Re: Freeradius + EAP_TLS + Cisco AP

2010-09-30 Thread Esteban TALAVERA
Thanks

Hi

After multiple issues I found a partial solution, but not the best.

I unselected "validate server certificate" in the XP client.

After doing that, the client authenticates. I know that this is a very
dangerous practice.

Is it mandatory for an XP machine to authenticate the server certificate to a
valid CA?

I copied only the client certificate onto the XP machine.

Will copying the server's certificate or my homemade CA certs onto the XP
client work?

Gracias, Merci, thanks

On Wed, Sep 29, 2010 at 2:27 AM, Matija Levec wrote:

> You say you are trying to setup eap-tls and you have client certs - so you
> probably also want to set client to eap-tls (smart card or other certificate
> in windows world).
> Check you installed proper CA certs on both client and server if you are
> checking them (which I guess you should).  'PEAP or EAP-TLS Doesn't Work
> with a Windows machine' part of faq really includes useful info.
>
> Bye,
> M.
>
>
> >>> Esteban TALAVERA  28.9.2010 16:40 >>>
> I tried to apply the hotfix but it was included in SP3. The laptop has
> Windows XP SP3.
>
> xpextensions is added to the certificate.
>
> What does "[tls] eaptls_process returned 13" mean?
>
>
> default_eap_type = peap
> Must it be set to peap or tls?
>
> Thanks



-- 

*Esteban Talavera*

*Proyectos ITW*

Tel.+(58)212 7623035

+(58)212 7620504

Cel. +(58)412 2892006

Fax   +(58)212 7615965
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: choose proxy based on AD

2010-09-30 Thread David McPike
>> In other words, if I proxy to the old radius server, the username
>> needs to be realm\user again.
>
>  Set "nostrip" in the realm configuration.

I finally have a solution.  I wanted to keep strip enabled because I
have to perform the LDAP query on the stripped username.  So, I added
the following logic to pre-proxy {}:

    # non-migrated old child domain user
    if ("%{control:Proxy-To-Realm}" != "newrealm" && Realm) {
        update proxy-request {
            User-Name := "%{stripped-user-na...@%{realm}"
        }
    }

This allows me to authenticate all child domain users from a single
old parent domain controller instead of having IAS servers installed
in every child domain.

I just had to re-read the unlang man page enough times to get all the pieces.

Thanks for all your help!
David



Re: Radius+Ldap:Allow the same host in multiple vlans

2010-09-30 Thread Johan Meiring

On 2010/09/30 05:05 PM, Ramon Escriba wrote:
> Hi Alan,
> Then is it possible to do a general match rule in huntgroups to, let's say,
> "the 35 first ports belong to a vlan A" and the rest "36 to 48" to vlan B, or
> not?

It sounds like you need some custom logic.
Have you looked at rlm_perl?


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



RE: Radius+Ldap:Allow the same host in multiple vlans

2010-09-30 Thread Ramon Escriba

Hi Alan,
Then is it possible to do a general match rule in huntgroups to, let's say,
"the 35 first ports belong to a vlan A" and the rest "36 to 48" to vlan B, or
not?

business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-35
IT   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 36-48

Do I have to manually insert them one by one? I've +2000 ports active, I hope I
do not have to ;-)

I made a little change in huntgroups to check that:

XXX  NAS-IP-Address == aaa.bbb.ccc.ddd, NAS-Port == 33-50

But without success.

/etc/raddb/huntgroups[77]: Parse error (check) for entry XXX: Unknown value
33-50 for attribute NAS-Port

Do I need some "unlang/whatever scripting" to make the "NAS-Port" matching
possible?

I saw "#business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 0-7"
and the like in many huntgroups examples
(including the freeradius huntgroups file templates examples). Are they
wrong?

Thanks.

-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org
[mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Thursday, 30 September 2010 15:53
To: FreeRadius users mailing list
Subject: Re: Radius+Ldap:Allow the same host in multiple vlans

Ramon Escriba wrote:
> By the way, in some of the cases the switch-ip, even switch+port, is 
> the key, so huntgroups does the job but only partially.
> 
> This works (original huntgroups example):
> #business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1
> 
> But not this:
> #business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7
> 
> Why?

  NAS-Port-Id is a string, not an integer.  NAS-Port is an integer.

  Alan DeKok.
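
The port-range match asked about in this thread, written as the kind of custom logic in rlm_perl that was suggested in reply; this is an added example, not code posted by anyone on the list. It compares NAS-Port numerically (NAS-Port is the integer attribute, NAS-Port-Id the string one). The VLAN IDs, the range table and the helper name vlan_for are constructed for illustration; the switch address and port ranges are the ones from the question.

```perl
# Added example: script for rlm_perl, called from authorize { ... }.
# Assumption: the perl module is configured to load this file and is
# listed in the authorize section of the virtual server.
use strict;
use warnings;

# Hashes that rlm_perl fills in for every request.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes used below.
use constant {
    RLM_MODULE_NOOP    => 7,   # nothing done, let other modules decide
    RLM_MODULE_UPDATED => 8,   # reply attributes were changed
};

# Constructed sample table: switch IP, first port, last port, VLAN ID.
# One row covers a whole range, so 2000+ ports need only a few rows.
# VLAN IDs "10" and "20" are placeholders for "business" and "IT".
my @PORT_RANGES = (
    [ '192.168.2.5',  1, 35, '10' ],
    [ '192.168.2.5', 36, 48, '20' ],
);

# Return the VLAN ID for a switch/port pair, or nothing if no row matches.
sub vlan_for {
    my ($nas_ip, $nas_port) = @_;
    return unless defined $nas_ip && defined $nas_port;

    # NAS-Port must be a plain integer; anything else (for example a
    # NAS-Port-Id style string such as "1-7") is not matched at all.
    return unless $nas_port =~ /^\d+$/;

    for my $row (@PORT_RANGES) {
        my ($ip, $first, $last, $vlan) = @$row;
        return $vlan
            if $nas_ip eq $ip && $nas_port >= $first && $nas_port <= $last;
    }
    return;
}

sub authorize {
    my $vlan = vlan_for($RAD_REQUEST{'NAS-IP-Address'},
                        $RAD_REQUEST{'NAS-Port'});

    # Unknown switch or port: do not assign a VLAN here.
    return RLM_MODULE_NOOP unless defined $vlan;

    # Standard tunnel attributes used for dynamic VLAN assignment.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}

1;
```

A port outside every range returns noop rather than a default VLAN, so an unlisted switch port never lands in a network by accident.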


Re: Question about rlm-unix authentication

2010-09-30 Thread Alan DeKok
James S. Smith wrote:
> I'm trying to get FreeRadius to authenticate against the local server's 
> usernames and passwords.  I have a fresh installation and I've confirmed that 
> authentication is working with a test entry in the /etc/raddb/users file.  
> I've also tested authentication from another system and it works too.  I
> then try to authenticate against a unix account I have on the system
> ("testrad").  It comes back as "Access-Reject", which seems to suggest it 
> tried to look for the user account and felt it wasn't there and in the 
> radiusd -X the unix module reports "notfound".   I've confirmed I can log in 
> via Unix with this account, so it definitely works.  I also made a test 
> program that makes the same calls as rlm_unix and it was able to successfully 
> lookup the user account.

  Well.. if the user isn't found in /etc/passwd, then it isn't found.
There aren't too many reasons why a passwd lookup won't work.

  What about file/user permissions?

  Alan DeKok.


Default ldap fallthrough but no Auth-Type set

2010-09-30 Thread Harry Hoffman
Hi All,

I'm running freeradius 2.1.8 on a Redhat 5.x box. We're setup to
authenticate against LDAP and AD using the how-tos and wiki on the
freeradius website. Users might be in LDAP, or AD, or both.

I've stuck with the default config and enabled both ldap and ntlm_auth
(after making sure that both sources can authenticate per the docs).
Both sources of authentication work.

It seems that when enabling the ldap module, it becomes the default if
nothing else sets the Auth-Type.

Now I'm trying to walk through the exercise of getting AD auth to work
if a user is present in AD, or getting LDAP auth to work if the user is
present in LDAP.

In the authorize { ... } section of sites-enabled/default I have the
following:

    ntlm_auth
    ldap {
        notfound = return
    }

In the authenticate { ... } section of sites-enabled/default I have the
following Auth-Type:

    #  ntlm_auth authentication.
    Auth-Type ntlm_auth {
        ntlm_auth
    }

    Auth-Type LDAP {
        group {
            ldap {
                reject = 1
                ok = return
            }
            ntlm_auth {
                reject = 1
                ok = return
            }
        }
    }

If the user has an entry in the LDAP database then the Auth-Type is set
to LDAP and the authorization jumps to Auth-Type LDAP and goes through
the groups stanza trying to authenticate to ldap or ntlm_auth.

However if the user is not in LDAP then it seems as though Auth-Type is
never set so the default authentication is attempted via ldap, which
fails. I don't understand why it doesn't try the Auth-Type LDAP
definition.

Everywhere I read, the docs say not to specifically set Auth-Type but to
let the server figure it out. So, how do I let the server figure out
that the Auth-Type should be ntlm_auth when the authorize { ... }
section matches ntlm_auth?


rad_recv: Access-Request packet from host 127.0.0.1 port 55874, id=200,
length=63
User-Name = "admin"
User-Password = "password"
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]
expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-> /var/log/radius/radacct/127.0.0.1/auth-detail-20100930
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m
%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20100930
[auth_log]  expand: %t -> Thu Sep 30 10:32:05 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "admin", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "admin", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=admin
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0) 
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) 
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[ldap] performing user authorization for admin
[ldap]  expand: %{Stripped-User-Name} -> 
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> admin
[ldap]  expand: (&(uid=
%{%{Stripped-User-Name}:-%{User-Name}})(!(inetCOS=802.1x_disabled))) ->
(&(uid=admin)(!(inetCOS=802.1x_disabled)))
[ldap]  expand: ou=People,dc=ip-solutions,dc=net,o=internet ->
ou=People,dc=ip-solutions,dc=net,o=internet
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.ip-solutions.net:389, authentication 0
  [ldap] starting TLS
  [ldap] bind as / to ldap.ip-solutions.net:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in
ou=People,dc=ip-solutions,dc=net,o=internet, with filter
(&(uid=admin)(!(inetCOS=802.1x_disabled)))
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Login incorrect (  [ldap] User not found): [admin] (from client
localhost port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> admin
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.
Sending delayed reject for request 0
Sending Access-Reject 

Question about rlm-unix authentication

2010-09-30 Thread James S. Smith
I'm trying to get FreeRadius to authenticate against the local server's 
usernames and passwords.  I have a fresh installation and I've confirmed that 
authentication is working with a test entry in the /etc/raddb/users file.  I've 
also tested authentication from another system and it works too.  I then try
to authenticate against a unix account I have on the system ("testrad").  It
comes back as "Access-Reject", which seems to suggest it tried to look for the 
user account and felt it wasn't there and in the radiusd -X the unix module 
reports "notfound".   I've confirmed I can log in via Unix with this account, 
so it definitely works.  I also made a test program that makes the same calls 
as rlm_unix and it was able to successfully lookup the user account.

Could this be a problem with the CentOS package of FreeRadius?  Anyone else had 
this problem?



[r...@todcsvnm01 ~]# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 232 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "password"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=232, length=20
[r...@todcsvnm01 ~]# radtest testrad 74828752 127.0.0.1 0 testing123
Sending Access-Request of id 176 to 127.0.0.1 port 1812
User-Name = "testrad"
User-Password = "74828752"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=176, length=20



[r...@todcsvnm01 ~]# radiusd -X
FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 
2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd.rpmsave
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = "/usr"

Re: Radius+Ldap:Allow the same host in multiple vlans

2010-09-30 Thread Alan DeKok
Ramon Escriba wrote:
> By the way, in some of the cases the switch-ip, even switch+port, is the
> key, so huntgroups does the job but only partially.
> 
> This works (original huntgroups example):
> #business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1
> 
> But not this:
> #business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7
> 
> Why?

  NAS-Port-Id is a string, not an integer.  NAS-Port is an integer.

  Alan DeKok.


Re: choose proxy based on AD

2010-09-30 Thread Alan DeKok
David McPike wrote:
> Excellent!  Thanks, Alan.  I have all my test cases working now except
> for one.  I still need to retain the original realm information in the
> supplied User-Name.  The old radius server needs it as part of the
> username to know which child domain controller to contact for
> authentication, otherwise auth fails.
> 
> In other words, if I proxy to the old radius server, the username
> needs to be realm\user again.

  Set "nostrip" in the realm configuration.

  Alan DeKok.


RE: Radius+Ldap:Allow the same host in multiple vlans

2010-09-30 Thread Ramon Escriba

Hi Alan,
Well, touché. We're also trying to use the ldap db to store dhcp info, so
using the same structure to keep all host related data, radius+dhcp+dns.
The problem is we've a big number of vlans, and multiple devices may connect
in some vlans. I'll try to simplify, I shall keep thinking on it.

By the way, in some of the cases the switch-ip, even switch+port, is the
key, so huntgroups does the job but only partially.

This works (original huntgroups example):
#business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1

But not this:
#business   NAS-IP-Address == 192.168.2.5, NAS-Port-Id == 1-7

Why? Is it normal?? If this feature works, it'll keep things a bit
simpler. I'm missing something, aren't I?


Thanks for your fast answer.


-----Original Message-----
From: freeradius-users-bounces+escriba=cells...@lists.freeradius.org
[mailto:freeradius-users-bounces+escriba=cells...@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Thursday, 30 September 2010 9:34
To: FreeRadius users mailing list
Subject: Re: Radius+Ldap:Allow the same host in multiple vlans

Ramon Escriba wrote:
> Is that approach, try the "next vlan" if exists @ ldap, possible, how?

  You've tried a lot of different things and are lost in the complexity of
the solution.

  The problem isn't that hard.  Find a "key" which determines which VLAN to
use.  This key can be switch IP, location, etc.

  Then, use that key to select the correct VLAN.

  What you're doing right now is trying to grab *all* VLANs, and then filter
out the ones which aren't relevant.  That's more complicated, and is less
likely to work.

  Alan DeKok.



Re: Fwd: FreeRadius + VSA

2010-09-30 Thread Alan DeKok
Noura Kossentini wrote:
> So I want to install a radius server. The documentation made me
> confused about using free radius with Jradius.

  I don't know why.  They are two independent projects, with different
web sites.

> I want to connect to the
> radius server (Jradius or freeradius or the two at the same time I don't
> know) using TinyRadius Library.

  That's nice.

> So I must know the secret key used by the server to use it on the
> client side

  No.  You must *create* the secret.  That's why it's in a configuration
file: so you can edit it.

> Also I want to add a VSA role attribute to know the role of the
> user (Viewer, admin ...)
> 
> 
> Is there good documentation to help me proceed??

  The server comes with a *lot* of documentation.  It explains how to
add attributes to the files.  See the FAQ for examples, the comments in
the configuration files, the Wiki, or the "doc" link on the main web page.

  If your work isn't important enough for you to read the existing
documentation, it's not important enough for us to answer your questions.

  Alan DeKok.


Re: Fwd: FreeRadius + VSA

2010-09-30 Thread Noura Kossentini
Hi
Thank you Alexander for the clarification, and I'm sorry to ask such questions.

So I want to install a radius server. The documentation made me confused about
using free radius with Jradius. I want to connect to the radius server
(Jradius or freeradius or the two at the same time I don't know) using
TinyRadius Library.

So I must know the secret key used by the server to use it on the client side.
Also I want to add a VSA role attribute to know the role of the user
(Viewer, admin ...)

Is there good documentation to help me proceed??

Thanks in advance

2010/9/30 Alexander Clouter 

> Noura Kossentini  wrote:
> >
> > *VSA: Vendor*-*Specific Attributes*
> >
> I think telling the core/solo developer and author of FreeRADIUS what
> 'VSA' stands for is unlikely to be quite the 'what' he was hoping you
> would answer.
>
> Your question is 'meaningless', I think it might be a language barrier
> at work here.
>
> If we assume language barrier then the only interpretation left to us is
> that you do not read documentation?  I guess typing into Google
> 'FreeRADIUS VSA' is just too damn hard when instead you could find
> (probably using Google), subscribe, post and wait for a response on a
> mailing list.
>
> http://lmgtfy.com/?q=freeradius+vsa
>
> *sigh*
>
> ...and yes, the very *first* hit is what you want.  One slight
> annoyance is the broken link on the page to the dictionary manpage:
>
> http://freeradius.org/radiusd/man/dictionary.html
>
> In future (this is what I tell our helpdesk and users) you must
> always provide answers to:
>  * what is it that you are trying to do?
>  * how is it that you are going about doing it?
>  * what are you expecting to happen?
>  * what is actually happening?
>
> Answering those simple *four* questions as fully as you can (full
> debug  output if necessary) when confronted with a problem in
> computing will supply us with what we need to know to help you.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: I always have fun because I'm out of my mind!!!
>

Re: Fwd: FreeRadius + VSA

2010-09-30 Thread Alexander Clouter
Noura Kossentini  wrote:
> 
> *VSA: Vendor*-*Specific Attributes*
> 
I think telling the core/solo developer and author of FreeRADIUS what 
'VSA' stands for is unlikely to be quite the 'what' he was hoping you 
would answer.

Your question is 'meaningless', I think it might be a language barrier 
at work here.

If we assume language barrier then the only interpretation left to us is 
that you do not read documentation?  I guess typing into Google 
'FreeRADIUS VSA' is just too damn hard when instead you could find 
(probably using Google), subscribe, post and wait for a response on a 
mailing list.

http://lmgtfy.com/?q=freeradius+vsa

*sigh*

...and yes, the very *first* hit is what you want.  One slight
annoyance is the broken link on the page to the dictionary manpage:

http://freeradius.org/radiusd/man/dictionary.html

In future (this is what I tell our helpdesk and users) you must 
always provide answers to:
 * what is it that you are trying to do?
 * how is it that you are going about doing it?
 * what are you expecting to happen?
 * what is actually happening?

Answering those simple *four* questions as fully as you can (full
debug  output if necessary) when confronted with a problem in
computing will supply us with what we need to know to help you.

Cheers

-- 
Alexander Clouter
.sigmonster says: I always have fun because I'm out of my mind!!!



Re: Fwd: FreeRadius + VSA

2010-09-30 Thread Noura Kossentini
*VSA: Vendor*-*Specific Attributes*


2010/9/29 Alan DeKok 

> Noura Kossentini wrote:
> > how can I add a VSA to freeRadius server??
>
>   What does that mean?
>
>  Alan DeKok.

Re: Radius+Ldap:Allow the same host in multiple vlans

2010-09-30 Thread Alan DeKok
Ramon Escriba wrote:
> Is that approach, try the "next vlan" if exists @ ldap, possible, how?

  You've tried a lot of different things and are lost in the complexity
of the solution.

  The problem isn't that hard.  Find a "key" which determines which VLAN
to use.  This key can be switch IP, location, etc.

  Then, use that key to select the correct VLAN.

  What you're doing right now is trying to grab *all* VLANs, and then
filter out the ones which aren't relevant.  That's more complicated, and
is less likely to work.

  Alan DeKok.



Re: New Install Problems

2010-09-30 Thread Alan DeKok
Scott Miller wrote:
> ./configure --disable-libltdl-install --with-system-libtool
...
> /home/scott/freeradius-server-2.1.10/src/main/modules.c:1372: undefined 
> reference to `lt_preloaded_symbols'

The previous link line shows it's using the local libltdl,
which provides that symbol.

  Honestly, I have no idea.  It shouldn't be that hard to compile &&
link a program, but libtool/libltdl make it nearly impossible.

  I think for version 2.2 I'll be removing libtool && libltdl from the
build.  They're causing more problems than they're solving at this point.

  Alan DeKok.