Re: Problem with mysql-user

2011-12-28 Thread Koenraad Lelong

On 28-12-11 14:12, Fajar A. Nugraha wrote:

On Wed, Dec 28, 2011 at 7:22 PM, Koenraad Lelong wrote:

...

/etc/freeradius/sites-enabled/inner-tunnel


see that config file?


...

sql module is not configured in the authorize section in that file. Fix it.



Thanks,

That fixed it.

Regards,

Koenraad Lelong.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: GUID based Authentication on FreeRadius

2011-12-28 Thread McSparin, Joe
rlm_passwd looks like the way to go... Thanks. 


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: GUID based Authentication on FreeRadius

McSparin, Joe wrote:
> My goal is, I have users that will connect wirelessly using their NT
> domain username and password on the hospital's wireless devices.
> I also however have doctors that will bring in their own laptops and
> connect.  When they connect with their laptops though I do not want them
> to have the same privileges as when they connect on the hospital
> wireless devices.

  That should be easy.  You need to put the hospitals devices into a
group (see "man rlm_passwd").  Those devices get VLAN X, other devices
get VLAN Y.

  You should be able to use Calling-Station-Id, which is normally the
MAC of the device.

  Alan DeKok.

-- 
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.





Re: GUID based Authentication on FreeRadius

2011-12-28 Thread Rudolph Bott


We have two different SSIDs - one with EAP-TLS for company-owned mobile 
devices (which will automatically receive a machine certificate to 
validate that) and a second one with PEAP and local users stored in a 
radius userfile.
Both SSIDs correspond to separate VLANs on the wireless controllers - 
would that be a solution for your scenario?
The second SSID/VLAN offers only limited access to company resources. I 
guess it would be no great deal to switch the PEAP authentication 
backend from the local userfile to LDAP/Active Directory, if that is 
required.


On 28.12.2011 16:13, McSparin, Joe wrote:

Well that answers that then.
My goal is, I have users that will connect wirelessly using their NT
domain username and password on the hospital's wireless devices.
I also however have doctors that will bring in their own laptops and
connect.  When they connect with their laptops though I do not want them
to have the same privileges as when they connect on the hospital
wireless devices.
If they are connecting with their home laptops, even though they use
their NT domain user name and password, which the radius server will
accept, I want to restrict them to a public VLAN.
If they connect using a hospital device then I want it to assign them to
a VLAN based on their NT domain user group.  Since this is a hospital I
have to have pretty strict security regulations with users.

Thanks,


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2011 8:25 AM
To: FreeRadius users mailing list
Subject: Re: GUID based Authentication on FreeRadius

McSparin, Joe wrote:

Anyone know if this is possible.  I have found information on MAC Based
Authentication but nothing on GUID.


   What does that mean?

   The GUID isn't sent in a RADIUS packet.  So doing GUID authentication
makes no sense.

   Alan DeKok.




--
Mit freundlichen Grüßen / With kind regards
  Rudolph Bott


Re: ppp and eap-tls

2011-12-28 Thread Alan DeKok
Frank wrote:
> This statement is confusing! I'm using freeradius for EAP-TLS auth and set up 
> the client for WPA2 enterprise with EAP-TLS. If this is not using 
> certificates for authentication, then what is it using?

WPA != "WPA2 enterprise"

  You're confused because you're confusing two different things.

> MS Windows Vista, built-in L2TP/IPSEC client, ppp authentication set to 
> EAP-TLS.
>>   Alan DeKok.

  Well, that should work.

  And no, it's not a FreeRADIUS issue.

  Alan DeKok.


Re: GUID based Authentication on FreeRadius

2011-12-28 Thread Alan DeKok
McSparin, Joe wrote:
> My goal is, I have users that will connect wirelessly using their NT
> domain username and password on the hospital's wireless devices.
> I also however have doctors that will bring in their own laptops and
> connect.  When they connect with their laptops though I do not want them
> to have the same privileges as when they connect on the hospital
> wireless devices.

  That should be easy.  You need to put the hospitals devices into a
group (see "man rlm_passwd").  Those devices get VLAN X, other devices
get VLAN Y.

  You should be able to use Calling-Station-Id, which is normally the
MAC of the device.

  Alan DeKok.
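As an added illustration of the policy Alan sketches (this is not code from the thread or from FreeRADIUS): normalise Calling-Station-Id, look it up in a device group, and return the RFC 3580 tunnel attributes for "VLAN X" or "VLAN Y". In a deployment the same decision would live in rlm_passwd/unlang as he says; the VLAN numbers, the device list and the way the reply is represented are assumptions made for this example. One caveat a practitioner will want spelled out: a MAC address is asserted by the client and trivially changed, so this sorts devices into groups but does not prove a device is hospital-owned; the EAP-TLS machine certificates Rudolph describes elsewhere in the thread do.

```python
"""Device-group VLAN steering keyed on Calling-Station-Id.

Added example, not code from this thread or from FreeRADIUS. VLAN IDs,
the device list and the reply representation are assumptions.
"""
import re

HOSPITAL_VLAN = "10"   # assumed: Alan's "VLAN X"
PUBLIC_VLAN = "20"     # assumed: Alan's "VLAN Y"

# Constructed device group: the MAC seen in the thread's debug output plus
# one written the way a Cisco NAS tends to send it.
HOSPITAL_DEVICES = {"18-87-96-5A-25-C6", "0018.e7d4.37d1"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id):
    """Reduce the NAS spellings of a MAC (aa-bb-cc-dd-ee-ff, aa:bb:...,
    aabb.ccdd.eeff, aabbcc-ddeeff) to 12 lowercase hex digits, or None
    when the attribute is missing or is not a MAC at all."""
    if not calling_station_id:
        return None
    mac = re.sub(r"[-:.\s]", "", calling_station_id.strip().lower())
    return mac if _HEX12.match(mac) else None


def vlan_reply(calling_station_id, devices=HOSPITAL_DEVICES):
    """RFC 3580 tunnel attributes for the Access-Accept.

    Unknown, missing or malformed MACs fail closed onto the public VLAN.
    Caveat: the MAC is a claim the client makes, not a credential; this
    sorts devices into groups, it does not authenticate them."""
    known = {normalize_mac(d) for d in devices} - {None}
    mac = normalize_mac(calling_station_id)
    vlan = HOSPITAL_VLAN if mac in known else PUBLIC_VLAN
    return {
        "Tunnel-Type": "VLAN",             # RFC 3580 value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 3580 value 6
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    # Constructed requests: a known hospital device, an unknown laptop,
    # and a NAS that sent no Calling-Station-Id at all.
    for csid in ("18:87:96:5A:25:C6", "00-11-22-33-44-55", None):
        print(csid, "->", vlan_reply(csid)["Tunnel-Private-Group-Id"])
```

Normalising before comparison matters because different NAS vendors format Calling-Station-Id differently; a group file written in one style silently misses devices reported in another, and a miss here lands a hospital device on the public VLAN rather than the other way round.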


Re: Logging User Accounts

2011-12-28 Thread Alan Buxey
Yes, look at the linelog module

alan




RE: GUID based Authentication on FreeRadius

2011-12-28 Thread McSparin, Joe
Well that answers that then.  
My goal is, I have users that will connect wirelessly using their NT
domain username and password on the hospital's wireless devices.
I also however have doctors that will bring in their own laptops and
connect.  When they connect with their laptops though I do not want them
to have the same privileges as when they connect on the hospital
wireless devices.
If they are connecting with their home laptops, even though they use
their NT domain user name and password, which the radius server will
accept, I want to restrict them to a public VLAN.
If they connect using a hospital device then I want it to assign them to
a VLAN based on their NT domain user group.  Since this is a hospital I
have to have pretty strict security regulations with users.

Thanks,


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

-Original Message-
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 28, 2011 8:25 AM
To: FreeRadius users mailing list
Subject: Re: GUID based Authentication on FreeRadius

McSparin, Joe wrote:
> Anyone know if this is possible.  I have found information on MAC Based
> Authentication but nothing on GUID.

  What does that mean?

  The GUID isn't sent in a RADIUS packet.  So doing GUID authentication
makes no sense.

  Alan DeKok.






RE: ppp and eap-tls

2011-12-28 Thread Frank
Hi,

> -Original Message-
> From: Alan DeKok [mailto:al...@deployingradius.com]
> Sent: Wednesday, December 28, 2011 15:40
> To: FreeRadius users mailing list 
> [mailto:freeradius-users@lists.freeradius.org]
> Subject: Re: ppp and eap-tls
> 
> Frank wrote:
> > I now get the following error in my radius log on an auth attempt:
> >
> > Error: TLS Alert write:fatal:decrypt error
> > Error: TLS_accept: failed in SSLv3 read certificate verify B
> > Error: rlm_eap: SSL error error:0407006A:rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> > Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> 
>   The client is broken.

Ok. The client is the built-in L2TP/IPSEC VPN client in MS Windows Vista

> 
> > Now there's several issues:
> > - I don't know what I changed which caused this behaviour (maybe an
> openssl update in Squeeze? Something changes in Windows Vista?)
> 
>   No.

It used to work fine with this client (MS Windows Vista L2TP/IPsec client)

> 
> > - the client certificates are valid (tested with openssl cli), and
> work fine when using for WPA auth
> > - I don't really know what this error means
> > - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit)
> RSA certs and the extensions for XP for both the server and client
> certs
> >
> > Again, the same certificates work fine for WPA auth
> 
>   Which doesn't use certificates.

This statement is confusing! I'm using freeradius for EAP-TLS auth and set up 
the client for WPA2 enterprise with EAP-TLS. If this is not using certificates 
for authentication, then what is it using?

> 
> > I hope someone can shed some light onto this issue, or how to pin
> down the exact cause of the 'rsa
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error.
> 
>   Find out which client it is.  Mac?  Windows?

MS Windows Vista, built-in L2TP/IPSEC client, ppp authentication set to EAP-TLS.
> 
>   Alan DeKok.

Regards,
Frank




Re: GUID based Authentication on FreeRadius

2011-12-28 Thread Alan DeKok
McSparin, Joe wrote:
> Anyone know if this is possible.  I have found information on MAC Based
> Authentication but nothing on GUID.

  What does that mean?

  The GUID isn't sent in a RADIUS packet.  So doing GUID authentication
makes no sense.

  Alan DeKok.


Re: ppp and eap-tls

2011-12-28 Thread Alan DeKok
Frank wrote:
> I now get the following error in my radius log on an auth attempt:
> 
> Error: TLS Alert write:fatal:decrypt error
> Error: TLS_accept: failed in SSLv3 read certificate verify B
> Error: rlm_eap: SSL error error:0407006A:rsa 
> routines:RSA_padding_check_PKCS1_type_1:block type is not 01
> Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

  The client is broken.

> Now there's several issues:
> - I don't know what I changed which caused this behaviour (maybe an openssl 
> update in Squeeze? Something changes in Windows Vista?)

  No.

> - the client certificates are valid (tested with openssl cli), and work fine 
> when using for WPA auth
> - I don't really know what this error means
> - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA 
> certs and the extensions for XP for both the server and client certs
> 
> Again, the same certificates work fine for WPA auth

  Which doesn't use certificates.

> I hope someone can shed some light onto this issue, or how to pin down the 
> exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is 
> not 01' error.

  Find out which client it is.  Mac?  Windows?

  Alan DeKok.


Re: How to access 3GPP2 Attributes in rlm module

2011-12-28 Thread Alan DeKok
Ratnesh Sinha wrote:
> Pl. let me know how to access for example 3GPP2 attribute in the module.

  What does that mean?

  Learn how to ask *good* questions.

  Alan DeKok.


Re: eap/tls questions with freeradius

2011-12-28 Thread Phil Mayers

On 12/26/2011 02:44 PM, vazoumana fofana wrote:

Sorry, I've got persistent problems:

- I filter the client certificate in the authenticate section (under eap)
with:
    Auth-Type eap {
        if ( "%{TLS-Client-Cert-Subject}" =~ /OU=x/ ) {
            reject
        }
    }
Firstly, it's written in the "default" file:
    # Please do not put "unlang" configurations into the "authenticate"
    # section. Put them in the "post-auth" section instead. That's what
    # the post-auth section is for.
But, according to me, it's not right because I don't want to enter
post-auth. It must be rejected before.


This is not easy at the moment I'm afraid.

Basically, the problem is that the "authorize" part of the "eap" module 
doesn't do much. All the work is done inside the "authenticate" section.


This means that TLS-* attributes may not be present in "authorize".

You are correct that performing a "reject" in "post-auth" is not the 
right thing to do.


It might be an idea in future to add an "inner-tunnel" feature for 
EAP-TLS which sends a plain PAP packet with the TLS-* attributes, which 
allows this kind of checking.


You need to use the "verify { }" option under the "tls { }" config to 
run an external script. Like so:


eap {
  tls {
    verify {
      client = "/path/to/my/script ..."
    }
  }
}

This is documented with examples in eap.conf

But really, you're doing it wrong.

If you don't want a particular cert to authenticate, revoke it and use 
CRLs or OCSP.


Why do you think you want to check the cert subject?
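Phil points at the verify { client = ... } hook. The script below is an added example (not Phil's code and not part of FreeRADIUS) of what such an external command could look like when the policy is "refuse certificates from OU x". It assumes the subject is handed over as the single argument, for instance client = "/usr/local/bin/check_ou.py %{TLS-Client-Cert-Subject}" (eap.conf documents the hook; passing the subject this way is this example's choice), and that a non-zero exit status makes FreeRADIUS reject the certificate. It also shows why the regex in the question, =~ /OU=x/, is looser than it looks: it is a substring match and rejects OU=xray as well.

```python
#!/usr/bin/env python3
"""External client-certificate check for FreeRADIUS `verify { client = ... }`.

Added example, not code from this thread or from FreeRADIUS. Assumed
wiring: the subject arrives as argv[1] in OpenSSL one-line form
(/C=FR/O=Example/OU=x/CN=alice) and exit status != 0 means "reject".
"""
import re
import sys

DENIED_OUS = {"x"}   # assumed: the OU the original poster wants to refuse


def parse_dn(subject):
    """Split an OpenSSL one-line DN into {attribute: [values]}.

    A segment without '=' is taken as a '/' that occurred inside the
    previous value, because the one-line format does not escape it."""
    attrs = {}
    last = None
    for seg in subject.split("/"):
        if not seg:
            continue
        if "=" in seg:
            key, _, value = seg.partition("=")
            attrs.setdefault(key, []).append(value)
            last = key
        elif last is not None:
            attrs[last][-1] += "/" + seg
    return attrs


def ou_denied(subject, denied=DENIED_OUS):
    """Exact match on every OU value: OU=xray does not trip a ban on x."""
    return any(ou in denied for ou in parse_dn(subject).get("OU", []))


def naive_regex_denied(subject, ou="x"):
    """The check from the question, `=~ /OU=x/`, for comparison. It is a
    substring match, so it also rejects OU=xray, OU=x-team, ..."""
    return re.search(r"OU=" + re.escape(ou), subject) is not None


def main(argv):
    """Exit 0 to accept the certificate, 1 to reject, 2 on misuse."""
    if len(argv) != 2:
        sys.stderr.write("usage: check_ou.py <TLS-Client-Cert-Subject>\n")
        return 2
    return 1 if ou_denied(argv[1]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This does not change Phil's conclusion: a certificate the CA no longer vouches for should be revoked and checked against a CRL or OCSP, which also covers clients that never reach this script. The exact-match parser is only the minimum a subject-based filter needs if one is used at all.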


ppp and eap-tls

2011-12-28 Thread Frank
Hi,

I'm using freeradius for EAP-TLS authentication with my WPA NAS, with MS-CHAPv2 
for ppp auth (in an L2TP/IPSEC VPN) and, for a while (about half a year ago), 
EAP-TLS for ppp auth.

However, without me consciously changing anything in my setup (running Debian 
Squeeze, connecting clients run MS Windows Vista), EAP-TLS for ppp auth no 
longer works since I've tested it again recently.

I now get the following error in my radius log on an auth attempt:

Error: TLS Alert write:fatal:decrypt error
Error: TLS_accept: failed in SSLv3 read certificate verify B
Error: rlm_eap: SSL error error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Now there are several issues:
- I don't know what I changed which caused this behaviour (maybe an openssl 
update in Squeeze? Something changed in Windows Vista?)
- the client certificates are valid (tested with the openssl cli), and work fine 
when used for WPA auth
- I don't really know what this error means
- I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA certs 
and the extensions for XP for both the server and client certs

Again, the same certificates work fine for WPA auth

I hope someone can shed some light onto this issue, or how to pin down the 
exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is 
not 01' error.

Regards,
Frank


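On the question of what the error means: an added example follows (not code from the thread). OpenSSL raises "RSA_padding_check_PKCS1_type_1:block type is not 01" when the block it recovers from the RSA public-key operation on a signature does not start with the 00 01 header of EMSA-PKCS1-v1_5 (RFC 3447 section 9.2); for an EAP-TLS CertificateVerify under TLS 1.0/1.1 that block must carry MD5 || SHA-1 over the handshake messages, 36 bytes with no DigestInfo (RFC 2246 section 7.4.8). The code below re-implements that check and runs it over a constructed correct block and a constructed block padded as type 02 (encryption padding), which reproduces the server-side error. The RSA exponentiation itself is left out because the error is raised on the decoded block, not on the RSA step. Nothing here establishes why Frank's Vista client produced such a block; the thread does not settle that.

```python
"""What `RSA_padding_check_PKCS1_type_1:block type is not 01` is checking.

Added example, not code from this thread. Re-implements the EMSA-PKCS1-v1_5
decoding OpenSSL performs on a signature block and the TLS 1.0/1.1 RSA
CertificateVerify payload that block must carry. The handshake transcript
and the broken block are constructed for the demonstration.
"""
import hashlib
import hmac


def pkcs1_v15_type1_pad(t, k):
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS >= 8 bytes of 0xFF
    and len(EM) == k, the modulus length in bytes."""
    if len(t) > k - 11:
        raise ValueError("message too long for key size")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def pkcs1_v15_type1_unpad(em):
    """Undo the padding, raising with OpenSSL-style reasons on malformed
    input. A block starting 00 02 is type-2 (encryption) padding: the
    signer padded for RSAES, or the block was recovered with the wrong key."""
    if len(em) < 11:
        raise ValueError("data too small")
    if em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("block type is not 01")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("null not found")
    ps = em[2:sep]
    if ps != b"\xff" * len(ps):
        raise ValueError("bad fixed header decrypt")
    if len(ps) < 8:
        raise ValueError("bad pad byte count")
    return em[sep + 1:]


def tls10_verify_payload(handshake_messages):
    """TLS 1.0/1.1 RSA CertificateVerify signs MD5 || SHA-1 over every
    handshake message exchanged so far (36 bytes, no DigestInfo)."""
    data = b"".join(handshake_messages)
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def verify_certificate_verify(em, handshake_messages):
    """True if the block carries the expected 36-byte digest. Padding
    faults raise ValueError; a wrong digest just returns False."""
    t = pkcs1_v15_type1_unpad(em)
    expected = tls10_verify_payload(handshake_messages)
    return len(t) == 36 and hmac.compare_digest(t, expected)


def run_demo(k=128):
    """Constructed exchange: one correct signature block and one in which
    the client used type-2 padding. Returns what the verifier saw."""
    transcript = [b"ClientHello", b"ServerHello", b"Certificate",
                  b"CertificateRequest", b"ServerHelloDone",
                  b"ClientCertificate", b"ClientKeyExchange"]
    t = tls10_verify_payload(transcript)
    good = pkcs1_v15_type1_pad(t, k)
    # 0x5a stands in for the random non-zero bytes type-2 padding uses.
    wrong_type = b"\x00\x02" + b"\x5a" * (k - len(t) - 3) + b"\x00" + t
    results = {"good": verify_certificate_verify(good, transcript)}
    try:
        verify_certificate_verify(wrong_type, transcript)
        results["type2"] = "accepted"
    except ValueError as exc:
        results["type2"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The useful diagnostic point is that this error fires before any certificate chain or digest comparison: the server could not even decode the signature block, so "the certificates verify with the openssl CLI" is consistent with it, and the thing to capture is the CertificateVerify message the client actually sent.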


Re: Problem with mysql-user

2011-12-28 Thread Fajar A. Nugraha
On Wed, Dec 28, 2011 at 7:22 PM, Koenraad Lelong wrote:
> When I try via wifi using a user in the users-file, that user is accepted, a
> user in the mysql database is rejected.
>
> When I try the "mysql-user" with radtest, the user is authenticated :

> # radtest mtester1 mtester1 localhost 0 testing123
> Sending Access-Request of id 56 to 127.0.0.1 port 1812
>        User-Name = "mtester1"
>        User-Password = "mtester1"
>        NAS-IP-Address = 127.0.1.1
>        NAS-Port = 0
>        Message-Authenticator = 0x
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=56,
> length=20

with default settings, radtest will use pap


> rad_recv: Access-Request packet from host 192.168.185.14 port 1027, id=0,
> length=156
>        User-Name = "mtester1"
>        NAS-IP-Address = 192.168.185.14
>        NAS-Port = 0
>        Called-Station-Id = "06-18-E7-D4-37-D0:Isengard"
>        Calling-Station-Id = "18-87-96-5A-25-C6"
>        Framed-MTU = 1400
>        NAS-Port-Type = Wireless-802.11
>        Connect-Info = "CONNECT 0Mbps 802.11"
>        EAP-Message = 0x020d016d74657374657231

... while your wifi user uses EAP.

> server inner-tunnel {
> # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel

see that config file?

> +- entering group authorize {...}
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "mtester1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] EAP packet type response id 6 length 67
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop

sql module is not configured in the authorize section in that file. Fix it.

-- 
Fajar

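The reasoning Fajar walks through (radtest goes through the default server with PAP, the wifi user goes through EAP into the inner-tunnel server, and that server's authorize list has no sql) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from FreeRADIUS: it parses radiusd -X output of the shape quoted above and lists, per virtual server and section, the modules that actually ran. SAMPLE_TRACE is constructed: the inner-tunnel part follows the lines quoted in this thread, and the default-server part is invented for contrast.

```python
"""Which modules did each virtual server actually run?

Added example, not code from this thread or from the FreeRADIUS project.
Parses FreeRADIUS 2.x `radiusd -X` output. SAMPLE_TRACE is constructed
from the shape of the lines quoted in the thread.
"""
import re
from collections import OrderedDict

SERVER_OPEN = re.compile(r"^server (\S+) \{")
SECTION = re.compile(r"^# Executing section (\w+) from file (\S+)")
MODULE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")

SAMPLE_TRACE = """\
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
[eap] EAP packet type response id 6 length 67
++[eap] returns updated
++[sql] returns ok
++[pap] returns noop
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mtester1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 67
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
} # server inner-tunnel
"""


def sections_run(trace):
    """Return {(server, section): [(module, rcode), ...]} in trace order.

    Lines before any `server NAME {` header belong to the unnamed default
    server, which FreeRADIUS 2.x prints without such a header."""
    runs = OrderedDict()
    server = "default"
    current = None
    for raw in trace.splitlines():
        line = raw.strip()
        m = SERVER_OPEN.match(line)
        if m:
            server = m.group(1)
            continue
        m = SECTION.match(line)
        if m:
            current = (server, m.group(1))
            runs.setdefault(current, [])
            continue
        m = MODULE.match(line)
        if m and current is not None:
            runs[current].append((m.group(1), m.group(2)))
    return runs


def missing_modules(trace, module, section="authorize"):
    """Servers whose SECTION never called MODULE, e.g. sql absent from the
    inner-tunnel authorize list, which is what this thread diagnosed."""
    return sorted(srv for (srv, sec), mods in sections_run(trace).items()
                  if sec == section and module not in {m for m, _ in mods})


def report(trace):
    """One summary line per server/section."""
    return "\n".join(
        f"{srv}/{sec}: " + ", ".join(f"{m}={rc}" for m, rc in mods)
        for (srv, sec), mods in sections_run(trace).items())


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
    for srv in missing_modules(SAMPLE_TRACE, "sql"):
        print(f"WARNING: {srv} authorize never calls sql")
```

Run against a real trace (radiusd -X > trace.txt, then pass the file contents), the warning points at the virtual server to edit; for the original poster that is sites-enabled/inner-tunnel, whose authorize section needs sql listed, as the default server's evidently already does since radtest via PAP succeeded.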


Problem with mysql-user

2011-12-28 Thread Koenraad Lelong

Hi,

I'm new to freeradius, I'm trying to set up freeradius to authenticate 
wifi-users using mysql. I'm running freeradius 2.1.12 from Fajar A. 
Nugraha (see post on 20 Dec 2011 11:16:27) on ubuntu 10.04. I'm using 
the daloradius-gui to create users.
When I try via wifi using a user in the users-file, that user is 
accepted, a user in the mysql database is rejected.


When I try the "mysql-user" with radtest, the user is authenticated :
# radtest mtester1 mtester1 localhost 0 testing123
Sending Access-Request of id 56 to 127.0.0.1 port 1812
User-Name = "mtester1"
User-Password = "mtester1"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=56, 
length=20


What am I doing wrong ?

Thanks,

Koenraad Lelong.

This is the log when trying the mysql-user via wifi :

FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Oct  7 
2011 at 10:59:41

Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/replicate
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/soh
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/redis
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/rediswho
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration

How to access 3GPP2 Attributes in rlm module

2011-12-28 Thread Ratnesh Sinha
Hi,

Pl. let me know how to access for example 3GPP2 attribute in the module.


Regards,

Ratnesh
