EAP-PEAP-MSCHAPV2 won't finish

2011-11-21 Thread Alberto Martínez
Hi. Yet another MSCHAPv2 thread.

It's related to this one:
http://lists.cistron.nl/pipermail/freeradius-users/2008-July/msg00156.html
(I will post my output if needed, but I believe it is almost the same)

Ivan Kalik states "That's because it's doing EAP mschapv2 not plain
mschap. It's normal
to get a couple more Challenge-Requests before process is over." but
neither Windows nor Ubuntu answer that challenge beyond that point.

The thread ends with "Problem solved: ntlm_auth of Samba 3.2.0 seems
not to work with Freeradius 2.0.5. After downgrading Samba to 3.0.29
everything is fine again." which contrasts with the
"
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
"
part. Also, I'd like to know a little more about the ntlm_auth issue
before downgrading (I hate to do that).

Thanks.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP-PEAP-MSCHAPV2 won't finish

2011-11-21 Thread Alan DeKok
Alberto Martínez wrote:
> Also, I'd like to know a little more about the ntlm_auth issue
> before downgrading (I hate to do that).

  Upgrade to the latest stable release of Samba.  It was a Samba bug.

  See eap.conf.  Look for "Samba"

  Alan DeKok.


Re: EAP-PEAP-MSCHAPV2 won't finish

2011-11-21 Thread Alan Buxey
Hi,

> The thread ends with "Problem solved: ntlm_auth of Samba 3.2.0 seems
> not to work with Freeradius 2.0.5. After downgrading Samba to 3.0.29
> everything is fine again." which contrasts with the
> "
> rlm_mschap: adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> "
> part. Also, I'd like to know a little more about the ntlm_auth issue
> before downgrading (I hate to do that).

use either 3.0.x or the latest 3.5.x or 3.6.x


alan


building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
According to
http://wiki.freeradius.org/Build#Building+Debian+packages
a debian package can be compiled from freeradius sources.
On squeeze it fails. Maybe it has to do with libtool?
Is there a known workaround?

libtool: compile:  gcc -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef 
-I/root/radius/freeradius-server-2.1.12/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.1.12\" 
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=1.12 -c 
modules.c  -fPIC -DPIC -o .libs/modules.o
modules.c: In function 'fr_dlopenext':
modules.c:216: error: 'lt_dladvise' undeclared (first use in this function)
modules.c:216: error: (Each undeclared identifier is reported only once
modules.c:216: error: for each function it appears in.)
modules.c:216: error: expected ';' before 'advise'
modules.c:218: warning: implicit declaration of function 'lt_dladvise_init'
modules.c:218: warning: nested extern declaration of 'lt_dladvise_init'
modules.c:218: error: 'advise' undeclared (first use in this function)
modules.c:219: warning: implicit declaration of function 'lt_dladvise_ext'
modules.c:219: warning: nested extern declaration of 'lt_dladvise_ext'
modules.c:220: warning: implicit declaration of function 'lt_dladvise_global'
modules.c:220: warning: nested extern declaration of 'lt_dladvise_global'
modules.c:221: warning: implicit declaration of function 'lt_dlopenadvise'
modules.c:221: warning: nested extern declaration of 'lt_dlopenadvise'
modules.c:224: warning: implicit declaration of function 'lt_dladvise_destroy'
modules.c:224: warning: nested extern declaration of 'lt_dladvise_destroy'
modules.c: In function 'setup_modules':
modules.c:1409: warning: nested extern declaration of 'lt_preloaded_symbols'
make[5]: *** [modules.lo] Error 1
make[5]: Leaving directory `/root/radius/freeradius-server-2.1.12/src/main'
make[4]: *** [main] Error 2
make[4]: Leaving directory `/root/radius/freeradius-server-2.1.12/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/radius/freeradius-server-2.1.12/src'
make[2]: *** [src] Error 2
make[2]: Leaving directory `/root/radius/freeradius-server-2.1.12'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/radius/freeradius-server-2.1.12'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
With best regards,


Norbert Wegener
Atos IT Solutions and Services
AIS MS NC PSU SDC
Bruchstraße 5
45883 Gelsenkirchen, Germany
Tel.: +49 (209) 94565716
Fax: +49 (201) 8165581284
mailto:norbert.wege...@atos.net


Atos IT Solutions and Services GmbH; Managing Directors: Winfried Holz, Christian
Oecking, Rainer-Christian Koppitz; Chairman of the Supervisory Board: Charles
Dehelly; Registered office: München, Germany; Court of registration: München,
HRB 184933.


Re: building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Alan DeKok
Wegener, Norbert wrote:
> According to
> http://wiki.freeradius.org/Build#Building+Debian+packages
> a debian package can be compiled from freeradius sources.
> On squeeze it fails. Maybe it has to do with libtool?
> Is there a known workaround?

  Arg... the system has lt_dladvise_init(), but not lt_dladvise().

  What are the "configure" flags?  You may need:

--with-system-libtool \
--with-system-libltdl

  The latest git version of debian/rules has this change.

  Alan DeKok.


Only "string" can have "encrypt=2"

2011-11-21 Thread Bjørn Mork
Hello,

I just stumbled across this which made me worry a bit:

commit f8f58e4bec03d832ad4480b90e7dd531ae0d787d
Author: Alan T. DeKok 
Date:   Wed Oct 19 17:20:37 2011 +0200

Only "string" can have "encrypt=2"

diff --git a/src/lib/dict.c b/src/lib/dict.c
index f613664..bdf8065 100644
--- a/src/lib/dict.c
+++ b/src/lib/dict.c
@@ -906,6 +906,13 @@ static int process_attribute(const char* fn, const int 
line,
fn, line, key);
return -1;
}
+
+   if ((flags.encrypt == 
FLAG_ENCRYPT_ASCEND_SECRET) &&
+   (type != PW_TYPE_STRING)) {
+   fr_strerror_printf( "dict_init: %s[%d] 
Only \"string\" types can have the \"encrypt=2\" flag set.",
+   fn, line);
+   return -1;
+   }

} else if (strncmp(key, "array", 8) == 0) {
flags.array = 1;
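Review bot: the error string printed here says "encrypt=2", but the condition tests FLAG_ENCRYPT_ASCEND_SECRET, and the reply later in this thread confirms that constant is 3, while 2 is FLAG_ENCRYPT_TUNNEL_PASSWORD, which dictionary.erx uses on integer, octets and ipaddr attributes. Change the message to `Only \"string\" types can have the \"encrypt=3\" flag set.` and fix the commit subject to match; as written, anyone who hits this dictionary error will go looking at the wrong flag, and a reader of the patch will assume tunnel-password encryption of non-string attributes has been disabled.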



The reason I'm worrying is dictionary.erx, where I know there are other
types (integer, octets and ipaddress) with "encrypt=2" set.  And these
are in fact in use, with encryption, by a number of Juniper JUNOS and
JUNOSe based devices.


And the second issue that made me worry: Why didn't I (and everybody
else) hit that by default in dictionary.erx?  Well, it seems that
FLAG_ENCRYPT_ASCEND_SECRET isn't really 2 as the above made me believe.
It is 3.   2 is of course FLAG_ENCRYPT_TUNNEL_PASSWORD.

But if it's a typo, then why repeat it in the commit message as well?
Was this an attempt to disable other encryption types than
FLAG_ENCRYPT_TUNNEL_PASSWORD for other attribute types than strings? Or
what exactly was the above trying to fix?

Anyway: Please don't disable tunnel-password encryption of non-string
attributes.  It works, and it *is* in use.



Bjørn (coloured confused)




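The encryption Bjørn is referring to, encrypt=2 (FLAG_ENCRYPT_TUNNEL_PASSWORD, as Alan confirms in his reply), is the RFC 2868 section 3.5 Tunnel-Password scheme. The following is an added example, not code from FreeRADIUS or from anyone in the thread; it implements encode and decode over raw bytes and shows why it applies equally to integer, ipaddr and octets values. The shared secret and Request-Authenticator are constructed fixtures.

```python
import hashlib
import os
import socket
import struct

# Constructed test fixtures (not from the thread): a RADIUS shared secret and
# the 16-byte Request-Authenticator of the request carrying the attribute.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))


def tunnel_password_encrypt(plain, secret, authenticator, salt=None):
    """Encode ``plain`` as RFC 2868 section 3.5 Tunnel-Password data.

    Returns salt(2) || c1 || c2 ... where each c_i is 16 bytes:
      b1 = MD5(secret || authenticator || salt), c1 = p1 XOR b1
      bi = MD5(secret || c(i-1)),               ci = pi XOR bi
    ``plain`` is treated as opaque bytes, so an integer, ipaddr or octets
    value is processed exactly like a string value.
    """
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if len(plain) > 255:
        raise ValueError("value longer than 255 bytes cannot be encoded")
    if salt is None:
        # The high bit of the first salt byte must be set (RFC 2868 3.5).
        salt = bytes([0x80 | os.urandom(1)[0]]) + os.urandom(1)
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    # P = length byte || value, zero-padded to a multiple of 16 bytes
    p = bytes([len(plain)]) + plain
    p += b"\x00" * (-len(p) % 16)
    out = bytearray()
    prev = authenticator + salt
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += c
        prev = c                      # next block is chained on the ciphertext
    return salt + bytes(out)


def tunnel_password_decrypt(data, secret, authenticator):
    """Reverse of tunnel_password_encrypt; rejects structurally bad input."""
    if len(data) < 18 or (len(data) - 2) % 16:
        raise ValueError("malformed Tunnel-Password: bad length")
    salt, ct = data[:2], data[2:]
    if not salt[0] & 0x80:
        raise ValueError("malformed Tunnel-Password: salt high bit clear")
    p = bytearray()
    prev = authenticator + salt
    for i in range(0, len(ct), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(ct[i:i + 16], b))
        prev = ct[i:i + 16]
    n = p[0]
    if n > len(p) - 1:
        raise ValueError("malformed Tunnel-Password: length byte exceeds data")
    return bytes(p[1:1 + n])


def roundtrip_examples():
    """Encrypt and decrypt one value of each dictionary type in question.

    Returns {type: (encoded length, decoded == original)}.
    """
    values = {
        "string": b"tunnel-secret",
        "integer": struct.pack(">I", 42),            # 4-byte big-endian integer
        "ipaddr": socket.inet_aton("192.0.2.7"),     # 4-byte IPv4 address
        "octets": bytes.fromhex("deadbeefcafe"),
    }
    results = {}
    for name, plain in values.items():
        enc = tunnel_password_encrypt(plain, SECRET, AUTHENTICATOR)
        dec = tunnel_password_decrypt(enc, SECRET, AUTHENTICATOR)
        results[name] = (len(enc), dec == plain)
    return results
```

Each of the four values encodes to 18 bytes (2 salt bytes plus one padded 16-byte block) regardless of its dictionary type, which is the behaviour the ERX attributes rely on.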


AW: building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
Unfortunately that has not been the solution.
I grabbed the latest git version, verified
--without-rlm_sql_unixodbc \
--with-system-libtool \
--with-system-libltdl
but:

/usr/bin/libtool --mode=compile gcc -I/root/git/freeradius-server 
-I/root/git/freeradius-server/src -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -I/root/git/freeradius-server/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.2.0\"  
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=2.0 
-DWITH_SYSTEM_LTDL -c modules.c
libtool: compile:  gcc -I/root/git/freeradius-server 
-I/root/git/freeradius-server/src -g -O2 -O2 -Wall -D_GNU_SOURCE -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align 
-Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wnested-externs -W -Wredundant-decls -Wundef -I/root/git/freeradius-server/src 
-DHOSTINFO=\"arm-unknown-linux-gnueabi\" -DRADIUSD_VERSION=\"2.2.0\" 
-DOPENSSL_NO_KRB5 -DRADIUSD_MAJOR_VERSION=2 -DRADIUSD_MINOR_VERSION=2.0 
-DWITH_SYSTEM_LTDL -c modules.c  -fPIC -DPIC -o .libs/modules.o
modules.c: In function 'fr_dlopenext':
modules.c:216: error: 'lt_dladvise' undeclared (first use in this function)
modules.c:216: error: (Each undeclared identifier is reported only once
modules.c:216: error: for each function it appears in.)
modules.c:216: error: expected ';' before 'advise'
modules.c:218: warning: implicit declaration of function 'lt_dladvise_init'
modules.c:218: warning: nested extern declaration of 'lt_dladvise_init'
modules.c:218: error: 'advise' undeclared (first use in this function)
modules.c:219: warning: implicit declaration of function 'lt_dladvise_ext'
modules.c:219: warning: nested extern declaration of 'lt_dladvise_ext'
modules.c:220: warning: implicit declaration of function 'lt_dladvise_global'
modules.c:220: warning: nested extern declaration of 'lt_dladvise_global'
modules.c:221: warning: implicit declaration of function 'lt_dlopenadvise'
modules.c:221: warning: nested extern declaration of 'lt_dlopenadvise'
modules.c:224: warning: implicit declaration of function 'lt_dladvise_destroy'
modules.c:224: warning: nested extern declaration of 'lt_dladvise_destroy'
modules.c: In function 'setup_modules':
modules.c:1409: warning: nested extern declaration of 'lt_preloaded_symbols'
make[5]: *** [modules.lo] Error 1
make[5]: Leaving directory `/root/git/freeradius-server/src/main'
make[4]: *** [main] Error 2
make[4]: Leaving directory `/root/git/freeradius-server/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/root/git/freeradius-server/src'
make[2]: *** [src] Error 2
make[2]: Leaving directory `/root/git/freeradius-server'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/git/freeradius-server'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2








Re: FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

2011-11-21 Thread Jeff Doyle
This does help greatly, thanks Phil.



On Oct 15, 2011, at 4:41 AM, Phil Mayers wrote:

> On 10/14/2011 10:43 PM, subcon wrote:
>> I've searched for this sort of posting, but found issues unrelated that
>> responded to my search string, so I decided to post it here.
>> 
>> OK, currently I have Radius authenticating LDAP users via PAP.  Works great.
>> 
>> Imagine I want to store x509 certificate data (specifically a client
>> certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
>> 
>> I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
>> a user/pass, to take the DN of the cert and match it to some attribute which
>> contains said DN and cert-data.
> 
> Ok. It's been a while since I looked at this, but IIRC there is some special 
> search/attribute syntax support in (some) LDAP servers for X.509 certs in the 
> DIT.
> 
>> 
>> The ultimate goal of all of this is to allow the continued use of LDAP and
>> store the certificates (to be compared against) in the tree and not on some
>> filesystem basis.
>> 
>> Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
>> only as a secondary fall-back (e.g: customer doesn't have client cert
>> installed on machine, but has a user and password).
>> 
>> Is this possible? Does this make sense to you? Let me know if I need to
>> re-explain anything.
> 
> I think it should be possible.
> 
> First, ensure you're running the most recent version of FreeRADIUS. When 
> you've done that, you will have two options:
> 
> 1. You can examine the "TLS-Client-Cert-Subject" variable in a FreeRADIUS 
> unlang policy, and possibly use this to query your LDAP server via LDAP xlat. 
> For example:
> 
> authorize {
>   ...
>   eap
>   if (TLS-Client-Cert-Subject) {
>     # we've done enough EAP-TLS to know the client cert
>     update request {
>       Tmp-String-0 := "%{ldap:ldap:///basedn?cn?sub?certsubject=%{TLS-Client-Cert-Subject}}"
>     }
>     if (Tmp-String-0) {
>       # cert was found in LDAP
>       ok
>     }
>     else {
>       reject
>     }
>   }
> }
> 
> However, I'm not certain the TLS-* attributes (see sites-available/default in 
> a recent version of the server) are available in the authorize section - I 
> have a feeling they are only present in post-auth, by which time it's too 
> late to reject them, so...
> 
> 2. Use the "verify" config of the "tls" module under "eap", and use an 
> external script to perform the check against LDAP. For example:
> 
>  eap {
>tls {
>  verify {
>client = "/path/to/script %{TLS-Client-Cert-Filename}"
>  }
>}
>  }
> 
> ...then your script can use the (temporary) file given in the 1st argument to 
> query against LDAP.
> 
> Hope this helps.
> 
> Cheers,
> Phil
> 
>> 
>> Thank you,
>> 
>> subcon
>> 
> 


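One way to write the external script behind Phil's option 2 (an added example, not Phil's code and not part of FreeRADIUS): it reads the temporary certificate file FreeRADIUS passes as the first argument, extracts the subject DN with openssl, and looks that DN up in the directory. It assumes openssl and ldapsearch are on PATH; LDAP_URI, BASE_DN and the certsubject attribute are placeholders for your own directory.

```python
#!/usr/bin/env python3
"""Hypothetical helper for eap { tls { verify { client = "... %{TLS-Client-Cert-Filename}" } } }.

FreeRADIUS runs it as:  verify_client_cert.py /path/to/temporary/cert.pem
Exit status 0 accepts the client certificate; anything else rejects it.
It adds an LDAP lookup on top of the chain validation the tls module already
performs; it does not replace CA or revocation checks.
"""
import subprocess
import sys

# Deployment-specific values: constructed placeholders, not from the thread.
LDAP_URI = "ldap://ldap.example.test"
BASE_DN = "dc=example,dc=test"
SUBJECT_ATTR = "certsubject"   # attribute holding the subject DN, as in the unlang example


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    The subject DN comes from a certificate the client presented, so it is
    client-controlled text and must not be spliced into the filter raw.
    """
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(subject):
    """Search filter that matches a stored subject DN literally (no wildcards)."""
    return "(%s=%s)" % (SUBJECT_ATTR, ldap_filter_escape(subject))


def parse_openssl_subject(text):
    """Extract the DN from 'openssl x509 -noout -subject -nameopt RFC2253' output,
    which looks like 'subject=CN=alice,O=Example' (older builds add a space)."""
    line = text.strip()
    if not line.startswith("subject="):
        raise ValueError("unexpected openssl output: %r" % text)
    return line[len("subject="):].strip()


def cert_subject(pem_path):
    """Read the subject DN of the PEM certificate FreeRADIUS wrote to disk."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253", "-in", pem_path],
        capture_output=True, text=True, check=True).stdout
    return parse_openssl_subject(out)


def subject_in_directory(subject):
    """True if exactly one entry carries this subject DN.

    ldapsearch -LLL prints one 'dn:' line per matching entry and nothing else.
    """
    proc = subprocess.run(
        ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN, build_filter(subject), "dn"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    hits = [line for line in proc.stdout.splitlines() if line.startswith("dn:")]
    return len(hits) == 1


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <client-cert.pem>\n" % argv[0])
        return 2
    try:
        subject = cert_subject(argv[1])
    except (subprocess.CalledProcessError, ValueError) as exc:
        sys.stderr.write("cannot read client certificate: %s\n" % exc)
        return 1
    return 0 if subject_in_directory(subject) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```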


Logging to destination = files AND syslog?

2011-11-21 Thread Mika
Hello.
I am running 2.1.10. Is it possible to log to files and syslog (both)?
Regards
Mika



Re: FreeRADIUS EAP-TLS Lookup Client Cert From LDAP DIT

2011-11-21 Thread Jeff Doyle

On Oct 15, 2011, at 12:41 PM, Alan DeKok wrote:

> subcon wrote:
>> Imagine I want to store x509 certificate data (specifically a client
>> certificate) in an attribute in LDAP (perhaps as a binary attribute, etc). 
> 
>  That's outside of the scope of FreeRADIUS.

Obviously.  I had not actually said the word FreeRADIUS nor RADIUS at that time 
yet.

> 
>> I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
>> a user/pass, to take the DN of the cert and match it to some attribute which
>> contains said DN and cert-data.   
> 
>  That's possible.  See raddb/sites-available/default in recent
> releases.  Look for the "TLS-*" comments in the post-auth section.
> 
>> The ultimate goal of all of this is to allow the continued use of LDAP and
>> store the certificates (to be compared against) in the tree and not on some
>> filesystem basis. 
> 
>  That's thinking about it wrong.  You don't "compare" certificates.
> You verify certificates against a CA.  You check certificates against a
> revocation list.

Let's assume I do.  I never said this was going to be by the book.

> 
>> Note that I want FreeRADIUS to continue supporting PAP user/pass auth, but
>> only as a secondary fall-back (e.g: customer doesn't have client cert
>> installed on machine, but has a user and password).
> 
>  For what kind of system?  Wireless, or wired?

This is for authentication for systems that already use Radius for these things 
(currently works via PAP -> LDAP).  These are Linux servers people log into via 
one or more protocols, and do not involve wireless APs or anything like that.

> 
>> Is this possible? Does this make sense to you? Let me know if I need to
>> re-explain anything. 
> 
>  You need to correct your thinking and your vocabulary.  Certificates
> don't work the way you seem to think.

Certificates will work the way I tell them to.  I have done things similar 
(without involving Radius) for some unusual systems I work on.  In this case, 
perhaps I should have referred to them as pseudo-certificates, wherein it's just 
a REALLY long password that is presented from the client-end via file instead 
of being entered like a "normal" password.

I really liked Phil Mayers' reply, gave me a few good ideas on where to start.

Thanks to you both


J

> 
>  Alan DeKok.




Re: Logging to destination = files AND syslog?

2011-11-21 Thread Alan DeKok
Mika wrote:
> Hello.
> I am running 2.1.10. Is it possible to log to files and syslog (both)?

  No.  Use something like rsyslog to send logs to multiple destinations.

  Alan DeKok.


AW: building 2.1.12 Debian package: 'lt_dladvise' undeclared

2011-11-21 Thread Wegener, Norbert
Removing
  --enable-developer \
in debian/rules solved that problem.





Re: Only "string" can have "encrypt=2"

2011-11-21 Thread Alan DeKok
Bjørn Mork wrote:
> I just stumbled across this which made me worry a bit:
...
> The reason I'm worrying is dictionary.erx, where I know there are other
> types (integer, octets and ipaddress) with "encrypt=2" set.

  Yes, but the commit has a typo.

> And the second issue that made me worry: Why didn't I (and everybody
> else) hit that by default in dictionary.erx?  Well, it seems that
> FLAG_ENCRYPT_ASCEND_SECRET isn't really 2 as the above made me believe.
> It is 3.   2 is of course FLAG_ENCRYPT_TUNNEL_PASSWORD.

  Yes.

> But if it's a typo, then why repeat it in the commit message as well?
> Was this an attempt to disable other encryption types than
> FLAG_ENCRYPT_TUNNEL_PASSWORD for other attribute types than strings? Or
> what exactly was the above trying to fix?
> 
> Anyway: Please don't disable tunnel-password encryption of non-string
> attributes.  It works, and it *is* in use.

  It's a typo.  The real message is about "encrypt=3"

  Alan DeKok.


Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-21 Thread Matthew Arguin


So it took me a while, but I finally tracked down a Mac to continue 
troubleshooting... at this point Windows machines can log in with RADIUS 
auth... below is the output from an attempt with a Mac:


[root@ops2 raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on 
Oct  3 2011 at 10:29:04

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/ldap.new
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
 log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
 }
 security {
max_attributes = 200
reject_delay = 1
status_server = yes
 }
}
radiusd:  Loading Realms and Home Servers 
 proxy server {
retry_delay = 5
retry_coun

Re: cisco WAP/FreeRadius/OpenLDAP

2011-11-21 Thread Alan DeKok
Matthew Arguin wrote:
> So it took me a while, but I finally tracked down a Mac to continue
> troubleshooting... at this point Windows machines can log in with RADIUS
> auth... below is the output from an attempt with a Mac:

  Can you READ the output?  Or paste the output into the "debug tool"
web page on networkradius.com, and then READ it?

  Honestly, it's not hard.

  Alan DeKok.


users file

2011-11-21 Thread Jim Pazarena

I'm a newbie to freeradius2 (from cistron), and I have it starting up,
and logging. However, it isn't attempting to load the "users" file.
I do not see any line in the radiusd.conf file which references "users".
I can remove the users file, and freeradius2 doesn't complain about it.
Please, what am I missing?
--
Jim Pazarena                    work: 250 559-
Box 550 - 405 2nd Avenue        fax: 866 279-3608
Queen Charlotte  BC  V0T 1S0    mailto:j...@paz.bz


Re: users file

2011-11-21 Thread Alan DeKok
Jim Pazarena wrote:
> I'm a newbie to freeradius2 (from cistron),

  Wow... you haven't upgraded in a while.

> and I have it starting up,
> and logging. However, it isn't attempting to load the "users" file.

  It loads it in the default configuration.

> I do not see any line in the radiusd.conf file which references "users".

  It's not.  It's in raddb/modules/files.

> I can remove the users file, and freeradius2 doesn't complain about it.
> Please, what am I missing?

  You seem to have copied the Cistron configuration to FreeRADIUS.
Or, done something similar to break the default configuration.

  Don't do that.

  The default configuration works.  Use it.  Make the *minimal* changes
necessary to get your Cistron config working.  It shouldn't be hard.
Just copy the "users" file, and not much else.

  Alan DeKok.


RE: PEAP Inner-tunnel can't match a user in the "users" file with some check attributes

2011-11-21 Thread Difan Zhao
Absolutely no excuse... I should have read about it... Next time I will read 
more carefully.

Anyway everything works now! Thank you very much Alan Dekok!

Difan

-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org 
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: November-19-11 1:37 AM
To: FreeRadius users mailing list
Subject: Re: PEAP Inner-tunnel can't match a user in the "users" file with some 
check attributes

Difan Zhao wrote:

> I have an issue that whenever I have check attributes such as 
> NAS-IP-Address or NAS-Port-Type, my PEAP fails…

  Read raddb/eap.conf.  Look for "copy_request_to_tunnel"

> Everything works once I removed *NAS-IP-Address == "10.143.115.14"*.
> However I do need to check against from which switch/NAS the request 
> is coming from… It seems that those attributes are outside of the “tunnel”.
> How can I copy them in the “tunnel” (does this make sense to you guys)??

  Read the configuration files.  This is documented.

  Alan DeKok.


Re: Only "string" can have "encrypt=2"

2011-11-21 Thread Bjørn Mork
Alan DeKok  writes:

>   It's a typo.  The real message is about "encrypt=3"

Thanks.  I'm going to relax again then :-)


Bjørn



Re: freeradius 1.1.3 to 2.1.10 migration vlan assignment woes

2011-11-21 Thread Alan Buxey
Hi,
> So I'm moving from an old 1.1.3 (running on rhel5) to 2.1.10 (rhel6). We use 
> EAP-TTLS > PAP which authenticates against openldap and
> dynamically assigns vlans based on ldap group properties. I seem to have 
> gotten the authentication working, but the vlan assignment
> doesn't appear to be happening. All of our users end up in the default vlan 
> (60). I'm getting a 'No "known good" password' error,
> but the bind still seems to be succeeding. Output of radiusd -X is below.

if you take the standard initial 2.1.10 config and then edit the bits
you need, then you'll see that for this setup, the most important file
for you to deal with is the inner-tunnel virtual server; that's what handles
the EAP. so long as you've edited eap.conf correctly so that the certs
are correct then things will work.

your config suggests that your chosen method, EAP-TTLS, isn't the default
type in eap.conf

you also need to 'copy_request_to_tunnel' for the EAP-TTLS (in eap.conf)
for the return attributes to work.

alan


RE: freeradius 1.1.3 to 2.1.10 migration vlan assignment woes

2011-11-21 Thread Brian Gold
> if you take the standard initial 2.1.10 config and then edit the bits you
> need, then you'll see that for this setup, the most important file
> for you to deal with is the inner-tunnel virtual server; that's what handles
> the EAP. so long as you've edited eap.conf correctly so that
> the certs are correct then things will work.
> 
> your config suggests that your chosen method, EAP-TTLS, isn't the default type
> in eap.conf
> 
> you also need to 'copy_request_to_tunnel' for the EAP-TTLS (in eap.conf) for
> the return attributes to work.
> 
> alan

Enabling the copy_request_to_tunnel was all it took. Thanks for your help!

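Both the thread above (reply attributes from the inner tunnel) and Difan Zhao's thread earlier on this page (a NAS-IP-Address check item that only matches once the outer attributes are visible inside the tunnel) come down to the same two switches in eap.conf. The fragment below is an added, constructed example rather than either poster's configuration; it assumes the stock FreeRADIUS 2.1.x eap.conf layout, the user name "bob", the password and the VLAN 60 / 10.143.115.14 values are illustrative, and the tls section is left as shipped.

```conf
# /etc/raddb/eap.conf (stock 2.1.x layout assumed; tls { ... } left as shipped)
eap {
        # Outer EAP type offered first. Alan Buxey's point above was that
        # EAP-TTLS was not the default type in the poster's file.
        default_eap_type = ttls

        ttls {
                default_eap_type = md5
                # yes: outer request attributes such as NAS-IP-Address and
                # NAS-Port-Type are copied into the inner-tunnel request,
                # so "users" check items on them can match there
                copy_request_to_tunnel = yes
                # yes: reply attributes set inside the tunnel (for example
                # the Tunnel-* VLAN attributes) are copied to the outer
                # Access-Accept that the NAS actually sees
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }

        peap {
                default_eap_type = mschapv2
                # same two switches for PEAP (Difan Zhao's case)
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
}

# /etc/raddb/users (constructed entry): the NAS-IP-Address check item on the
# first line is only satisfied in the inner tunnel when
# copy_request_to_tunnel = yes, and the VLAN reply items on the following
# lines only reach the switch when use_tunneled_reply = yes.
bob     Cleartext-Password := "hello", NAS-IP-Address == 10.143.115.14
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 60
```

Run radiusd -X after the change: with copy_request_to_tunnel on, the inner-tunnel section of the debug output lists the outer NAS-* attributes, which is the quickest way to confirm the setting took effect.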


Re: users file

2011-11-21 Thread Jim Pazarena

On 2011-11-21 10:56 AM, Alan DeKok wrote:
> Jim Pazarena wrote:
>> I'm a newbie to freeradius2 (from cistron),
>
>   Wow... you haven't upgraded in a while.

correct. FreeBSD 7.0 i386 cistron 1.6.8
to FreeBSD 8.2 amd64 freeradius 2.1.12

and cistron doesn't run on the 64-bit OS.

>> and I have it starting up,
>> and logging. However, it isn't attempting to load the "users" file.
>
>   It loads it in the default configuration.
>
>> I do not see any line in the radiusd.conf file which references "users".
>
>   It's not.  It's in raddb/modules/files.

Ah. I had my users file in raddb
NOT in raddb/modules

So I moved it to modules,

and a debug start nags:
   /raddb/modules/users[50]: Expecting section start brace '{' after "DEFAULT 
Auth-Type"

The default users file does not have -any- open or closing curly brackets.
what am I missing? Thanks!
--
Jim Pazarena                   work: 250 559-
Box 550 - 405 2nd Avenue       fax: 866 279-3608
Queen Charlotte  BC  V0T 1S0   mailto:j...@paz.bz


Re: users file

2011-11-21 Thread Fajar A. Nugraha
On Tue, Nov 22, 2011 at 4:31 AM, Jim Pazarena  wrote:
>>> I do not see any line in the radiusd.conf file which references "users".
>>
>>   It's not.  It's in raddb/modules/files.
>
> Ah. I had my users file in raddb
> NOT in raddb/modules
>
> So I moved it to modules,

You shouldn't.

/etc/raddb/modules/files is the configuration for "files" module. Open
it and you should see this line

usersfile = ${confdir}/users

... which means "the user file is /etc/raddb/users"

>
> and a debug start nags:
>   /raddb/modules/users[50]: Expecting section start brace '{' after "DEFAULT
> Auth-Type"

... because you do something you shouldn't :)
Move it back

> The default users file does not have -any- open or closing curly brackets.
> what am I missing? Thanks!

In case you haven't figured it out already, there are many files in
raddb/modules. They're only processed when a section explicitly refers to
them. So:
- move the users file back to its original place
- make SURE you have "files" in the authorize section of
/etc/raddb/sites-available/default
- start FR in debug mode

at that point it will refuse to start if the users file is missing. The
debug log will show something like this

 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/modules/files
  files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
  }
Couldn't open /etc/freeradius/users for reading: No such file or directory
Errors reading /etc/freeradius/users
/etc/freeradius/modules/files[7]: Instantiation failed for module "files"
/etc/freeradius/sites-enabled/default[166]: Failed to load module "files".
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.

-- 
Fajar



LDAP Filter

2011-11-21 Thread Houston-III, Lester L
I have an LDAP server performing authentication on FR clients where EAP-TLS is 
being used as the mechanism, but the LDAP module is not using TLS.  Is there a 
way to use the client certificate common-name as the UID in the LDAP 
authentication?  I'm thinking that I just need to modify the filter statement, 
but I'm unsure how the statement should be structured.  I hope I'm making sense?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621


LDAP Attributes

2011-11-21 Thread Houston-III, Lester L
Is there a way to truncate the UID used by the LDAP module?  My system is using 
a UID structured like an email address; I would like to use everything in front of the 
'@' as the UID.  Is this possible?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621


RE:please help me :Failed binding to authentication address 192.168.1.102 port 1812

2011-11-21 Thread Harshavardhan Ch
Hello sir,
   while activating the FreeRADIUS server with EAP
authentication via a VMware virtual machine I got an error like "Failed
binding to authentication address 192.168.1.102 port 1812"
   and I attached the output file.




Re: please help me :Failed binding to authentication address 192.168.1.102 port 1812

2011-11-21 Thread Fajar A. Nugraha
On Tue, Nov 22, 2011 at 12:05 PM, Harshavardhan Ch
 wrote:
> Hello sir,
>    while activating the FreeRADIUS server with EAP
> authentication via a VMware virtual machine I got an error like "Failed binding
> to authentication address 192.168.1.102 port 1812"
>    and I attached the output file.

(1) paste the debug log directly in your email. There's really no need
to put it inside an odt
(2) Make sure IP address 192.168.1.102 is REALLY active on your system
(i.e. it's not some copy-paste error)
(3) Look for any programs already using the port. Running "netstat
-anup | grep 181" should help.

-- 
Fajar



RE:please help me :Failed binding to authentication address 192.168.1.102 port 1812

2011-11-21 Thread Duong Manh Truong
Be sure that you run just one process of FR at a time.

Just type "ps -A | grep radius" to see how many processes of FR you are running

Hope that helps

At 12:06 on 22 November 2011, <
freeradius-users-requ...@lists.freeradius.org> wrote:

> Hello sir,
>   while activating the FreeRADIUS server with EAP
> authentication via a VMware virtual machine I got an error like "Failed
> binding to authentication address 192.168.1.102 port 1812"
>   and I attached the output file.