Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread sunhualing
It seems that it could not generate EAP-MSK first; maybe you can check that.

On Thu, May 13, 2010 at 2:49 AM, Sumedh Sathaye  wrote:

> Dear all,
>
> I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
> I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
> someone help me figure out what I am not doing OR doing incorrectly?
>
> I have configured the "raddb/sites-available/default" and
> "raddb/modules/wimax" files per instructions included in the files
> themselves. For reference, here are the configuration stanzas in the
> post-auth section of "default":
>
> update request {
>WiMAX-MN-NAI = "%{User-Name}"
> }
> update reply {
> WiMAX-FA-RK-Key = 0x00
> WiMAX-MSK = "%{EAP-MSK}"
> }
> wimax
>
> Run-log from "radiusd -X" is also included at the end of this message. Here
> is the message that indicates that EAP is not computing MSK and EMSK:
> [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.
>
> Thank you in advance, and I apologize if this question has been answered
> before -- I did not find answers/pointers in the FAQ or the Wiki.
>
> Best Regards,
> Sumedh
>

Re: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Alan DeKok
Sumedh Sathaye wrote:
> Run-log from "radiusd -X" is also included at the end of this message.
> Here is the message that indicates that EAP is not computing MSK and EMSK:
> [wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

  You're using an EAP method that doesn't provide the MSK.  Use
something mandated by the WiMAX spec instead of EAP-MD5.

  e.g. EAP-TLS, PEAP, or TTLS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
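To make Alan's point concrete, here is an added example (not code from the thread or from FreeRADIUS) of where the MSK and EMSK that rlm_wimax asks for actually come from. EAP-TLS (RFC 5216, section 2.3) exports them from the TLS master secret with the TLS PRF; EAP-MD5 (RFC 3748, section 5.4) is a bare challenge/response with no shared secret, so there is nothing for the server to export. The master secret and the two random values below are constructed stand-ins for the real handshake values, and the key split (first 64 octets MSK, next 64 EMSK) is the one the RFC specifies.

```python
"""
EAP-TLS key export (RFC 5216, section 2.3):

    Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                               client.random || server.random)
    MSK  = Key_Material[0:64]
    EMSK = Key_Material[64:128]

The PRF itself is the TLS one: MD5/SHA-1 split for TLS 1.0/1.1 (RFC 2246,
section 5), P_SHA256 for TLS 1.2 (RFC 5246, section 5).
"""
import hashlib
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC chained over A(i) values."""
    out = b""
    a = seed                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half; the halves share a byte when len is odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)


def eap_tls_keys(master_secret, client_random, server_random, tls12=False):
    """Return (MSK, EMSK) exactly as an EAP-TLS server exports them."""
    prf = tls12_prf if tls12 else tls10_prf
    key_material = prf(master_secret, b"client EAP encryption",
                       client_random + server_random, 128)
    return key_material[:64], key_material[64:]


if __name__ == "__main__":
    # Constructed inputs standing in for the real TLS handshake values.
    master_secret = os.urandom(48)
    client_random, server_random = os.urandom(32), os.urandom(32)
    msk, emsk = eap_tls_keys(master_secret, client_random, server_random)
    print("EAP-MSK  =", msk.hex())
    print("EAP-EMSK =", emsk.hex())
```

The module is deterministic in the handshake values, which is the point: both peers derive the same MSK, the server hands it to the NAS, and rlm_wimax then derives the WiMAX keys from it and the EMSK. Without a TLS-based (or otherwise key-deriving) method there is no master secret to start from.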


Re: When to ldap?

2010-05-12 Thread Alan DeKok
Dean, Barry wrote:
> I am working on a new radius config and have been trying to avoid the lookup 
> in LDAP I have been seeing for the outer identity.
> 
> I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
> 
> I have an authorise section for the relevant virtual server that has:

  *which* virtual server?

> The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the 
> outer identity, but if I want to send a basic User-Name/User-Password type 
> auth request after checking with LDAP and returning "Remote access is 
> permitted", I then see:
> 
> No authenticate method (Auth-Type) configuration found for the request: 
> Rejecting the user

  And the *rest* of the debug log says ?

> I presume:
> 
>if (!EAP-Message) {
> ldap
> }
> 
> Fails to set Auth-Type LDAP?

  Yes.  It *shouldn't*, either.  That was a mistake from 1.x.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Clark Wang has invited you to Dropbox

2010-05-12 Thread sunhualing
Dropbox has been defeated by the GreatFireWall, we are so sorry

On Wed, May 5, 2010 at 1:39 PM, Dropbox  wrote:

>We're excited to let you know that Clark Wang has invited you
> to Dropbox!
>
> Clark Wang has been using Dropbox to sync and share files online and across
> computers, and thought you might want it too.
>
> Visit 
> www.dropbox.comto 
> get started.
>
> - The Dropbox Team
>   To stop receiving invites from Dropbox, click 
> here
> © 2010 Dropbox
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread sunhualing
Check the system time; it has to be within the certificate's validity period.
The CA issue is hard to say; check your configuration again.

On Thu, May 13, 2010 at 10:53 AM, Zheng, Jiajia wrote:

> Alan DeKok wrote:
> > Zheng, Jiajia wrote:
> >>> 11. EAP-TLS failed, see the attached tls.log for the output of
> >>> radiusd Could you help me out on this issue?
> >
> >   Paste the debug output into the "self-help" form at:
> >
> > http://networkradius.com/freeradius.html
> >
> >   Look for red text.
> >
> >>> Is there anything I did wrong? Let me know if you need more
> >>> debugging info.
> >
> >   The debug log already shows everything you need to know.
> >
> >   The CA used by the client is *not* the same as the CA used by the
> > server.
> >
> Yes, from the debug log, we can tell that the CA is wrong.
> But as I mentioned, the same CA works fine with EAP-TTLS. Why does it go
> wrong with EAP-TLS?
> Here is my configuration file for EAP-TTLS, which works.
> WPA_EAP_TTLS_CHAP.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
> ssid="ASUS-2.4G"
> scan_ssid=1
> key_mgmt=WPA-EAP
> eap=TTLS
> identity="root"
> password="wireless"
> ca_cert="./ca.pem"
> phase2="auth=CHAP"
> }
> Here is my configuration file for EAP-TLS, which fails authentication.
> WPA_EAP_TLS.conf
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
> ssid="ASUS-2.4G"
> scan_ssid=1
> key_mgmt=WPA-EAP
> eap=TLS
> identity="root"
> ca_cert="./ca.pem"
> client_cert="./client.pem"
> private_key="./client.pem"
> private_key_passwd="whatever"
> }
>
> The client.pem used by the client was also copied from the server.
> Is there anything wrong with my configuration file? I also attached the *.pem.
>
> Thanks,
> jiajia
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: sending Access-request, Access-Reject

2010-05-12 Thread John Dennis

On 05/12/2010 08:01 PM, dorra aa wrote:

> hi can someone help me in that
> i add a users :
> abc cleartext-password:="123"


It's right there in the debug output


> users: Matched entry DEFAULT at line 153
> users: Matched entry abc at line 216
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0

> rlm_pap: Found existing Auth-Type, not changing it.

> rad_check_password: Found Auth-Type System

> modcall[authenticate]: module "unix" returns notfound for request 0

It shouldn't be using an auth-type of "System", that means to lookup the 
user in the /etc/passwd (/etc/shadow) file. But you don't have a user on 
your system named "abc" so the not found result makes sense, right?


Why is it trying to find "abc" amongst the unix users on your system? 
The answer is right above, look at the lines labeled "users:", that's 
your users file, also look at the line that says "Found Auth-Type, not 
changing it". So something in your users file forced the user "abc" to 
have an Auth-Type of "system" or "unix", it also tells you which lines 
in the users file it matched. Go fix your users file so it doesn't do that.


I'm guessing in your attempts to get things working you may have mangled 
the example users file, you might want to start with the unaltered users 
file and just add your test user.


All this is documented in the link I sent you a week ago:
http://deployingradius.com/documents/configuration/pap.html

--
John Dennis 

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
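As an added example (not code from the thread or from FreeRADIUS), the following replays offline the file walk John is reading out of the debug log: the users file is processed from the top, every matching entry (DEFAULT matches everyone) contributes its check items to the request's control list, and the walk only continues past a matching entry that has Fall-Through set. The sample users file is constructed for this example, modelled on the old stock DEFAULT entry that pins Auth-Type = System; the matcher is simplified and compares only the entry name, where real rlm_files also tests check items such as NAS-IP-Address against the request.

```python
"""
Replay rlm_files' walk over a `users` file and point at the entry that
forced Auth-Type for a given user.
"""
import re

# Constructed sample users file for this example, modelled on the old
# stock DEFAULT entry that pins Auth-Type = System, followed by the test
# user from the thread.
SAMPLE_USERS = """\
# Entries are matched in order; a match without Fall-Through ends the walk.
DEFAULT\tAuth-Type = System
\tFall-Through = 1

abc\tCleartext-Password := "123"
\tReply-Message = "Hello, %{User-Name}"
"""

# Attribute, operator, value.  Quoted values may contain commas.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|\+=|=)\s*("[^"]*"|[^,\s]+)')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Return the file's entries in order: name, line number, check items
    (first line) and reply items (indented continuation lines)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation: reply items
            entries[-1]["reply"].extend(parse_items(raw))
            continue
        parts = raw.split(None, 1)
        entries.append({"name": parts[0], "line": lineno,
                        "check": parse_items(parts[1] if len(parts) > 1 else ""),
                        "reply": []})
    return entries


def match(entries, user_name):
    """Walk the entries like rlm_files does for one request.

    Simplified: only the entry name is compared.  ':=' always overrides an
    existing control item, '=' only sets it when it is still absent."""
    control, matched = {}, []
    for entry in entries:
        if entry["name"] not in ("DEFAULT", user_name):
            continue
        matched.append(entry)
        for attr, op, value in entry["check"]:
            if op == ":=" or attr not in control:
                control[attr] = value
        fall_through = [v for a, _, v in entry["reply"] if a == "Fall-Through"]
        if not fall_through or fall_through[-1].lower() not in ("1", "yes"):
            break                                 # no Fall-Through: stop here
    return control, matched


def lint_auth_type(entries, user_name):
    """List every matched entry that pins Auth-Type for this user: the
    entries John is telling dorra to find and fix."""
    _, matched = match(entries, user_name)
    return [(e["name"], e["line"], v) for e in matched
            for a, _, v in e["check"] if a == "Auth-Type"]


if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS)
    control, _ = match(users, "abc")
    print("control items for abc:", control)
    for name, line, value in lint_auth_type(users, "abc"):
        print("entry %r at line %d forces Auth-Type = %s" % (name, line, value))
```

Run against the sample, the linter names the DEFAULT entry on line 2 as the one that set Auth-Type = System; delete that entry (or drop its Auth-Type item) and the only control item left for "abc" is the Cleartext-Password, which is what rlm_pap needs to set Auth-Type = PAP itself.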


sending Access-request, Access-Reject

2010-05-12 Thread dorra aa

Hi, can someone help me with that?
I add a user:
abc cleartext-password:="123"

and I run freeradius -X
after that I do:
r...@pfe-laptop:/home/pfe# radtest abc 123 localhost 1812 testing123
Sending Access-Request of id 48 to 127.0.0.1 port 1812
User-Name = "abc"
User-Password = "123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=48, length=20

and this is the output of deamon:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:41804, id=48, length=55
User-Name = "abc"
User-Password = "123"
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "abc", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 153
users: Matched entry abc at line 216
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 48 to 127.0.0.1 port 41804
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 48 with timestamp 4beb3ff9
Nothing to do.  Sleeping until we see a request.


  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
I have looked into BOC-WIMAX and it looks interesting but fairly incomplete.
I have not tried to get it working 100% so I have only a little experience.


 

Some of the NAS simply want to talk to FR via EAP-TTLS and receive only a
Framed-Filter-Id response.  Is there a manufacturer you are looking to work
with in particular or is this an attempt to get BOC-WiMax working as your
ASN?  

 

David

 

From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradiu
s.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 3:43 PM
To: David Peterson-WirelessConnections; FreeRadius users mailing list
Subject: RE: Configuration trouble (2.1.8 for use with WiMAX)

 

David, thanks for your reply. I am using a simulated WIMAX ASN gateway from
the BOC-WiMAX distribution. It's available at:

http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to
FreeRadius. Can you share that information with me?

Best Regards,
Sumedh


From: "David Peterson"
To: "'FreeRadius users mailing list'"
Date: 05/12/2010 03:23 PM
Subject: RE: Configuration trouble (2.1.8 for use with WiMAX)
Sent by: freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org

Which product are you using? Some WiMax NAS do not send the proper keys to
Freeradius. I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

David


From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradiu
s.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)

Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the "raddb/sites-available/default" and
"raddb/modules/wimax" files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of "default":

update request {
WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{EAP-MSK}"
}
wimax

Run-log from "radiusd -X" is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh


RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Sumedh Sathaye

David, thanks for your reply. I am using a simulated WIMAX ASN gateway from
the BOC-WiMAX distribution. It's available at:

http://opensource.bolloretelecom.eu/projects/boc-wimax/

Sounds like you have insights into keys that NAS equipment does not send to
FreeRadius. Can you share that information with me?

Best Regards,
Sumedh



|>
| From:  |
|>
  
>--|
  |"David Peterson" 
 |
  
>--|
|>
| To:|
|>
  
>--|
  |"'FreeRadius users mailing list'" 
 |
  
>--|
|>
| Date:  |
|>
  
>--|
  |05/12/2010 03:23 PM  
 |
  
>--|
|>
| Subject:   |
|>
  
>--|
  |RE: Configuration trouble (2.1.8 for use with WiMAX) 
 |
  
>--|
|>
| Sent by:   |
|>
  
>--|
  |freeradius-users-bounces+sathaye=us.ibm@lists.freeradius.org 
 |
  
>--|





Which product are you using?  Some WiMax NAS do not send the proper keys to
Freeradius.  I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

David


From: freeradius-users-bounces
+david.peterson=acc-corp@lists.freeradius.org [
mailto:freeradius-users-bounces
+david.peterson=acc-corp@lists.freeradius.org] On Behalf Of Sumedh
Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)



Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the "raddb/sites-available/default" and
"raddb/modules/wimax" files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of "default":

update request {
   WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{EAP-MSK}"
}
wimax

Run-log from "radiusd -X" is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh


RE: Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread David Peterson
Which product are you using?  Some WiMax NAS do not send the proper keys to
Freeradius.  I have gotten FR to work with pretty much all of the major
brands of WiMax we sell.

 

David

 

 

From:
freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org
[mailto:freeradius-users-bounces+david.peterson=acc-corp@lists.freeradiu
s.org] On Behalf Of Sumedh Sathaye
Sent: Wednesday, May 12, 2010 2:50 PM
To: FreeRadius users mailing list
Subject: Configuration trouble (2.1.8 for use with WiMAX)

 

Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the "raddb/sites-available/default" and
"raddb/modules/wimax" files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of "default":

update request {
   WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
WiMAX-FA-RK-Key = 0x00
WiMAX-MSK = "%{EAP-MSK}"
}
wimax

Run-log from "radiusd -X" is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh


Configuration trouble (2.1.8 for use with WiMAX)

2010-05-12 Thread Sumedh Sathaye


Dear all,

I am trying to use FreeRadius 2.1.8 for AAA in a wimax network. The problem
I am facing is that the WiMAX-MSK keys are not generated by FreeRadius. Can
someone help me figure out what I am not doing OR doing incorrectly?

I have configured the "raddb/sites-available/default" and
"raddb/modules/wimax" files per instructions included in the files
themselves. For reference, here are the configuration stanzas in the
post-auth section of "default":

update request {
WiMAX-MN-NAI = "%{User-Name}"
}
update reply {
 WiMAX-FA-RK-Key = 0x00
 WiMAX-MSK = "%{EAP-MSK}"
}
wimax

Run-log from "radiusd -X" is also included at the end of this message. Here
is the message that indicates that EAP is not computing MSK and EMSK:
[wimax] No EAP-MSK or EAP-EMSK.  Cannot create WiMAX keys.

Thank you in advance, and I apologize if this question has been answered
before -- I did not find answers/pointers in the FAQ or the Wiki.

Best Regards,
Sumedh

--
FreeRADIUS Version 2.1.8, for host x86_64-unknown-linux-gnu, built on May
11 2010 at 23:50:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
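As an added illustration (not from the thread and not the stock raddb files), here is the configuration side of the fix: eap.conf switched from EAP-MD5 to a method that exports keys, and the post-auth stanza from the post wrapped in a guard so rlm_wimax only runs when EAP actually produced an MSK and EMSK. Certificate paths, the private-key password and the "inner-tunnel" virtual server name are the 2.1.x defaults and are assumptions about this install; the mobile station (here the BOC-WiMAX simulator) must also be set to accept the method the server proposes.

```text
#  raddb/eap.conf (FreeRADIUS 2.1.x), trimmed to the relevant settings.
eap {
	#  EAP-MD5 is a bare challenge/response: it exports no MSK or EMSK,
	#  so rlm_wimax logs "No EAP-MSK or EAP-EMSK" and gives up.
	#default_eap_type = md5

	#  TLS-based methods (tls, ttls, peap) export MSK and EMSK.
	default_eap_type = ttls

	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
	}

	ttls {
		default_eap_type = mschapv2
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}

#  raddb/sites-available/default, post-auth section: hand keys to
#  rlm_wimax only when EAP exported them.
post-auth {
	if (EAP-MSK && EAP-EMSK) {
		update request {
			WiMAX-MN-NAI = "%{User-Name}"
		}
		update reply {
			WiMAX-FA-RK-Key = 0x00
			WiMAX-MSK = "%{EAP-MSK}"
		}
		wimax
	}
	else {
		#  Refuse rather than send an Access-Accept that carries no keys.
		update reply {
			Reply-Message = "EAP method exported no keys"
		}
		reject
	}
}
```

The guard is the practitioner's check: an Access-Accept without WiMAX keys lets the session come up unprotected on the air interface, so failing closed when the method did not derive keys is preferable to the silent warning in the log.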
 

Can proxy packet be configured to be resent in case no response from the home server

2010-05-12 Thread Zhang, Ge (Gina)
 
Hi,

Does anyone know whether we can configure the server to resend a proxy packet in 
case no response is received?

Thanks,
Gina Zhang
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


When to ldap?

2010-05-12 Thread Dean, Barry
I am working on a new radius config and have been trying to avoid the lookup in 
LDAP I have been seeing for the outer identity.

I have moved to 2.1.8 with the inner-tunnel virtual host enabled.

I have an authorise section for the relevant virtual server that has:

authorize {
preprocess
auth_log
chap
mschap
suffix
eap {
ok = return
}
files
if (!EAP-Message) {
ldap
}
expiration
logintime
pap
}

The "if(!EAP-Message)" works a treat at preventing an LDAP lookup for the outer 
identity, but if I want to send a basic User-Name/User-Password type auth 
request after checking with LDAP and returning "Remote access is permitted", I 
then see:

No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user

What am I missing to tell the "authenticate" section below what I want to do 
next?

authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
Auth-Type LDAP {
ldap
}
Auth-Type EAP {
eap
}
eap
}

I presume:

   if (!EAP-Message) {
ldap
}

Fails to set Auth-Type LDAP?


--
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540



---
Nice boy, but about as sharp as a sack of wet mice.
   -- Foghorn Leghorn

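One way to get a non-EAP request past "No authenticate method (Auth-Type) configuration found", shown here as an added example rather than anything from Barry's post or from the FreeRADIUS distribution. It keeps his authorize section and only appends a fallback at the end. rlm_ldap in 2.x sets Auth-Type := LDAP on its own only under specific conditions (set_auth_type enabled in modules/ldap, no Auth-Type set yet, a User-Password in the request and no usable password read from the directory); when none of that applies, nothing names a method and the request is rejected. "LDAP" is assumed to be the Auth-Type block name used in the authenticate section, as in the post:

```text
authorize {
    preprocess
    auth_log
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    if (!EAP-Message) {
        ldap
    }
    expiration
    logintime
    pap
    # Added: a non-EAP request that still has no Auth-Type after ldap,
    # chap, mschap and pap have had their turn is sent to the LDAP bind.
    # Assumes "Auth-Type LDAP { ldap }" exists in authenticate.
    if (!EAP-Message && !control:Auth-Type) {
        update control {
            Auth-Type := LDAP
        }
    }
}
```

Placing the fallback after pap matters: if ldap did pull a password attribute out of the directory, pap will already have set Auth-Type := PAP and the local comparison is used instead of a bind. The caveat is that Auth-Type LDAP authenticates by binding to the directory as the user, which needs the cleartext password from User-Password, so it only helps PAP-style requests; CHAP or MS-CHAP requests still need a password the chap or mschap modules can work with.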

Re: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Alan DeKok
Zheng, Jiajia wrote:
>> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
>> Could you help me out on this issue?

  Paste the debug output into the "self-help" form at:

http://networkradius.com/freeradius.html

  Look for red text.

>> Is there anything I did wrong? Let me know if you need more debugging
>> info. 

  The debug log already shows everything you need to know.

  The CA used by the client is *not* the same as the CA used by the server.

  Alan DeKok.
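A quick way to confirm the diagnosis above before touching eap.conf or the supplicant config, as an added example that is not part of the thread or of FreeRADIUS/wpa_supplicant. It asks openssl whether a certificate chains to a given CA, which is exactly the check both ends of EAP-TLS perform: the server verifies client.pem against the CA_file in its eap.conf tls section, and the supplicant verifies the server certificate against its ca_cert. The demo builds two unrelated throwaway CAs (constructed here, not the ones under /etc/raddb/certs) and shows the same client certificate passing against its issuer and failing against the other CA; in practice you would point the functions at the real ca.pem, client.pem and server.pem files.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS/wpa_supplicant.
# Requires the openssl command-line tool.

# check_client_ca CA_PEM CERT_PEM -> prints "ok" or "mismatch".
# Matching the literal ": OK" line is more portable than the exit status,
# which older openssl releases did not set on verification failure.
check_client_ca() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo mismatch
    fi
}

# show_identities CA_PEM CERT_PEM -> who signed what, side by side.
show_identities() {
    echo "trusted CA subject: $(openssl x509 -in "$1" -noout -subject)"
    echo "certificate issuer: $(openssl x509 -in "$2" -noout -issuer)"
}

# mkca DIR CN -> self-signed CA (key + cert) in DIR.  Extensions are given
# explicitly so the CA verifies on both old and new OpenSSL releases.
mkca() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.csr" -subj "/CN=$2" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -extfile "$1/ca.ext" \
        -days 1 -out "$1/ca.pem" >/dev/null 2>&1
}

# mkclient CADIR CN -> client certificate issued by the CA living in CADIR.
mkclient() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -out "$1/client.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" >/dev/null 2>&1
}

# demo_setup DIR -> two unrelated throwaway CAs "a" and "b" (constructed for
# this example) plus a client certificate issued by CA "a".
demo_setup() {
    mkca "$1/a" "Example CA A"
    mkca "$1/b" "Example CA B"
    mkclient "$1/a" "client"
}

demo() {
    d=$(mktemp -d) || return 1
    demo_setup "$d"
    echo "client.pem against the CA that issued it:"
    show_identities "$d/a/ca.pem" "$d/a/client.pem"
    check_client_ca "$d/a/ca.pem" "$d/a/client.pem"      # ok
    echo "client.pem against an unrelated CA:"
    show_identities "$d/b/ca.pem" "$d/a/client.pem"
    check_client_ca "$d/b/ca.pem" "$d/a/client.pem"      # mismatch
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing checked" >&2
fi
```

Run the two real checks in both directions: `check_client_ca /etc/raddb/certs/ca.pem client.pem` on the server side, and `check_client_ca ./ca.pem server.pem` with the ca.pem the supplicant was given. A "mismatch" on either side, or differing subject/issuer lines from show_identities, is the handshake failure seen in the radiusd debug output.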


Re: framedipaddress

2010-05-12 Thread Bruce Nunn
I manage a large Meru installation. If you want to get an IP address logged with 
a user name or MAC address like Aruba does, you can't do it unless you use the 
captive portal. And the captive portal only sends this info via syslog as 
u...@1.2.3.4. For the auditors at our site, we send the auth response and 
end-station identifier from RADIUS via syslog and the DHCP log to a Splunk box, and 
then they are happy and can block MAC addresses.

Meru is OK, but hostapd on a RedHat appliance as a NAS can be annoying at 
times.
Sent via Verizon Wireless

-Original Message-
From: Alan Buxey 
Date: Wed, 12 May 2010 11:33:46 
To: FreeRadius users mailing list
Subject: Re: framedipaddress

Hi,
> Listen, we've already bought a complete Meru system for the eduroam project and
> there is no turning back. There are many great features which only Meru
> has.  Right now I must find a solution for this system.

I'm uncertain of your tone here - but fundamentally, if the hardware
doesn't send an attribute then there's nothing that ANY RADIUS server
can do about it!

Ask your vendor why they don't support it, perhaps? Ask for a feature improvement?
They might have an alternative attribute or VSA that you can use or rewrite...

alan



Re: framedipaddress

2010-05-12 Thread Chris Knipe
What are you authenticating? Where are the RADIUS debug logs?

Chances are you are more than likely authenticating a Wireless Association
to the Access Point - not a PPP type of service where IP addresses are
involved.

Debug your radius logs a bit and perhaps post a bit more detail



2010/5/12 Paweł Pogorzelski 

> Listen, we've already bought a complete Meru system for the eduroam project and
> there is no turning back. There are many great features which only Meru
> has.  Right now I must find a solution for this system.
>
> --
> Pozdrawiam/Best regards
> Paweł Pogorzelski
> e-mail: ppogorzel...@gmail.com
>
>



-- 

Regards,
Chris Knipe

Re: framedipaddress

2010-05-12 Thread Alan Buxey
Hi,
> Listen, we've already bought a complete Meru system for the eduroam project and
> there is no turning back. There are many great features which only Meru
> has.  Right now I must find a solution for this system.

I'm uncertain of your tone here - but fundamentally, if the hardware
doesn't send an attribute then there's nothing that ANY RADIUS server
can do about it!

Ask your vendor why they don't support it, perhaps? Ask for a feature improvement?
They might have an alternative attribute or VSA that you can use or rewrite...

alan


RE: framedipaddress

2010-05-12 Thread Paweł Pogorzelski
Listen, we've already bought a complete Meru system for the eduroam project and
there is no turning back. There are many great features which only Meru
has.  Right now I must find a solution for this system.

-- 
Pozdrawiam/Best regards
Paweł Pogorzelski
e-mail: ppogorzel...@gmail.com



Re: freeradius-server-2.1.8

2010-05-12 Thread Alan Buxey
Hi,

> and there is nothing! in the output of radiusd -X

Nothing at all?  Or do you mean it's quiet after the 'ready to process requests'
line?

If so, check your firewall on the server. Make sure UDP 1812-1824 are
allowed in to the daemon!

alan


Re: framedipaddress

2010-05-12 Thread Alan Buxey
Hi,
> We worked with Meru as an Access Point, but not as a NAS.

But an Access Point IS a NAS.

alan


RE: How to implement EAP-TLS with freeradius and wpa_supplicant?

2010-05-12 Thread Zheng, Jiajia
Sorry, I forgot the subject. 

Zheng, Jiajia wrote:
> Hi,
> I hope this is the right place to ask questions about EAP-TLS with a
> RADIUS server. 
> I installed the freeradius-2.1.6 rpm package on my Fedora 10 system.
> EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP, etc. work fine.
> However, the EAP-TLS handshake failed. Here are my steps to implement
> EAP-TLS with the RADIUS server.  
> 1. on server: yum install freeradius
> 2. on server: cd /etc/raddb
> 3. on server: edit users and clients.conf (see attachments)
> 4. on server: radiusd -X
> 5. I configured the AP, which is connected by wire to the server, using
> WPA-TKIP 
> 6. copy ca.pem from server to my wireless machine.
> 6. I tried EAP_PEAP, EAP_TTLS_CHAP, TTLS_MD5, TTLS_MSCHAP on my
> wireless machine, which all worked fine. 
> 7. on server: cd /etc/raddb/certs
> 8. on server: make client.pem
> 9. copy client.pem from server to my wireless machine
> 10. run wpa_supplicant on my wireless machine: wpa_supplicant -Dwext
>  -iwlan0 -c WPA_EAP_TLS.conf, with WPA_EAP_TLS.conf as below:
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=wheel
> network={
> ssid="ASUS-2.4G"
> scan_ssid=1
> key_mgmt=WPA-EAP
> eap=TLS
> identity="root"
> ca_cert="./ca.pem"
> client_cert="./client.pem"
> private_key="./client.pem"
> private_key_passwd="whatever"
> }
> 11. EAP-TLS failed, see the attached tls.log for the output of radiusd
> Could you help me out on this issue?
> Is there anything I did wrong? Let me know if you need more debugging
> info. 
> 
> Thanks,
> jiajia


