql/mysql/counter.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/radius
libdir = /usr/lib64
radacctdir = /var/log/radius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/radiusd/radiusd.pid
checkrad = /usr/sbin/checkrad
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
 }
}
 client 10.215.146.83 {
require_message_authenticator = no
secret = F5jmE6xA
shortname = FHMWIFI
 }
 client 10.215.146.130 {
require_message_authenticator = no
secret = F5jmE6x2B1_002369E349C4
shortname = FHMWIFI_2B1
 }
 client 10.215.146.131 {
require_message_authenticator = no
secret = F5jmE6x2B2

Cisco AVpair(client-mac-address) and Calling-Station-Id attribute

2009-10-27 Thread Egi Konomi

Hello,

I am using freeradius 1.1.8 with a Cisco 7301 router as a NAS, but the 
NAS does not send the Calling-Station-Id attribute; instead it uses 
Cisco-AVPair = "client-mac-address=000f.ea20.e1ad"

They have changed this attribute in modern IOS versions.

I want to know if there is a possibility to rewrite the Cisco-AVPair = 
"client-mac-address=000f.ea20.e1ad" to Calling-Station-Id = "000f.ea20.e1ad"

Also, I am using some other NASes that use the standard 
Calling-Station-Id, with the same radius.



Thank You!

Egi




RE: Proxying requests with source port 1815?

2009-10-27 Thread Palmer J.D.F.
Ok, thanks Alan. :)

Jezz.

 
 Palmer J.D.F. wrote:
  One of our FR 2.1.7 boxes has been proxying access-requests with a
  source port of 1815, to which the authenticating server has replied
 to
  with an access-accept on port 1815, only there is no listener for
 port
  1815 running on the box and hence fails.
  This was happening to ~50% of requests, but once one failed the FR
 box
  was marking the authenticator dead.
  It started yesterday following a FR restart for a small config
change
  (added a client to client.conf), I restarted it about an hour ago
and
 it
  seems to be behaving now.
 
  Is that as odd as it seems, or am I missing something?
 
   I think it's a bug in 2.1.7.  We should be releasing 2.1.8 to
address
 this, and to have other minor enhancements.
 
   Alan DeKok.


Radacct isn't registering FramedIpAdress (sometimes)!

2009-10-27 Thread t_rider
Hello,
It's my first time here and I'm trying to solve a big problem in my Radius server.
Sometimes, and it's happening without reason, the RadAcct puts 0.0.0.0 in the FramedIpAdress field.
I don't know why it's happening; I have other Radius servers with the same configuration, but this error occurs just in this server.
It's a 1.1.7 radius server. My clients are all Mikrotiks, version 3.13.
 
Can anyone help me??
Thanks,
Alexandre
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radacct isn't registering FramedIPAddress (sometimes)!

2009-10-27 Thread Ivan Kalik
 Sometimes, and it's happening without reason, RadAcct puts 0.0.0.0
 in the FramedIPAddress field.
 I don't know why it's happening; I have other Radius servers with the
 same configuration, but this error occurs just in this server.
 It's a 1.1.7 radius server. My clients are all Mikrotiks, with version
 3.13.

Post the debug of one accounting packet when such error happens. And don't
use HTML email.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Cisco AVpair(client-mac-address) and Calling-Station-Id attribute

2009-10-27 Thread Alan DeKok
Egi Konomi wrote:
 I want to know if there is a possibility to rewrite the : Cisco-AVPair =
 client-mac-address=000f.ea20.e1ad to Calling-Station-Id =
 000f.ea20.e1ad

  See the attr_filter module.

  Or, in 2.x, you can just use unlang to do the re-writing.

 Also, I am using some other NASes that use the standard
 Calling-Station-Id, with the same radius.

  So make the selection NAS-specific.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
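One way to do the NAS-specific rewrite Alan points at, written in FreeRADIUS 2.x unlang. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the Cisco 7301 is the NAS at 192.0.2.10 and that the snippet sits near the top of the authorize section of sites-enabled/default; substitute your own address and module list.

```unlang
# Added example, not from the thread. FreeRADIUS 2.x unlang, placed near the
# top of the authorize section of sites-enabled/default.
# Assumption: the Cisco 7301 is the NAS at 192.0.2.10 (substitute your own).
authorize {
    preprocess

    # Only touch requests from the one NAS that carries the MAC inside
    # Cisco-AVPair. Other NASes already send a proper Calling-Station-Id
    # and must not have it overwritten.
    if (NAS-IP-Address == 192.0.2.10) {
        # Cisco writes the MAC as xxxx.xxxx.xxxx. Capture exactly that and
        # nothing else, so an unexpected AVPair value is ignored rather
        # than copied verbatim into Calling-Station-Id.
        if (Cisco-AVPair =~ /^client-mac-address=([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})$/) {
            update request {
                Calling-Station-Id := "%{1}"
            }
        }
    }

    chap
    mschap
    suffix
    eap
    files
    sql
    pap
}
```

Two things to check with `radiusd -X` before relying on this. The condition compares the first Cisco-AVPair in the packet; if the 7301 sends several, look at which one arrives first. And NAS-IP-Address is whatever the NAS chose to put in the request; if that is not stable, keying the outer condition on the packet's actual source address (`%{Packet-Src-IP-Address}`) is the more reliable selector. The rewritten value is only as trustworthy as the NAS that sent it, and the Cisco dotted form differs from the dash-separated MACs most other NASes send, so anything downstream that compares Calling-Station-Id (the SQL check items, for instance) may need both spellings or a normalisation step.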


Re: how to require client certificate with PEAP

2009-10-27 Thread Alan DeKok
Vieri wrote:
 The Windows native clients are configured to use:
 Eap type: PEAP
 and have both root and client certificates installed.

  Are they configured to USE the client certificate?

 However, if I add the EAP-TLS-Require-Client-Cert = Yes option then I get 
 this message in the log:
 
 rlm_eap: SSL error error:140890C7:SSL 
 routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
 
 How should I configure Windows XP to send the client certificate?

  See the XP documentation.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Radacct isn't registering FramedIPAddress (sometimes)!

2009-10-27 Thread Marinko Tarlac
Maybe your IP pool in the NAS config is too small to accept all connection
attempts ...

t_rider wrote:

Hello,
It's my first time here and I'm trying to solve a big problem in my
Radius server.
Sometimes, and it's happening without reason, RadAcct puts 0.0.0.0
in the FramedIPAddress field.
I don't know why it's happening; I have other Radius servers with the
same configuration, but this error occurs just in this server.
It's a 1.1.7 radius server. My clients are all Mikrotiks, with version
3.13.

Can anyone help me??
Thanks,
Alexandre


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Running Multiple Freeradius Instances

2009-10-27 Thread Asin Silva
Will there be any performance issues if I run multiple instances of
freeradius in the same server?

Thanks,
Asin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Running Multiple Freeradius Instances

2009-10-27 Thread Gary Gatten
Most likely not; depends if you're doing a bunch of sql, perl, etc.

Check out virtual servers in 2.x



From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
To: freeradius-users@lists.freeradius.org 
Sent: Tue Oct 27 21:47:25 2009
Subject: Running Multiple Freeradius Instances 


Will there be any performance issues if I run multiple instances of freeradius 
in the same server?

Thanks,
Asin
This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
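An added example of what Gary's pointer to virtual servers means in practice; it is not from the thread or from the FreeRADIUS distribution. In 2.x a single radiusd process can own several `listen` sockets, each bound to its own virtual server and its own client list, which is the usual alternative to starting several processes. Addresses, ports, server names and the placeholder secrets below are assumptions.

```unlang
# Added example, not from the thread: one radiusd process serving two
# independent RADIUS services. Goes in radiusd.conf (or a file under
# sites-enabled/) on FreeRADIUS 2.x. Addresses, ports, names and the
# placeholder secrets are assumptions.

# Listener for the corporate NASes. Bound to its own virtual server and
# restricted to its own client list, so a NAS known only to the guest
# service cannot reach the corporate one even though both share a process.
listen {
    type = auth
    ipaddr = 192.0.2.5
    port = 1812
    virtual_server = corp
    clients = corp_clients
}

clients corp_clients {
    client 192.0.2.10 {
        secret = change-me-corp
        shortname = corp-nas-1
    }
}

# Second listener on a different port for a separate user population,
# with its own clients and its own shared secrets.
listen {
    type = auth
    ipaddr = 192.0.2.5
    port = 11812
    virtual_server = guests
    clients = guest_clients
}

clients guest_clients {
    client 192.0.2.20 {
        secret = change-me-guest
        shortname = guest-nas-1
    }
}

# Each virtual server has its own authorize/authenticate policy, so the
# two services can use different backends without interfering.
server corp {
    authorize {
        preprocess
        suffix
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}

server guests {
    authorize {
        preprocess
        sql
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
    }
}
```

The per-listener `clients = ...` reference is what keeps the two services separate: a client definition, and therefore its shared secret, is only honoured on the socket that names that list. Modules such as sql are still shared instances within the process, so if the two services must not share a database connection pool, define separate module instances and call them by name.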