Re: radlogin works, mobile device not
On Tue, Sep 11, 2012 at 1:30 PM, Mihajlo Joksimovic wrote:
> Personally I want freeradius just to work with iPhones or other devices.

It should. If you don't break the configuration.

> But the debug mode doesn't show any try to connect to LDAP.

Have you upgraded? Have you configured sites-available/inner-tunnel? Do you have a line that says "ldap" inside the authorize section of sites-available/inner-tunnel?

--
Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radlogin works, mobile device not
Personally I want freeradius just to work with iPhones or other devices. But the debug mode doesn't show any try to connect to LDAP.

rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197
        Message-Authenticator = 0xb75eef411ae5dd032df4d51d75b5174e
        Service-Type = Framed-User
        User-Name = "nadine.bosshard"
        Framed-MTU = 1488
        Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
        Calling-Station-Id = "9803D861E85C"
        NAS-Identifier = "aptcsvo02"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0214016e6164696e652e626f737368617264
        NAS-IP-Address = 10.119.12.2
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client aptcsvo02 port 1 cli 9803D861E85C)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197
Waiting to send Access-Reject to client aptcsvo02 port 1313 - ID: 19
Sending delayed reject for request 1
Sending Access-Reject of id 19 to 10.119.12.2 port 1313
Waking up in 4.9 seconds.
Cleaning up request 1 ID 19 with timestamp +53655
Ready to process requests.

rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20, length=197
        Message-Authenticator = 0x0893415ae4d24bc109a2109f68e2035b
        Service-Type = Framed-User
        User-Name = "nadine.bosshard"
        Framed-MTU = 1488
        Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
        Calling-Station-Id = "9803D861E85C"
        NAS-Identifier = "aptcsvo02"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0214016e6164696e652e626f737368617264
        NAS-IP-Address = 10.119.12.2
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client aptcsvo02 port 1 cli 9803D861E85C)
Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20, length=197
Waiting to send Access-Reject to client aptcsvo02 port 1314 - ID: 20
Sending delayed reject for request 2
Sending Access-Reject of id 20 to 10.119.12.2 port 1314
Waking up in 4.9 seconds.
Cleaning up request 2 ID 20 with timestamp +53680
Ready to process requests.

I have now configured the whole thing anew. But I don't find any entries in the logs which give me a hint what my problem with LDAP is...

Thanks for the help...

Mihajlo Joksimovic

On 09/07/2012 04:41 PM, Fajar A. Nugraha wrote:
> On Fri, Sep 7, 2012 at 8:37 PM, Mihajlo Joksimovic wrote:
>> ii freeradius 2.0.4+dfsg-6.61.201011221519 a high-performance and highly configurable R
>>
>> it's version 2.0.4.
> Upgrade.
>
>> well i deactivated inner tunnel and configured everything in default. is
>> that wrong?
> If you want to use EAP, it's VERY wrong.
>

--
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer
Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33
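In the debug output above the outer authorize section ends at `++[unix] returns reject`, so no ldap instance is ever reached. The following Python helper is an added example, not code from the thread or from FreeRADIUS: it parses the `++[module] returns rcode` lines of `freeradius -X` output, reports the module calls per section, the first module that returned reject, and whether an instance with a given name was called at all. The embedded sample is an excerpt of the request id=19 trace posted above.

```python
import re

# Excerpt of the freeradius -X output posted above (request id=19),
# trimmed to the lines that matter for the module trace.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197
        User-Name = "nadine.bosshard"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client aptcsvo02 port 1 cli 9803D861E85C)
+- entering group REJECT
++[attr_filter.access_reject] returns updated
"""

GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+\+\[([\w.\-]+)\] returns (\w+)")

def trace_request(debug_text, wanted="ldap"):
    """Per-section module calls, the first module returning 'reject' (the
    section stops there, so later modules never run), and whether an
    instance named `wanted` was called.  Matching is by instance name, so
    an ldap instance called e.g. "ucsbnetid" needs wanted="ucsbnetid"."""
    summary = {"sections": {}, "first_reject": None, "wanted_called": False}
    section = None
    for line in debug_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            section = m.group(1)
            summary["sections"].setdefault(section, [])
            continue
        m = MODULE_RE.match(line)
        if m and section is not None:
            module, rcode = m.group(1), m.group(2)
            summary["sections"][section].append((module, rcode))
            if module.split(".")[0] == wanted:
                summary["wanted_called"] = True
            if rcode == "reject" and summary["first_reject"] is None:
                summary["first_reject"] = (section, module)
    return summary

if __name__ == "__main__":
    s = trace_request(SAMPLE_DEBUG)
    print("first reject:", s["first_reject"], "| ldap called:", s["wanted_called"])
```

Run it on a full `freeradius -X` capture one request at a time; a `first_reject` in authorize before any ldap call is the pattern the thread shows.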
Re: LDAP module file using localhost instead of external?
On 09/10/2012 11:47 PM, Jennifer Mehl wrote:
> Here is the output of freeradius -X showing part of the file being read but then ignored?:

It doesn't look to me like it's ignoring it, which in any event the server doesn't do. It looks like it's just a different file. It's not just the hostname that is different. For example:

> Module: Instantiating module "ucsbnetid" from file /etc/freeradius/modules/ldap
> server = "localhost"
> filter = "(uid=%u)"
> base_filter = "(objectclass=radiusprofile)"

> Here is my /etc/freeradius/modules/ldap file (password obfuscated):
> server = "directory.ucsb.edu"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=ucsbperson)"
> #base_filter = "(objectclass=radiusprofile)"

...amongst (many) others. You *can't* be editing the same file. Do you have chroot or jails or similar in use, and if so are you editing the file inside the chroot/jail or outside? Are you sure you're not leaving backup "file~" from editors in the directory?
LDAP module file using localhost instead of external?
Hello,

I have an existing FreeRADIUS setup that is working quite well to authenticate/authorize users for WPA2 wireless to our smbpasswd file. This is 2.1.10+dfsg-2 on Debian Squeeze.

I've recently acquired a "captive portal" network device that we are going to use for our guest wireless users. I'm in the process of setting up FreeRADIUS for authentication to our campus' LDAP server. I've verified connectivity to the server using the OpenLDAP ldapsearch tools from the same host.

However, when I define the server in the /etc/freeradius/modules/ldap file, it doesn't appear to be read properly by FreeRADIUS, which is defaulting to 'localhost' instead of our directory server, directory.ucsb.edu, which is defined in the module file.

Here is the output of freeradius -X showing part of the file being read but then ignored?:

Module: Linked to module rlm_ldap
Module: Instantiating module "ucsbnetid" from file /etc/freeradius/modules/ldap
  ldap ucsbnetid {
        server = "localhost"
        port = 389
        password = ""
        identity = ""
        net_timeout = 1
        timeout = 4
        timelimit = 3
        tls_mode = no
        start_tls = no
        tls_require_cert = "allow"
        tls {
                start_tls = no
                require_cert = "allow"
        }
        basedn = "o=notexist"
        filter = "(uid=%u)"
        base_filter = "(objectclass=radiusprofile)"
        auto_header = no
        access_attr_used_for_allow = yes
        groupname_attribute = "cn"
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        dictionary_mapping = "/etc/freeradius/ldap.attrmap"
        ldap_debug = 40
        ldap_connections_number = 5
        compare_check_items = no
        do_xlat = yes
        edir_account_policy_check = no
        set_auth_type = yes
  }

Here is my /etc/freeradius/modules/ldap file (password obfuscated):

ldap ucsbnetid {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "directory.ucsb.edu"
        identity = "uid=chemrad,o=ucsb"
        password =
        basedn = "o=ucsb"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=ucsbperson)"
        #base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  This subsection configures the tls related items
        #  that control how FreeRADIUS connects to an LDAP
        #  server.  It contains all of the "tls_*" configuration
        #  entries used in older versions of FreeRADIUS.  Those
        #  configuration entries can still be used, but we recommend
        #  using these.
        #
        tls {
                # Set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                #
                # The StartTLS operation is supposed to be
                # used with normal ldap connections instead of
                # using ldaps (port 689) connections
                start_tls = no

                # cacertfile = /path/to/cacert.pem
                # cacertdir = /path/to/ca/dir/
                # certfile = /path/to/radius.crt
                # keyfile = /path/to/radius.key
                # randfile = /path/to/rnd

                #  Certificate Verification requirements.  Can be:
                #    "never" (don't even bother trying)
                #    "allow" (try, but don't fail if the cerificate
                #             can't be verified)
                #    "demand" (fail if the certificate doesn't verify.)
                #
                # The default is "allow"
                # require_cert = "demand"
        #
        # seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1
        # }

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${confdir}/ldap.attrmap

        # Set password_attribute = nspmPassword to get the
        # user
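The reply above points at a second copy of the module file being read, for instance an editor backup left in the modules directory. The following Python helper is an added example, not code from this thread or from FreeRADIUS: given the contents of a modules directory as {path: text}, it flags file names that look like editor backups and any `ldap <name> {` instance that is defined in more than one file, together with the server, basedn and filter each copy sets, so the two definitions can be compared against what `freeradius -X` prints. The sample directory contents are constructed from the values quoted in this thread.

```python
import os
import re

# Constructed sample of a modules/ directory: the edited file plus the
# editor backup the reply suggests looking for, each defining "ldap ucsbnetid".
SAMPLE_FILES = {
    "/etc/freeradius/modules/ldap": '''
ldap ucsbnetid {
        server = "directory.ucsb.edu"
        basedn = "o=ucsb"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
''',
    "/etc/freeradius/modules/ldap~": '''
ldap ucsbnetid {
        server = "localhost"
        basedn = "o=notexist"
        filter = "(uid=%u)"
}
''',
}

INSTANCE_RE = re.compile(r"^\s*ldap\s+(\S+)\s*\{", re.M)
SETTING_RE = re.compile(r'^\s*(server|basedn|filter)\s*=\s*"?([^"\n]*)"?', re.M)
BACKUP_RE = re.compile(r"(~|\.bak|\.orig|\.swp)$|^#.*#$")  # common editor leftovers

def find_ldap_instances(files):
    """Map each `ldap <name> {` instance to [(path, settings), ...].
    Assumes the instance's closing brace sits at the start of a line."""
    found = {}
    for path, text in files.items():
        for m in INSTANCE_RE.finditer(text):
            body = text[m.end():]
            end = body.find("\n}")
            body = body if end < 0 else body[:end]
            found.setdefault(m.group(1), []).append((path, dict(SETTING_RE.findall(body))))
    return found

def report(files):
    """Backup-looking file names and instance names defined in more than one file."""
    backups = sorted(p for p in files if BACKUP_RE.search(os.path.basename(p)))
    conflicts = {n: d for n, d in find_ldap_instances(files).items() if len(d) > 1}
    return {"backup_files": backups, "conflicting_instances": conflicts}

def scan_directory(directory):
    """Read every regular file in a real modules directory into {path: text}."""
    paths = (os.path.join(directory, n) for n in os.listdir(directory))
    return {p: open(p, encoding="utf-8", errors="replace").read()
            for p in paths if os.path.isfile(p)}
```

On a live system call `report(scan_directory("/etc/freeradius/modules"))`; when the server runs in a chroot, point it at the directory inside the chroot as well.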
Version 2.2.0 is released: upgrade NOW
We're happy (and sad) to announce 2.2.0. It's been a year since the last release, so it's needed.

However, this release announces an issue with unknown certificates in EAP-TLS, PEAP, and EAP-TTLS. Some certificates can overflow a field in the server, causing a crash. See:

  http://freeradius.org/security.html

Everyone should upgrade to 2.2.0 immediately, or obtain a patched version from their vendor.

Sorry for the issue. We'll take care to run Coverity more often in the future.

FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
  Feature improvements
  * 100% configuration file compatible with 2.1.x. The only fix needed is to disallow "hashsize=0" for rlm_passwd
  * Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware, Redback, and Mikrotik dictionaries
  * Switch to using SHA1 for certificate digests instead of MD5. See raddb/certs/*.cnf
  * Added copyright statements to the dictionaries, so that we know when people are using them.
  * Better documentation for radrelay and detail file writer. See raddb/modules/radrelay and raddb/radrelay.conf
  * Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
  * Added -F to radwho
  * Added query timeouts to MySQL driver. Patch from Brian De Wolf.
  * Add /etc/default/freeradius to debian package. Patch from Matthew Newton
  * Finalize DHCP and DHCP relay code. It should now work everywhere. See raddb/sites-available/dhcp, src_ipaddr and src_interface.
  * DHCP capabilities are now compiled in by default. It runs as a DHCP server ONLY when manually enabled.
  * Added one letter expansions: %G - request minute and %I request ID.
  * Added script to convert ISC DHCP lease files to SQL pools. See scripts/isc2ippool.pl
  * Added rlm_cache to cache arbitrary attributes.
  * Added max_use to rlm_ldap to force connection to be re-established after a given number of queries.
  * Added configtest option to Debian init scripts, and automatic config test on restart.
  * Added cache config item to rlm_krb5. When set to "no" ticket caching is disabled which may increase performance.

  Bug fixes
  * Fix CVE-2012-3547. All users of 2.1.10, 2.1.11, 2.1.12, and 802.1X should upgrade immediately.
  * Fix typo in detail file writer, to skip writing if the packet was read from this detail file.
  * Free cached replies when closing resumed SSL sessions.
  * Fix a number of issues found by Coverity.
  * Fix memory leak and race condition in the EAP-TLS session cache. Thanks to Phil Mayers for tracking down OpenSSL APIs.
  * Restrict ATTRIBUTE names to character sets that make sense.
  * Fix EAP-TLS session Id length so that OpenSSL doesn't get excited.
  * Fix SQL IPPool logic for non-timer attributes. Closes bug #181
  * Change some informational messages to DEBUG rather than error.
  * Portability fixes for FreeBSD. Closes bug #177
  * A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols nonsense.
  * Safely handle extremely long lines in conf file variable expansion
  * Fix for Debian bug #606450
  * Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
  * The passwd module no longer permits "hashsize = 0". Setting that is pointless for a host of reasons. It will also break the server.
  * Fix proxied inner-tunnel packets sometimes having zero authentication vector. Found by Brian Julin.
  * Added $(EXEEXT) to Makefiles for portability. Closes bug #188.
  * Fix minor build issue which would cause rlm_eap to be built twice.
  * When using "status_check=request" for a home server, the username and password must be specified, or the server will not start.
  * EAP-SIM now calculates keys from the SIM identity, not from the EAP-Identity. Changing the EAP type via NAK may result in identities changing. Bug reported by Microsoft EAP team.
  * Use home server src_ipaddr when sending Status-Server packets
  * Decrypt encrypted ERX attributes in CoA packets.
  * Fix registration of internal xlat's so %{mschap:...} doesn't disappear after a HUP.
  * Can now reference tagged attributes in expansions. e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
  * Correct calculation of Message-Authenticator for CoA and Disconnect replies. Patch from Jouni Malinen
  * Install rad_counter, for managing rlm_counter files.
  * Add unique index constraint to all SQL flavours so that alternate queries work correctly.
  * The TTLS diameter decoder is now more lenient. It ignores unknown attributes, instead of rejecting the TTLS session.
  * Use "globfree" in detail file reader. Prevents very slow leak. Closes bug #207.
  * Operator =~ shouldn't copy the attribute, like :=. It should instead behave more like ==.
  * Build main Debian package without SQL dependencies
  * Use max_queue_size in threading code
  * Update permissions in raddb/sql/postgresql/admin.sql
  * Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL wouldn't use methods it knew about.
  * Add more sanity checks in dynamic_clients code so the server won't crash if it attempts to lo
Re: using gmail as openid for wiki access ?
On 10 Sep 2012, at 09:01, Fred wrote:
> Hi freeradius-user,
>
> Is it possible to use my gmail account to authenticate on the wiki
> using openid ?
> If yes, howto do it ?
>

By consulting the google docs?

Honestly I never got it to work properly either, but other people have used OpenID with their own servers. If you're having issues just create a GitHub account.

-Arran
using gmail as openid for wiki access ?
Hi freeradius-user,

Is it possible to use my gmail account to authenticate on the wiki using openid ?
If yes, how to do it ?

Best regards,
Fred MAISON