EAP/TLS authentication in 2050

2011-12-05 Thread Victor Guk

Hello

I have SLES 11 SP1 (64bit), freeradius 2.1.12 and openssl 0.9.8r.
I set up authentication with EAP/TLS.
Server and client certificates are valid until the year 3011. Here they are:

Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 5 07:05:02 2011 GMT
Not After : Apr 7 07:05:02 3011 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = Root
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Apr 7 07:05:02 3011 GMT (365000 days)

Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Dec 5 07:06:57 2011 GMT
Not After : Apr 7 07:06:57 3011 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = testuser
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
Certificate is to be certified until Apr 7 07:06:57 3011 GMT (365000 days)

Now the client authentication is successful. This is what freeradius shows:

Login OK: [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87)

# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 67 to 10.2.2.240 port 5002
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3
MS-MPPE-Recv-Key = 0xca7449798f0f957fe8e03542d1b9a5ef6291756644f4e392a60f078a3c858cba
MS-MPPE-Send-Key = 0xcfffb577e162ba2111b253f1f969e46e39521626f4669704e367502640f368a7

EAP-Message = 0x03050004
Message-Authenticator = 0x
User-Name = host/testuser
Finished request 3.

After that, I wanted to check what happens in 2050, since, as we recall, the
certificates are valid until 3011. I set the time on the freeradius server to
August 1, 2050 (01/08/2050) and did the same on a client running
Windows XP SP3. Authentication fails (the radius log is quoted a little
below).


I have a question for anyone who can help: is this a freeradius bug,
where it cannot correctly determine the validity of the certificate, or
did I make a mistake somewhere when setting up? Maybe someone has already
experienced this. I'll be glad for your help.


test#radiusd -X
..
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=68, length=221

User-Name = host/testuser
EAP-Message = 0x0202001201686f73742f7465737475736572
Message-Authenticator = 0xe394bda2df7b6ff808bd0079cb5620cd
NAS-IP-Address = 10.2.2.240
NAS-Identifier = 001ac1d4d442
NAS-Port = 33566721
NAS-Port-Id = unit=2;subslot=0;port=3;vlanid=1
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 0022-15ef-ab87
H3C-Connect_Id = 18
H3C-Product-ID = 5500-EI
H3C-Ip-Host-Addr = 0.0.0.0 00:22:15:ef:ab:87
H3C-NAS-Startup-Timestamp = 954640520
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = host/testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 152
[files] users: Matched entry host/testuser at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.

++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 10.2.2.240 port 5002
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 3
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0x905a520890595f1e7244e69c58c3b630
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=69, length=301

User-Name = host/testuser
EAP-Message = 0x020300500d8000461603010041013d030198387b2b15bc66925793a2b08aec38827730edb90a98238b1f8967ad5b0e5a301600040005000a000900640062000300060013001200630100

Message-Authenticator = 0x57f352efbff4566bed7422e481a95c1e
NAS-IP-Address = 10.2.2.240
NAS-Identifier = 001ac1d4d442
NAS-Port = 33566721
NAS-Port-Id = unit=2;subslot=0;port=3;vlanid=1
NAS-Port-Type = Ethernet
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = 0022-15ef-ab87
State = 0x905a520890595f1e7244e69c58c3b630
H3C-Connect_Id = 18
H3C-Product-ID = 5500-EI
H3C-Ip-Host-Addr = 0.0.0.0 00:22:15:ef:ab:87

Re: MUTT + freeradius -X

2011-12-05 Thread Fajar A. Nugraha
On Mon, Dec 5, 2011 at 12:25 AM, Aceror aceror2...@yahoo.es wrote:
> This is what I did. Exec inside the post-auth.

So you have libpam-radius-auth installed and configured correctly? If
so, you should already have it working properly, right? What do you
need mutt for?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP/TLS authentication in 2050

2011-12-05 Thread Phil Mayers

On 12/05/2011 08:25 AM, Victor Guk wrote:


> [tls] <<< TLS 1.0 Handshake [length 0249], Certificate
> --> verify error:num=9:certificate is not yet valid
> [tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert write:fatal:bad certificate


This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL 
tells it.


Can you verify the cert with the openssl verify ... test command? e.g. 
try this:


openssl verify -CAfile ca.pem -purpose sslserver server.pem

If this fails as well, then it's either a problem in OpenSSL or your 
system libraries with dates > 2050. If it succeeds (which I doubt) then 
FreeRADIUS should work too.


I sort of admire your effort to future-proof your certs though! ;o)

Cheers,
Phil


Re: Set reply attributes based on LDAP attribute

2011-12-05 Thread Alan Buxey
Hi,

> I am trying to configure freeradius 2.1.12 to set the
> 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

use unlang - either completely to do the work...or to populate
the packet so that other modules can use it e.g.

if (Person-OrgUnit) {
    update request {
        Person-OrgUnit := "%{Person-OrgUnit}"
    }
}

or somesuch...in the authorize section straight after your LDAP
call. this would assume you've added such a local name to the dictionary...
there are a few local/non reserved variables you can use..

- I'd personally use unlang or PERL to just do the work directly
as then you don't need to play with dictionaries etc e.g.

if ("%{Person-OrgUnit}" == "1122") {
    update reply {
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = 
    }
}

do this in eg the post-auth section of the server


don't take my unlang as verbatim...it's quickly typed out as a rough
pointer...your mileage and requirements may vary ;-)

alan


Re: EAP/TLS authentication in 2050

2011-12-05 Thread Alan Buxey
hi,

why?

really, why? What purpose does testing these dates have - you really think 
your current infrastructure, and technologies such as 802.1X, are going
to be around in the same format in even 20 years time?

anyway... I'm guessing these are 32 bit server and client OS?

you may find, in that case, that your tests will work until you set the
date beyond 2037 - 32bit OSes have problems with dates after 2038

so, try this with KNOWN parameters - e.g. 2020, within the 2038
timeframe - and things should work.


alan


Re: EAP/TLS authentication in 2050

2011-12-05 Thread Stefan Winter
Hi,

> why?
>
> really, why? What purpose does testing these dates have - you really think 
> your current infrastructure, and technologies such as 802.1X, are going
> to be around in the same format in even 20 years time?

To be honest, I'm thinking of a similar thing. Given how painful a CA
rollover can be, I'm planning to rollover to a CA with validity
somewhere beyond Stefan's retirement date, which is unfortunately
later than 2037.

Given that the extra effort to extend the lifetime of a CA is *zero*
(just enter a different date in openssl.cnf) and the pain to eventually
stumble over an expiring CA is non-zero - I prefer to do the zero work.

Of course things might change, my CA keys might get too short, and I
might be forced to roll over anyway - there is at least a *chance* that
I can prevent a need to rollover, and so I'll do it. 3011 is stretching
it though, admitted.

Stefan


> anyway... I'm guessing these are 32 bit server and client OS?
>
> you may find, in that case, that your tests will work until you set the
> date beyond 2037 - 32bit OSes have problems with dates after 2038
>
> so, try this with KNOWN parameters - e.g. 2020, within the 2038
> timeframe - and things should work.
>
>
> alan


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473






Re: EAP/TLS authentication in 2050

2011-12-05 Thread Victor Guk



> This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL
> tells it.
>
> Can you verify the cert with the openssl verify ... test command? e.g.
> try this:
>
> openssl verify -CAfile ca.pem -purpose sslserver server.pem


freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem -purpose sslserver cert-srv.pem

cert-srv.pem: OK



> If this fails as well, then it's either a problem in OpenSSL or your
> system libraries with dates > 2050. If it succeeds (which I doubt) then
> FreeRADIUS should work too.
>
> I sort of admire your effort to future-proof your certs though! ;o)



> why?
>
> really, why? What purpose does testing these dates have - you really think
> your current infrastructure, and technologies such as 802.1X, are going
> to be around in the same format in even 20 years time?


No, of course not :)
It was my curiosity that led me to test such a date.



> anyway... I'm guessing these are 32 bit server and client OS?
>
> you may find, in that case, that your tests will work until you set the
> date beyond 2037 - 32bit OSes have problems with dates after 2038
>
> so, try this with KNOWN parameters - e.g. 2020, within the 2038
> timeframe - and things should work.


The server is running SLES 11 SP1 (x86_64); the workstation is running 
Windows XP SP3 (32bit). Authentication is successful until February 1, 
2050, i.e. for example if you log in on December 31, 2049, the 
authentication is successful.
A little later I will try a client computer running a 64bit OS; I will 
announce the results later.


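The checks Phil and Alan describe, applied to the validity dates from Victor's certificates, as an added example that is not part of the thread: it parses the dates as openssl prints them, says whether a given clock lies inside the window, flags anything a 32-bit time_t cannot represent, and shows which ASN.1 time type RFC 5280 requires for dates before and from 2050, the boundary Victor's last test straddles (the helper names and sample clocks are mine).

```python
from datetime import datetime, timezone

# Validity lines copied from the 'Certificate Details' output in the thread.
ROOT_VALIDITY = ("Dec 5 07:05:02 2011 GMT", "Apr 7 07:05:02 3011 GMT")
CLIENT_VALIDITY = ("Dec 5 07:06:57 2011 GMT", "Apr 7 07:06:57 3011 GMT")

# Last instant a signed 32-bit time_t can hold: the 2038 limit Alan refers to.
TIME_T_32BIT_MAX = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)
# RFC 5280 4.1.2.5: validity dates from 1950 through 2049 must be encoded as
# UTCTime; dates in 2050 or later must be encoded as GeneralizedTime.
UTCTIME_FROM = datetime(1950, 1, 1, tzinfo=timezone.utc)
GENERALIZEDTIME_FROM = datetime(2050, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (helper for the sample clocks below)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_time(text):
    """Parse 'Mon D HH:MM:SS YYYY GMT' as printed by 'openssl x509 -text'."""
    parts = text.split()  # tolerates the padding openssl puts before 1-digit days
    if len(parts) != 5 or parts[4] != "GMT":
        raise ValueError("unexpected openssl time format: %r" % text)
    naive = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def rfc5280_encoding(dt):
    """Return the (ASN.1 type, encoded value) RFC 5280 requires for a date."""
    if UTCTIME_FROM <= dt < GENERALIZEDTIME_FROM:
        return "UTCTime", dt.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", dt.strftime("%Y%m%d%H%M%SZ")


def decode_utctime(value):
    """Decode a UTCTime value; RFC 5280 reads YY 50-99 as 19YY and 00-49 as 20YY."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError("UTCTime must look like YYMMDDHHMMSSZ: %r" % value)
    yy = int(value[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    naive = datetime.strptime("%04d%s" % (year, value[2:12]), "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone.utc)


def check_validity(validity, clock):
    """Evaluate one certificate's validity window against a given clock."""
    not_before = parse_openssl_time(validity[0])
    not_after = parse_openssl_time(validity[1])
    return {
        # What a correct verifier should answer for this clock.
        "in_window": not_before <= clock <= not_after,
        # Whether a 32-bit time_t can represent the clock and the end date at all.
        "clock_fits_32bit_time_t": clock <= TIME_T_32BIT_MAX,
        "not_after_fits_32bit_time_t": not_after <= TIME_T_32BIT_MAX,
        # Which ASN.1 time type each date has to use on the wire.
        "clock_encoding": rfc5280_encoding(clock)[0],
        "not_before_encoding": rfc5280_encoding(not_before)[0],
        "not_after_encoding": rfc5280_encoding(not_after)[0],
    }


if __name__ == "__main__":
    # The last clock Victor reports as working and the one that fails.
    for clock in (utc(2049, 12, 31), utc(2050, 8, 1)):
        print(clock.date(), check_validity(CLIENT_VALIDITY, clock))
```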


Freeradius 2 and sqlippools

2011-12-05 Thread baddah
Hi,

I've set up freeradius 2, and want to get it working with sqlippools.
Everything works fine, but I cannot get the sql ippool to overwrite a
Framed-IP-Address (if a Framed-IP-Address attribute exists for a username).

Previously I used freeradius 1.1.3 and I had my ippools in the radiusd.conf
file. When declaring the pools, it had an option overwrite=yes which overrode
a Framed-IP-Address if already set. The effect was that it would give
preference to the pool over the Framed-IP-Address, which is exactly what I
want to achieve now using freeradius 2 and sql ip pools.

I cannot seem to find how/where I can set this option.

Anyone have a suggestion for me?



access reject

2011-12-05 Thread Harish Mandowara
Hi all,

I am connecting network-manager to a freeradius server. It is showing access
reject. I am using the server.crt which is provided by freeradius itself.
Please check and reply.
The error is pasted below:

rad_recv: Access-Request packet from host 192.168.21.2 port 32768, id=0, length=153
Cleaning up request 95 ID 0 with timestamp +543
User-Name = testing123
NAS-IP-Address = 192.168.21.2
Called-Station-Id = 30469a872e66
Calling-Station-Id = 1caff76ce38c
NAS-Identifier = 30469a872e66
NAS-Port = 3
Framed-MTU = 1400
State = 0x05139c0406178548b5e80cb0708716d1
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02040011198715030100020230
Message-Authenticator = 0xfd142706451c8cf676b90ad74a062ecb
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = testing123, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 4 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4 
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - testing123
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 96 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 96
Sending Access-Reject of id 0 to 192.168.21.2 port 32768
EAP-Message = 0x04040004
Message-Authenticator = 0x
Waking up in 4.9 seconds.


-- 
Warm Regards

Harish Mandowara





Re: access reject

2011-12-05 Thread Alan DeKok
Harish Mandowara wrote:
> i am connecting network-manager to freeradius server. It showing access
> reject. I am using server.crt which is provided by freeradius it self.
> Please check and reply.
> error paste below

  Read it.  The CA cert isn't known.

  Follow the 4 steps on the front page of my web site:
http://deployingradius.com

  It *will* work.

  Alan DeKok.


FreeRadius, Active Directory, LDAP Authorization

2011-12-05 Thread suggestme
Hi,


I have installed FreeRadius server 2.1.12, installed and configured
Kerberos, Samba; configured ntlm_auth program for FreeRadius Authentication
with Active Directory. Everything is successful and running smoothly till
this stage. Now, I am in the phase of configuration of Authorization in
FreeRadius. For Authorization process I want to use LDAP database which is
already up and running in another server (not in the server where FreeRadius
is installed). The authorization should be granted in such a way that some
users should be allowed/restricted VPN, some should be allowed/restricted
wifi, etc... I am not sure whether this is the best way to do
Authorization using LDAP or not because it is first time I am trying this in
FreeRadius. After changing the configuration as mentioned below and running
FreeRadius in debug mode, I get a successful "Ready to process requests" but
while supplying user credentials I get rad_recv: *Access-Reject* packet from
host 127.0.0.1 port 1812, id=60, length=20. 

What I have done so far is: I uncommented the LDAP in authorize section of
both files /usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel. I have changed the
configuration in /usr/local/etc/raddb/modules/ldap accordingly as: (Some
parts are left blank for privacy)


ldap {
    server = *My ldap server name*
    identity = cn= ,dc=   ,dc=
    password = 
    basedn = dc=,dc=  
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    edir_account_policy_check = no
}

In /usr/local/etc/raddb/users file:

DEFAULT Auth-Type = ntlm_auth
bob Cleartext-Password := "hello"


I haven't done any change in the Authenticate section of both
/usr/local/etc/raddb/sites-enabled/default and
/usr/local/etc/raddb/sites-enabled/inner-tunnel files related to LDAP. I
have listed the authenticate section of ntlm_auth by following
deployingradius.com. 

But while following *rlm_ldap* doc I have seen that it is mentioned: 

LDAP and Active Directory
-

 *You can only use PAP, and then only if you list ldap in the
authenticate section.*

Does this mean I need to list ldap in the authenticate section also? If I list
it, what about ntlm_auth that is already enabled for authentication? I am
confused with this.

Should I need to install openldap & openssl also in the machine where
freeradius is installed to make LDAP authorisation work properly?

Please suggest me whether the configuration & process I am following related
to LDAP is the good way to do or not. If not, what is the best way to achieve
it? Any documentation/site/thread suggestion regarding this would be
greatly appreciated. 


Thanks,



Re: FreeRadius, Active Directory, LDAP Authorization

2011-12-05 Thread Alan DeKok
suggestme wrote:
> I have installed FreeRadius server 2.1.12, installed and configured
> Kerberos, Samba; configured ntlm_auth program for FreeRadius Authentication
> with Active Directory. Everything is successful and running smoothly till
> this stage. Now, I am in the phase of configuration of Authorization in
> FreeRadius. For Authorization process I want to use LDAP database which is
> already up and running in another server (not in the server where FreeRadius
> is installed). The authorization should be granted in such a way that some
> users should be allowed/restricted VPN, some should be allowed/restricted
> wifi, etc... 

  What does that mean?  i.e. HOW do you determine which users get what
access?

  For most people, this means LDAP groups.  Put users into groups, and
give them permissions based on LDAP groups.  You can check the groups at
run time from FreeRADIUS.

> I am not sure whether this is the best way to do
> Authorization using LDAP or not because it is first time I am trying this in
> FreeRadius. After changing the configuration as mentioned below and running
> FreeRadius in debug mode, I get successful Ready to process requests but
> while supplying user credentials I get rad_recv: *Access-Reject *packet from
> host 127.0.0.1 port 1812, id=60, length=20. 

  The debug log will tell you why the user was rejected.  Read it.

> What I have done so far is:

  Not post the debug log as suggested in the FAQ, README, man page,
web site, and daily on this list.

> But while following *rlm_ldap* doc I have seen that it is mentioned: 
>
> LDAP and Active Directory
> -
>
>  *You can only use PAP, and then only if you list ldap in the
> authenticate section.*
>
> Does this mean I need to list ldap in authenticate section also. If I list
> it, what about ntlm_auth that is already enabled for authentication. I am
> confused with this.

  Read my web page on Active Directory integration.  It explains this.

> Should I need to install openldap & openssl also in the machine where
> freeradius is installed to make LDAP authorisation work properly?

  No.

> Please suggest me whether the configuration & process I am following related
> to LDAP is the good way to do or not. If not what is the best way to achieve
> it. Any documentation/site/thread suggestion regarding this would be
> greatly appreciated. 

  My AD integration page (http://deployingradius.com) explains this in
great detail.

  Alan DeKok.


Re: Freeradius 2 and sqlippools

2011-12-05 Thread Alan DeKok
baddah wrote:
> I've set up freeradius 2, and want to get it working with sqlippools.
> Everything works fine, but i cannot get the sql ippool to overwrite a
> Framed-IP-Address (if a Framed-IP-Address attribute exists for a username).

  It doesn't over-write addresses.

> Previously i used freeradius 1.1.3 and i had my ippools in the radiusd.conf
> file. When declaring the pools, it had a option overwrite=yes which override
> a Framed-IP-Address if already set. The effect was that it would take
> preference of the pool over the Framed-IP-Address, which is exactly what i
> want to achieve now using freeradius 2 and sql ip pools.
>
> I cannot see to find how/where i can set this option.

  It doesn't exist.

> Anyone have a suggestion for me?

  Run sql IP pools first, THEN assign other addresses.

  It's bad practice to give a user permission, and then take them away
in order to assign different permissions.

  Alan DeKok.


Having trouble with MSCHAP

2011-12-05 Thread Erick Rojas Bastidas

Hi everybody.

I configured Freeradius 2.1.10 on Debian 6.0.2 using EAP-TLS authentication. I 
generated the client and server certificates with the XP extensions. I created my 
certificates on the freeradius server, is that ok? Or do I have to create them on a 
different machine?  I am validating my client (Windows XP) with the server and 
I get this error:

I would appreciate any help. I would like to know if this is a certificate 
error or a configuration error on my freeradius server.

[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 178 to 129.90.74.5 port 1645
Message-Authenticator = 0x
State = 0xf5ff3d38f4fb24f2be48500aba47bfca
Finished request 17.
Going to the next request
Waking up in 2.5 seconds.
rad_recv: Access-Request packet from host 129.90.74.5 port 1645, id=179, length=164
User-Name = PDVSA2000\\torrealbaw
Framed-MTU = 1400
Called-Station-Id = 0011.92ea.0800
Calling-Station-Id = 0021.917e.09cd
Service-Type = Login-User
Message-Authenticator = 0x6961ce4663c1662815347ab4a19f4ef7
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 328
State = 0xf5ff3d38f4fb24f2be48500aba47bfca
NAS-IP-Address = 129.90.74.5
NAS-Identifier = mw-ltqN3-P2-01
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = PDVSA2000\torrealbaw, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 179 to 129.90.74.5 port 1645
EAP-Message = 

Re: Having trouble with MSCHAP

2011-12-05 Thread Alan DeKok
Erick Rojas Bastidas wrote:
> I configured Freeradius 2.1.10 Debian 6.0.2 using EAP-TLS
> authentication. I generated the client and server certificated with XP
> extention. I created my certificated in the freeradius server, is that
> ok? or I have to create it in a different machine?  I am validating my
> client (Windows XP) with the server and I get this error:

  You didn't tell FreeRADIUS the user's known good password.

  Follow the instructions on my web page: http://deployingradius.com/

  Alan DeKok.


traffic limiting QoS attributes (noob RADIUS question)

2011-12-05 Thread Rogelio
I'm looking up how RADIUS can limit / throttle various traffic, and I'm 
wondering what attributes there are that do this.


The application would be for an ISP that wants to throttle users who 
attach to a certain access point.  People who attach would then 
authenticate to RADIUS and then get assigned a certain profile (say, 
best effort and premium).


I'm new to RADIUS, and I'm hoping to see what types of QoS is available 
at the RADIUS level so that I can see what other QoS stuff we might need 
to put in place.


thx in advance!

Rogelio


Re: traffic limiting QoS attributes (noob RADIUS question)

2011-12-05 Thread Phil Mayers

On 05/12/11 17:27, Rogelio wrote:

> I'm looking up how RADIUS can limit / throttle various traffic, and I'm
> wondering what attributes there are that do this.


These are specific to the NAS. You need to consult the NAS docs; there 
are no standard ones.



Re: Having trouble with MSCHAP

2011-12-05 Thread Alan Buxey
Hi,

> I configured Freeradius 2.1.10 Debian 6.0.2 using EAP-TLS authentication.
> I generated the client and server certificated with XP extention. I
> created my certificated in the freeradius server, is that ok? or I have to
> create it in a different machine?  I am validating my client (Windows XP)
> with the server and I get this error:

the answers are in the debug output you posted... just go through
the 'PEAP ping/pong' until the inner-tunnel has been established
and the actual auth is done... it's near the bottom..

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] NT Domain delimeter found, should we have enabled
with_ntdomain_hack?
[mschap] Creating challenge hash with username: PDVSA2000\TORREALBAW
[mschap] Told to do MS-CHAPv2 for PDVSA2000\TORREALBAW with NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

have you set with_ntdomain_hack = yes?   have you configured the RADIUS
so that the realm PDVSA2000 is known (add it to proxy.conf like

realm PDVSA2000 {
}


alan


Re: run radius in debug mode with screen

2011-12-05 Thread Коньков Евгений
Hi, Alan


>> while using this version
>> FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.1, built on Jan  6 2009 at 10:52:08
>> I can run radius as
>>  /usr/local/bin/screen -d -m /usr/bin/nice -n -20 /r/radiusd debug
>
>  What is /r/radiusd debug ?
radiusd is the rc script in freebsd.

actually it is /usr/local/etc/rc.d/radiusd debug

...
extra_commands="reload debug"
radiusd_debug()
{
    radiusd_flags="-X ${radiusd_flags}"
    run_rc_command start
}

# ps ax | grep radiusd
51082   1  S   14:17.69 /usr/local/sbin/radiusd -X



>> but with
>> FreeRADIUS Version 2.1.10, for host i386-portbld-freebsd9.0, built on Nov 28 2011 at 00:20:11
>>
>> it exits without any messages.
>>
>> Can you help me please to resolve this problem?

>  Use the documented command-line options.

the problem is that
'radiusd -X' is detached from stdout, so now it is impossible to run it in 
screen =(

radiusd: FreeRADIUS Version 2.1.10
uname -a
FreeBSD flux 9.0-CURRENT FreeBSD 9.0-CURRENT #4: Fri Jun 10 01:30:12 UTC 2011   
  :/usr/obj/usr/src/sys/PAE_KES  i386


in this radiusd: FreeRADIUS Version 2.1.3 I can run radius in screen

-- 
Best regards,
 Коньков  mailto:kes-...@yandex.ru



wpa2 freeradius peap rlm_perl

2011-12-05 Thread Ray Eads

Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP -> rlm_perl configuration.  


--
Ray Eads (re...@sno-isle.org)
Network Engineer II





Re: run radius in debug mode with screen

2011-12-05 Thread Alan Buxey
Hi,

> actually it is /usr/local/etc/rc.d/radiusd debug

well, just don't run it like that - run the daemon directly... e.g.

radiusd -X


and if you want to trap the output, just pipe it through e.g. 'tee', or use
screen to capture the session

alan


Expiration email

2011-12-05 Thread john decot
Hi,

I am looking for how to send email before the expiration of an account. The value 
used for the expiration in radius is in character format. So, I would like to know 
how to compare the expiration date and send email accordingly.


Thanks in advance.


John.


Re: Expiration email

2011-12-05 Thread Marinko Tarlać

If you're asking me, I wouldn't mess with freeradius.

Maybe the better idea is to create a small cron script which can read 
the database and send email according to the date and the time diff you 
want (1, 2, 3 etc days before the expiration)


On 12/6/2011 3:54 AM, john decot wrote:

> Hi,
>
> I am looking for how to send email before expiration of account. 
> The value used for the expiration in radius is character format. So, I 
> would like to know how to compare the expiration data and send email 
> accordingly.
>
>
>
> Thanks in advance.
>
>
> John.



