Re: Connect with different user but radius does not know that!
2012/3/14 ZhenJoey snan4l...@hotmail.com:
> Hello all:
> I got a problem again. I set up the freeradius+mysql system; it looks like it works well, but today I got a problem like this. I have two users, User1 and User2 (different Cleartext-Password). After turning on the radius server (in debug mode) and the NAS, the first time I use User1 to login, it connected, great. And then I broke the connection and tried again as User2; it also connected, but in the debug information it said (expand: %{User-Name} -) that the user is still User1. It is weird for me. I restarted the radius server and connected again with User2's information: still reported as User1. But if I reboot the AP and connect as User2 (the radius server does not need to restart here), it works, radius now knows it is User2. But after that I use User1 to connect and the same thing happens: the server said it is still User2, not User1. It seems like the NAS's problem; I tried two kinds of NAS (Compex WPS 543 and Netgear WG103), the same situation. Can anyone help me here?

Ask your NAS vendor. You said so yourself, rebooting the AP fixed the problem. Radius simply processes what the NAS sends.

-- 
Fajar
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Using freeRadius with OTP and gateway
Hi Cornelius and Tim,

First I want to apologize for my late response, lots of things to do. Then thank you so much for your advice, but for now we think that the OTP system is not good for our implementation. But with some research we made, we have another question. We want to enable on free radius the Access Request -- Access Challenge -- Access Request -- Access Accept / Reject flow, with CHAP, but we don't know how to do this, and if you can help us it would be great. Because I read that usually with this kind of implementation the Access Challenge contains a message with which the client needs to calculate the response. And for now that is enough for us.

Thanks in advance, best regards

-- 
Mercier Valentin

On Thursday, 8 March 2012 at 08:22, Cornelius Kölbel wrote:

> Hello Mercier,
> the interesting part about your idea is that the user sends the SMS to authenticate; this avoids that you will have to pay for the SMS. Most solutions send the SMS with the OTP to the user, so that you - the provider - will have to pay for the SMS sending.
> Nevertheless you might take a look at LinOTP, which does one time password authentication and comes with a freeradius module, so that integration in your scenario could be rather simple. Also in this case the RADIUS server does not know the users, but the auth request (with user and OTP) is forwarded to the linotp daemon, which in turn is able to verify the username and the provided OTP. The users can be fetched from any flat file and/or LDAP and/or SQL database.
> Only drawback for your case is the thing with who sends the SMS.
> Kind regards
> Cornelius
>
> On 07.03.2012 13:56, Mercier Valentin wrote:
> > Hi everyone,
> > I'm using Freeradius 2.1.12 on a Debian server. I have another Debian server with Coovachilli (captive portal) and an Access Point based on Ruckus OS. When my users connect on the AP, a web page comes up with a form to connect. Then the user enters his information (username and password) and Coovachilli does the authentication on the radius, and this is working fine.
> > Now I want to make something different: when the user connects on the AP, I want him to receive a little form, then he needs to enter a username (not known on the radius) and I want the radius to create a One Time Password and send it to the user (on another webpage). And the user sends this OTP via SMS to an SMS gateway to finish the authentication. Is that possible, and if yes, could someone explain to me how I can make it?
> > For the SMS gateway I am using SMSLib (java library) on the same server as freeradius.
> > Best regards and sorry for my bad english (from switzerland).
> > --
> > Mercier Valentin
RE: Connect with different user but radius does not know that!
Things get more weird: after the first successful connection, no matter what username I use (an invalid user), and no matter what password I use (an invalid password), it will connect successfully with the first valid user account! Both NAS, Netgear and Compex, show the same situation.

Joey

> Date: Wed, 14 Mar 2012 12:27:46 +0700
> Subject: Re: Connect with different user but radius does not know that!
> From: l...@fajar.net
> To: freeradius-users@lists.freeradius.org
>
> 2012/3/14 ZhenJoey snan4l...@hotmail.com:
> > Hello all:
> > I got a problem again. I set up the freeradius+mysql system; it looks like it works well, but today I got a problem like this. I have two users, User1 and User2 (different Cleartext-Password). After turning on the radius server (in debug mode) and the NAS, the first time I use User1 to login, it connected, great. And then I broke the connection and tried again as User2; it also connected, but in the debug information it said (expand: %{User-Name} -) that the user is still User1. It is weird for me. I restarted the radius server and connected again with User2's information: still reported as User1. But if I reboot the AP and connect as User2 (the radius server does not need to restart here), it works, radius now knows it is User2. But after that I use User1 to connect and the same thing happens: the server said it is still User2, not User1. It seems like the NAS's problem; I tried two kinds of NAS (Compex WPS 543 and Netgear WG103), the same situation. Can anyone help me here?
>
> Ask your NAS vendor. You said so yourself, rebooting the AP fixed the problem. Radius simply processes what the NAS sends.
>
> --
> Fajar
Re: How to configure FreeRadius as Captive Portal
On 13/03/12 21:41, Fabricio Flores wrote:
> Hello... I have a question... Which captive portal is the best? I tried to configure coovachilli in CentOS and it is very hard to install and configure... Is Grase Hotspot easier?

Grase Hotspot uses Coova Chilli internally, but does the work of setting everything up for you. It uses Debian/Ubuntu based distributions as it makes use of packaging features to do all the hard configuration work. The admin interface is (in my biased opinion) nice and easy to use.

Tim
Re: multiple NAS behind multiple NAT with one radius server.
Hi,

You may want to look at this discussion that took place on the mailing list about the same issue and possible solutions to handle the problem:
http://freeradius.1045715.n5.nabble.com/Authorising-Clients-by-Calling-Station-ID-Not-IP-tc4883866.html

Regards
RE: multiple NAS behind multiple NAT with one radius server.
It is really helpful, thank you very much.

> Date: Wed, 14 Mar 2012 03:47:31 -0700
> From: dirkvanderw...@gmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: multiple NAS behind multiple NAT with one radius server.
>
> Hi,
> You may want to look at this discussion that took place on the mailing list about the same issue and possible solutions to handle the problem:
> http://freeradius.1045715.n5.nabble.com/Authorising-Clients-by-Calling-Station-ID-Not-IP-tc4883866.html
> Regards
RE: multiple NAS behind multiple NAT with one radius server.
Hello Dirk:

I read this article, it is really helpful, thank you very much. Before reading it, my solution was to set a single client entry in clients.conf like this:

    client allAP {
        ipaddr  = 0.0.0.0
        netmask = 0
        secret  = something
        ...
    }

Right now it works fine for multiple NAS. I want to know, ignoring the security issues, does having all clients use the same single entry affect the performance of the radius server? Thank you very much.

Joey

> Date: Wed, 14 Mar 2012 03:47:31 -0700
> From: dirkvanderw...@gmail.com
> To: freeradius-users@lists.freeradius.org
> Subject: Re: multiple NAS behind multiple NAT with one radius server.
>
> Hi,
> You may want to look at this discussion that took place on the mailing list about the same issue and possible solutions to handle the problem:
> http://freeradius.1045715.n5.nabble.com/Authorising-Clients-by-Calling-Station-ID-Not-IP-tc4883866.html
> Regards
Re: multiple NAS behind multiple NAT with one radius server.
ZhenJoey wrote:
> I want to know, ignoring the security issues, does having all clients use the same single entry affect the performance of the radius server?

No.

Alan DeKok.
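For readers weighing the "ignore the security issues" part of Joey's question, here is a clients.conf fragment added as an example (it is not from the thread or from the FreeRADIUS distribution) that puts the catch-all entry next to the narrower per-egress form. Addresses are documentation-range placeholders and the secrets are constructed; the narrower form only applies when each NAT egress has a stable address, which is the case the linked thread says is not always available.

```conf
# Catch-all entry, as in Joey's message: every source address is accepted and
# all of them share one secret. Performance is not the cost (see Alan's reply);
# the cost is that any host able to reach the server and in possession of
# "something" can submit Access-Requests and receive Access-Accepts.
client allAP {
        ipaddr    = 0.0.0.0
        netmask   = 0
        secret    = something
        shortname = all-nas
}

# Narrower form: one entry per NAT egress address, each with its own long
# random secret, so a secret learned at one site is useless from another.
# 203.0.113.10 and 198.51.100.0/24 are placeholder documentation addresses.
client nat-site-a {
        ipaddr    = 203.0.113.10
        secret    = PLACEHOLDER-long-random-secret-for-site-a
        shortname = site-a
}

client nat-site-b {
        ipaddr    = 198.51.100.0
        netmask   = 24
        secret    = PLACEHOLDER-long-random-secret-for-site-b
        shortname = site-b
}
```

Both forms use the same keys (ipaddr, netmask, secret, shortname) Joey already has, so switching is a matter of replacing the single entry once the egress addresses are known.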
Creating Certificates for EAP
Hi,

I am trying to create certificates in Freeradius going inside /usr/local/etc/raddb/certs. I need these certificates for EAP-TTLS authentication for wireless access points. As suggested in deployingradius.com and the README inside /usr/local/etc/raddb/certs, I tried to create test certificates for testing purposes at first. I tried the command make inside /usr/local/etc/raddb/certs, but it doesn't do anything, i.e. doesn't show any certificates being built. Also I tried ./bootstrap inside the same certs directory; it also doesn't do anything. I don't see any certificates like the root CA that have been built after I run the make or ./bootstrap command inside the certs directory. I have already installed openssl on my FreeBSD machine on which the freeradius server is installed. Is there anything I am missing? Your suggestions would be greatly appreciated.

Thanks
Re: Creating Certificates for EAP
suggestme wrote:
> Also I tried ./bootstrap inside the same certs directory; it also doesn't do anything.

Running a shell script doesn't work? It doesn't generate errors? Your OS is completely broken.

Or, *something* happened, and you ignored it.

Alan DeKok.
Re: LDAP conns: Problem
Prateek Kumar wrote:
> When I am starting my freeradius in debug mode then I am getting this message
>
>     rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
>     rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
>     conns: 0xb7897598
>
> message

So?

> Is this normal to see that message? If not, how can I remove it? Also, what does this message convey?

It's a debug message. Do you understand every single other message that the server produces? If so, wonderful. If not, why complain about this one?

Alan DeKok.
Re: Creating Certificates for EAP
Hi,

Normally your bootstrap script runs the make command first; if make is not supported then it runs the script. The script creates random, 01.pem, ca.pem, server.pem and other files in different formats. If your openssl command is not working properly or you have some .cnf file missing in the directory then the script will exit with status 1. First try:

    openssl dhparam -out dh 1024

and see if the dh file is created or not, to check that you have openssl installed correctly.

Regards,
Prateek

When you run you boots

On Wed, Mar 14, 2012 at 6:49 PM, suggestme suggest...@hotmail.com wrote:
> Hi,
> I am trying to create certificates in Freeradius going inside /usr/local/etc/raddb/certs. I need these certificates for EAP-TTLS authentication for wireless access points. As suggested in deployingradius.com and the README inside /usr/local/etc/raddb/certs, I tried to create test certificates for testing purposes at first. I tried the command make inside /usr/local/etc/raddb/certs, but it doesn't do anything, i.e. doesn't show any certificates being built. Also I tried ./bootstrap inside the same certs directory; it also doesn't do anything. I don't see any certificates like the root CA that have been built after I run the make or ./bootstrap command inside the certs directory. I have already installed openssl on my FreeBSD machine on which the freeradius server is installed. Is there anything I am missing? Your suggestions would be greatly appreciated.
> Thanks
Re: LDAP conns: Problem
Thanks Alan

On Wed, Mar 14, 2012 at 7:07 PM, Alan DeKok al...@deployingradius.com wrote:
> Prateek Kumar wrote:
> > When I am starting my freeradius in debug mode then I am getting this message
> >
> >     rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> >     rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
> >     conns: 0xb7897598
> >
> > message
>
> So?
>
> > Is this normal to see that message? If not, how can I remove it? Also, what does this message convey?
>
> It's a debug message. Do you understand every single other message that the server produces? If so, wonderful. If not, why complain about this one?
>
> Alan DeKok.
Re: Creating Certificates for EAP
I tried:

    openssl dhparam -out dh 1024

as you suggested and the dh file is created as below:

    # openssl dhparam -out dh 1024
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ...+...++...+...+...+.+++...+..+..+.+.++*++*++*

Inside the dh file I can see:

    -----BEGIN DH PARAMETERS-----
    MIGHAoGBAKUwai2pBXG3jEBbBRk08wDTE+l0m6USXQcq5AF1FMM/3RxFOZvfgotu
    qEqQJAYvUawmG2JScnPqPNeP2kHOCPyGrtCgAeXXKu0kbN8liniRLWpvUoy9LlJE
    XMr0RyuNUJFUvnBdGL8Hup5X7pqIezIKTpvrgGmnNze+tytw8ZkjAgEC
    -----END DH PARAMETERS-----

*Does this mean my OpenSSL is ok?*

I have used make install to install ports in FreeBSD and this command works and everything has been working well till now. I have already configured Freeradius for the users in Active Directory; everything is working perfectly for the other authentication methods. Should I try the make install command instead of make or ./bootstrap inside the /usr/local/etc/raddb/certs directory?

Thanks
pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
Hi Folks,

I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:

    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Got user name jmaltin@ip_removed_by_poster
    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: get_ipaddr(Add) returned 0.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Failed looking up IP address for RADIUS server Add (errcode=9)
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: authentication failed
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got user name jmaltin@removed_by_poster
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG: get_ipaddr(Add) returned 0.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Failed looking up IP address for RADIUS server Add (errcode=9)
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: authentication failed
    Mar 14 12:57:31 app2 sshd[12858]: Failed password for invalid user jmal...@voxel.net from ip_removed_by_poster port 44398 ssh2

What's the magic way to compile this for x86_64? Notice I added the -m64 to try to force 64 bit.

    [root@app2 pam_radius-1.3.17]# make
    cc -Wall -fPIC -m64 -c pam_radius_auth.c -o pam_radius_auth.o
    pam_radius_auth.c: In function ‘talk_radius’:
    pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
    pam_radius_auth.c: In function ‘pam_sm_authenticate’:
    pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
    cc -Wall -fPIC -m64 -c -o md5.o md5.c
    ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
    [root@app2 pam_radius-1.3.17]#

Thanks folks!

-- 
Judd Maltin
T: 917-882-1270 F: 501-694-7809
A loving heart is never wrong.
Re: pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
Judd Maltin wrote:
> I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:
...
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT

Another PAM module is butchering the password, before it is sent to pam_radius_auth. Go fix that.

> What's the magic way to compile this for x86_64?

Nothing. This isn't a 64-bit issue.

Alan DeKok.
LDAP Search Questions
Hello All,

I've got a question about the settings for limiting access/authenticating to a specific LDAP group. I have set up a group on my OpenLDAP called RADIUS and I want the users in there to be the only ones that have access. The problem I am having is with the filters. Below is my /etc/raddb/modules/ldap (given I cleaned up a lot of the comments just for posting reasons):

    server = example.com
    port = 389
    identity = cn=example,dc=company,dc=local
    password = x
    basedn = ou=People,dc=company,dc=local
    # access_attr = ?
    # filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    # filter = (objectclass=ogranizationalPerson)(de
    # base_filter = (objectclass=organizationalPerson)
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
        # cacertfile = /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile = /path/to/radius.crt
        # keyfile = /path/to/radius.key
        # randfile = /path/to/rnd
        # require_cert = demand
    }
    # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
    # profile_attribute = radiusProfileDn
    # access_attr = dialupAccess
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = userPassword
    auto_header = yes
    # groupname_attribute = cn
    # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
    # groupmembership_attribute = radiusGroupName
    # compare_check_items = yes
    # do_xlat = yes
    # chase_referrals = yes
    # set_auth_type = yes
    }
Mac Auth Rewrite SSID Issue
Hello All,

I have had this setup (http://wiki.freeradius.org/Mac-Auth) for a long time and it has been working well. Now I am experiencing an issue with the rewrite of the called station id to extract the SSID from the wireless. Anyone know how I can update the rewrite called station id function to allow the SSID to have spaces?

For example, called-station-id = 00-11-22-33-44-55:SSID WITH SPACE is just extracting the SSID as SSID. I need it to show as SSID WITH SPACE but as well be able to process others like SSID-NEW-SSID01.

Any help is appreciated. I think I am overlooking this, but I could be wrong, so any help would be great.

Thanks.
Question about certs and Microsoft
In the beginning of the cert documentation, it says:

> The Microsoft XP Extensions will be automatically included in the server certificate. Without those extensions Windows clients will refuse to authenticate to FreeRADIUS.

But I use a certificate authority, so later on in the documentation, it says:

> If you have an existing certificate authority, and wish to create a certificate signing request for the server certificate, edit server.cnf as above, and type the following command.
>
>     $ make server.csr
>
> You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients.

How do I go about ensuring this? Do I have to request them to be added from the CA?
Re: Mac Auth Rewrite SSID Issue
On 14 Mar 2012, at 20:18, John Corps wrote:

> Hello All,
> I have had this setup (http://wiki.freeradius.org/Mac-Auth) for a long time and it has been working well. Now I am experiencing an issue with the rewrite of the called station id to extract the SSID from the wireless. Anyone know how I can update the rewrite called station id function to allow the SSID to have spaces?
> For example, called-station-id = 00-11-22-33-44-55:SSID WITH SPACE is just extracting the SSID as SSID. I need it to show as SSID WITH SPACE but as well be able to process others like SSID-NEW-SSID01.

Just add a space in the char class for matching after the 6th octet.

    if(Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i){

Updated the wiki...

Really I guess it should be

    if(Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(.*)?/i){

But you're the first one who's complained ;)

Arran Cudbard-Bell a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
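To see exactly what each of Arran's patterns extracts, here is an added example in Python (it is not code from the Mac-Auth wiki page or from Arran's post; Python's `re` stands in for the unlang `=~ /.../i` match, which has the same anchoring and case-insensitivity for these patterns). The "original" pattern is reconstructed by removing the space Arran added; the sample Called-Station-Id values are constructed, and the MAC normalisation is this example's own addition so that a later policy lookup does not depend on which separator the NAS used.

```python
import re

# Six hex octets with optional "-" or ":" separators, plus the optional
# separator before the SSID: identical to the head of the unlang regex.
_OCTETS = r"^" + r"[-:]?".join([r"([0-9a-f]{2})"] * 6) + r"[-:]?"

# Reconstructed pre-fix pattern: no space in the SSID character class.
WIKI_ORIGINAL = re.compile(_OCTETS + r"([-a-z0-9_.]*)?", re.IGNORECASE)
# Arran's fix: a space added to the class.
WIKI_FIXED = re.compile(_OCTETS + r"([-a-z0-9_. ]*)?", re.IGNORECASE)
# Arran's "really I guess it should be" version: anything after the MAC.
ANYTHING = re.compile(_OCTETS + r"(.*)?", re.IGNORECASE)


def parse_called_station_id(value: str, pattern: re.Pattern):
    """Return (normalised MAC, SSID) or None when the value does not match.

    The MAC is lower-cased and colon-joined (this example's own choice, not
    part of the wiki rewrite) so "00-11-22-33-44-55" and "00:11:22:33:44:55"
    produce the same key for a policy lookup.
    """
    m = pattern.match(value)
    if m is None:
        return None
    mac = ":".join(octet.lower() for octet in m.groups()[:6])
    ssid = m.group(7) or ""          # group 7 is optional; treat absent as empty
    return mac, ssid


# Constructed Called-Station-Id values, including ones beyond John's case.
SAMPLES = [
    "00-11-22-33-44-55:SSID WITH SPACE",   # John's example
    "00-11-22-33-44-55:SSID-NEW-SSID01",   # the other form he needs to keep working
    "00:11:22:33:44:55",                    # NAS that appends no SSID at all
    "00-11-22-33-44-55:Caf\u00e9 Wifi",     # non-ASCII SSID: the char class stops early
    "0011.2233.4455:Guest",                 # Cisco dotted MAC: none of these patterns match
]


def compare(value: str) -> dict:
    """Run one value through all three patterns so the differences are visible."""
    return {
        name: parse_called_station_id(value, pattern)
        for name, pattern in (("original", WIKI_ORIGINAL),
                              ("fixed", WIKI_FIXED),
                              ("anything", ANYTHING))
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for name, result in compare(sample).items():
            print(f"  {name:9s} -> {result}")
```

The `(.*)` variant is the only one that keeps a non-ASCII SSID intact, and none of the three accept the dotted MAC form, so a rejected match should fall through to a deny rather than an empty SSID being treated as "no SSID restriction".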
Re: Mac Auth Rewrite SSID Issue
Excellent. Thanks Arran, works like a treat, I knew I was overlooking it. I need to brush up on regex :)

On Wed, Mar 14, 2012 at 3:28 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
> On 14 Mar 2012, at 20:18, John Corps wrote:
>
> > Hello All,
> > I have had this setup (http://wiki.freeradius.org/Mac-Auth) for a long time and it has been working well. Now I am experiencing an issue with the rewrite of the called station id to extract the SSID from the wireless. Anyone know how I can update the rewrite called station id function to allow the SSID to have spaces?
> > For example, called-station-id = 00-11-22-33-44-55:SSID WITH SPACE is just extracting the SSID as SSID. I need it to show as SSID WITH SPACE but as well be able to process others like SSID-NEW-SSID01.
>
> Just add a space in the char class for matching after the 6th octet.
>
>     if(Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([-a-z0-9_. ]*)?/i){
>
> Updated the wiki...
>
> Really I guess it should be
>
>     if(Called-Station-Id =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?(.*)?/i){
>
> But you're the first one who's complained ;)
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Question about certs and Microsoft
Scott McLane Gardner wrote:
> But I use a certificate authority, so later on in the documentation, it says:
>
> > If you have an existing certificate authority, and wish to create a certificate signing request for the server certificate, edit server.cnf as above, and type the following command.
> >
> >     $ make server.csr
> >
> > You will have to ensure that the certificate contains the XP extensions needed by Microsoft clients.

The default configuration includes the XP extensions.

> How do I go about ensuring this? Do I have to request them to be added from the CA?

The default configuration does this. You shouldn't need to do anything.

Alan DeKok.
Re: pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
On Wed, Mar 14, 2012 at 2:24 PM, Alan DeKok al...@deployingradius.com wrote:
> Judd Maltin wrote:
> > I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:
> ...
> > Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT
>
> Another PAM module is butchering the password, before it is sent to pam_radius_auth. Go fix that.

Fixed, thanks. nss_ldap wasn't finding my users to satisfy PAM account.

> > What's the magic way to compile this for x86_64?
>
> Nothing. This isn't a 64-bit issue.

Thanks again.

> Alan DeKok.

-- 
Judd Maltin
T: 917-882-1270 F: 501-694-7809
A loving heart is never wrong.
Re: Using freeRadius with OTP and gateway
Mercier Valentin wrote:
> But with some research we made, we have another question. We want to enable on free radius the Access Request -- Access Challenge -- Access Request -- Access Accept / Reject flow, with CHAP, but we don't know how to do this, and if you can help us it would be great.

You don't enable it. The NAS is responsible for sending RADIUS packets, and originating CHAP requests. CHAP doesn't use a RADIUS challenge-response, despite its name.

> Because I read that usually with this kind of implementation the Access Challenge contains a message with which the client needs to calculate the response. And for now that is enough for us.

CHAP doesn't work that way. The NAS sends a challenge to the client, and receives a response. It then sends challenge and response to the RADIUS server.

If you want challenge-response controlled by the RADIUS server, use EAP-MD5.

Alan DeKok.
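The exchange Alan describes, as an added Python example that is not code from the thread or from FreeRADIUS: the NAS issues the challenge and packs the client's answer into a single Access-Request (CHAP-Password and CHAP-Challenge, per RFC 1994 and RFC 2865), and the server verifies it from a stored cleartext password and answers Accept or Reject. No Access-Challenge round trip appears anywhere, which is the point of Alan's reply. The user table, usernames, passwords and fixed challenge are constructed; the client's hash computation is folded into the NAS function so the whole thing runs offline.

```python
import hashlib
import hmac
import os

# Constructed user database standing in for the server's Cleartext-Password
# entries. CHAP can only be verified against a cleartext password, because the
# server has to recompute the client's MD5 response itself.
CLEARTEXT_PASSWORDS = {"alice": "correct horse battery"}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def nas_build_access_request(username: str, password: str,
                             challenge: bytes = None, ident: int = None) -> dict:
    """NAS side of the exchange.

    The NAS picks a challenge and identifier, the client answers with the
    16-byte MD5 response, and the NAS packs both into one Access-Request:
    CHAP-Password = identifier byte + response (17 bytes), CHAP-Challenge =
    the challenge (RFC 2865 lets the Request Authenticator carry it instead).
    The RADIUS server is never asked to produce the challenge.
    """
    challenge = challenge if challenge is not None else os.urandom(16)
    ident = ident if ident is not None else os.urandom(1)[0]
    response = chap_response(ident, password, challenge)   # computed by the client
    return {
        "User-Name": username,
        "CHAP-Password": bytes([ident]) + response,
        "CHAP-Challenge": challenge,
    }


def server_check_chap(request: dict, passwords: dict) -> str:
    """RADIUS server side: recompute the response from the stored cleartext
    password and compare in constant time. Returns the reply code name."""
    password = passwords.get(request.get("User-Name"))
    chap = request.get("CHAP-Password", b"")
    challenge = request.get("CHAP-Challenge")
    if password is None or len(chap) != 17 or challenge is None:
        return "Access-Reject"            # unknown user or malformed attributes
    ident, response = chap[0], chap[1:]
    expected = chap_response(ident, password, challenge)
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def demo() -> tuple:
    """Fixed challenge and identifier so the run is reproducible."""
    challenge = bytes(range(16))
    good = nas_build_access_request("alice", "correct horse battery", challenge, ident=7)
    bad = nas_build_access_request("alice", "wrong password", challenge, ident=7)
    unknown = nas_build_access_request("mallory", "anything", challenge, ident=7)
    return (server_check_chap(good, CLEARTEXT_PASSWORDS),
            server_check_chap(bad, CLEARTEXT_PASSWORDS),
            server_check_chap(unknown, CLEARTEXT_PASSWORDS))


if __name__ == "__main__":
    print(demo())   # ('Access-Accept', 'Access-Reject', 'Access-Reject')
```

Because the server needs the cleartext password to recompute the hash, a user store that only holds salted password hashes cannot authenticate CHAP at all; that is the usual reason a CHAP deployment "mysteriously" rejects everyone after passwords are migrated to hashed storage.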
Re: Question about certs and Microsoft
Excellent, thank you.

> The default configuration does this. You shouldn't need to do anything.
Certificates not working
Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:

    rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key
    rlm_eap: Failed to initialize type tls

I checked the permissions of the server.key file and it is the same as all the other stuff in that directory. Can anyone tell me what this error means?
Re: Certificates not working
Just to get the server running, I tried moving all the things out of that directory, then doing the ./bootstrap thing, and it still gives that error when trying to start the server.

-Scott

On 3/14/12 3:44 PM, Scott McLane Gardner sgar...@uark.edu wrote:
> Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
>
>     rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>     rlm_eap_tls: Error reading private key file /etc/freeradius/certs/server.key
>     rlm_eap: Failed to initialize type tls
>
> I checked the permissions of the server.key file and it is the same as all the other stuff in that directory. Can anyone tell me what this error means?
Re: Certificates not working
Scott McLane Gardner wrote:
> Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
>
>     rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>     rlm_eap_tls: Error reading private key file

The password to the key file is wrong.

Alan DeKok.
Re: Certificates not working
On 3/14/12 4:05 PM, Alan DeKok al...@deployingradius.com wrote:
> Scott McLane Gardner wrote:
> > Okay, I followed the instructions in the certs README, created the CSR and got a certificate from GeoTrust. When I install it and try to start the server, I get the following error messages:
> >
> >     rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> >     rlm_eap_tls: Error reading private key file
>
> The password to the key file is wrong.
>
> Alan DeKok.

Doesn't it just use server.cnf to set the password for the key and the CSR?
Re: Certificates not working
Scott McLane Gardner wrote:
> Doesn't it just use server.cnf to set the password for the key and the CSR?

To *make* the certificates, yes.

For EAP, you need to configure the passwords in eap.conf. This is documented.

server.cnf is an OpenSSL configuration file. FreeRADIUS doesn't read OpenSSL configuration files.

Alan DeKok.
Re: Certificates not working
Hi,

> Doesn't it just use server.cnf to set the password for the key and the CSR?

server.cnf is for OpenSSL - applications such as FreeRADIUS and Apache have their own configuration files for private certificate keys etc - eap.conf in your case

alan
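The three replies above (the password to the key file is wrong; the password FreeRADIUS uses is the one in eap.conf, not server.cnf) suggest a check worth running before editing eap.conf: decrypt the key with the candidate passphrase the same way rlm_eap_tls will. Here is that check as an added Python example, not code from the thread or from FreeRADIUS. It drives the openssl CLI through subprocess and assumes openssl is on PATH; the key, passphrases and paths are constructed in a temporary directory. "whatever" is used because it is the placeholder passphrase the stock raddb certs/*.cnf files and the eap.conf private_key_password setting ship with.

```python
import os
import subprocess
import tempfile


def make_encrypted_key(path: str, passphrase: str) -> None:
    """Constructed stand-in for certs/server.key: an AES-256 encrypted RSA key,
    generated the way the certs Makefile's openssl commands would."""
    subprocess.run(
        ["openssl", "genrsa", "-aes256", "-passout", "pass:" + passphrase,
         "-out", path, "2048"],
        check=True, capture_output=True,
    )


def key_opens_with(path: str, passphrase: str) -> tuple:
    """Try to read the key with a given passphrase.

    This is what the server does at start-up with private_key_password. A wrong
    passphrase produces the same 'bad decrypt' error Scott saw; the exact error
    string differs between OpenSSL versions, so only the exit status is trusted.
    Returns (ok, stderr_text).
    """
    result = subprocess.run(
        ["openssl", "rsa", "-in", path, "-passin", "pass:" + passphrase, "-noout"],
        capture_output=True, text=True,
    )
    return result.returncode == 0, result.stderr


def preflight(path: str, passphrase_from_eap_conf: str) -> str:
    """Verdict for one (key file, candidate passphrase) pair."""
    ok, err = key_opens_with(path, passphrase_from_eap_conf)
    if ok:
        return "ok"
    reason = "bad decrypt" if "bad decrypt" in err else "openssl refused the key"
    return "rejected (" + reason + ")"


def demo() -> tuple:
    """Generate a key encrypted with 'whatever', then test a right and a wrong
    passphrase. Returns the two verdicts without their reason text."""
    with tempfile.TemporaryDirectory() as workdir:
        key = os.path.join(workdir, "server.key")    # constructed path
        make_encrypted_key(key, "whatever")
        right = preflight(key, "whatever")
        wrong = preflight(key, "not-the-passphrase")
        return right.split(" ")[0], wrong.split(" ")[0]


if __name__ == "__main__":
    print(demo())   # ('ok', 'rejected')
```

If the check passes for the passphrase you intend to use, the remaining places to look are the private_key_file path in eap.conf and the file's ownership, since a readable-but-wrong key and an unreadable key fail with different rlm_eap_tls messages than the one in this thread.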
Re: Certificates not working
> FreeRADIUS doesn't read OpenSSL configuration files.
>
> Alan DeKok.

Gosh, I feel like a dummy. Thanks.
radius.log rotation
Hi,

How can we rotate the radius.log file?

-Shreya.
Re: Creating Certificates for EAP
Check if you have server.cnf, ca.cnf and client.cnf in the certs directory. If yes, run bootstrap; to make the client cert, run make client.

On Wed, Mar 14, 2012 at 8:09 PM, suggestme suggest...@hotmail.com wrote:
> I tried:
>
>     openssl dhparam -out dh 1024
>
> as you suggested and the dh file is created as below:
>
>     # openssl dhparam -out dh 1024
>     Generating DH parameters, 1024 bit long safe prime, generator 2
>     This is going to take a long time
>     ...+...++...+...+...+.+++...+..+..+.+.++*++*++*
>
> Inside the dh file I can see:
>
>     -----BEGIN DH PARAMETERS-----
>     MIGHAoGBAKUwai2pBXG3jEBbBRk08wDTE+l0m6USXQcq5AF1FMM/3RxFOZvfgotu
>     qEqQJAYvUawmG2JScnPqPNeP2kHOCPyGrtCgAeXXKu0kbN8liniRLWpvUoy9LlJE
>     XMr0RyuNUJFUvnBdGL8Hup5X7pqIezIKTpvrgGmnNze+tytw8ZkjAgEC
>     -----END DH PARAMETERS-----
>
> *Does this mean my OpenSSL is ok?*
>
> I have used make install to install ports in FreeBSD and this command works and everything has been working well till now. I have already configured Freeradius for the users in Active Directory; everything is working perfectly for the other authentication methods. Should I try the make install command instead of make or ./bootstrap inside the /usr/local/etc/raddb/certs directory?
>
> Thanks
Re: Help - ASN-GW throwing error - Validation of attributes failed
On Thu, Mar 15, 2012 at 12:21 PM, Rathod Subhashchandra rat...@tataelxsi.co.in wrote:
> Wireshark logs @ ASN-GW
> I could not attach wireshark pcap logs due to size constraints. I have taken a print screen of only the ACCESS-ACCEPT message, copied to MS Word.

While that information might be interesting for ASN support/list/forum, this list is not it.

> What are the mandatory fields in Access-Accept and their valid values?
> Service-Type attribute value is 2. ASN-GW is adding this attribute. Is this valid for EAP-TLS? I am guessing this should be 8. I don’t have control over ASN-GW parameters modification.
> Please let me know what fields are invalid in the above ACCESS-ACCEPT.

Did you try asking the NAS vendor? If you know what attributes are needed, you can configure FR to send them. If you don't know what they are, then you should ask the NAS vendor, or at least read its documentation.

-- 
Fajar
Re: radius.log rotation
On Thu, Mar 15, 2012 at 11:21 AM, Shreya Shah shreya.ns...@gmail.com wrote:
> Hi,
> How can we rotate the radius.log file?

Depends on how you installed it. Distro-bundled ones should already have a logrotate config set up in /etc/logrotate.d. If you install it from source, see the included examples in the source tarball. For example, redhat/freeradius-logrotate

-- 
Fajar
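For a source install without a packaged logrotate file, here is a logrotate configuration added as an example. It is modelled on the kind of file Fajar points to (redhat/freeradius-logrotate) but is not a copy of it and not part of the FreeRADIUS distribution; the log path assumes the Red Hat packaging layout (logdir = /var/log/radius) and the retention numbers are this example's own choices.

```logrotate
# Constructed example: drop into /etc/logrotate.d/ (e.g. as "radiusd").
# Path assumes logdir = /var/log/radius in radiusd.conf; adjust to match.
/var/log/radius/radius.log {
    daily
    rotate 60            # keep ~two months; radius.log records who authenticated when
    missingok            # a missing file is not an error
    notifempty           # do not rotate an empty log
    compress
    delaycompress        # leave the newest rotated copy uncompressed for grep
    copytruncate         # radiusd keeps the file open: copy, then truncate in place,
                         # instead of signalling the daemon. Lines written between
                         # the copy and the truncate can be lost.
}
```

Rotated copies inherit the original file's mode, so the 0640-style permissions set on radius.log (it names users and NAS addresses) carry over without a separate create directive; with copytruncate a create line would be ignored anyway.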