Freeradius and client certificate support
Hi all,

I would like to configure an access point to accept client certificates only, with no usernames and passwords. As I understand it, what I am looking for is EAP-TLS, and I have attempted to configure it against a Mikrotik routerboard. I see the RADIUS packet entering the server, with the User-Name set to the MAC address of the incoming client (Mikrotik default behaviour).

My next step is to suitably configure freeradius to accept the login based on the attributes within the client certificate, and to accept any User-Name; however, I can find no documentation on how to do this. Ideally, I would like the effective freeradius login name to be the DN of the client certificate.

Does anyone know whether this is possible, and if so, what I need to tell freeradius to make this happen? I am using freeradius-1.1.3-1.5.el5_4 (on an RHEL5 system).

Regards,
Graham

--
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Proxy not working properly with PAP
We are using FreeRADIUS Version 0.9.3 (I know - it's old). We are authenticating users on a network of wireless access controllers and are trying to integrate a new type of access controller. This controller can only authenticate using PAP (I know - it's old and insecure). We use MySQL for the user database.

We have built a custom application to manage user passwords. If an authentication attempt is not successful (no user account, expired password, invalid password) then FreeRADIUS sends a proxy request to the custom application to deal with the situation.

When we use PAP, FreeRADIUS is sending proxy requests to the custom application in the case of:
- User not in the MySQL database
- User is in the MySQL database but the password has expired

The problem is that it is not (or at least does not appear to be) sending a proxy request in the case of:
- User is in the MySQL database, there is a non-expired password but the submitted password is incorrect.

We have very detailed logging on the custom application starting with the reception of a message on the port - here is a sample:

[10/08/29 16:26:54:567]C[PortThread ]Received message on UDP port 15000.

However, in the problem case we don't see anything - so it seems to me that FreeRADIUS is not proxying this authentication request to the custom application. I have searched radius.conf and proxy.conf for some setting that would manage this, without luck.

Also it is important to note that this problem does not occur when we are using MS-CHAPv2, which we do with other controllers we have integrated with - it seems to be associated with PAP. Also - in case you were wondering - users can authenticate if they have a valid user name and password.

Any suggestions would be appreciated.

Regards,
John
Re: Dealing with Incomplete Sessions
Hi,

> Is it wise to just run a script every x days to append a manual
> date/time to those sessions ?

we have a script that runs just a little longer than our session-timeout to clean up any dangling entries.

alan
aaa authentication login and dot1x with one server
Hi all,

I'm trying to set up freeradius to authenticate users logging in to our switches (Cisco IOS) and provide authentication for 802.1X.

1. SSH/Telnet access to our switches for admin users (aaa authentication login)
- Every user who is able to log in to the server running freeradius should be able to log in to the switches (Linux server with libpam-ldapd (nslcd) and pam_access.so to limit access by netgroup)
- Using PAM seems to be the right way (direct access to the LDAP database would allow all users and not only certain users with membership in the admin netgroup (pam_access with /etc/security/access.conf))

2. IEEE 802.1X with EAP-TTLS and dynamic VLAN assignment (aaa authentication dot1x)
- Using the freeradius LDAP module (direct access to the LDAP database)
- 802.1X users are in a separate subtree (ou=dot1x,dc=example,dc=com)

How do I set up freeradius to use PAM for authenticating users? How do I combine both functions with different auth methods in one server? I found some howtos for #2, which doesn't seem to be the problem.

I appreciate any help.

Regards
Sascha
Re: rlm_perl multiple attributes in rad_reply was: Adding Multiple Cisco-AVPairs using rlm_perl
Alexander Kubatkin writes:

> this is with $RAD_REPLY{'DHCP-Domain-Name-Server'} = ["$ns1","$ns2"] ;
[..]
> rlm_perl: Added pair DHCP-Domain-Name-Server = NS1_ip
> rlm_perl: Added pair DHCP-Domain-Name-Server = NS2_ip

So, this works as expected.

> Sending DHCP-Ack of id ef3e6917 from DHCP-Server-IP:67 to Relay-ip:67
> DHCP-Subnet-Mask = MASK
> DHCP-Router-Address = gateway_ip
> DHCP-Domain-Name-Server = NS1_ip
> DHCP-Domain-Name = "Domain1 Domain2"
> DHCP-Broadcast-Address = BROADCAST
> DHCP-NTP-Servers = NTP_Server_ip
> DHCP-IP-Address-Lease-Time = 180
> DHCP-DHCP-Server-Identifier = DHCP-Server-ip
> Finished request 3.

And this does not. So you have a problem with the DHCP code, and not with rlm_perl. I'm afraid I don't know enough about that to help you, but I'm sure someone else can, now that we know this hasn't anything to do with rlm_perl.

Bjørn
Dealing with Incomplete Sessions
Hi Guys

I was wondering how everyone was dealing with incomplete sessions? I have some incomplete sessions that are quite old (sometimes days) where it seems like the Stop Accounting packet never reached my server (or for reasons unknown to me).

Is it wise to just run a script every x days to append a manual date/time to those sessions?

Thanks,
Gabriel
questions about RADIUS-LDAP integrations
Hello list,

I have been using freeradius for 1 month. I'm running freeradius 2.1.9 on Fedora 13 with EAP-TTLS and PAP inside the tunnel. The users are authenticated against OpenLDAP. Even if the password is cleartext (PAP), it should be protected by the encrypted tunnel. So the first question is: is this mechanism quite secure, or do you suggest using another mechanism?

If I'm not wrong, there should be two different methods to get authentication with LDAP as backend. The first is to just pass the credentials to the LDAP server and try to authenticate. The second is that freeradius obtains the password from LDAP, strips the header (i.e. {crypt}), takes the first two characters of the salt and uses it to crypt the password sent by the . If the two hashes are the same, the user is authenticated.

In this case which is the best method, and how do the relevant files have to be modified? Should I also modify ldap.attmap?

Thanks a lot.
Matteo
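The second method Matteo describes, as an added example (not FreeRADIUS code; FreeRADIUS's rlm_pap module performs this comparison itself for {scheme}-prefixed passwords it is handed): strip the header, recover the salt from the stored value, hash the submitted password the same way and compare in constant time. The helper names and the sample entry are constructed here, and the function covers {SHA} and {SSHA} alongside {crypt} since the same strip-salt-hash-compare logic applies to all three.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Build an unsalted {SHA} userPassword value: base64(sha1(pw))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def verify_ldap_password(stored: str, candidate: str) -> bool:
    """Check a submitted cleartext (PAP) password against an LDAP userPassword value.

    This is the second method from the post: the RADIUS server fetches the stored
    value, strips the {scheme} header, recovers the salt from what is left, hashes
    the candidate the same way and compares the digests in constant time.
    """
    if not stored.startswith("{"):
        # No scheme header: the directory holds the cleartext password itself.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "SHA":
        digest = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(base64.b64decode(payload), digest)
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the salt follows it
        return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8") + salt).digest(), digest)
    if scheme == "CRYPT":
        # Traditional crypt(3): the salt is the first two characters of the stored
        # string; crypt() re-uses whatever salt prefix it is handed ($id$ forms included).
        try:
            import crypt  # deprecated in Python 3.11, removed in 3.13
        except ImportError as exc:
            raise RuntimeError("crypt(3) is not available on this interpreter") from exc
        return hmac.compare_digest(crypt.crypt(candidate, payload), payload)
    raise ValueError("unsupported userPassword scheme {%s}" % scheme)


if __name__ == "__main__":
    # Constructed sample entry, not taken from any real directory.
    entry = make_ssha("s3cret", b"abcd")
    print(entry, verify_ldap_password(entry, "s3cret"), verify_ldap_password(entry, "wrong"))
```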
Re: Installation on debian with postgresql
Michele Petrazzo - Unipex wrote:
> It's the "normal" procedure when installing a new program. Install with
> apt-get install and go to Google to look for docs.
> Normally I don't find complete docs and examples directly on the program's
> web pages.

I suggest trying the documentation that comes with the project first. Third-party documentation is almost always wrong.

> and on my server:
>
> srv:/etc/freeradius# grep -D skip -R authorise *

Try looking in raddb/sites-enabled/*

> srv:/etc/freeradius# echo $?
> 1
>
> This means that, unless I'm completely wrong, the word authorise has to
> be authorize.

No. If you read radiusd.conf, the comments near the bottom will tell you where the authorise section can be found.

Alan DeKok.
Re: freeradius2 and juniper router
gahn wrote:
> I got the freeradius server installed, configured but it is not working.
> Basically it just doesn't respond.

Have you tried running the server in debugging mode, as suggested in the FAQ, README, "man" page, web pages, and daily on this list? You've given a lot of information... most of which is useless.

> for file "users":
>
> tester Auth-Type := Local
>     User-Passowrd = "password"
>     Juniper-Local-User-Name = "admin"

Please read the documentation and the FAQ for how to create a "users" file entry. There are a number of mistakes here, including a mis-spelled attribute.

> for "clients.conf":
>
> client 192.168.10.8 {
>     secret= easy-test
...
> on juniper router:
>
> radius-server {
>     192.168.10.10 secret "$9$g04ZjHkPTQnik.5TzAt"; ## SECRET-DATA

You do realize that those secrets are different, right? And that they should be the same? And that if you ran the server in debugging mode, it would *tell* you this?

> somehow juniper router just ignores the calls from the freeradius server:

No. The router is sending a packet, and not receiving a response.

> any ideas?

You've done many things wrong. The main one is trying to debug the server by looking at everything *else* in the network. Why not debug the server by looking at the server's behavior? That's what all of the documentation says to do, and it seems rather more logical.

Alan DeKok.
Re: freeradius2 and juniper router
First try adding 127.0.0.1 to your clients.conf file and try using radtest on the freeradius machine in order to see if the username/pass "tester" works and you can authenticate and receive the attributes (Juniper-Local-User-Name). Then launch freeradius with the -X option (it will enable debug messages on your standard output) and try to access your juniper device while radiusd is running with the -X option. Surely some important info will be displayed in the log messages.

Hope this helps

Regards

Hi all:

I got the freeradius server installed, configured but it is not working. Basically it just doesn't respond.

for "clients.conf":

client 192.168.10.8 {
    secret= easy-test
    shortname = lab-net
}

for file "users":

tester Auth-Type := Local
    User-Passowrd = "password"
    Juniper-Local-User-Name = "admin"

for file /usr/local/share/freeradius/dictionary.juniper:

#
VENDOR Juniper 2636
BEGIN-VENDOR Juniper
ATTRIBUTE Juniper-Local-User-Name 1 string admin
END-VENDOR Juniper

on juniper router:

radius-server {
    192.168.10.10 secret "$9$g04ZjHkPTQnik.5TzAt"; ## SECRET-DATA
}

somehow juniper router just ignores the calls from the freeradius server:

tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 96 bytes
21:02:56.043367 IP (tos 0x0, ttl 64, id 36292, offset 0, flags [none], proto UDP (17), length 85) 192.168.255.138.54420 > 192.168.255.128.radius: RADIUS, length: 57
  Access Request (1), id: 0x3e, Authenticator: 16af4d9f0f21ace37e0a2d7b3c21d4c7
    Username Attribute (1), length: 5, Value: glu
      0x: 676c 75
    Password Attribute (2), length: 18, Value:
      0x: 8332 de31 d0a1 7ba9 e1f5 1d89 66e6 207b
    NAS ID Attribute (32), length: 8, Value: lab-r8
      0x: 6c61 622d 7238
    NAS IP Address Attribute (4), length: 6, Value: [|radius]
      0x: 0a
21:02:59.045142 IP (tos 0x0, ttl 64, id 36294, offset 0, flags [none], proto UDP (17), length 85) 192.168.255.138.54420 > 192.168.255.128.radius: RADIUS, length: 57
  Access Request (1), id: 0x3e, Authenticator: 16af4d9f0f21ace37e0a2d7b3c21d4c7
    Username Attribute (1), length: 5, Value: glu
      0x: 676c 75
    Password Attribute (2), length: 18, Value:
      0x: 8332 de31 d0a1 7ba9 e1f5 1d89 66e6 207b
    NAS ID Attribute (32), length: 8, Value: lab-r8
      0x: 6c61 622d 7238
    NAS IP Address Attribute (4), length: 6, Value: [|radius]
      0x: 0a
21:03:02.045798 IP (tos 0x0, ttl 64, id 36299, offset 0, flags [none], proto UDP (17), length 85) 192.168.255.138.54420 > 192.168.255.128.radius: RADIUS, length: 57
  Access Request (1), id: 0x3e, Authenticator: 16af4d9f0f21ace37e0a2d7b3c21d4c7
    Username Attribute (1), length: 5, Value: glu
      0x: 676c 75
    Password Attribute (2), length: 18, Value:
      0x: 8332 de31 d0a1 7ba9 e1f5 1d89 66e6 207b
    NAS ID Attribute (32), length: 8, Value: lab-r8
      0x: 6c61 622d 7238
    NAS IP Address Attribute (4), length: 6, Value: [|radius]
      0x: 0a

From what I found on the internet, freeradius2 is supposed to support juniper routers.

any ideas?