Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Fabiano Caixeta Duarte wrote:
> The problem is: users don't get authorized on the samba domain because the
> switch port is locked waiting for 802.1x auth.

Then configure 802.1X.

> What I got so far? I have a freeradius daemon using LDAP as user database.
> The LDAP entries are shared by samba and freeradius.

http://deployingradius.com/documents/configuration/active_directory.html

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on processing delayed proxy packets
Patric wrote:
> As you can see, the above query will set acct_input_octets = 5 on server B,
> so now server A has acct_input_octets = 7 and server B has
> acct_input_octets = 5.

Yup. Most people solve this problem by doing post-processing of the tables.

> If a db entry exists, and the acct_input_octets in the db entry is more than
> the current packet we are processing, then the packet data is older than the
> db data in the record, so we want to ignore the packet and keep the db data.
> (Obviously we will need to apply the check to acct_output_octets and the
> gigaword fields as well...)

I would suggest instead using the time the packet was sent by the NAS. If a
table entry has a time GREATER than the current packet, then the current
packet can be safely discarded.

> So the very first problem we see is that checking the record before
> processing the new update is going to slow down the entire process.

It shouldn't slow it down too much. It's the price you pay for strong
consistency. And ideally, it should be done inside of a transaction, so that
*multiple* packets received at the same time for the same user don't cause
problems. But that race condition should be pretty rare.

Alan DeKok.
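The check Alan describes, as an added worked example (not code from the thread or from FreeRADIUS): a Python/sqlite3 sketch of an accounting update that keeps the incoming packet only if the NAS sent it later than the packet already recorded, computing the send time from Acct-Delay-Time, folding the Gigawords counters into the comparison, and doing the read-and-write inside one transaction. The radacct layout is a reduced, constructed one and the packet sequence is constructed.

```python
import sqlite3

# Constructed schema: the subset of a radacct-style table this example needs.
# acctupdatetime stores the time the NAS *sent* the packet (epoch seconds),
# not the time this server received it.
SCHEMA = """
CREATE TABLE radacct (
    acctsessionid    TEXT PRIMARY KEY,
    username         TEXT NOT NULL,
    acctinputoctets  INTEGER NOT NULL,
    acctoutputoctets INTEGER NOT NULL,
    acctupdatetime   REAL NOT NULL
)
"""

def open_db():
    # isolation_level=None puts sqlite3 in autocommit mode so that we issue
    # BEGIN/COMMIT ourselves and can take the write lock before the SELECT.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(SCHEMA)
    return conn

def nas_send_time(received_at, acct_delay_time):
    """RFC 2866: Acct-Delay-Time is how long the NAS has been trying to send
    this packet, so the original send time is receive time minus the delay."""
    return received_at - acct_delay_time

def total_octets(pkt, direction):
    """Fold the Gigawords attribute into one 64-bit counter, so the same
    comparison covers the plain octet counters and the gigaword fields."""
    octets = pkt.get(f"Acct-{direction}-Octets", 0)
    gigawords = pkt.get(f"Acct-{direction}-Gigawords", 0)
    return (gigawords << 32) + octets

def apply_interim_update(conn, pkt, received_at):
    """Apply an accounting packet only if the NAS sent it later than the
    packet already recorded for this session.
    Returns 'inserted', 'updated' or 'discarded'."""
    sid = pkt["Acct-Session-Id"]
    sent_at = nas_send_time(received_at, pkt.get("Acct-Delay-Time", 0))
    in_octets = total_octets(pkt, "Input")
    out_octets = total_octets(pkt, "Output")
    # BEGIN IMMEDIATE takes the write lock now, so a second packet for the
    # same session cannot read the row between our SELECT and our UPDATE.
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT acctupdatetime FROM radacct WHERE acctsessionid = ?", (sid,)
        ).fetchone()
        if row is None:
            conn.execute(
                "INSERT INTO radacct VALUES (?, ?, ?, ?, ?)",
                (sid, pkt["User-Name"], in_octets, out_octets, sent_at),
            )
            outcome = "inserted"
        elif row[0] > sent_at:
            # The table already holds data the NAS sent later than this
            # packet: this one was delayed in transit, so keep the DB data.
            outcome = "discarded"
        else:
            conn.execute(
                "UPDATE radacct SET acctinputoctets = ?, acctoutputoctets = ?, "
                "acctupdatetime = ? WHERE acctsessionid = ?",
                (in_octets, out_octets, sent_at, sid),
            )
            outcome = "updated"
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return outcome

def session_octets(conn, sid):
    row = conn.execute(
        "SELECT acctinputoctets, acctoutputoctets FROM radacct "
        "WHERE acctsessionid = ?", (sid,)
    ).fetchone()
    return (row[0], row[1]) if row else None

def demo():
    """Constructed sequence: a fresh update arrives, then a delayed
    retransmission of an older one, then a newer one."""
    conn = open_db()
    base = {"User-Name": "testuser", "Acct-Session-Id": "01D0"}
    packets = [
        # (packet, time this server received it)
        (dict(base, **{"Acct-Input-Octets": 7, "Acct-Output-Octets": 3}), 100.0),
        # Sent at t=90 but retried for 30 s; it only reaches us at t=120.
        (dict(base, **{"Acct-Input-Octets": 5, "Acct-Output-Octets": 2,
                       "Acct-Delay-Time": 30}), 120.0),
        # Counter wrapped once: 1 gigaword + 1 octet.
        (dict(base, **{"Acct-Input-Octets": 1, "Acct-Input-Gigawords": 1,
                       "Acct-Output-Octets": 9}), 130.0),
    ]
    outcomes = [apply_interim_update(conn, pkt, t) for pkt, t in packets]
    return outcomes, session_octets(conn, "01D0")

if __name__ == "__main__":
    print(demo())
```

The second packet is discarded even though it arrives last, because its NAS send time (120 - 30 = 90) is older than the recorded 100; comparing octet counters alone would give the same answer here but fails once a session's counters are reset, which is why the timestamp is the safer key.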
Re: Testing radius server
Alex Bahoor alexbah...@sbcglobal.net writes:
> Arrogant.

http://catb.org/~esr/faqs/smart-questions.html#keepcool

You probably should read the rest of this document as well, but it seems
that this particular section was written specifically for you.

Bjørn
sqlippool
Hello All,

I have problems with the ip pool. I use sqlippool in my configuration
(postgresqlippool.conf is included in radiusd.conf and sqlippool is added to
my default configuration file in the sites-enabled directory). But I receive
errors that the server cannot define an ip for the client, or
"[sqlippool] No Pool-Name defined". :(

Here is my radiusd -X:

..
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.1 port 1645, id=118, length=163
        Cisco-AVPair = client-mac-address=0030.05e3.e538
        Framed-Protocol = PPP
        User-Name = testuser
        CHAP-Password = 0x0161a6e63fa662b05f9e996a2bbd95fff7
        NAS-Port-Type = Ethernet
        NAS-Port = 464
        NAS-Port-Id = 0/0/0/500
        Service-Type = Framed-User
        NAS-IP-Address = 10.10.1.1
        Acct-Session-Id = 01D0
        NAS-Identifier = my-cisco-bras
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
[sql]   expand: %{User-Name} -> testuser
[sql] sql_set_user escaped user --> 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT * FROM check_user_with_mac('%{SQL-User-Name}', '%{Cisco-AVPair[0]}', '%{NAS-Port-Id}') AS foo(id int, UserName character varying, Attribute character varying, Value character varying, Op character varying) -> SELECT * FROM check_user_with_mac('testuser', 'client-mac-address=0030.05e3.e538', '0/0/0/500') AS foo(id int, UserName character varying, Attribute character varying, Value character varying, Op character varying)
rlm_sql_postgresql: query: SELECT * FROM check_user_with_mac('testuser', 'client-mac-address=0030.05e3.e538', '0/0/0/500') AS foo(id int, UserName character varying, Attribute character varying, Value character varying, Op character varying)
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
[sql] User found in radcheck table
[sql]   expand: select * from get_user_attributes('%{SQL-User-Name}') order by id -> select * from get_user_attributes('testuser') order by id
rlm_sql_postgresql: query: select * from get_user_attributes('testuser') order by id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 4 , fields = 5
[sql]   expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='testuser'
rlm_sql_postgresql: query: SELECT GroupName FROM usergroup WHERE UserName='testuser'
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql]   expand: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] User found in group ActiveUsers
[sql]   expand: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
Found Auth-Type = CHAP
!!! Replacing User-Password in config items with Cleartext-Password. !!!
(no subject)
Hello again =)

How can I fix the following warnings? Thanks to all! =)

1. WARNING: Found User-Password ==
   WARNING: Are you sure you don't mean Cleartext-Password?
   WARNING: See man rlm_pap for more information.

2. !!! Replacing User-Password in config items with Cleartext-Password. !!!
   !!! Please update your configuration so that the known good !!!
   !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

3. [sql] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Re: (no subject)
On Fri, 2009-12-11 at 14:57 +0400, Nadir Aliyev wrote:
> Hello again =)
> How can I fix the following warnings? Thanks to all! =)
>
> 1. WARNING: Found User-Password ==
>    WARNING: Are you sure you don't mean Cleartext-Password?
>    WARNING: See man rlm_pap for more information.
>
> 2. !!! Replacing User-Password in config items with Cleartext-Password. !!!
>    !!! Please update your configuration so that the known good !!!
>    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!

Hi

I only know the answer for the first two. You are using User-Password in your
configs (or database) and you should be using Cleartext-Password instead. Do
grep -H in the config directory and find out where the User-Password is used.

Regards
Paul
Re: (no subject)
Hi,

> Hello again =)
> How can I fix the following warnings?

follow the advice in the error message?

> Are you sure you don't mean Cleartext-Password?
> See man rlm_pap for more information.

ie change User-Password to Cleartext-Password and change the operator from
== to be :=

you've got another issue you need to look at too...

> [sql] WARNING: Deprecated conditional expansion :-. See man unlang for details

check your SQL tables, somewhere, possibly group or groupreply? you've got an
old version of syntax. :- compare is deprecated in many places... man unlang
(ie read the unlang documentation) to see how these comparisons should be
written.

it'd be interesting to note if this is a default install and you haven't
played with anything, because in that case there's still a default SQL config
in the SQL section that needs fixing before the 2.1.8 release

alan
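To make the two answers above concrete, an added example (not from the thread or from FreeRADIUS): a Python/sqlite3 script that finds radcheck rows storing the known-good password as User-Password (or as Cleartext-Password with an operator other than :=), rewrites them the way Alan describes, and applies the equivalent of Paul's grep -H to a users-file excerpt. The table layout, sample rows and the users-file text are constructed; the deprecated :- expansion is not covered.

```python
import re
import sqlite3

# Constructed, reduced radcheck layout (id, username, attribute, op, value).
RADCHECK_SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
)
"""

# Constructed rows: two written the deprecated way, one already correct.
SAMPLE_ROWS = [
    ("testuser", "User-Password", "==", "secret"),
    ("bob", "User-Password", "==", "hunter2"),
    ("alice", "Cleartext-Password", ":=", "pa55w0rd"),
]

# The condition the rlm_pap warning is about: the known-good password must be
# *set* as Cleartext-Password (:=), not *compared* as User-Password (==).
DEPRECATED_WHERE = (
    "attribute = 'User-Password' "
    "OR (attribute = 'Cleartext-Password' AND op <> ':=')"
)

def find_deprecated_password_rows(conn):
    """Return (id, username, attribute, op) for every row that would trigger
    the warning."""
    return conn.execute(
        f"SELECT id, username, attribute, op FROM radcheck WHERE {DEPRECATED_WHERE} "
        "ORDER BY id"
    ).fetchall()

def fix_deprecated_password_rows(conn):
    """Rewrite those rows in place as Cleartext-Password := value.
    Returns the number of rows changed."""
    with conn:  # one transaction, committed on success
        cur = conn.execute(
            "UPDATE radcheck SET attribute = 'Cleartext-Password', op = ':=' "
            f"WHERE {DEPRECATED_WHERE}"
        )
    return cur.rowcount

# Flat-file counterpart of `grep -H`: report (file, line number, line) for
# every line that compares a password with == instead of setting it with :=.
PASSWORD_COMPARE_RE = re.compile(r"\b(User-Password|Cleartext-Password)\s*==")

def scan_config_text(name, text):
    return [(name, n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if PASSWORD_COMPARE_RE.search(line)]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(RADCHECK_SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    before = find_deprecated_password_rows(conn)
    changed = fix_deprecated_password_rows(conn)
    after = find_deprecated_password_rows(conn)
    # Constructed users-file excerpt with one old-style and one correct entry.
    users_file = ('bob User-Password == "hunter2"\n'
                  'alice Cleartext-Password := "pa55w0rd"\n')
    hits = scan_config_text("users", users_file)
    return len(before), changed, len(after), hits

if __name__ == "__main__":
    print(demo())
```

The reason the operator matters: `User-Password == "x"` only compares against a User-Password attribute in the request, which exists for PAP alone, while `Cleartext-Password := "x"` gives the server the known-good password so CHAP, MS-CHAP and the EAP methods that need it can all be checked from the same row.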
guest vlan and ip address in sql
Hi,

I'm using freeradius 2.0.4 with 3com 4500 switches. On the switches a guest
VLAN is set for dot1x. If a user is assigned to the guest VLAN and receives a
guest IP address (eg. 192.168.253.10), then after authorization freeradius
inputs this guest IP into the SQL database (instead of the valid IP for his
VLAN, eg. 192.168.90.5). Of course, the user receives the valid IP after
authorization. Is there any idea how I can input the valid IP address into
the database?

--
regards
Maciej Łukasz Wojszkun
tel. +48698611234
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Maybe I didn't make myself clear. I don't have AD and don't wanna. I did set
clients to use 802.1x.

Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would
depend on what you'd answer about my first question.

I know I'm lacking knowledge. That's why I'm looking for your guidance.

I thank you again.

2009/12/11 Alan DeKok al...@deployingradius.com:
> Fabiano Caixeta Duarte wrote:
>> The problem is: users don't get authorized on the samba domain because
>> the switch port is locked waiting for 802.1x auth.
>
> Then configure 802.1X.
>
>> What I got so far? I have a freeradius daemon using LDAP as user
>> database. The LDAP entries are shared by samba and freeradius.
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Alan DeKok.

--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did
> set clients to use 802.1x
>
> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
> would depend on what you'd answer about my first question.

Set XP clients to use 802.1x PEAP and don't forget to add your NAS client
(switch) to the clients.conf file in radius. You should provide some more
info about your current configuration (freeradius version, files modified by
you, etc) and at least some debug (radiusd -X) from a client authentication
request for people to understand where you have got so far.

> I know I'm lacking knowledge. That's why I'm looking for your guidance.

Bear in mind that you must try to ask the right questions to be guided onto
the correct path ;)

> I thank you again.
>
> 2009/12/11 Alan DeKok al...@deployingradius.com:
>> Fabiano Caixeta Duarte wrote:
>>> The problem is: users don't get authorized on the samba domain because
>>> the switch port is locked waiting for 802.1x auth.
>>
>> Then configure 802.1X.
>>
>>> What I got so far? I have a freeradius daemon using LDAP as user
>>> database. The LDAP entries are shared by samba and freeradius.
>>
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> Alan DeKok.
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Fabiano Caixeta Duarte wrote:
> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did
> set clients to use 802.1x.
>
> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
> would depend on what you'd answer about my first question.

No. The question "how do I set clients" is meaningless.

> I know I'm lacking knowledge. That's why I'm looking for your guidance.

If you are storing passwords in LDAP, then *you* know where the passwords
are stored. Configure FreeRADIUS to use LDAP authentication. Configure it to
do 802.1X. There is documentation and configuration examples for both.

Alan DeKok.
Re: guest vlan and ip address in sql
Maciej Łukasz Wojszkun wrote:
> Hi,
>
> I'm using freeradius 2.0.4 with 3com 4500 switches. On the switches a
> guest VLAN is set for dot1x. If a user is assigned to the guest VLAN and
> receives a guest IP address

From a DHCP server. Not from the RADIUS server.

> (eg. 192.168.253.10), then after authorization freeradius inputs this
> guest IP into the SQL database (instead of the valid IP for his VLAN, eg.
> 192.168.90.5). Of course, the user receives the valid IP after
> authorization. Is there any idea how I can input the valid IP address into
> the database?

Use a DHCP server that talks to SQL. Allocating IPs from RADIUS will do
*nothing*.

Alan DeKok.
Freeradius 2.1.7 with IPPool + MySQL + Solaris 10 on sparc v490
Hello, I need your help. I can't compile freeradius 2.1.7 on a Solaris Sun
V490; I get the following messages when I try to compile the source of
freeradius 2.1.7.

I have the following configure options:

bash-3.00# crle

Configuration file [version 4]: /var/ld/ld.config
  Default Library Path (ELF):   /lib:/usr/lib:/usr/local/lib:/opt/mysql/mysql/lib:/usr/local/ssl/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/share/lib:/etc/lib:/etc/security/lib:/usr/ccs/lib:/usr/xpg4/lib:/usr/dt/lib:/usr/ucblib
  Trusted Directories (ELF):    /lib/secure:/usr/lib/secure  (system default)

Command line:
  crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/local/lib:/opt/mysql/mysql/lib:/usr/local/ssl/lib:/usr/local/BerkeleyDB.4.2/lib:/usr/share/lib:/etc/lib:/etc/security/lib:/usr/ccs/lib:/usr/xpg4/lib:/usr/dt/lib:/usr/ucblib

export CFLAGS=-m64
./configure --prefix=/usr/local/radius --with-logdir=/var/log/radius --with-experimental-modules

And I get the following error when I try to compile freeradius 2.1.7:

/data/instaladores/src/freeradius-server-2.1.7/libtool --mode=link gcc -release 2.1.7 \
    -export-dynamic -o libfreeradius-radius.la -rpath /usr/local/radius/lib dict.lo filters.lo hash.lo hmac.lo hmacsha1.lo isaac.lo log.lo misc.lo missing.lo md4.lo md5.lo print.lo radius.lo rbtree.lo sha1.lo snprintf.lo strlcat.lo strlcpy.lo token.lo udpfromto.lo valuepair.lo fifo.lo packet.lo event.lo getaddrinfo.lo vqp.lo heap.lo dhcp.lo
gcc -shared -Wl,-h -Wl,libfreeradius-radius-2.1.7.so -o .libs/libfreeradius-radius-2.1.7.so .libs/dict.o .libs/filters.o .libs/hash.o .libs/hmac.o .libs/hmacsha1.o .libs/isaac.o .libs/log.o .libs/misc.o .libs/missing.o .libs/md4.o .libs/md5.o .libs/print.o .libs/radius.o .libs/rbtree.o .libs/sha1.o .libs/snprintf.o .libs/strlcat.o .libs/strlcpy.o .libs/token.o .libs/udpfromto.o .libs/valuepair.o .libs/fifo.o .libs/packet.o .libs/event.o .libs/getaddrinfo.o .libs/vqp.o .libs/heap.o .libs/dhcp.o -lc
ld: fatal: file .libs/dict.o: wrong ELF class: ELFCLASS64
ld: fatal: File processing errors. No output written to .libs/libfreeradius-radius-2.1.7.so
collect2: ld returned 1 exit status
make[4]: *** [libfreeradius-radius.la] Error 1
make[4]: Leaving directory `/data/instaladores/src/freeradius-server-2.1.7/src/lib'
make[3]: *** [common] Error 2
make[3]: Leaving directory `/data/instaladores/src/freeradius-server-2.1.7/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/data/instaladores/src/freeradius-server-2.1.7/src'
make[1]: *** [common] Error 2
make[1]: Leaving directory `/data/instaladores/src/freeradius-server-2.1.7'
make: *** [all] Error 2

thanks in advance
RE: Testing radius server
Alex Bahoor alexbah...@sbcglobal.net writes:
>> Arrogant.
>
> http://catb.org/~esr/faqs/smart-questions.html#keepcool
>
> You probably should read the rest of this document as well, but it seems
> that this particular section was written specifically for you.
>
> Bjørn

[JK] Bjorn, thanks for the posting. Excellent write-up. It should be
mandatory reading before joining this community.
Re: guest vlan and ip address in sql
On 2009-12-11 13:35, Alan DeKok wrote:
> Maciej Łukasz Wojszkun wrote:
>> Hi,
>>
>> I'm using freeradius 2.0.4 with 3com 4500 switches. On the switches a
>> guest VLAN is set for dot1x. If a user is assigned to the guest VLAN and
>> receives a guest IP address
>
> From a DHCP server. Not from the RADIUS server.

Yes. I see. Thanks Alan.

So - another question - I want to insert into the database the name from the
inner session, even if the outer-session name is set. How can I do it?

--
regards
Maciej Łukasz Wojszkun
tel. +48698611234
Re: HOWTO WLAN Access Point authenticate user via kerberos
Hi Phil,

Thank you for your prompt reply. I googled the subject and found the
following message:

http://lists.cistron.nl/pipermail/freeradius-devel/2006-January/009250.html

Can anyone tell me what the module rlm_krb5 does? Does the module proxy the
kerberos authentication to the KDC on behalf of the WLAN users, and grant
access to the wired network upon successful authentication?

WLAN client ---EAP--- Access Point ---kerberos--- KDC

Thanks a lot.

John Mok

Phil Mayers wrote:
> John Mok wrote:
>> Hi,
>>
>> I am new to FreeRADIUS. I would like to set up FreeRADIUS such that the
>> access point authenticates WLAN users via Kerberos (or GSSAPI / Kerberos)
>> and grants access to the wired network upon successful authentication.
>>
>> Is FreeRADIUS the right tool to use? If so, I hope someone could point to
>> the documentation on how to set it up. Is there any requirement on the
>> access point, e.g. is support for 802.1X sufficient?
>
> Since there is no (deployed) EAP-GSS or EAP-Kerberos, this basically means
> taking the user's plaintext password and doing a kinit with it. This means
> you will need to do EAP-TTLS/PAP, which requires installing software on
> Windows clients, because Windows doesn't support TTLS.
>
> The common choice for Windows clients is EAP-PEAP/MSCHAPv2, with the MSCHAP
> checked against Active Directory using Samba in domain-member mode and the
> ntlm_auth helper.
>
> But yes - once you've got EAP-TTLS/PAP working, you can check the PAP
> request against Kerberos. For more info, see here:
>
> http://deployingradius.com/documents/protocols/compatibility.html
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
2009/12/11 nf-vale nf-v...@critical-links.com:
> On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
>> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did
>> set clients to use 802.1x
>>
>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
>> would depend on what you'd answer about my first question.
>
> Set XP clients to use 802.1x PEAP and don't forget to add your NAS client
> (switch) to the clients.conf file in radius. You should provide some more
> info about your current configuration (freeradius version, files modified
> by you, etc) and at least some debug (radiusd -X) from a client
> authentication request for people to understand where you have got so far.

Ok. Let's follow that path. The confs I touched:

eap.conf:

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = whatever
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = DEFAULT
                make_cert_command = ${certdir}/bootstrap
                cache {
                        enable = no
                        max_entries = 255
                }
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = inner-tunnel
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = inner-tunnel
        }
        mschapv2 {
        }
}

modules/ldap:

ldap {
        server = sti-teste.domain.br
        identity = cn=system,dc=domain,dc=br
        password = secret
        basedn = ou=Users,dc=domain,dc=br
        base_filter = (objectclass=radiusprofile)
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        access_attr = radiusFilterId
        dictionary_mapping = ${confdir}/ldap.attrmap
        authtype = ldap
        edir_account_policy_check = no
}

sites-enabled/inner-tunnel:

server inner-tunnel {
        authorize {
                chap
                mschap
                unix
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                ldap
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                unix
                Auth-Type LDAP {
                        ldap
                }
                eap
        }
        session {
                radutmp
        }
        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
}

clients.conf:

client angelina {
        ipaddr = 192.168.205.6
        secret = testing123
}
client tplink {
        ipaddr = 192.168.205.29
        secret = testing123
}

# radtest teste secret angelina 1812 testing123
Sending Access-Request of id 48 to 192.168.205.6 port 1812
        User-Name = teste
        User-Password = secret
        NAS-IP-Address = 192.168.205.6
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64
        Filter-Id = Enterasys:version=1:policy=Enterprise User

--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
2009/12/11 Alan DeKok al...@deployingradius.com:
> Fabiano Caixeta Duarte wrote:
>> Maybe I didn't make myself clear. I don't have AD and don't wanna. I did
>> set clients to use 802.1x.
>>
>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
>> would depend on what you'd answer about my first question.
>
> No. The question "how do I set clients" is meaningless.
>
>> I know I'm lacking knowledge. That's why I'm looking for your guidance.
>
> If you are storing passwords in LDAP, then *you* know where the passwords
> are stored. Configure FreeRADIUS to use LDAP authentication. Configure it
> to do 802.1X. There is documentation and configuration examples for both.

Mr. Alan,

Somehow we started off on the wrong foot. Sorry if I did something wrong. In
my first post I told you that freeradius is set up (with some mistakes thanks
to my lack of knowledge) and working (tested with radtest).

I'll try to improve my writing to make myself clear.

Thank you all for your attention.

PS: My last post shows what I've done so far.

--
Fabiano Caixeta Duarte
Computer Networks Specialist
Linux User #195299
Ribeirão Preto - SP
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
On Friday 11 December 2009 18:32:02 Fabiano Caixeta Duarte wrote:
> 2009/12/11 nf-vale nf-v...@critical-links.com:
>> On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
>>> Maybe I didn't make myself clear. I don't have AD and don't wanna. I
>>> did set clients to use 802.1x
>>>
>>> Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it
>>> would depend on what you'd answer about my first question.
>>
>> Set XP clients to use 802.1x PEAP and don't forget to add your NAS
>> client (switch) to the clients.conf file in radius. You should provide
>> some more info about your current configuration (freeradius version,
>> files modified by you, etc) and at least some debug (radiusd -X) from a
>> client authentication request for people to understand where you have
>> got so far.
>
> Ok. Let's follow that path. The confs I touched:
>
> [eap.conf, modules/ldap, sites-enabled/inner-tunnel, clients.conf and the
> radtest output, quoted unchanged from the previous message]

Ok, but what about a debug from a request made by an XP client using PEAP
connected to your switch?
Re: sqlippool
> I have problems with the ip pool. I use sqlippool in my configuration
> (postgresqlippool.conf is included in radiusd.conf and sqlippool is added
> to my default configuration file in the sites-enabled directory). But I
> receive errors that the server cannot define an ip for the client, or
> "[sqlippool] No Pool-Name defined". :(

You haven't assigned a pool to the user. Pool-Name is a check item (put it
in the radcheck or radgroupcheck table).

Ivan Kalik
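As an added illustration of Ivan's point (not FreeRADIUS's own sqlippool queries, which are more elaborate): a Python/sqlite3 model of how a Pool-Name check item is resolved from radcheck first and then from radgroupcheck via the user's groups, and how an address is then taken from the pool with a lease expiry, under a write lock so two simultaneous requests cannot be handed the same address. Tables, usernames, MAC strings and the pool contents are constructed.

```python
import sqlite3

# Constructed, reduced versions of the tables involved.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radippool (pool_name TEXT, framedipaddress TEXT PRIMARY KEY,
                        expiry_time REAL NOT NULL DEFAULT 0, username TEXT, callingstationid TEXT);
"""

def open_db():
    # Autocommit mode: we issue BEGIN/COMMIT ourselves in allocate_ip().
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def resolve_pool_name(conn, username):
    """Pool-Name is a check item: a user-level radcheck row wins, otherwise
    the first matching radgroupcheck row of the user's groups (lowest
    priority value first). None means 'No Pool-Name defined'."""
    row = conn.execute(
        "SELECT value FROM radcheck WHERE username = ? AND attribute = 'Pool-Name'",
        (username,)).fetchone()
    if row:
        return row[0]
    row = conn.execute(
        "SELECT rgc.value FROM radgroupcheck rgc "
        "JOIN usergroup ug ON ug.groupname = rgc.groupname "
        "WHERE ug.username = ? AND rgc.attribute = 'Pool-Name' "
        "ORDER BY ug.priority, rgc.id LIMIT 1", (username,)).fetchone()
    return row[0] if row else None

def allocate_ip(conn, username, calling_station, now, lease_seconds=3600):
    """Hand out a free or expired address from the user's pool.
    Returns (ip, None) on success or (None, reason) on failure."""
    pool = resolve_pool_name(conn, username)
    if pool is None:
        return None, "No Pool-Name defined"
    conn.execute("BEGIN IMMEDIATE")  # write lock: no two requests share a row
    try:
        row = conn.execute(
            "SELECT framedipaddress FROM radippool "
            "WHERE pool_name = ? AND expiry_time < ? "
            "ORDER BY expiry_time, framedipaddress LIMIT 1", (pool, now)).fetchone()
        if row is None:
            conn.execute("COMMIT")
            return None, f"pool {pool} exhausted"
        conn.execute(
            "UPDATE radippool SET username = ?, callingstationid = ?, expiry_time = ? "
            "WHERE framedipaddress = ?",
            (username, calling_station, now + lease_seconds, row[0]))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return row[0], None

def demo():
    conn = open_db()
    conn.executemany("INSERT INTO radippool (pool_name, framedipaddress) VALUES (?, ?)",
                     [("lan", "10.10.2.1"), ("lan", "10.10.2.2")])
    conn.executemany("INSERT INTO usergroup VALUES (?, 'ActiveUsers', 1)",
                     [("testuser",), ("bob",), ("carol",)])
    results = []
    # 1. No Pool-Name anywhere yet: the failure from the original post.
    results.append(allocate_ip(conn, "testuser", "0030.05e3.e538", now=1000))
    # 2. Add Pool-Name as a group check item and retry; two users get the
    #    two addresses, the third finds the pool exhausted.
    conn.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
                 "VALUES ('ActiveUsers', 'Pool-Name', ':=', 'lan')")
    results.append(allocate_ip(conn, "testuser", "0030.05e3.e538", now=1000))
    results.append(allocate_ip(conn, "bob", "0030.05e3.0001", now=1001))
    results.append(allocate_ip(conn, "carol", "0030.05e3.0002", now=1002))
    # 3. Once testuser's lease has expired its address is handed out again.
    results.append(allocate_ip(conn, "carol", "0030.05e3.0002", now=1000 + 3600 + 1))
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```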
Re: Request for directions: WinXP + Samba + LDAP + 802.1x
Fabiano Caixeta Duarte wrote:
> In my first post I told you that freeradius is set up (with some mistakes
> thanks to my lack of knowledge) and working (tested with radtest).

I understand. However, saying "I did LDAP" is insufficient to know precisely
what you did. That's why the FAQ, README, INSTALL, man page, etc. say to
post the debug output.

> I'll try to improve my writing to make myself clear.
>
> Thank you all for your attention.
>
> PS: My last post shows what I've done so far.

That satisfies what you did. We need to know what is happening, and why it
is wrong.

As for configuring ldap + peap... it's easy. If you have LDAP working, read
the guides for configuring PEAP. Then... it should all work.

Alan DeKok.
RE: Testing radius server
> Document problems: Here is an example excerpt from a page on the web:
>
> CLIENTS
> Make sure the clients (portmasters, Linux with portslave etc) are set up to use the host FreeRADIUS is running on as authentication and accounting host. Configure these clients to use a radius secret password. For every client, also enter this secret password into the file /etc/raddb/clients.conf
>
> Allow me to tell you where my confusion is:
>
> 1- The clients become confusing when I see portmasters, etc. Is this meant to be the users who want to get access through a NAS or AP?

Right, you are confusing clients of the radius server with clients of the server that uses radius for authentication. A radius client is a device that uses the radius server for authentication. That device is usually a network access server (NAS), which in turn has its clients trying to use the network. These clients are, in radius speak, called users.

> 2- The host here is meant to be the server? Why is it called host?

It's a device on which freeradius is running, i.e. it's hosting this program.

> 3- The radius secret password is defined again as secret password and shared secret; all these mean PSK (preshared key). Why is it not called so, instead of adding many different words for the same definition? See, I'm an engineer; definitions are critical to my understanding, and subtle differences can throw me off. Maybe I'm too meticulous.
>
> 4- I looked up the secret password in the clients.conf; it was defined as shared secret. All this confusion could have been eliminated by just using PSK (PreShared Key).

The term preshared key is mostly associated with wireless. Shared secret is the preferred term.

> 5- Please take a look at this paragraph from the same file:
>
> #
> # You can now specify one secret for a network of clients.
> # When a client request comes in, the BEST match is chosen.
> # i.e. The entry from the smallest possible network.
> #
> #client 192.168.0.0/24 {
> #	secret		= testing123-1
> #	shortname	= private-network-1
> #}
>
> 1- The above tells me every user will have to be entered into Radius with a user and password, which is obvious, but why does the IP address have to be part of this context? A user would use DHCP, so this cannot be used.

See above. This is where you define radius clients. They have to have a fixed IP for the radius server to accept radius requests from them. Security measure. You define users and passwords in the users file. Or sql, ldap, use system passwords, Kerberos, PAM, Active Directory etc. Freeradius supports quite a range of options for password storage and validation.

Ivan Kalik
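The best-match rule Ivan describes above (smallest network wins, unknown source addresses get no secret at all) as an added worked example. This is not code from the thread or from FreeRADIUS; it is a small Python parser for the `client <network> { ... }` block style quoted above plus the longest-prefix lookup. The config text, secrets and shortnames are constructed for the example, and the parser only understands the key = value form shown in the thread.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the clients.conf style quoted in the thread.
# Three overlapping entries: a /16, a /24 inside it, and a single host
# inside the /24. The secrets are made up for this example.
SAMPLE_CLIENTS_CONF = """
# Comments and blank lines are ignored by the toy parser below.
client 192.168.0.0/16 {
    secret    = site-wide-secret
    shortname = private-network-1
}

client 192.168.0.0/24 {
    secret    = testing123-1
    shortname = private-network-2
}

client 192.168.0.10 {
    secret    = nas-specific-secret
    shortname = nas-1
}
"""


@dataclass(frozen=True)
class Client:
    """One radius client (NAS or network of NASes) and its shared secret."""
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    secret: str
    shortname: str


_HEADER = re.compile(r"^\s*client\s+(\S+)\s*\{\s*$")
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")


def parse_clients(text: str) -> list[Client]:
    """Parse 'client <addr-or-cidr> { key = value ... }' blocks.

    Toy parser for the example only: it strips everything after '#' on a
    line, so a secret containing '#' would be truncated (FreeRADIUS's real
    parser handles quoting; this one does not).
    """
    clients: list[Client] = []
    current: Optional[dict] = None  # collects the block being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _HEADER.match(line)
        if m:
            if current is not None:
                raise ValueError("nested client block")
            # A bare address becomes a single-host network (/32 or /128).
            current = {"network": ipaddress.ip_network(m.group(1), strict=False)}
            continue
        if line.strip() == "}":
            if current is None:
                raise ValueError("stray closing brace")
            if "secret" not in current:
                raise ValueError(f"client {current['network']} has no secret")
            clients.append(Client(current["network"], current["secret"],
                                  current.get("shortname", str(current["network"]))))
            current = None
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    if current is not None:
        raise ValueError("unterminated client block")
    return clients


def find_client(clients: list[Client], src_ip: str) -> Optional[Client]:
    """Return the client entry from the smallest network containing src_ip.

    None means the packet came from an address no client block covers; the
    server has no secret for it and the request must be dropped.
    """
    ip = ipaddress.ip_address(src_ip)
    best: Optional[Client] = None
    for c in clients:
        # 'in' is False across IPv4/IPv6 versions, so no cross-family match.
        if ip in c.network and (best is None or c.network.prefixlen > best.network.prefixlen):
            best = c
    return best


if __name__ == "__main__":
    table = parse_clients(SAMPLE_CLIENTS_CONF)
    for src in ("192.168.0.10", "192.168.0.77", "192.168.5.1", "10.0.0.1"):
        hit = find_client(table, src)
        print(src, "->", (hit.shortname, hit.secret) if hit else "no client, drop request")
```

Note that the host entry 192.168.0.10 wins over both enclosing networks even though it is listed last; order in the file does not matter, only prefix length. The constructed sample follows the thread's "one secret per network" style; a production file would normally give each NAS its own entry and its own secret, so that one compromised device does not expose the secret for a whole subnet.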
Re: Testing radius server
As simple as this: shared secret, clients, user and so on are all part of the link defined in RFC2865 (where RADIUS is defined). So, for anyone who has already read the RADIUS RFC, understanding how it's implemented in freeradius should be easy. If this is confusing for somebody, he should propose changes to the RFC.

http://www.ietf.org/rfc/rfc2865.txt

Greetings.

On Fri, Dec 11, 2009 at 12:20 PM, t...@kalik.net wrote:
> [...]
Re: Testing radius server
s/link/lingo/

On Fri, Dec 11, 2009 at 12:58 PM, gera g...@gera.me wrote:
> As simple as this: shared secret, clients, user and so on are all part of the link defined in RFC2865 (where RADIUS is defined). So, for anyone who has already read the RADIUS RFC, understanding how it's implemented in freeradius should be easy. If this is confusing for somebody, he should propose changes to the RFC.
>
> http://www.ietf.org/rfc/rfc2865.txt
>
> Greetings.
>
> On Fri, Dec 11, 2009 at 12:20 PM, t...@kalik.net wrote:
>> [...]
Clients and users and confs, in mysql
Dear all:

I managed to install a Debian Lenny with freeradius and I would like to use MySQL for clients and users data, because I think it's better than radius plain text files; and I would like to use a webadmin for reporting and management too. But I'm confused. My installation is zero, I mean, just make install and something like that.

1- I don't know if I have to configure the clients.conf file manually and it will be automatically written to the mysql database or, conversely, I would write my data into mysql manually and those data will be automatically written to the text files? Maybe, I think, they are independent of each other.

2- I have a 3Com Total Control making dial-up authorizations; now I need to use radius for pppoe, for aaa. I think I will use the HiperARC card, so I think my model in clients.conf isn't tc, it is usrhiper, right?

3- I'm very, very confused about this: who does bandwidth limitation for a user? I.e.: Joe must have 128Kbps of traffic limitation. The pppoe server does (3Com)? Or radius does somehow? Or maybe freeradius sends parameters to the 3Com HiperARC to set it?

Thanks in advance.

Carlos.

Note.- Someone stated I had enough. I would like to say (in my poor English): the documentation isn't the best in the world, but it is the best of freeradius, and FREEradius is the best of all Free-Radius software. And it's free. It is enough! Thanks for responding every time.
Re: guest vlan and ip address in sql
> So - another question - I want to insert into the database the name from the inner session, even if the outer-session name is set. How can I do it?

This is documented in the inner-tunnel virtual server. At least in the current version.

Ivan Kalik
Re: Clients and users and confs, in mysql
> 1- I don't know if I have to configure the clients.conf file manually and it will be automatically written to the mysql database or, conversely, I would write my data into mysql manually and those data will be automatically written to the text files?

No.

> Maybe, I think, they are independent of each other.

Yes. Just don't add the same client to both.

> 2- I have a 3Com Total Control making dial-up authorizations; now I need to use radius for pppoe, for aaa. I think I will use the HiperARC card, so I think my model in clients.conf isn't tc, it is usrhiper, right?

Pass. Someone with equipment like yours will be able to help you.

> 3- I'm very, very confused about this: who does bandwidth limitation for a user? I.e.: Joe must have 128Kbps of traffic limitation. The pppoe server does (3Com)?

Yes.

> Or radius does somehow?

No.

> Or maybe freeradius sends parameters to the 3Com HiperARC to set it?

Yes, that can be done in many cases. It depends on whether the NAS supports bandwidth-limiting VSAs.

Ivan Kalik