Re: FR2.1.3+LDAP+802.1x+PEAP
Hi Ivan,

My problem is that in LDAP I have the passwords saved as SSHA, so I can't do 802.1X with EAP/PEAP/MSCHAP, as I don't want to change my LDAP configuration to store the passwords in clear text, or to use the Samba schema and an NT hash. The only option remaining, from my point of view, was to try to distinguish between normal authentication and 802.1X authentication. That's why I came up with this realm stuff: to be able to authenticate 802.1X users in the users file (where I have users/passwords in clear text) and normal users in LDAP (SSHA). That's why I was asking if it's possible and if it's functional, or maybe there is another solution than the one provided by Alan (to not use 802.1X) :D

Thank you again for your feedback.

Best Regards,
Caius Pargar

--- On Wed, 11/11/09, t...@kalik.net wrote:

> From: t...@kalik.net
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list"
> Date: Wednesday, November 11, 2009, 1:06 AM
>
> > i was thinking of the following:
> > to do the normal user authentication in LDAP, based on the provided realm,
> > and if no realm is present authenticate the users in the users file.
> > Users which use 802.1x will be saved in clear text in the users file
> > and users used for authentication for other stuff will be checked in LDAP
> > (@mydomain.com)
> >
> > or can I switch this around? a user myu...@dot1x.com will be, based on the
> > realm, authenticated in the users file for 802.1x and a user with no realm will
> > be authenticated in LDAP?
> >
> > please tell me your opinion on this, is it possible?
>
> Use suffix and configure dot1x.com as a local realm in proxy.conf:
>
> realm dot1x.com {
> }
>
> ... and you don't need multiple entries for the same user. Both the users file
> and the ldap module will use Stripped-User-Name for authentication by default.
>
> Ivan Kalik
> Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FR2.1.3+LDAP+802.1x+PEAP
Caius wrote:
> regarding your tips:
> a) I don't want to do it; maybe if I have no other choice I'll have 2 password
> attributes SSHA+NTLM, but it's a clear no to clear text, and a maybe to NT hash

NTLM is largely a version of MSCHAP for Active Directory. If you want to do PEAP authentication, you need clear-text passwords, or NT hashes.

> b) need it, so not gonna happen
>
> so, as I need to proceed further with my investigation, what are my options
> really? :D
>
> I was thinking of the following:
> to do the normal user authentication in LDAP, based on the provided realm,
> and if no realm is present authenticate the users in the users file.
> Users which use 802.1x will be saved in clear text in the users file
> and users used for authentication for other stuff will be checked in LDAP
> (@mydomain.com)
>
> or can I switch this around? a user myu...@dot1x.com will be, based on the
> realm, authenticated in the users file for 802.1x and a user with no realm will be
> authenticated in LDAP?

I would suggest using email addresses for 802.1X authentication. Inventing fake realms is a bad idea.

Alan DeKok.
WiMAX-Capabilty proxy issue
Dear all,

I'm having an issue when proxying an Access-Request message between two WiMAX networks. I recently downloaded FR 2.1.8 and I'm in the middle of the messaging path. The home network is using EAP-TLS, but it should be transparent for the proxy, right?

The issue is with the AVP WiMAX-Capability(1). Please see below the packets captured (shown as in Wireshark).

Sending network AVP, before the FR proxy, as it arrived:

    AVP: l=17 t=Vendor-Specific(26) v=WiMAX(24757)
        VSA: l=11 t=WiMAX-Capability(1) C=0x00: 2 TLV(s) inside
            TLV: l=5 t=WiMAX-Release(1): 1.4
                WiMAX-Release: 1.4
            TLV: l=3 t=WiMAX-Accounting-Capabilities(2): No-Accounting(0)
                WiMAX-Accounting-Capabilities: No-Accounting (0)

After the proxy, from FR to the home network:

    AVP: l=17 t=Vendor-Specific(26) v=WiMAX(24757)
        VSA: l=11 t=WiMAX-Capability(1) C=0x00:
            TLV: l=7 t=WiMAX-Release(1): 1.4\002\005
                WiMAX-Release: 1.4\002\005
            [Not enough room in packet for TLV header]

The home network AAA complains with the error message that it cannot decode the AVP WiMAX-Capability.

Any ideas why, and what I can do to fix it, are very much appreciated.

Merci, Thanks a lot, Vielen Dank, Gracias
Ramon
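The two captures above are a nice illustration of why a RADIUS proxy has to treat vendor TLVs with strict bounds checking. Below is an added example (not code from the original post, nor FreeRADIUS code) that encodes the WiMAX-Capability VSA exactly as the first capture describes it, parses it back, and then parses a byte string constructed to mirror the post-proxy capture, where WiMAX-Release's length has grown to 7 and a single orphan byte is left in the VSA. The byte values are built from the lengths and values shown in the capture; the orphan byte's value is an assumption, since Wireshark did not show it.

```python
"""Encode/decode a RADIUS Vendor-Specific AVP carrying WiMAX-style TLVs.

Added example. The WiMAX VSA layout used here is: Vendor-Specific(26) header,
4-byte vendor id, then vendor-type(1) vendor-length(1) continuation(1),
followed by type(1) length(1) value TLVs. Constants below come from the
capture in the post; the BROKEN_AVP byte string is constructed to mirror it.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26
WIMAX_VENDOR_ID = 24757        # vendor id shown as v=WiMAX(24757) in the capture
WIMAX_CAPABILITY = 1           # VSA type t=WiMAX-Capability(1)


def build_wimax_vsa(vendor_type, tlvs, continuation=0):
    """Encode Vendor-Specific(26) -> (vendor-type, vendor-len, C) -> TLVs."""
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in tlvs)
    vsa = struct.pack("BBB", vendor_type, 3 + len(body), continuation) + body
    payload = struct.pack(">I", WIMAX_VENDOR_ID) + vsa
    return struct.pack("BB", RADIUS_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_tlvs(data):
    """Return [(type, value), ...]; refuse anything the length fields do not cover."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            # Same condition Wireshark reported for the post-proxy packet.
            raise ValueError("not enough room in packet for TLV header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("TLV length %d out of bounds at offset %d" % (length, pos))
        out.append((t, bytes(data[pos + 2:pos + length])))
        pos += length
    return out


def parse_wimax_vsa(avp):
    """Decode one Vendor-Specific AVP; return (vendor_type, continuation, tlvs)."""
    if len(avp) < 9 or avp[0] != RADIUS_VENDOR_SPECIFIC or avp[1] != len(avp):
        raise ValueError("not a well-formed Vendor-Specific AVP")
    vendor_id = struct.unpack(">I", avp[2:6])[0]
    if vendor_id != WIMAX_VENDOR_ID:
        raise ValueError("vendor %d is not WiMAX" % vendor_id)
    vendor_type, vendor_len, continuation = avp[6], avp[7], avp[8]
    if vendor_len != len(avp) - 6:
        raise ValueError("vendor-length %d does not match AVP length" % vendor_len)
    return vendor_type, continuation, parse_tlvs(avp[9:6 + vendor_len])


def check_avp(avp):
    """Classify an AVP the way a proxy or home server would: ('ok', tlvs) or ('error', why)."""
    try:
        _, _, tlvs = parse_wimax_vsa(avp)
        return "ok", tlvs
    except ValueError as exc:
        return "error", str(exc)


# As captured before the proxy: AVP l=17, VSA l=11, TLV 1 "1.4" (l=5), TLV 2 value 0 (l=3).
GOOD_AVP = build_wimax_vsa(WIMAX_CAPABILITY, [(1, b"1.4"), (2, b"\x00")])

# Constructed to mirror the post-proxy capture: outer lengths unchanged (17 / 11), but
# WiMAX-Release now claims l=7 with value 1.4\002\005, leaving one stray byte (value assumed).
BROKEN_AVP = (struct.pack("BB", RADIUS_VENDOR_SPECIFIC, 17)
              + struct.pack(">I", WIMAX_VENDOR_ID)
              + bytes([WIMAX_CAPABILITY, 11, 0x00])
              + bytes([1, 7]) + b"1.4\x02\x05"
              + b"\x00")

if __name__ == "__main__":
    print("before proxy:", check_avp(GOOD_AVP))
    print("after proxy: ", check_avp(BROKEN_AVP))
```

Running it reproduces the home AAA's complaint: the first AVP decodes to two TLVs, the second fails at the TLV-header check after the inflated WiMAX-Release TLV has consumed the following TLV's bytes. The outer AVP and VSA lengths are still consistent, which is why the error only surfaces one level down.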
Re: FreeRadius crashed on accounting load tests with 1000 concurrent?clients
Alan DeKok wrote:
>
> > If I cannot find something wrong caused by us, I will file a bug
> > report. So far, nothing is found.
>
> All of the time you spend investigating things is WASTED. The ONLY
> thing that will help is to follow the instructions in doc/bugs.
>
> Follow the instructions in doc/bugs, or stop posting messages on this
> list.
>

For the love of God run it in GDB or leave us in peace!

http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg00081.html

Cheers

--
Alexander Clouter
.sigmonster says: Short people get rained on last.
Re: FreeRadius with 3COM
Yes, I used the guide. But it only says to use a vendor-specific attribute, and doesn't give the value of this attribute. I called 3COM before sending this e-mail, but my switch is more than 3 months old, so support can't help me because the support guarantee has already expired.

So, if anyone has any idea to help me. Thanks

2009/11/10
> > Thanks. Now the 3COM is authenticating on freeradius.
> > But I don't know how to set different priorities for users;
> > My 3COM is a 4210 and has 3 levels of priority.
> >
> > Does anybody know how to send the level of priority from freeradius?
>
> Have you tried the guide?
>
> >> Configuration guide 3com switch 4210 family:
> >>
> >> http://support.3com.com/documents/switches/4210/3Com_Switch4210_Configuration_Guide.pdf
>
> If it's not in there - ask 3Com. They should know how to configure their
> equipment. Probably some VSA.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: FreeRadius with 3COM
11/11/2009 01:42 PM, Rafael Fernandes:
> So, if anyone has any idea to help me.

http://www.google.com/search?q=3com+forum

--
Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement
+261 33 11 207 36
OpenSSL + Freeradius
Hello everyone.

I just wanted to thank you so much for your time. I found a solution without having to modify the control & rules files in the debian folder. So I've got freeradius functioning with OpenSSL and PEAP now.

Now I only need to find a "know how" for configuring Freeradius so it will accept authentication from Mac and Windows machines. Can anyone of you recommend a good site? :)

Best regards/
Peter
I need some help with freeradius 2.0.4
Hi, guys.

Please, could someone read this output from freeradius' debugging mode to help me? Thanks in advance. (I just omitted some information such as IP, User-Password etc.)

My scenario is:
- Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
- Freeradius 2.0.4
- MySQL 5.0.51a
- Calling Station: Windows XP Professional 32 bits SP3
- Software client: SSH Secure Shell 3.2.9
- NAS client: Cisco6500 Catalyst - IOS version 12.2(17r)S4

Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 121 with timestamp +17
Ready to process requests.
rad_recv: Access-Request packet from host NAS-IP-Address port 21645, id=121, length=82
        NAS-IP-Address = NAS-IP-Address
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "User-Name"
        Calling-Station-Id = "Calling-Station-Id"
        User-Password = "User-Password"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "User-Name", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "User-Name"
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
        expand: %{User-Name} -> User-Name
rlm_sql (sql): sql_set_user escaped user --> 'User-Name'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'User-Name' ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'User-Name' ORDER BY id
        expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'User-Name' ORDER BY priority
        expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'pop-sp' ORDER BY id
rlm_sql (sql): User found in group pop-sp
        expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'pop-sp' ORDER BY id
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "User-Password"
rlm_pap: Using CRYPT encryption.
rlm_pap: User authenticated successfully
++[pap] returns ok
Login OK: [User-Name/User-Password] (from client cisco6500 port 1 cli Calling-Station-Id)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
        expand: %{User-Name} -> User-Name
rlm_sql (sql): sql_set_user escaped user --> 'User-Name'
        expand: %{User-Password} -> User-Password
        expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'User-Name', 'User-Password', 'Access-Accept', '2009-11-11 11:33:27')
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'User-Name', 'User-Password', 'Access-Accept', '2009-11-11 11:33:27')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 121 to NAS-IP-Address port 21645
        Framed-Compression := Van-Jacobson-TCP-IP
        Framed-Protocol := PPP
        Service-Type := Login-User
        Framed-MTU := 1500
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 121 with timestamp +23
Ready to process requests.
Re: [Fwd: I need some help with freeradius 2.0.4]
Wagner Pereira wrote:
> I think this output is more complete and useful. Thank you one more time.

You haven't said what is going wrong, or what you want it to do. The debug log shows an Access-Accept. What's wrong with that?

Alan DeKok.
Re: OpenSSL + Freeradius
Peter Carlstedt wrote:
> Now I only need to find a "know how" for configuring Freeradius so it
> will accept authentication from Mac and Windows machines. Can anyone of
> you recommend a good site? :)

http://deployingradius.com

Alan DeKok.
Re: OpenSSL + Freeradius
Hey, Alan. This is an interesting website! Do you intend to sell that DeployingRADIUS book soon? If yes, through which website? How can it be shipped here, to Brazil?

--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902

Alan DeKok wrote:
> Peter Carlstedt wrote:
> > Now I only need to find a "know how" for configuring Freeradius so it
> > will accept authentication from Mac and Windows machines. Can anyone of
> > you recommend a good site? :)
>
> http://deployingradius.com
>
> Alan DeKok.
Re: [Fwd: I need some help with freeradius 2.0.4]
Alan,

I've tried to authenticate a user (myself!) on a Cisco6500 router. Then, on this router, I configured the necessary lines to authenticate myself against another server, where freeradius is. I set this freeradius up to "talk" with my mysql database.

--
Wagner Pereira
PoP-SP/RNP - CCE/USP
http://www.pop-sp.rnp.br

Alan DeKok wrote:
> Wagner Pereira wrote:
> > I think this output is more complete and useful. Thank you one more time.
>
> You haven't said what is going wrong, or what you want it to do. The debug log shows an Access-Accept. What's wrong with that?
>
> Alan DeKok.
Send accounting packets to multiple proxy servers
Hi all,

FreeRADIUS 2.1.7

I currently have a server A that proxies accounting packets to server B. I would like server A to proxy those same accounting packets to server C as well. Currently this is my setup:

Server A

clients.conf:
-------------
client server_B_ip {
        ipaddr = server_B_ip
        secret = server_B_secret
        require_message_authenticator = no
        virtual_server = requests_from_server_B
}

sites-enabled/default:
----------------------
...
accounting {
        detail
        detail-radrelay
}
...

server requests_from_server_B {
        authorize {
                files
        }
        preacct {
                preprocess
                acct_unique
        }
        accounting {
                detail
                sql
        }
}

So as I understand it, all incoming accounting requests are written to the detail and the detail-radrelay files, except if it's from server B, in which case it only writes to the detail file so that it is not re-proxied, correct?

Then I have:

proxy.conf:
-----------
home_server copy-acct-to-home-server {
        type = acct
        ipaddr = server_B_ip
        port = 1813
        secret = server_B_secret
        response_window = 10
        zombie_period = 20
        no_response_fail = yes
}

home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
}

realm DEFAULT {
        acct_pool = my_acct_failover
        nostrip
}

sites-enabled/copy-acct-to-home-server:
---------------------------------------
server copy-acct-to-home-server {
        listen {
                type = detail
                filename = ${radacctdir}/detail-combined
                load_factor = 10
                retry_interval = 10
        }
        preacct {
                suffix
        }
        accounting {
                ok
        }
}

What do I need to add to get the detail-combined entries sent to server C as well?

Does my proxy.conf need to look like this?:

home_server copy-acct-to-home-server {
        type = acct
        ipaddr = server_B_ip
        port = 1813
        secret = server_B_secret
        response_window = 10
        zombie_period = 20
        no_response_fail = yes
}

home_server copy-acct-to-server-C {
        type = acct
        ipaddr = server_C_ip
        port = 1813
        secret = server_C_secret
        response_window = 10
        zombie_period = 20
        no_response_fail = yes
}

home_server_pool my_acct_failover {
        home_server = copy-acct-to-home-server
        home_server = copy-acct-to-server-C
}

realm DEFAULT {
        acct_pool = my_acct_failover
        nostrip
}

I'm not too sure where to go here; any help would be much appreciated, as always!

Many thanks,
Patric
Any Brazilians on this list?
Good afternoon,

Are there any Brazilians on this list who would like to exchange experiences about freeradius+mysql?

--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902
[Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
I think this picture can help YOU to help ME : )

This represents how my radgroupreply table, on my MySQL database, was set up.

-------- Original message --------
Subject: Re: [Fwd: I need some help with freeradius 2.0.4]
Date: Wed, 11 Nov 2009 12:48:31 -0200
From: Wagner Pereira
To: FreeRadius users mailing list
References: <4afac98f.7070...@pop-sp.rnp.br> <4afaca9c.9050...@deployingradius.com>

Alan,

I've tried to authenticate a user (myself!) on a Cisco6500 router. Then, on this router, I configured the necessary lines to authenticate myself against another server, where freeradius is. I set this freeradius up to "talk" with my mysql database.

--
Wagner Pereira
PoP-SP/RNP - CCE/USP
http://www.pop-sp.rnp.br

Alan DeKok wrote:
> Wagner Pereira wrote:
> > I think this output is more complete and useful. Thank you one more time.
>
> You haven't said what is going wrong, or what you want it to do. The debug log shows an Access-Accept. What's wrong with that?
>
> Alan DeKok.
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
On 11/11/2009 12:12 PM, Wagner Pereira wrote:
> I think this picture can help YOU to help ME : )

Please do not send images to the list. Please use text instead.

--
John Dennis
Re: Any Brazilians on this list?
Yes, I am Brazilian and I use this list.

Regards.

On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira wrote:
> Good afternoon,
>
> Are there any Brazilians on this list who would like to exchange experiences about
> freeradius+mysql?

--
"Your business's gateway to the virtual world"
Thiago Cesar
IT Director
MSN: thiago_rodrig...@hotmail.com
Skype: thiago_ceor
---
http://www.kionux.com.br
Kionux Soluções em Internet LTDA.
Av. Garibalde, 1114 - Sala 15 - Vila A CEP 85861-550 - Foz do Iguaçu - PR
Phone: +55 (45) 3572-5000
Re: Any Brazilians on this list?
Me too.

2009/11/11 Thiago Cesar
> Yes, I am Brazilian and I use this list.
>
> Regards.
>
> On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira wrote:
> > Good afternoon,
> >
> > Are there any Brazilians on this list who would like to exchange experiences about
> > freeradius+mysql?

--
Regards,
Alisson F. Gonçalves
Information Systems - UFGD
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
11/11/2009 08:12 PM, Wagner Pereira:
> I think this picture

Uh??? Your computer doesn't let you copy/paste MySQL output as text???

--
Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement
+261 33 11 207 36
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Ok, John. It's understood.

--
Wagner Pereira
PoP-SP/RNP - CCE/USP
http://www.pop-sp.rnp.br

John Dennis wrote:
> On 11/11/2009 12:12 PM, Wagner Pereira wrote:
> > I think this picture can help YOU to help ME : )
>
> Please do not send images to the list. Please use text instead.
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Hi, Rakotomandimby.

What did you mean by "MySQL output as text"? How should I do that?

--
Wagner Pereira
PoP-SP/RNP - CCE/USP
http://www.pop-sp.rnp.br

Rakotomandimby Mihamina wrote:
> 11/11/2009 08:12 PM, Wagner Pereira:
> > I think this picture
>
> Uh??? Your computer doesn't let you copy/paste MySQL output as text???
Re: Any Brazilians on this list?
Congratulations

> Me too.
>
> 2009/11/11 Thiago Cesar
> > Yes, I am Brazilian and I use this list.
> >
> > Regards.
> >
> > On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira wrote:
> > > Good afternoon,
> > >
> > > Are there any Brazilians on this list who would like to exchange experiences about
> > > freeradius+mysql?
>
> --
> Regards,
> Alisson F. Gonçalves
> Information Systems - UFGD
Re: Any Brazilians on this list?
Hello, Thiago and Alisson. A pleasure to meet you.

I'm looking for colleagues who want to exchange experiences about implementing freeradius + mysql. Have any of you managed to authenticate using the scenario below?

    MySQL database
          ^
          |
    freeradius server - debian x86_64
          ^
          |
    NAS client - Cisco 6500
          ^
          |  SSH connection - port 22
          |
          O
         /|\   user
         / \

--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902

Alisson wrote:
> Me too.
>
> 2009/11/11 Thiago Cesar
> > Yes, I am Brazilian and I use this list.
> >
> > On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira wrote:
> > > Good afternoon,
> > >
> > > Are there any Brazilians on this list who would like to exchange experiences about
> > > freeradius+mysql?
Re: Any Brazilians on this list?
Wagner,

Not in the scenario you drew. I have freeradius authenticating against ldap, and freeradius+mysql being used by a NAS that is not Cisco.

Regards.

"Your business's gateway to the virtual world"
Thiago Cesar
IT Director
MSN: thiago_rodrig...@hotmail.com
Skype: thiago_ceor
---
http://www.kionux.com.br
Kionux Soluções em Internet LTDA.
Av. Garibalde, 1114 - Sala 15 - Vila A CEP 85861-550 - Foz do Iguaçu - PR
Phone: +55 (45) 3572-5000

On Wed, 11 Nov 2009 16:19:21 -0200, Wagner Pereira wrote:
> Hello, Thiago and Alisson. A pleasure to meet you.
>
> I'm looking for colleagues who want to exchange experiences about implementing
> freeradius + mysql. Have any of you managed to authenticate using the scenario below?
>
>     MySQL database
>           ^
>           |
>     freeradius server - debian x86_64
>           ^
>           |
>     NAS client - Cisco 6500
>           ^
>           |  SSH connection - port 22
>           |
>          user
>
> --
> Wagner Pereira
> PoP-SP/RNP - CCE/USP
> http://www.pop-sp.rnp.br
Re: I need some help with freeradius 2.0.4
> Please, could someone read this output from freeradius' debugging mode to
> help me? Thanks in advance.
>
> My scenario is:
> - Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
> - Freeradius 2.0.4
> - MySQL 5.0.51a
> - Calling Station: Windows XP Professional 32 bits SP3
> - Software client: SSH Secure Shell 3.2.9
> - NAS client: Cisco6500 Catalyst - IOS version 12.2(17r)S4
>
> Sending Access-Accept of id 121 to NAS-IP-Address port 21645
>         Framed-Compression := Van-Jacobson-TCP-IP
>         Framed-Protocol := PPP
>         Service-Type := Login-User
>         Framed-MTU := 1500

Freeradius is set up well. The reply attributes you configured are wrong for ssh. You don't need any of those Framed attributes. And Service-Type should most likely be NAS-Prompt-User. Read the Cisco document on the wiki:

http://wiki.freeradius.org/Cisco#Shell_Access

Ivan Kalik
Kalik Informatika ISP
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> What did you mean by "MySQL output as text"? How should I do that?
>

By the amazing technique of copy/paste.

Ivan Kalik
Kalik Informatika ISP
Re: Any Brazilians on this list?
Ok, Thiago. No problem.

I'm starting to think that the problem is in the IOS configuration, since radtest returns me an Access-Accept. Do you agree?

--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902

Thiago Cesar wrote:
> Wagner,
>
> Not in the scenario you drew. I have freeradius authenticating against ldap, and
> freeradius+mysql being used by a NAS that is not Cisco.
>
> Regards.
> Thiago Cesar
> IT Director
> http://www.kionux.com.br
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Funny! : ) But what output should I copy/paste here? From freeradius -X? I already did that in my first message sent to freeradius-users. If necessary, I can paste it again.

--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902

t...@kalik.net wrote:
> > What did you mean by "MySQL output as text"? How should I do that?
>
> By the amazing technique of copy/paste.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: FR2.1.3+LDAP+802.1x+PEAP
> my problem is that in LDAP I have the passwords saved as SSHA, so I can't
> do 802.1x with EAP/PEAP/mschap
>
> as I don't want to change my LDAP configuration to store the passwords in
> clear text, or to use the Samba schema and an NT hash. The only option
> remaining from my point of view was to try to distinguish between normal
> authentication and 802.1x authentication
>
> that's why I came up with this realm stuff, to be able to authenticate
> 802.1x users in the users file (where I have users/passwords in clear text)
> and normal users in LDAP (SSHA)

Ugh, how does that make sense? Why don't you want NT or clear passwords in LDAP? Security? But it's so much easier to read a plain-text (users) file than to break into LDAP.

> that's why I was asking if it's possible, and if it's functional, or maybe
> there is another solution than the one provided by Alan (to not use
> 802.1x) :D

There is only one solution if you want to use 802.1x: store passwords that PEAP can use.

Ivan Kalik
Kalik Informatika ISP
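The point Alan and Ivan make in this thread (PEAP/MSCHAPv2 needs a clear-text password or an NT hash, and an LDAP {SSHA} value gives the server neither) can be shown concretely. The block below is an added example, not code from the thread or from FreeRADIUS: it implements the LDAP {SSHA} scheme, which is enough for a PAP-style check, and the NT hash (MD4 over the UTF-16LE password) that MSCHAPv2 is computed over, then shows which stored formats can be turned into MSCHAPv2 key material. The passwords and salt are constructed test data, and the `{NT}` prefix used to mark a stored NT hash is a convention invented for this illustration (in the Samba schema the same 32 hex characters live in sambaNTPassword).

```python
"""Why an {SSHA} LDAP password cannot back PEAP/MSCHAPv2, in code. Added example.

PAP-style checks recompute a one-way hash from the clear text the client sent,
so {SSHA} works for them. MSCHAPv2 (what PEAP carries) is a challenge/response
over the NT hash: the server needs the NT hash itself, derivable from a clear
text password but not from SHA-1(password || salt). Test data is constructed.
"""
import base64
import hashlib
import os
import struct


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is missing on many OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: (((x & mask) << n) | ((x & mask) >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl(a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); MSCHAPv2 responses are computed from this."""
    return _md4(password.encode("utf-16-le"))


def ssha_encode(password: str, salt=None) -> str:
    """LDAP {SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """PAP-style check: recompute the salted SHA-1 from the clear text the client sent."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def nt_hash_for_mschap(stored: str):
    """Return the NT hash a RADIUS server could feed MSCHAPv2 from a stored credential, or None.

    "{NT}" + 32 hex chars is a tag made up for this example (Samba keeps the same value in
    sambaNTPassword). Unprefixed values are treated as clear text. One-way hashes such as
    {SSHA}, {SHA} and {CRYPT} yield nothing usable: the password cannot be recovered, and
    SHA-1(pw || salt) is unrelated to MD4(UTF-16LE(pw)).
    """
    if stored.startswith("{NT}"):
        return bytes.fromhex(stored[len("{NT}"):])
    if stored.startswith(("{SSHA}", "{SHA}", "{CRYPT}")):
        return None
    return nt_hash(stored)


def demo(password: str = "password"):
    """Compare what each stored form allows: PAP works with {SSHA}; MSCHAPv2 does not."""
    ssha = ssha_encode(password, salt=b"salt")  # constructed, fixed salt for reproducibility
    return {
        "pap_ok_with_ssha": ssha_verify(ssha, password),
        "pap_rejects_wrong": ssha_verify(ssha, password.capitalize()),
        "mschap_from_ssha": nt_hash_for_mschap(ssha),
        "mschap_from_cleartext": nt_hash_for_mschap(password).hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %s" % (key, value))
```

The practical reading is the same as Ivan's: an LDAP directory that only holds {SSHA} can serve PAP (and, with a TLS tunnel, EAP-TTLS/PAP), but a PEAP/MSCHAPv2 deployment has to store either the clear text or the NT hash alongside it.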
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> Funny! : ) But what output should I copy/paste here? From freeradius
> -X? I already did that in my first message sent to freeradius-users.
> If necessary, I can paste it again.
> --
>
> Wagner Pereira

For starters read this:

http://freeradius.org/list/users.html

particularly the bit "No HTML on the list." You should have copied/pasted the bit you posted as an image. Please don't post it again. We have seen what it is, and it is wrong. I have already told you how to fix the reply items in mysql.

Ivan Kalik
Kalik Informatika ISP
Re: I need some help with freeradius 2.0.4
Ivan, I did what you recommended (I guess). See below:

mysql> select * from radgroupreply;
+----+-----------+--------------------+----+-----------------------+------+
| id | groupname | attribute          | op | value                 | Prio |
+----+-----------+--------------------+----+-----------------------+------+
|  1 | pop-sp    | Framed-Compression | := | Van-Jacobson-TCP-IP   |      |
|  3 | pop-sp    | Service-Type       | := | NAS-Prompt            |      |
|  5 | reject    | reply-message      | := | Autenticação recusada | NULL |
+----+-----------+--------------------+----+-----------------------+------+
3 rows in set (0.00 sec)

But I can't authenticate yet.

--
Wagner Pereira

t...@kalik.net wrote:
>> Please, could someone read this output from freeradius' debugging mode to help me? Thanks in advance.
>>
>> My scenario is:
>> - Server: Debian GNU/Linux lenny x86_64 kernel 2.6.26-2-amd64
>> - Freeradius 2.0.4
>> - MySQL 5.0.51a
>> - Calling Station: Windows XP Professional 32 bits SP3
>> - Software client: SSH Secure Shell 3.2.9
>> - NAS client: Cisco6500 Catalyst - IOS version 12.2(17r)S4
>>
>> Sending Access-Accept of id 121 to NAS-IP-Address port 21645
>>         Framed-Compression := Van-Jacobson-TCP-IP
>>         Framed-Protocol := PPP
>>         Service-Type := Login-User
>>         Framed-MTU := 1500
>
> Freeradius is set up well. The reply attributes you configured are wrong for ssh. You don't need any of those Framed attributes. And Service-Type should most likely be NAS-Prompt-User. Read the Cisco document on the wiki: http://wiki.freeradius.org/Cisco#Shell_Access
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Any Brazilians on this list?
If FreeRADIUS returns the Accept via radtest, it must surely be a problem in your IOS config.

Regards.

On Wed, 11 Nov 2009 16:42:59 -0200, Wagner Pereira wrote:
> Ok, Thiago. No problem. I'm starting to think the problem is in the IOS configuration, since radtest returns me an Access-Accept. Do you agree?
>
> --
> Wagner Pereira
>
> Thiago Cesar wrote:
>> Wagner,
>>
>> Not in that scenario you drew; I have FreeRADIUS authenticating against LDAP, and FreeRADIUS with MySQL being authenticated by a non-Cisco NAS.
>>
>> Regards.
>>
>> "Your business's gateway to the virtual world"
>> Thiago Cesar
>> IT Director
>> MSN: thiago_rodrig...@hotmail.com
>> Skype: thiago_ceor
>> ---
>> http://www.kionux.com.br
>> Kionux Soluções em Internet LTDA.
>> Av. Garibalde, 1114 - Sala 15 - Vila A
>> CEP 85861-550 - Foz do Iguaçu - PR
>> Phone: +55 (45) 3572-5000
>>
>> On Wed, 11 Nov 2009 16:19:21 -0200, Wagner Pereira wrote:
>>> Hello, Thiago and Alisson. Pleased to meet you.
>>>
>>> I'm looking for colleagues who want to exchange experiences on implementing freeradius + mysql. Has either of you managed to authenticate with the scenario below?
>>>
>>>   MySQL database
>>>         ^
>>>         |
>>>   freeradius server - debian x86_64
>>>         ^
>>>         |
>>>   NAS client - Cisco 6500
>>>         ^
>>>         | SSH connection - port 22
>>>         O
>>>        /|\  user
>>>        / \
>>>
>>> --
>>> Wagner Pereira
>>>
>>> Alisson wrote:
>>>> Me too
>>>>
>>>> 2009/11/11 Thiago Cesar
>>>>> Yes, I'm Brazilian and I use this list.
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Wed, 11 Nov 2009 14:50:09 -0200, Wagner Pereira wrote:
>>>>>> Good afternoon,
>>>>>>
>>>>>> Is there any Brazilian on this list wanting to exchange experience on freeradius+mysql?
>>>>>>
>>>>>> --
>>>>>> Wagner Pereira
>>>>
>>>> --
>>>> Regards,
>>>> Alisson F. Gonçalves
>>>> Information Systems - UFGD
Re: I need some help with freeradius 2.0.4
Enough with that HTML. It produces an extraordinary amount of crap as you can see:

> I did what you recommended (I guess). See below:

No, you didn't. But getting closer.

> | 1 | pop-sp | Framed-Compression | := | Van-Jacobson-TCP-IP

Remove *all* Framed attributes.

> | 3 | pop-sp | Service-Type | := | NAS-Prompt | |

That should be NAS-Prompt-User.

Ivan Kalik
Kalik Informatika ISP
[Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Dear colleagues,

I am now introducing new information. Below is what is declared in my IOS - Cisco 6500. Is this correct?

aaa new-model
aaa group server radius admin
!
aaa authentication login default group radius local
aaa authentication enable default line enable
aaa authorization exec default none
aaa accounting exec default start-stop group radius
ip radius source-interface Loopback0
radius-server key 7 111D1C1603175A5E57

-------- Original Message --------
Subject: Re: [Fwd: I need some help with freeradius 2.0.4]
Date: Wed, 11 Nov 2009 12:48:31 -0200
From: Wagner Pereira
To: FreeRadius users mailing list
References: <4afac98f.7070...@pop-sp.rnp.br> <4afaca9c.9050...@deployingradius.com>

Alan, I've tried to authenticate a user (myself!) on a Cisco6500 router. Then, in this router, I configured the necessary lines to authenticate myself against another server, where freeradius is. I set this freeradius up to "talk" with my mysql database.

--
Wagner Pereira

Alan DeKok wrote:
> Wagner Pereira wrote:
>> I think this output is more complete and useful. Thank you one more time.
>
> You haven't said what is going wrong, or what you want it to do. The debug log shows an Access-Accept. What's wrong with that?
>
> Alan DeKok.
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Wagner Pereira wrote:
> Dear colleagues,
> I am now introducing new information. Below is what is declared in my IOS - Cisco 6500. Is this correct?

Why don't you just read the Cisco wiki page.

Ivan Kalik
Kalik Informatika ISP
Re: I need some help with freeradius 2.0.4
Ok, Ivan. I guess I removed that HTML crap now : )

Below is my new radgroupreply:

mysql> select * from radgroupreply;
+----+-----------+---------------+----+-----------------------+------+
| id | groupname | attribute     | op | value                 | Prio |
+----+-----------+---------------+----+-----------------------+------+
|  3 | pop-sp    | Service-Type  | := | NAS-Prompt-User       |      |
|  5 | reject    | reply-message | := | Autenticação recusada | NULL |
+----+-----------+---------------+----+-----------------------+------+
2 rows in set (0.00 sec)

Hugs,

--
Wagner Pereira

t...@kalik.net wrote:
> Enough with that HTML. It produces an extraordinary amount of crap as you can see:
>
>> I did what you recommended (I guess). See below:
>
> No, you didn't. But getting closer.
>
>> | 1 | pop-sp | Framed-Compression | := | Van-Jacobson-TCP-IP
>
> Remove *all* Framed attributes.
>
>> | 3 | pop-sp | Service-Type | := | NAS-Prompt | |
>
> That should be NAS-Prompt-User.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
Ivan, I already read the Cisco wiki page and I implemented what they recommend, but it's not working yet.

--
Wagner Pereira

Ivan Kalik wrote:
> Wagner Pereira wrote:
>> Dear colleagues,
>> I am now introducing new information. Below is what is declared in my IOS - Cisco 6500. Is this correct?
>
> Why don't you just read the Cisco wiki page.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> I already read the Cisco wiki page and I implemented what they
> recommend, but it's not working yet.

Does the debug now show NAS-Prompt-User in the Access-Accept packet? If it does, it's some problem on the router: debug ip ssh.

Ivan Kalik
Kalik Informatika ISP
SSL renegotiation ?
Hi,

I found a new man-in-the-middle attack with SSL.
http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

I am worried about whether freeRADIUS uses SSL renegotiation. The freeRADIUS version is 1.1.6. We use EAP-TLS and the backend OpenLDAP server with a TLS connection.

Does freeRADIUS use SSL renegotiation?

Thanks.
John
Re: FreeRadius with 3COM
Hi All, thanks. Now the 3COM is authenticating on freeradius. But I don't know how to set different priorities for users; my 3COM is a 4210 and has 3 levels of priority. Does anybody know how to send the level of priority from freeradius? Thanks.

If I got it right, you need access to the switch for management: console, telnet, web. Then do the following:

#
 local-user admin
  password simple YOUR_PASSWORD
  service-type ssh telnet terminal
  level 3
#
 user-interface aux 0 7
  authentication-mode password
  set authentication password simple YOUR_PASSWORD
 user-interface vty 0 4
  authentication-mode password
  user privilege level 3
  set authentication password simple YOUR_PASSWORD
#
Microsoft: SmartCard or Certificate Auth
Hi:

I'm trying to configure a FreeRadius server to perform certificate authentication from a Windows laptop. I have followed the steps at http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline

But when I try to do the connection, it never ends... and I get periodic messages at the FreeRadius server output in this way...

rad_recv: Access-Request packet from host 160.103.180.252:32769, id=0, length=176
        User-Name = "radiusserv"
        Calling-Station-Id = "00-1d-e0-7f-c7-bd"
        Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
        NAS-Port = 13
        NAS-IP-Address = 160.103.180.252
        NAS-Identifier = "wlc01"
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "82"
        EAP-Message = 0x0202000f0172616469757373657276
        Message-Authenticator = 0x978d232412c863306539d3ad92c9d6b8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 160.103.180.252 port 32769
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x
        State = 0xc321c12ede0c59624273d465195058be
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 160.103.180.252:32769, id=1, length=300
        User-Name = "radiusserv"
        Calling-Station-Id = "00-1d-e0-7f-c7-bd"
        Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
        NAS-Port = 13
        NAS-IP-Address = 160.103.180.252
        NAS-Identifier = "wlc01"
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "82"
        EAP-Message = 0x020300790d80006f160301006a016603014af93134b45308b2252422bb395d6ce641bfdc48695e46696178ab4d4b40744218002f00350005000ac009c00ac013c01400320038001300040125000f000d0a72616469757373657276000a00080006001700180019000b00020100
        State = 0xc321c12ede0c59624273d465195058be
        Message-Authenticator = 0x209186e1eb149efd3ce2e8796100a977
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0283], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
Re: SSL renegotiation ?
John wrote:
> I found a new man-in-the-middle attack with SSL.
> http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html

It's a nice attack on SSL.

> I am afraid if freeRADIUS use SSL renegotiation? The freeRADIUS version
> is 1.1.6. We use EAP-TLS and the backend OpenLDAP server with TLS
> connection.
>
> Does freeRADIUS use SSL renegotiation ?

Yes and no. Yes, it uses OpenSSL, with all of the functionality of OpenSSL. No, I don't see a way for SSL renegotiation to attack RADIUS.

The attack involves a MITM who (mostly) terminates the SSL connection from the client, and opens a connection to the server. All RADIUS relationships require a shared secret, so MITM attacks aren't possible at the RADIUS layer.

The only place this attack *might* occur is if the MITM spoofs an 802.1X enabled access point. But the attacker can't send RADIUS packets, because he doesn't know the shared secret. The attacker then has to do a MITM at the EAPoL layer, i.e. spoof an AP to the client, and then turn around and copy those packets to a *real* AP.

If this worries you, there is a new version of OpenSSL available that isn't subject to the attack.

Alan DeKok.
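Alan's point that a MITM without the shared secret cannot act at the RADIUS layer rests on two keyed checks in the protocol. The block below is an added example, not code from this list or from FreeRADIUS: it builds a small Access-Request/Access-Accept pair in Python and runs the Message-Authenticator check (RFC 2869 section 5.14, HMAC-MD5, mandatory in EAP exchanges) and the Response Authenticator check (RFC 2865 section 3, MD5 over the reply plus the secret) with the right secret, with a tampered packet, and with the wrong secret. The secret, the request authenticator and the attribute values are constructed sample data (the User-Name and NAS-IP-Address are copied from the debug output posted earlier in this archive only as realistic-looking values); the TLS handshake carried inside EAP-Message is a separate layer and is not modelled here.

```python
"""Added example (not FreeRADIUS code): the two shared-secret checks that
make RADIUS-layer MITM impossible for a party without the secret.
Packet contents and the secret below are constructed for illustration."""
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 5.14)


def encode_attrs(attrs):
    """TLV-encode a list of (type, value_bytes) RADIUS attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(code, ident, req_auth, attrs, secret):
    """Access-Request with a trailing Message-Authenticator: HMAC-MD5 keyed
    with the secret over the whole packet, computed with the field zeroed."""
    body = encode_attrs(list(attrs) + [(MSG_AUTH, b"\x00" * 16)])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed field is the last 16 bytes


def verify_message_authenticator(pkt, secret):
    """Walk the attributes, find type 80, zero it, recompute and compare."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False  # malformed attribute length
        if atype == MSG_AUTH and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present


def build_response(code, ident, req_auth, attrs, secret):
    """Access-Accept/Reject whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, req_auth, secret):
    """Recompute the Response Authenticator against the request we sent."""
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


# Constructed values: the secret and authenticator are made up; the User-Name
# and NAS-IP-Address mirror the debug output posted earlier in this archive.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))  # a real NAS uses 16 random bytes per request
SERVICE_TYPE, NAS_PROMPT_USER = 6, 7


def demo():
    attrs = [(1, b"radiusserv"), (4, bytes([160, 103, 180, 252]))]
    req = build_request(1, 7, REQ_AUTH, attrs, SECRET)
    genuine = verify_message_authenticator(req, SECRET)
    # a MITM without the secret rewrites the User-Name (same length) ...
    tampered = verify_message_authenticator(
        req.replace(b"radiusserv", b"attackerxx"), SECRET)
    # ... or the packet arrives at a server configured with another secret
    wrong_secret = verify_message_authenticator(req, b"not-the-secret")
    reply_attrs = [(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))]
    reply = build_response(2, 7, REQ_AUTH, reply_attrs, SECRET)
    reply_ok = verify_response(reply, REQ_AUTH, SECRET)
    forged = build_response(2, 7, REQ_AUTH, reply_attrs, b"guess")
    forged_ok = verify_response(forged, REQ_AUTH, SECRET)
    return genuine, tampered, wrong_secret, reply_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, True, False)
```

Both checks are keyed with the NAS/server secret, so a spoofed access point that does not hold it can neither forge an Access-Accept nor alter an Access-Request undetected; that is the RADIUS-layer half of Alan's argument. They say nothing about the TLS handshake inside the EAP-Message attributes, which is why the remaining case he describes is a MITM at the EAPoL layer between client and a real AP, and why the OpenSSL fix for the renegotiation bug is still the thing to apply.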
Re: FR2.1.3+LDAP+802.1x+PEAP
Hi Ivan,

I know about the restrictions, but do you know how weak that NT hash is? From what I know it's MD4 hashing; where is that used nowadays? Not even MD5 is used anymore... The MD4 algorithm was one of the earliest MD algorithms, made in '90, and MD5 came as an improvement and is to this day the most popular. MD5 should be the most secure of the MD bunch but even so it has been shown to be abnormally susceptible to collisions, and its use is now actively discouraged.

So I can't afford to make all my user password hashes weak... also I need to respect some security guidelines in my system. I could go to use only clear-text for 802.1x users, have an exception for this kind of users. That's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I might authenticate the users in the users file or LDAP, right? :D

Thank you again for your thoughts on this.

Best Regards,
Caius Pargar

--- On Wed, 11/11/09, t...@kalik.net wrote:
> From: t...@kalik.net
> Subject: Re: FR2.1.3+LDAP+802.1x+PEAP
> To: "FreeRadius users mailing list"
> Date: Wednesday, November 11, 2009, 8:53 PM
>
>> my problem was that in LDAP i have the passwords save as SSHA, so i cant
>> do 802.1x with EAP/PEAP/mschap
>>
>> as i dont wanna change my LDAP configuration to store the passwords in
>> clear-text, or to use samba.scheme and to use NT hash. The only option
>> remaining from my view point was to try and distinguish between normal
>> authentication and 802.1x authentication
>>
>> thats why i came up with this realm stuff, to be able to authenticate
>> 802.1x users in the users file (where i have user/passwords in clear-text)
>> and normal users in LDAP (SSHA)
>
> Ugh, how does that make sense? Why don't you want NT or clear passwords in
> LDAP? Security? But it's so much easier to read a plain text (users) file
> than to break into LDAP.
>
>> thats why i was asking if, its possible, and if it functional, or maybe
>> there is another solution then the one provided by Alan (to not use
>> 802.1x) :D
>
> There is only one solution if you want to use 802.1x: store passwords that
> PEAP can use.
>
> Ivan Kalik
> Kalik Informatika ISP
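Ivan's answer (store a password PEAP can use) and Caius's objection (the NT hash is unsalted MD4) both come down to what MS-CHAPv2, the method inside PEAP, needs from the server. The block below is an added example, not code from this list or from FreeRADIUS: it computes the NT hash (MD4 over the UTF-16LE password, RFC 2759 section 8.3), builds and checks an OpenLDAP {SSHA} value (SHA-1 over password plus salt, base64 with the salt appended), and carries the MS-CHAPv2 challenge-hash step (RFC 2759 section 8.2) far enough to show the dependency: from cleartext or an NT hash the server can proceed to the NT-Response, from SSHA it cannot, because SSHA can only be compared against a cleartext the client hands over (PAP, or PAP inside EAP-TTLS). The DES step of the NT-Response is left out because the standard library has no DES; MD4 is implemented here because OpenSSL 3 builds of hashlib often ship it only in the legacy provider. All passwords, salts and challenges are constructed sample data.

```python
"""Added example (not FreeRADIUS code): why PEAP/MS-CHAPv2 needs the NT hash
and why an OpenLDAP {SSHA} userPassword cannot supply it."""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many OpenSSL 3 builds."""
    msg = bytearray(data)
    bit_len = len(msg) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    k = lambda x, y, z: x ^ y ^ z
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + k(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT-Password: MD4(UTF-16LE(password)); no salt, no iteration (RFC 2759 8.3)."""
    return md4(password.encode("utf-16le"))


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Possible only when the client sends the cleartext (PAP / TTLS-PAP)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def mschapv2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 8.2: first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()[:8]


def nt_response_input(stored: dict, peer_challenge: bytes, auth_challenge: bytes, username: str):
    """Inputs the server must hold to check an NT-Response (RFC 2759 8.1): the
    8-byte challenge hash and the 16-byte NT hash.  Returns None when the stored
    form cannot yield an NT hash, which is exactly the SSHA case in this thread."""
    if "cleartext" in stored:
        nt = nt_hash(stored["cleartext"])
    elif "nt" in stored:
        nt = stored["nt"]
    else:
        return None  # {SSHA}: SHA-1 of password+salt, no way back to MD4(UTF-16LE)
    return mschapv2_challenge_hash(peer_challenge, auth_challenge, username), nt


def demo():
    pw = "password"  # constructed credential, deliberately weak sample
    ssha_a = ssha_hash(pw, b"\x01\x02\x03\x04")
    ssha_b = ssha_hash(pw, b"\x05\x06\x07\x08")  # same password, other salt
    peer, auth = bytes(16), bytes(range(16))  # constructed challenges
    return {
        "nt_hex": nt_hash(pw).hex(),
        "ssha_differs_per_salt": ssha_a != ssha_b,
        "ssha_pap_check": ssha_verify(ssha_a, pw),
        "mschapv2_from_cleartext": nt_response_input({"cleartext": pw}, peer, auth, "user") is not None,
        "mschapv2_from_nt": nt_response_input({"nt": nt_hash(pw)}, peer, auth, "user") is not None,
        "mschapv2_from_ssha": nt_response_input({"ssha": ssha_a}, peer, auth, "user") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Two users with the same password get the same NT hash, while their {SSHA} values differ with the salt; that absence of salt and iteration, rather than MD4's collision weakness, is what makes a stolen NT hash cheap to attack offline, and the hash is also a password equivalent for MS-CHAPv2. If the directory must keep SSHA for everything else, the route Ivan points at is to add an NT-hash attribute (the samba schema's NT password field) only for the accounts that need 802.1X, which gives the mschap module what it needs without touching userPassword.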