problem installing freeRadius Server
Hello Friends,

I am trying to install free radius on an old linux machine. The configuration is as follows:

[root@localhost freeradius-server-2.1.10]# uname -a
Linux localhost.localdomain 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
[root@localhost freeradius-server-2.1.10]# whereis python
python: /usr/bin/python2.2 /usr/bin/python /usr/lib/python2.2 /usr/local/bin/python2.7 /usr/local/bin/python2.7-config /usr/local/bin/python /usr/local/lib/python2.7 /usr/include/python2.2 /usr/share/man/man1/python.1.gz
[root@localhost freeradius-server-2.1.10]#

While compiling the server I get the following errors:

root/vijay/freeradius-server-2.1.10/src/freeradius-devel/modules.h:12: warning: `used' attribute ignored
rlm_python.c: In function `python_error':
rlm_python.c:177: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:177: (Each undeclared identifier is reported only once
rlm_python.c:177: for each function it appears in.)
rlm_python.c:177: parse error before __gstate
rlm_python.c:195: warning: implicit declaration of function `PyGILState_Release'
rlm_python.c:195: `__gstate' undeclared (first use in this function)
rlm_python.c: In function `python_init':
rlm_python.c:215: warning: passing arg 2 of `PyModule_AddIntConstant' discards qualifiers from pointer target type
rlm_python.c: In function `python_function':
rlm_python.c:352: `PyGILState_STATE' undeclared (first use in this function)
rlm_python.c:352: parse error before gstate

By default I had python2.2 installed in my linux PC under the path /usr/bin/python2.2. In the mailing list somebody replied that a new version of python is required, so I installed Python2.7.1, but in /usr/bin I can't see python2.7.1.

Please let me know how I can fix this error and install the Radius server successfully. Thank you in advance.

Thanks and Regards,
VIJAY S.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: problem installing freeRadius Server
I'm not sure what version of python is required, but I'm fairly certain the development version is. Make sure you have the development python package installed. Also, it may by default go to /usr/local/bin.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Mon Jan 24 03:32:06 2011
Subject: problem installing freeRadius Server
Re: SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING
Thx - you made my day. I haven't seen the first entry in clients.conf for localhost with the lot of comments. Now it works fine.

On 24.01.2011 08:35, Johan Meiring wrote:
> On 2011/01/24 02:00 AM, Marius.Meisner wrote:
>> /etc/pam_radius_auth.conf:
>> # server[:port] shared_secret timeout (s)
>> 127.0.0.1 secret 2
> ^ This does not match..
>
>> /etc/freeradius/clients.conf:
>> ...
>> client 110.110.110.0/24 {
> ^ this
>
> And therefore the shared secret is incorrect.
> Either fix pam to talk to the 110.110.110 address or fix Freeradius to have the correct shared secret under the 127.0.0.1 client
>
> Cheers,
how to do accounting with the inner identity
Hi

I'm trying to use freeradius 2.1.10 and to authenticate my users with the eap-ttls process and an ldap server for the backend.

All is running fine but I can't succeed in having the accounting done with the inner identity of the ttls tunnel. The outer identity is anonym...@it-sudparis.eu, the inner identity is doutrele.

Here is my config. In the eap.conf file I have for the ttls section:

copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = inner-tunnel

In the inner-tunnel file I have:

post-auth {
    update outer.reply {
        User-Name := "%{Stripped-User-Name}"
    }
}

I can see the Username updated in the following debug log, but in the accounting it's the outer identity that is used. Does someone know what I can do to make the accounting with the inner identity?

rad_recv: Access-Request packet from host 157.159.21.152 port 38145, id=0, length=156
    User-Name = anonym...@it-sudparis.eu
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = 02-00-00-00-00-01
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x021d01616e6f6e796d6f75734069742d73756470617269732e6575
    Message-Authenticator = 0xc12e191df8f2ef431f22b16557a03c7b
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy rewrite_calling_station_id {...}
+++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i)
? Evaluating (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++? if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) -> TRUE
+++- entering if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {...}
    expand: %{1}%{2}%{3}%{4}%{5}%{6} -> 0201
++++[request] returns ok
+++- if (request:Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) returns ok
+++ ... skipping else for request 0: Preceding if was taken
++- policy rewrite_calling_station_id returns ok
++? if (User-Name =~ /^%{Calling-Station-ID}$/i)
    expand: ^%{Calling-Station-ID}$ -> ^0201$
? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) -> FALSE
++? if (User-Name =~ /^%{Calling-Station-ID}$/i) -> FALSE
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/157.159.21.152/auth-detail-20110124
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/157.159.21.152/auth-detail-20110124
[auth_log]  expand: %t -> Mon Jan 24 13:32:42 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm it-sudparis.eu for User-Name = anonym...@it-sudparis.eu
[suffix] Found realm it-sudparis.eu
[suffix] Adding Stripped-User-Name = anonymous
[suffix] Adding Realm = it-sudparis.eu
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 0 length 29
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 8
[files] users: Matched entry DEFAULT at line 14
++[files] returns ok
++? if (NAS-Identifier == Chillispot )
    (Attribute NAS-Identifier was not found)
? Evaluating (NAS-Identifier == Chillispot ) -> FALSE
++? if (NAS-Identifier == Chillispot ) -> FALSE
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 157.159.21.152 port 38145
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:1 = invites
    EAP-Message = 0x010100061920
    Message-Authenticator = 0x
    State = 0xedc31135edc208ab4c1716af0bfa702b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 157.159.21.152 port 38145, id=1, length=151
    User-Name = anonym...@it-sudparis.eu
    NAS-IP-Address = 127.0.0.1
    Calling-Station-Id = 02-00-00-00-00-01
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message
EAP TTLS: Getting the EMSK key
Hi all,

I am new to radius and am using it for a wimax based EAP TLS/TTLS network. Right now, I have freeradius 1.1.7 already installed and working. What I need is to retrieve the calculated EMSK key (for testing purposes) from the radius server to the NAS. I have managed to get the MSK key, but for some reason I cannot retrieve the EMSK key. What do I need to do? Would upgrading to a newer version of freeradius help?

Thanks,
Daniel.
Re: EAP TTLS: Getting the EMSK key?
Daniel wrote:
> I am new to radius and am using it for a wimax based EAP TLS/TTLS network. Right now, I have freeradius 1.1.7 already installed and working.

It won't really work for WiMAX. You'll need 2.1.10, or maybe even the most recent git master branch.

> What I need is to retrieve the calculated EMSK key (for testing purposes) from the radius server to the NAS. I have managed to get the MSK key, but for some reason I cannot retrieve the EMSK key. What do I need to do?

Edit the source code to export the EMSK. It's not *supposed* to be exported for security reasons.

> Would upgrading to a newer version of freeradius help?

No.

Alan DeKok.
Re: how to do accounting with the inner identity
Eric Doutreleau wrote:
> All is running fine but I can't succeed in having the accounting done with the inner identity of the ttls tunnel.

Blame the NAS. :(

> I can see the Username updated in the following debug log but in the accounting it's the outer identity that is used. Does someone know what I can do to make the accounting with the inner identity

Use a NAS that follows the RFCs.

Or, use a DB to store the session information (Calling-Station-ID, etc.), along with the real User-Name. When the accounting request comes in, look up that data in order to re-write the User-Name.

Alan DeKok.
Unknown CA error in FR Debug
@all:

Firstly, thank all of you who assisted me in trying to get a public cert working; regrettably, since Microsoft apparently lost all intelligence in dealing with 802.1x wireless authentication, it looks as though I will be using a private cert.

That being said, I have generated the new private cert using the bootstrap script (I did, of course, change the parameters to suit my needs) and I now have my shiny new private cert...however, after I import the new cert into my clients I am still getting the unknown CA error in my FR debug. The client is obstinately silent, which makes me want to smash it with a hammer, but that is beside the point.

What cert should I import into the client and in what cert store location should I put it? The clients are windows based BTW (usually Win 7)

THANKS for all your help.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221
Re: how to do accounting with the inner identity
Eric Doutreleau eric.doutrel...@it-sudparis.eu wrote:
> I'm trying to use freeradius 2.1.10 and to authenticate my users with the eap-ttls process and an ldap server for the backend.
> All is running fine but I can't succeed in having the accounting done with the inner identity of the ttls tunnel.

It all looks fine at your end, as you pass the 'new' User-Name in the Access-Accept back to your NAS. RFC2865 says your NAS *should* then mark the Accounting packets appropriately with the new User-Name; this is *not* a must though, and optional:

http://tools.ietf.org/html/rfc2865#section-5.1

> I can see the Username updated in the following debug log but in the accounting it's the outer identity that is used. Does someone know what I can do to make the accounting with the inner identity
> [snipped: freeradius -X]

Your debug does not show *any* accounting traffic being sent to FreeRADIUS (none that I could see) after your Access-Accept.

If your NAS does not send the new User-Name attribute in the Accounting Request, then I recommend you wave the RFC2865 link I gave above at your vendor.

Cheers

--
Alexander Clouter
.sigmonster says: My weight is perfect for my height -- which varies.
rlm_realm module, Realm attr value
G'day,

FreeRADIUS rlm_realm module feeds the Realm attribute with the configured value that matched the realm as entered by the user. There is one exception: if the matched configured value is a regex, the realm as entered by the user is used to feed the Realm attribute value.

There is one more case that could get this exception-like treatment. If the configured realm value is DEFAULT, the realm as entered by the user could be used to feed the Realm attribute value. The attached diff file describes the code change.

Alternatively, unlang can be employed to get the details into the Realm attribute. If placed within the authorize section after the realm module instance call (the suffix instance and delimiter = '@' is assumed to be in use in this case):

if (Realm == "DEFAULT" && User-Name =~ /@(.*)$/) {
    update request {
        Realm := "%{1}"
    }
}

Kind regards,
Martin

diff --git a/src/modules/rlm_realm/rlm_realm.c b/src/modules/rlm_realm/rlm_realm.c index 6006769..2da7211 100644 --- a/src/modules/rlm_realm/rlm_realm.c +++ b/src/modules/rlm_realm/rlm_realm.c
@@ -197,13 +197,16 @@ static int check_for_realm(void *instance, REQUEST *request, REALM **returnrealm /* * Add the realm name to the request. -* If the realm is a regex, the use the realm as entered -* by the user. Otherwise, use the configured realm name, -* as realm name comparison is case insensitive. We want -* to use the configured name, rather than what the user +* If the realm is a regex or DEFAULT, then use the realm +* as entered by the user. Otherwise, use the configured +* realm name, as realm name comparison is case insensitive. +* We want to use the configured name, rather than what the user * entered. */ - if (realm-name[0] != '~') realmname = realm-name; + if (realm-name[0] != '~') { + if (strcmp(realm-name, DEFAULT) != 0) + realmname = realm-name; + } pairadd(request-packet-vps, pairmake(Realm, realmname, T_OP_EQ)); RDEBUG2(Adding Realm = \%s\, realmname); - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
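Review bot: the new branch changes what the Realm attribute holds for every request that falls through to the DEFAULT entry, so any existing unlang that tests Realm == DEFAULT after the suffix call will silently stop matching; a behaviour change like that needs a module option that keeps the old value by default, or at least a changelog note, rather than an unconditional change in check_for_realm. Two smaller points: the two nested ifs collapse into a single condition (name not starting with '~' and strcmp against "DEFAULT" non-zero), and the rewritten comment still says the configured name is preferred because realm comparison is case-insensitive, which is exactly what the DEFAULT case now gives up, since the RDEBUG2 line and the pairadd will carry the realm in whatever case the user typed it.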
Re: Unknown CA error in FR Debug
Sallee, Stephen (Jake) wrote:
> Firstly, thank all of you who assisted me in trying to get a public cert working; regrettably, since Microsoft apparently lost all intelligence in dealing with 802.1x wireless authentication, it looks as though I will be using a private cert.

That's easiest.

> That being said, I have generated the new private cert using the bootstrap script (I did, of course, change the parameters to suit my needs) and I now have my shiny new private cert...however, after I import the new cert into my clients I am still getting the unknown CA error in my FR debug. The client is obstinately silent, which makes me want to smash it with a hammer, but that is beside the point.

The message is likely from the client, saying "I don't know the CA cert".

> What cert should I import into the client and in what cert store location should I put it? The clients are windows based BTW (usually Win 7)
> THANKS for all your help.

http://deployingradius.com/

See the EAP howto for *complete* instructions on getting this to work. It has step-by-step instructions, including which cert goes where.

Alan DeKok.
Re: how to do accounting with the inner identity
Alan and Alexander, thanks for your answer. I will investigate further whether my NAS respects RFC2865.

On 24/01/2011 14:21, Alexander Clouter wrote:
> It all looks fine at your end, as you pass the 'new' User-Name in the Access-Accept back to your NAS. RFC2865 says your NAS *should* then mark the Accounting packets appropriately with the new User-Name; this is *not* a must though, and optional:
> http://tools.ietf.org/html/rfc2865#section-5.1
> [...]
> If your NAS does not send the new User-Name attribute in the Accounting Request, then I recommend you wave the RFC2865 link I gave above at your vendor.
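An illustration of the session-store approach Alan DeKok suggests earlier in this thread (record the real User-Name when the Access-Accept goes out, look it up when the Accounting-Request arrives) for the case Alexander describes, where the NAS keeps sending the outer identity. This is added example code modelling the logic in Python; it is not FreeRADIUS configuration and not code from the thread. In a deployment the table would be an rlm_sql table and the rewrite an update in preacct; the packets below are constructed for the example.

```python
"""Rewrite the accounting User-Name from a per-session store (added example)."""
from typing import Dict, Optional, Tuple

# Key on what the NAS repeats in every packet of a session. A real deployment
# would add Acct-Session-Id / NAS-Port when the NAS supplies them.
SessionKey = Tuple[str, str]            # (NAS-IP-Address, normalised Calling-Station-Id)
SESSIONS: Dict[SessionKey, str] = {}    # stands in for an rlm_sql table


def session_key(packet: dict) -> Optional[SessionKey]:
    """Build the lookup key; None if the NAS omitted either attribute."""
    nas = packet.get("NAS-IP-Address")
    csid = packet.get("Calling-Station-Id")
    if nas is None or csid is None:
        return None
    # Normalise MAC formatting, like the rewrite_calling_station_id policy in
    # the debug log, so "02-00-..." and "02:00:..." refer to the same station.
    return nas, csid.lower().replace(":", "").replace("-", "")


def post_auth(outer_request: dict, inner_user: str,
              store: Dict[SessionKey, str] = SESSIONS) -> dict:
    """Access-Accept path: remember the inner (tunnelled) identity for this
    session and return the reply attributes, with User-Name overridden the way
    the inner-tunnel post-auth in the original post does."""
    key = session_key(outer_request)
    if key is not None:
        store[key] = inner_user
    return {"User-Name": inner_user}


def preacct(acct_request: dict,
            store: Dict[SessionKey, str] = SESSIONS) -> dict:
    """Accounting path: if the NAS still reports the outer identity, replace
    User-Name with the stored inner one; forget the session on Acct Stop.
    Returns a new dict; the incoming packet is left untouched."""
    key = session_key(acct_request)
    inner = store.get(key) if key is not None else None
    result = dict(acct_request)
    if inner is not None and result.get("User-Name") != inner:
        result["User-Name"] = inner
    if result.get("Acct-Status-Type") == "Stop" and key in store:
        del store[key]
    return result


# Constructed packets, using the attribute names seen in the debug log.
ACCESS_REQUEST = {
    "User-Name": "anonymous@example.org",       # outer (anonymous) identity
    "NAS-IP-Address": "127.0.0.1",
    "Calling-Station-Id": "02-00-00-00-00-01",
}
ACCT_START = {
    "Acct-Status-Type": "Start",
    "User-Name": "anonymous@example.org",       # NAS ignored the Access-Accept User-Name
    "NAS-IP-Address": "127.0.0.1",
    "Calling-Station-Id": "02:00:00:00:00:01",  # same MAC, different separator
    "Acct-Session-Id": "0001",
}


def demo() -> Tuple[str, str, bool]:
    """Run one session through both paths; returns the accounting User-Name
    on Start, on Stop, and whether the store is empty afterwards."""
    store: Dict[SessionKey, str] = {}
    post_auth(ACCESS_REQUEST, "jdoe", store)
    start = preacct(ACCT_START, store)
    stop = preacct({**ACCT_START, "Acct-Status-Type": "Stop"}, store)
    return start["User-Name"], stop["User-Name"], not store


if __name__ == "__main__":
    print(demo())   # ('jdoe', 'jdoe', True)
```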
Re: Unknown CA error in FR Debug
Hi,

> What cert should I import into the client and in what cert store location should I put it? The clients are windows based BTW (usually Win 7)
> THANKS for all your help.

you should take the nice windows friendly server.der one. win vista and 7 both handle these fine - for older XP systems you need to 'show physical stores' and put the CA into the trusted 3rd party root local store. use the MMC with the certificate snap-in to ensure you can see the CA happily known by the system.

eg http://www.lboro.ac.uk/it/wireless/xp-certs.html
eg http://www.lboro.ac.uk/it/wireless/win7.html

alan
Re: rlm_realm module, Realm attr value
On 01/24/2011 02:32 PM, Martin Stanislav wrote:
> There is one more case that could get this exception-like treatment. If the configured realm value is DEFAULT, the realm as entered by the user could be used to feed the Realm attribute value. The attached diff file describes the code change.

I don't think this is a good change. For example:

authorize {
    suffix
    if (Realm == DEFAULT) {
        # not a local realm; do some stuff
        attr_filter.eduroam
    }
}

...if you change the value of the Realm variable, it's never possible to compare against it. We rely on this in a number of places.

Since, as you point out, you can already accomplish this with unlang or regexp realms, I don't think it's necessary to change the behaviour of the existing module.
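A model of the Realm-attribute behaviour this thread is about: the stock rlm_realm rule (configured name, except regex realms keep the user's entry), the DEFAULT variant the patch proposes, and the unlang rewrite Martin gives as the alternative, run after a policy that keys on Realm == DEFAULT as in the reply above. This is an added example in Python, not FreeRADIUS source; the realm table, the policy step standing in for attr_filter.eduroam, and the user names are constructed.

```python
"""How Realm gets its value: rlm_realm's rule, the proposed DEFAULT change,
and the unlang rewrite that gets the same result without changing the module
(added example modelling the behaviour; not FreeRADIUS source)."""
import re
from typing import Optional, Tuple

# Constructed realm table in proxy.conf order: a plain configured realm
# (matched case-insensitively), a regex realm (name starts with "~") and the
# DEFAULT catch-all.
REALMS = ["it-sudparis.eu", r"~^.*\.example\.ac\.uk$", "DEFAULT"]


def find_realm(entered: str, realms=REALMS) -> Optional[str]:
    """Return the configured entry that matches the realm the user typed."""
    default = None
    for name in realms:
        if name == "DEFAULT":
            default = name
        elif name.startswith("~"):
            if re.search(name[1:], entered, re.IGNORECASE):
                return name
        elif name.lower() == entered.lower():
            return name
    return default


def suffix(user_name: str, patched: bool = False,
           realms=REALMS) -> Optional[Tuple[str, str]]:
    """Model of the 'suffix' instance (delimiter '@'): returns
    (Stripped-User-Name, Realm), or None when no realm applies."""
    if "@" not in user_name:
        return None
    stripped, entered = user_name.rsplit("@", 1)
    realm = find_realm(entered, realms)
    if realm is None:
        return None
    if realm.startswith("~"):
        value = entered        # stock: regex realms keep what the user typed
    elif realm == "DEFAULT" and patched:
        value = entered        # the behaviour the patch proposes
    else:
        value = realm          # stock: the configured, canonical-case name
    return stripped, value


def authorize(user_name: str, patched: bool = False) -> dict:
    """Authorize flow: suffix, then a policy that keys on Realm == DEFAULT
    (standing in for attr_filter.eduroam), then the unlang rewrite from the
    original post, applied after that policy so the comparison still works."""
    request = {"User-Name": user_name, "filtered": False}
    found = suffix(user_name, patched)
    if found is None:
        return request
    request["Stripped-User-Name"], request["Realm"] = found
    # if (Realm == DEFAULT) { attr_filter.eduroam }
    if request["Realm"] == "DEFAULT":
        request["filtered"] = True
    # if (Realm == "DEFAULT" && User-Name =~ /@(.*)$/) { Realm := "%{1}" }
    match = re.search(r"@(.*)$", user_name)
    if request["Realm"] == "DEFAULT" and match:
        request["Realm"] = match.group(1)
    return request


if __name__ == "__main__":
    # With the patch, the policy step never fires for foreign realms.
    print(authorize("alice@other.org"))                 # filtered True
    print(authorize("alice@other.org", patched=True))   # filtered False
```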
Re: Unknown CA error in FR Debug
The typical way to look at certs on a Windows system is to open IE, pull down the Tools menu, select "Internet Options". On Vista and Win7 there is a Control Panel selection "Internet Options" that gets you to the same place. Select the Content tab; Certificate is a button half-way down.

Dave.

Quoting Alan Buxey a.l.m.bu...@lboro.ac.uk:
> you should take the nice windows friendly server.der one. win vista and 7 both handle these fine - for older XP systems you need to 'show physical stores' and put the CA into the trusted 3rd party root local store.
RE: Unknown CA error in FR Debug
I have imported the ca.der into BOTH the trusted root CA store and the Third-Party Root CA store; still I get the unknown CA error. I must be doing something wrong. As per Alan's advice I did visit deployingradius.com; there it mentions that the "validate server cert" check box must be selected in the 802.1x supplicant config, however I cannot seem to find where to configure that option BEFORE the first successful connection. I know exactly how to do it once the profile is established, but before the client has successfully connected for the first time I cannot find where one would set this option. Any help would be appreciated.

Also, I have used the bootstrap script to generate the certs, but I wanted to check that the certs it is generating are what I need. I mentioned that I changed the parameters; just to be clear, the only options I changed are the name of the entity (changed it to the name of our university for the CA and the name of the server for the server cert) and the expiry time (set it to a date way into the future), that's it. I have also experimented with using different keys in the eap.conf file (using server.crt instead of server.pem, etc.) but each time the results are the same. Please see a copy of my eap.conf below:

# -*- text -*-
##
##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
##
##  $Id$

#######################################################################
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#  EAP types NOT listed here may be supported via the eap2 module.
#  See experimental.conf for documentation.
#
eap {
    #  Invoke the default supported EAP type when
    #  EAP-Identity response is received.
    #
    #  The incoming EAP messages DO NOT specify which EAP
    #  type they will be using, so it MUST be set here.
    #
    #  For now, only one default EAP type may be used at a time.
    #
    #  If the EAP-Type attribute is set by another module,
    #  then that EAP type takes precedence over the
    #  default type configured here.
    #
    default_eap_type = peap

    #  A list is maintained to correlate EAP-Response
    #  packets with EAP-Request packets.  After a
    #  configurable length of time, entries in the list
    #  expire, and are deleted.
    #
    timer_expire = 60

    #  There are many EAP types, but the server has support
    #  for only a limited subset.  If the server receives
    #  a request for an EAP type it does not support, then
    #  it normally rejects the request.  By setting this
    #  configuration to yes, you can tell the server to
    #  instead keep processing the request.  Another module
    #  MUST then be configured to proxy the request to
    #  another RADIUS server which supports that EAP type.
    #
    #  If another module is NOT configured to handle the
    #  request, then the request will still end up being
    #  rejected.
    ignore_unknown_eap_types = no

    # Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
    # a User-Name attribute in an Access-Accept, it copies one
    # more byte than it should.
    #
    # We can work around it by configurably adding an extra
    # zero byte.
    cisco_accounting_username_bug = no

    #
    #  Help prevent DoS attacks by limiting the number of
    #  sessions that the server is tracking.  Most systems
    #  can handle ~30 EAP sessions/s, so the default limit
    #  of 4096 should be OK.
    max_sessions = 4096

    # Supported EAP-types

    #
    #  We do NOT recommend using EAP-MD5 authentication
    #  for wireless connections.  It is insecure, and does
    #  not provide for dynamic WEP keys.
    #
    md5 {
    }

    # Cisco LEAP
    #
    #  We do not recommend using LEAP in new deployments.  See:
    #  http://www.securiteam.com/tools/5TP012ACKE.html
    #
    #  Cisco LEAP uses the MS-CHAP algorithm (but not
    #  the MS-CHAP attributes) to perform it's authentication.
    #
    #  As a result, LEAP *requires* access to the plain-text
    #  User-Password,
Re: EAP TTLS: Getting the EMSK key?
Alan DeKok-2 wrote:
> Daniel wrote:
>> I am new to radius and am using it for a wimax based EAP TLS/TTLS network. Right now, I have freeradius 1.1.7 already installed and working.
>
> It won't really work for WiMAX. You'll need 2.1.10, or maybe even the most recent git master branch.

It's already working. I am running a full wimax network, and it's running smoothly.

Alan DeKok-2 wrote:
>> What I need is to retrieve the calculated EMSK key (for testing purposes) from the radius server to the NAS. I have managed to get the MSK key, but for some reason I cannot retrieve the EMSK key. What do I need to do?
>
> Edit the source code to export the EMSK. It's not *supposed* to be exported for security reasons.

Can you please give me some kind of directions on how to do that?
Re: EAP TTLS: Getting the EMSK key?
Daniel wrote:
> It's already working. I am running a full wimax network, and it's running smoothly.

shrug. If it works...

> Can you please give me some kind of directions on how to do that?

Read the source code. src/modules/rlm_eap/libeap/* is a good start. It's an open source project, so developer documentation is rather limited.

Alan DeKok.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi Alexander,

I am trying to play with your configuration; basically I have a virtual server called auth as in your example, and modified my eap.conf for peap to use auth. What's the config:local.MY.realm? My debug showed:

[suffix] Looking up realm foo.edu for User-Name = sd...@foo.edu
[suffix] Found realm foo.edu
[suffix] Adding Stripped-User-Name = sding
[suffix] Adding Realm = foo.edu
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} )
?? Evaluating (outer.request:EAP-Message) -> TRUE
    expand: local.MY.realm -> local.MY.realm
WARNING: No such configuration item local.MY.realm
    expand: %{config:local.MY.realm} ->
? Evaluating (Realm != %{config:local.MY.realm} ) -> TRUE
++? if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) -> TRUE
++- entering if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) {...}
    expand: Realm is '%{Realm}' on Inside -> Realm is 'foo.edu' on Inside
+++[outer.reply] returns ok
+++[reject] returns reject
++- if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) returns reject
} # server auth

Thanks,
Schilling

On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter a...@digriz.org.uk wrote:
> schilling schilling2...@gmail.com wrote:
>> Where should I put the perl script? I already have a perl module for another virtual server to use radscript. I also tried unlang in post-auth, like
>>
>> if ("%{User-Name}" =~ /\@/ && fooEmployeeStatus =~ /active/i) {
>>     update outer.reply {
>>         Service-Type = Framed-User
>>         Tunnel-Type = VLAN
>>         Tunnel-Medium-Type = IEEE-802
>>         Tunnel-Private-Group-Id = facstaff
>>     }
>> }
>
> I cannot recommend more *not* to do your authorisation in the inner tunnel, and instead to pass it back on out. There are a number of reasons, clarity included, but especially you then can make use of the reject path...
>
> In case it helps, this is what we (a small-medium university in the UK) do.
>
> In our eap block we set (we use TTLS, however it should be the same for PEAP):
>
> eap {
>     ...
>     ttls {
>         ...
>         copy_request_to_tunnel = no
>         use_tunneled_reply = yes
>         virtual_server = auth
>     }
>     ...
> }
>
> Then we have an 'auth' virtual server:
>
> server auth {
>     authorize {
>         if ((outer.request:EAP-Message)) {
>             update outer.request {
>                 User-Name := "%{request:User-Name}"
>             }
>             update reply {
>                 User-Name := "%{request:User-Name}"
>             }
>         }
>
>         validate_username
>         suffix
>
>         if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {
>             update outer.reply {
>                 Reply-Message := "Realm is '%{Realm}' on Inside"
>             }
>             reject
>         }
>
>         # if the password is passed to us use it, otherwise yank it from LDAP
>         if ((outer.request:Cleartext-Password)) {
>             update control {
>                 Cleartext-Password := "%{outer.request:Cleartext-Password}"
>             }
>         }
>         else {
>             ldap-login
>
>             # some accounts are glitched and do not have a UP :(
>             if (ok && !(control:Cleartext-Password)) {
>                 update outer.reply {
>                     Reply-Message := "No eDirectory UP"
>                 }
>                 reject
>             }
>         }
>
>         pap
>         chap
>         mschap
>
>         update reply {
>             Auth-Type := "%{control:Auth-Type}"
>         }
>     }
>
>     authenticate {
>         Auth-Type PAP {
>             pap
>         }
>         Auth-Type CHAP {
>             chap
>         }
>         Auth-Type MSCHAP {
>             mschap
>         }
>     }
> }
>
> We are 'blessed' with Novhell, so 'ldap-login' populates Cleartext-Password from eDirectory if present; your approach would be different (the interesting bit is if you set 'request:Cleartext-Password' in your outer layer before calling 'eap', which is a handy hook for a NAGIOS RADIUS check, letting you test authentication with eapol_test[1] and remove the AD component from the equation).
>
> Once the 'auth' virtual server finishes, you will find in the outer layer for *successful* authentications,
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
On 01/24/2011 08:35 PM, schilling wrote:
> Hi Alexander,
> I am trying to play with your configuration; basically I have a virtual server called auth as in your example, and modified my eap.conf for peap to use auth. What's the config:local.MY.realm? My debug showed:

FreeRadius lets you write *any* config hierarchy object, and re-use it elsewhere; in radiusd.conf (or maybe an include) put:

local {
    MY {
        realm = x.x
    }
}
Re: Unknown CA error in FR Debug
> Hi,
> I must be doing something wrong, as per Alan's advice I did visit deployingradius.com, and there it mentions that the validate server cert check box must be selected in the 802.1x supplicant config, however I cannot seem to find where to configure that option BEFORE the first successful connection. I know exactly how to do it once the profile is established, but before the client has successfully connected for the first time I cannot find where one would set this option.

the system is a little dumb. you need to create a manual connection if you want to do it that way - the straight-connect method is too streamlined and doesn't let you play like that

> Also, I have used the bootstrap script to generate the certs, but I wanted to check that the certs it is generating are what I need. I mentioned that I changed the parameters, just to be clear the only options I changed are the name of the entity (changed it to the name of our university, for the CA and the name of the server for the server cert) and the expiry time (set it to a date way into the future) that's it. I have also experimented with using different keys in the eap.conf file (using server.crt instead of server.pem, etc.) but each time the results are the same. Please see a copy of my eap.conf below:

no need to 'play' with things...the default template is pretty fine - just change the paths if you want a 'Production' storage place...and check permissions are right!

> #CA_file = ${cadir}/ca.pem

set this. it helps!

for performance/less packets...you probably want to set the default PEAP and EAP-TTLS types to mschapv2 rather than the basic default of md5.

..and you really want to use that nice cache feature...oh yes.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: New to the lists
Thanks to everyone for your responses! I'm still trying to pick apart how it is configured though it is pretty standard IMO. radiusd.conf and clients.conf seem to be the only two modified files. I'll perform a mysqldump so I can test it out and see if the default config will run ok. Will let you know how everything turns out!

Thanks in advance,
-Tim

-----Original Message-----
From: freeradius-users-bounces+tim=velociter@lists.freeradius.org [mailto:freeradius-users-bounces+tim=velociter@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, January 21, 2011 11:57 PM
To: FreeRadius users mailing list
Subject: Re: New to the lists

Tim McNabb wrote:
> I have a curious question though. Since the current version is substantially older than what we're moving to, how will this affect the sql database? Will I be able to install the newest version of FreeRADIUS and just perform a mysql dump from the old server to the new one?

Look at the schema. It should be pretty similar, IIRC. You might even be able to use the DB unchanged. The most you'll have to do is add an operator field. See the SQL docs examples.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trying to strip the Windows Domain name from a login
Hi Alan,

Thanks for info. Next question is what?? HeHe. I started looking at the files you suggested and I am confused. First you mention looking into the realm information, did that, it is looking like that may not be too hard to do, if I am using the FR server to access the LDAP server then I just need to set a realm of ntdomain and auth=LOCAL, correct? Then you go on to say strip the domain at the LDAP lookup, well if I do it there wouldn't that fix the problem regardless of changing the realm? You go on to explain that I should do the LDAP lookup in the inner-tunnel config, I have no problem with this, it makes sense, the problem I have is how do you specify the inner tunnel in the configuration? Remember, I am new to FreeRadius, been using Cisco ACS for a few years now so I know about Radius in general, just not how to configure FreeRadius and docs are a bit hard to come by. If you can specify the files I should look at to configure the inner tunnel authentication and where to specify stripping the domain name pre-ldap authentication that would help a lot. I was not sure if I should attempt stripping the domain in the realm portion or right before the ldap auth.

Thanks again, I will continue and try to figure out where to do this until I hear back.

Brett Littrell
Network Manager MUSD
CISSP, CCSP, CCVP, MCNE

On Friday, January 21, 2011 at 11:56 PM, in message 4d3a8da0.7050...@deployingradius.com, Alan DeKok al...@deployingradius.com wrote:

> Brett Littrell wrote:
>> I am trying to strip the domain name from a userid in the most efficient way possible, I am using version 2.1.1.
>
> See the realms module, and the realm definition in raddb/proxy.conf.
>
>> I am using MSChapV2
>
> Then stripping the realm isn't a good idea. The User-Name is used as part of the MS-CHAPv2 calculations, so changing it will make the authentication fail.
>
>> I then found another reference to strip the domain from the LDAP module as shown below:
>>
>> filter = (cn=%{mschap:User-Name:-%{User-Name}}
>
> This is wrong. You're not closing the opening bracket:
>
> filter = (cn=%{mschap:User-Name:-%{User-Name}})
>
>> and it seems to pass the correct username to the LDAP server it looks like there is some other place I need to strip the domain besides the ldap lookup, that or the replies are using the stripped name and it is failing that way as well. Either way it still is not working. If I un-comment the stripped-user-name and use a supplicant that strips the domain prior to sending it, it does work so Radius is working, just now with standard windows supplicant on XP.
>
> If you're using EAP, you *really* don't want to strip the User-Name. It will make EAP fail.
>
>> And yes I am pretty new to freeradius.
>
> What you want is to change the *ldap* lookup so that it uses only the name portion of the User-Name. *Don't* edit the User-Name. And move the LDAP lookup to the inner-tunnel configuration. That's what it's for. Don't do LDAP lookups in raddb/sites-available/default
>
> Alan DeKok.

attachment: Brett_Littrell.vcf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
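The corrected filter line above depends on two things that are easy to get wrong: the LDAP search must use only the name part of a DOMAIN\user login (what the %{mschap:User-Name} expansion yields) while the User-Name attribute itself stays untouched for EAP and MS-CHAPv2, and whatever gets spliced into the filter must be escaped so a login containing filter metacharacters cannot alter the search. The Python below is an added example, not code from this thread or from FreeRADIUS; the server's own ldap module escapes its expansions for you, this only makes the step visible and checkable offline. The `inner_tunnel_lookup` function and the "EXAMPLE" domain in the sample logins are constructed for the example.

```python
"""Derive the inner-tunnel LDAP filter from a RADIUS User-Name without
rewriting the User-Name (added example, not FreeRADIUS code)."""

# RFC 4515 section 3: characters that must be encoded as \XX inside a filter
# assertion value.  A per-character table avoids the classic ordering bug of
# escaping the backslash after the other replacements.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(user_name: str) -> str:
    """Return the name portion of 'DOMAIN\\user', like %{mschap:User-Name}.

    A User-Name without a backslash is returned unchanged.  Only the first
    backslash separates the domain; a later backslash stays part of the name
    and is neutralised by ldap_escape().
    """
    _domain, sep, name = user_name.partition("\\")
    return name if sep else user_name


def build_cn_filter(user_name: str) -> str:
    """The corrected filter from the thread, computed for one User-Name."""
    return "(cn=%s)" % ldap_escape(strip_nt_domain(user_name))


def inner_tunnel_lookup(request: dict) -> dict:
    """Model of the inner-tunnel step (hypothetical helper, not an API).

    `request` is a plain dict of RADIUS attributes standing in for the
    inner-tunnel request list.  The result carries the User-Name exactly as
    it arrived, plus the filter the LDAP search would use.
    """
    user_name = request["User-Name"]
    return {
        "User-Name": user_name,  # never rewritten: EAP/MS-CHAPv2 need it intact
        "ldap_filter": build_cn_filter(user_name),
    }


if __name__ == "__main__":
    # Constructed sample logins, not values from the thread.  The last one
    # shows why escaping matters: the metacharacters end up as \29\28\2a.
    for login in ("EXAMPLE\\jsmith", "jsmith", "jsmith)(cn=*"):
        print("%-16s -> %s" % (login, inner_tunnel_lookup({"User-Name": login})))
```

Run it as a script to see the three filters side by side; the domain prefix is gone from the first, and the third is a harmless literal search for a user whose cn contains brackets and an asterisk.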
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling schilling2...@gmail.com wrote:
> I am trying to play with your configuration, basically I have a virtual server called auth as your example, and modified my eap.conf for peap to use auth. what's the config:local.MY.realm? My debug showed

Phil pretty much covered it (and in a neater manner I was not aware could be used, but it is obvious now seeing it...), I put all the 'local site' specific details into a single configuration file (including SQL/LDAP binding credentials) so that if I want to give someone a copy of my config, all I have to really do is trim the 'local' file and know I have not leaked anything important.

For example, just after '$INCLUDE clients.conf' in the main radiusd.conf file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file is:

local.MY.hostname = iodine.it.soas.ac.uk
local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
local.MY.addr.v4 = 212.219.138.70
local.MY.realm = soas.ac.uk

local.addr.v6 = 2001:630:1b:1001:624a::15bb
local.addr.v4 = 193.63.73.37

local.test.username = test-username
local.test.password = [ahem]

local.ldap.server.1 = ldap1.soas.ac.uk
local.ldap.server.2 = ldap2.soas.ac.uk
local.ldap.username = cn=cheese,ou=is,o=tasty
local.ldap.password = NOM

local.sql.server = sql.soas.ac.uk
local.sql.username = radius-username
local.sql.password = oh-so-very-secret

local.cert.password = omg-do-not-tell-anyones

[snipped]

$INCLUDE ${confdir}/LOCAL/templates.conf
$INCLUDE ${confdir}/LOCAL/policy.conf
$INCLUDE ${confdir}/LOCAL/proxy.conf
$INCLUDE ${confdir}/LOCAL/clients/

Cheers

--
Alexander Clouter
.sigmonster says: Riches cover a multitude of woes. -- Menander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Issue with local authentication of MS-ChapV2
Hi Jake,

The only light I can shed on my issue is a tale of self-inflicted aggravation. It seems I was using the wrong XP supplicant, hence the wrong root certificate, and this oversight prevented the TLS tunnel from coming up. I got a good FreeRadius log for PEAP-MS-Chapv2 on the internet and went through it line by line, comparing it to my log, until I noticed that the TLS tunnel never came up in my setup. It was then I realized my error and fixed it.

Regards,
John

-----Original Message-----
From: freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org [mailto:freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
Sent: Wednesday, January 19, 2011 8:51 PM
To: FreeRadius users mailing list
Subject: RE: Issue with local authentication of MS-ChapV2

Glad to hear you solved it, care to share so we can all benefit ?

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 6:18 PM
To: 'FreeRadius users mailing list'
Subject: RE: Issue with local authentication of MS-ChapV2

Hi All,

We solved the issue in house.

Regards,
John

-----Original Message-----
From: freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org [mailto:freeradius-users-bounces+jhanavan=avaya@lists.freeradius.org] On Behalf Of Hanavan, John (John)
Sent: Wednesday, January 19, 2011 3:56 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Issue with local authentication of MS-ChapV2

I am trying to get PEAP/MS-ChapV2 working on my Radius Server. The version I am using is FreeRadius 2.1.8. I already have EAP-TLS working between a FreeRadius Server and an XP supplicant, so I am pretty sure that my certificates are configured correctly on the FreeRadius Server as well as the XP supplicant that I am trying to configure PEAP/MS-ChapV2 on.

I have attached the FreeRadius debug log from one of my attempted connections. It appears that the EAP-TLS tunnel comes up but the MS-ChapV2 authentication fails. I did see this warning:

Warning: Found 2 auth-types on request for user 'jsmith1'

But I am uncertain what it means and how to correct it. As stated earlier, I am trying to use local authentication for the MS-ChapV2 and this seems to be the point of failure. I have a packet capture between the Radius Server and the authenticator showing Radius Access Challenges and Requests but no Access Accepts. Not sure what I have mis-configured, so any suggestions would be greatly appreciated.

Regards,
John

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Thanks a lot. More questions.

> If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

I am trying to follow your comment on this. I now realize we used to run eDir and have now converted to iplanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes since otherwise, I could not call ldap in the post-auth section in auth virtual server for eap.

## etc/raddb/modules/ldap
        # Un-comment the following to disable Novell
        # eDirectory account policy check and intruder
        # detection. This will work *only if* FreeRADIUS is
        # configured to build with --with-edir option.
        #
        #edir_account_policy_check = no

What I want to do is just to check some attribute in our ldap server, our structure is like the following:

# extended LDIF
#
# LDAPv3
# base ou=people,dc=foo,dc=edu with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribute/value pairs in your example cache_ldap-userdn.pm, so I can use these values as logic to assign users to different VLANs. Can I do that in your pm?

fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active

Thanks,
Schilling

On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter a...@digriz.org.uk wrote:
> schilling schilling2...@gmail.com wrote:
>> I am trying to play with your configuration, basically I have a virtual server called auth as your example, and modified my eap.conf for peap to use auth. what's the config:local.MY.realm? My debug showed
>
> Phil pretty much covered it (and in a neater manner I was not aware could be used, but it is obvious now seeing it...), I put all the 'local site' specific details into a single configuration file (including SQL/LDAP binding credentials) so that if I want to give someone a copy of my config, all I have to really do is trim the 'local' file and know I have not leaked anything important.
>
> For example, just after '$INCLUDE clients.conf' in the main radiusd.conf file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file is:
>
> local.MY.hostname = iodine.it.soas.ac.uk
> local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
> local.MY.addr.v4 = 212.219.138.70
> local.MY.realm = soas.ac.uk
>
> local.addr.v6 = 2001:630:1b:1001:624a::15bb
> local.addr.v4 = 193.63.73.37
>
> local.test.username = test-username
> local.test.password = [ahem]
>
> local.ldap.server.1 = ldap1.soas.ac.uk
> local.ldap.server.2 = ldap2.soas.ac.uk
> local.ldap.username = cn=cheese,ou=is,o=tasty
> local.ldap.password = NOM
>
> local.sql.server = sql.soas.ac.uk
> local.sql.username = radius-username
> local.sql.password = oh-so-very-secret
>
> local.cert.password = omg-do-not-tell-anyones
>
> [snipped]
>
> $INCLUDE ${confdir}/LOCAL/templates.conf
> $INCLUDE ${confdir}/LOCAL/policy.conf
> $INCLUDE ${confdir}/LOCAL/proxy.conf
> $INCLUDE ${confdir}/LOCAL/clients/
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Riches cover a multitude of woes. -- Menander

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
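The decision schilling wants to build from those four directory attributes is the same whether it lives in a Perl cache module or anywhere else: read the status and department fields, refuse the VLAN if the account is not active, otherwise map the department to a VLAN and return the three RFC 3580 tunnel attributes. The Python below is an added example, not the thread's cache_ldap-userdn.pm nor FreeRADIUS code; it parses the LDIF entry from the post (with the ntPassword line deliberately left out, since a VLAN policy has no business requesting or caching password attributes) and carries that decision through. The department-to-VLAN table, the guest VLAN and the function names are constructed for the example; the attribute names are the ones from the post.

```python
"""Map directory attributes from an LDIF entry to a dynamic VLAN reply
(added example, not the thread's Perl module or FreeRADIUS code)."""
from typing import Dict, List, Optional

# The entry from the post, minus the ntPassword line (constructed copy).
SAMPLE_LDIF = """\
# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding
"""

# Hypothetical policy table: department number -> VLAN id.  Anything not
# listed lands on the guest VLAN; an inactive account gets no VLAN at all.
DEPARTMENT_VLANS = {"123456": "200"}
GUEST_VLAN = "999"

# The only attributes the policy needs; nothing else is read or cached.
CACHED_ATTRIBUTES = (
    "fooEduPSHRdeptName",
    "fooEduPSHRDepartmentNumber",
    "fooEduEmployeeStatus",
    "employeeStatus",
)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Handles 'attr: value' lines, '#' comment lines and folded continuation
    lines (a leading space continues the previous value).  Base64 values
    ('attr:: ...') are rejected rather than silently mis-read, since none
    of the attributes used here are binary.
    """
    entry: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            entry[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % raw)
        if value.startswith(":"):
            raise ValueError("base64 value not supported for %s" % attr)
        entry.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entry


def cacheable_fields(entry: Dict[str, List[str]]) -> Dict[str, str]:
    """The four attribute/value pairs the post wants cached, nothing more."""
    return {k: entry[k][0] for k in CACHED_ATTRIBUTES if k in entry}


def vlan_reply(entry: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Return RFC 3580 tunnel attributes for this user, or None to reject.

    Both status attributes must be present and say Active: a missing status
    is treated as not active, not as a pass.
    """
    statuses = entry.get("employeeStatus", []) + entry.get("fooEduEmployeeStatus", [])
    if len(statuses) < 2 or any(s != "Active" for s in statuses):
        return None
    dept = entry.get("fooEduPSHRDepartmentNumber", [""])[0]
    return {
        "Tunnel-Type": "VLAN",             # numeric value 13
        "Tunnel-Medium-Type": "IEEE-802",  # numeric value 6
        "Tunnel-Private-Group-Id": DEPARTMENT_VLANS.get(dept, GUEST_VLAN),
    }


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print(cacheable_fields(entry))
    print(vlan_reply(entry))
```

Whatever holds the cached copy, the same two rules apply: cache only the attributes the policy reads, and make the absence of a status attribute fail closed rather than fall through to a VLAN.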