Re: radlogin works, mobile device not

2012-09-10 Thread Fajar A. Nugraha
On Tue, Sep 11, 2012 at 1:30 PM, Mihajlo Joksimovic
 wrote:
> Personally I want freeradius just to work with iPhones or other devices.

It should. If you don't break the configuration.

>
> But the debug mode doesn't show any try to connect to LDAP.

Have you upgraded?
Have you configured sites-available/inner-tunnel?
Do you have a line that says "ldap" inside the authorize section of
sites-available/inner-tunnel?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: radlogin works, mobile device not

2012-09-10 Thread Mihajlo Joksimovic
Personally I want freeradius just to work with iPhones or other devices.

But the debug mode doesn't show any try to connect to LDAP.

rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19,
length=197
Message-Authenticator = 0xb75eef411ae5dd032df4d51d75b5174e
Service-Type = Framed-User
User-Name = "nadine.bosshard"
Framed-MTU = 1488
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
Calling-Station-Id = "9803D861E85C"
NAS-Identifier = "aptcsvo02"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0214016e6164696e652e626f737368617264
NAS-IP-Address = 10.119.12.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client
aptcsvo02 port 1 cli 9803D861E85C)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19,
length=197
Waiting to send Access-Reject to client aptcsvo02 port 1313 - ID: 19
Sending delayed reject for request 1
Sending Access-Reject of id 19 to 10.119.12.2 port 1313
Waking up in 4.9 seconds.
Cleaning up request 1 ID 19 with timestamp +53655
Ready to process requests.
rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20,
length=197
Message-Authenticator = 0x0893415ae4d24bc109a2109f68e2035b
Service-Type = Framed-User
User-Name = "nadine.bosshard"
Framed-MTU = 1488
Called-Station-Id = "204E7FE98EF3:TCSVO-Intern"
Calling-Station-Id = "9803D861E85C"
NAS-Identifier = "aptcsvo02"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0214016e6164696e652e626f737368617264
NAS-IP-Address = 10.119.12.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm
NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client
aptcsvo02 port 1 cli 9803D861E85C)
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> nadine.bosshard
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 10.119.12.2 port 1314, id=20,
length=197
Waiting to send Access-Reject to client aptcsvo02 port 1314 - ID: 20
Sending delayed reject for request 2
Sending Access-Reject of id 20 to 10.119.12.2 port 1314
Waking up in 4.9 seconds.
Cleaning up request 2 ID 20 with timestamp +53680
Ready to process requests.

I have now configured the whole thing anew.
But I don't find any entries in the logs that give me a hint what my
problem with LDAP is...

Thanks for the help...

Mihajlo Joksimovic

On 09/07/2012 04:41 PM, Fajar A. Nugraha wrote:
> On Fri, Sep 7, 2012 at 8:37 PM, Mihajlo Joksimovic
>  wrote:
>> ii  freeradius
>> 2.0.4+dfsg-6.61.201011221519   a high-performance and highly
>> configurable R
>>
>> it's version 2.0.4.
> Upgrade.
>
>> well i deactivated inner tunnel and configured everything in default. is
>> that wrong?
> If you want to use EAP, it's VERY wrong.
>

-- 
Adfinis SyGroup AG
Mihajlo Joksimovic, System Engineer

Güterstrasse 86 | CH-4053 Basel
Tel. 061 333 80 33



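Fajar's questions above boil down to "which module rejected the request, and did ldap ever run?". The Python below is an added example, not code from this thread or from the FreeRADIUS project, that pulls exactly that out of a radiusd -X log: it splits the log into Access-Requests (a second rad_recv with the same id from the same client, as happens above while the delayed reject is pending, is counted as a retransmit rather than a new request), records the module return codes per group, and keeps the rlm_* lines printed just before each module result as that module's explanation. SAMPLE_DEBUG is constructed from the log posted in this thread; the expected module list ("ldap") is an assumption taken from Fajar's question.

```python
import re

# Constructed from the radiusd -X log in this thread: one Access-Request,
# the retransmit that arrives with the same id while the reject is delayed,
# and the module results in between.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197
User-Name = "nadine.bosshard"
NAS-Identifier = "aptcsvo02"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "nadine.bosshard", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 0 length 20
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_unix: [nadine.bosshard]: invalid shell [/bin/false]
++[unix] returns reject
Invalid user: [nadine.bosshard/] (from client aptcsvo02 port 1 cli 9803D861E85C)
  Found Post-Auth-Type Reject
+- entering group REJECT
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
rad_recv: Access-Request packet from host 10.119.12.2 port 1313, id=19, length=197
Sending Access-Reject of id 19 to 10.119.12.2 port 1313
"""

RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MODULE_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)")
REASON_RE = re.compile(r"^rlm_\w+: (.*)$")


def parse_requests(text):
    """Split a -X log into Access-Requests.  For each one record, per group
    (authorize, REJECT, ...), the ordered (module, rcode) results, plus the
    rlm_* debug lines printed just before each result, which are that module's
    own explanation.  A repeated rad_recv with the same id from the same client
    is counted as a retransmit, not a new request."""
    requests = []
    current = None
    group = None
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            client, rid = m.group(1), int(m.group(2))
            if current is not None and (current["client"], current["id"]) == (client, rid):
                current["retransmits"] += 1
                continue
            current = {"id": rid, "client": client, "groups": {}, "reasons": {}, "retransmits": 0}
            requests.append(current)
            group, pending = None, []
            continue
        if current is None:
            continue
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            current["groups"].setdefault(group, [])
            continue
        m = REASON_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = MODULE_RE.match(line)
        if m and group is not None:
            module, rcode = m.group(1), m.group(2)
            current["groups"][group].append((module, rcode))
            if pending:
                current["reasons"][module] = pending
                pending = []
    return requests


def diagnose(request, expected=("ldap",)):
    """Which module in authorize produced the reject, what it said, and which
    modules you expected to see there (assumed: the ldap Fajar asked about)
    never ran at all."""
    authorize = request["groups"].get("authorize", [])
    ran = [module for module, _ in authorize]
    rejecting = next((module for module, rcode in authorize if rcode == "reject"), None)
    return {
        "id": request["id"],
        "client": request["client"],
        "rejected_by": rejecting,
        "reason": request["reasons"].get(rejecting, []),
        "never_ran": [module for module in expected if module not in ran],
        "retransmits": request["retransmits"],
    }


if __name__ == "__main__":
    import sys
    # Usage: python this.py radiusd-X.log   (no argument: the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    for req in parse_requests(text):
        print(diagnose(req))
```

On the sample this reports request 19 rejected by "unix" with the invalid-shell message, and "ldap" in never_ran, which is the same thing Fajar is asking for, only without reading the whole log by eye.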

Re: LDAP module file using localhost instead of external?

2012-09-10 Thread Phil Mayers

On 09/10/2012 11:47 PM, Jennifer Mehl wrote:
> Here is the output of freeradius -X showing part of the file being read but
> then ignored?:

It doesn't look to me like it's ignoring it, which in any event the 
server doesn't do. It looks like it's just a different file. It's not 
just the hostname that is different. For example:

>   Module: Instantiating module "ucsbnetid" from file
> /etc/freeradius/modules/ldap
> server = "localhost"
> filter = "(uid=%u)"
> base_filter = "(objectclass=radiusprofile)"

> Here is my /etc/freeradius/modules/ldap file (password obfuscated):
>
> server = "directory.ucsb.edu"
> filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> base_filter = "(objectclass=ucsbperson)"
> #base_filter = "(objectclass=radiusprofile)"

...amongst (many) others.

You *can't* be editing the same file. Do you have chroot or jails or 
similar in use, and if so are you editing the file inside the 
chroot/jail or outside? Are you sure you're not leaving backup "file~" 
from editors in the directory?

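Phil's point is that the values the running server reports for "ucsbnetid" and the file being edited differ on more than the hostname. Below is an added example (not code from this thread or from FreeRADIUS) that makes that check mechanical: a small parser for FreeRADIUS-style "key = value" sections that works on both the "Module: Instantiating" block of freeradius -X output and the on-disk modules file, plus a comparison that lists every key the file sets whose effective value differs. DEBUG_OUTPUT and ON_DISK_FILE are constructed from the excerpts in this thread (the password line is left out of both samples).

```python
import re
import sys

# Constructed from the thread: what `freeradius -X` printed when instantiating
# the module (the password line is left out of this sample).
DEBUG_OUTPUT = """\
 Module: Instantiating module "ucsbnetid" from file /etc/freeradius/modules/ldap
  ldap ucsbnetid {
server = "localhost"
port = 389
identity = ""
timeout = 4
   tls {
start_tls = no
require_cert = "allow"
   }
basedn = "o=notexist"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
  }
"""

# Constructed from the thread: the file the poster is editing.
ON_DISK_FILE = """\
ldap ucsbnetid {
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
   server = "directory.ucsb.edu"
   identity = "uid=chemrad,o=ucsb"
   basedn = "o=ucsb"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   base_filter = "(objectclass=ucsbperson)"
#base_filter = "(objectclass=radiusprofile)"

# seconds to wait for LDAP query to finish. default: 20
timeout = 4

tls {
start_tls = no
# require_cert  = "demand"
}
}
"""

KEY_RE = re.compile(r"^([\w.]+)\s*=\s*(.*)$")


def parse_config(text):
    """Flatten FreeRADIUS-style `key = value` sections into
    {"section/subsection/key": value}.  Comment and blank lines, and lines that
    are neither a brace nor an assignment (e.g. 'Module: Instantiating ...'),
    are skipped.  Surrounding double quotes are removed from values."""
    values = {}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if path:
                path.pop()
            continue
        # A section header looks like `ldap ucsbnetid {` or `tls {`; an
        # assignment whose value merely contains braces (xlat strings) has '='.
        if line.endswith("{") and "=" not in line:
            path.append(line[:-1].strip())
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            values["/".join(path + [key])] = value
    return values


def compare(effective, on_disk):
    """Keys the on-disk file sets whose value differs from what the running
    server reported.  Returns {key: (effective_value, on_disk_value)}."""
    return {key: (effective[key], value)
            for key, value in on_disk.items()
            if key in effective and effective[key] != value}


def report(effective, on_disk):
    """One line per mismatch; an empty list means the server is reading the
    file you think it is, at least for the keys it printed."""
    return ["%s: server has %r, file has %r" % (key, eff, disk)
            for key, (eff, disk) in sorted(compare(effective, on_disk).items())]


if __name__ == "__main__":
    # Usage: python this.py <saved -X output> <modules file>; with no
    # arguments the constructed samples from this thread are compared.
    if len(sys.argv) == 3:
        eff = parse_config(open(sys.argv[1]).read())
        disk = parse_config(open(sys.argv[2]).read())
    else:
        eff, disk = parse_config(DEBUG_OUTPUT), parse_config(ON_DISK_FILE)
    for line in report(eff, disk) or ["no mismatches"]:
        print(line)
```

On the samples it lists server, identity, basedn, filter and base_filter as differing while timeout and tls/start_tls agree; five independent keys disagreeing is what you would expect from two different files, not from one file being read badly. When you point it at a real -X capture, save just the "Instantiating module" block if the full output confuses the brace tracking.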


LDAP module file using localhost instead of external?

2012-09-10 Thread Jennifer Mehl
Hello,

I have an existing FreeRADIUS setup that is working quite well to 
authenticate/authorize users for WPA2 wireless to our smbpasswd file.  This is 
2.1.10+dfsg-2 on Debian Squeeze.

I've recently acquired a "captive portal" network device that we are going to 
use for our guest wireless users.  I'm in the process of setting up FreeRADIUS for 
authentication to our campus' LDAP server.  

I've verified connectivity to the server using the OpenLDAP ldapsearch tools 
from the same host.  However, when I define the server in the 
/etc/freeradius/modules/ldap file, it doesn't appear to be read properly by 
FreeRADIUS, which is defaulting to 'localhost' instead of our directory 
server, directory.ucsb.edu, which is defined in the module file.

Here is the output of freeradius -X showing part of the file being read but 
then ignored?:

 Module: Linked to module rlm_ldap
 Module: Instantiating module "ucsbnetid" from file /etc/freeradius/modules/ldap
  ldap ucsbnetid {
server = "localhost"
port = 389
password = ""
identity = ""
net_timeout = 1
timeout = 4
timelimit = 3
tls_mode = no
start_tls = no
tls_require_cert = "allow"
   tls {
start_tls = no
require_cert = "allow"
   }
basedn = "o=notexist"
filter = "(uid=%u)"
base_filter = "(objectclass=radiusprofile)"
auto_header = no
access_attr_used_for_allow = yes
groupname_attribute = "cn"
groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
dictionary_mapping = "/etc/freeradius/ldap.attrmap"
ldap_debug = 40
ldap_connections_number = 5
compare_check_items = no
do_xlat = yes
edir_account_policy_check = no
set_auth_type = yes
  }

Here is my /etc/freeradius/modules/ldap file (password obfuscated):

ldap ucsbnetid {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "directory.ucsb.edu"
    identity = "uid=chemrad,o=ucsb"
    password = 
    basedn = "o=ucsb"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    base_filter = "(objectclass=ucsbperson)"
    #base_filter = "(objectclass=radiusprofile)"

    #  How many connections to keep open to the LDAP server.
    #  This saves time over opening a new LDAP socket for
    #  every authentication request.
    ldap_connections_number = 5

    # seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    #  seconds LDAP server has to process the query (server-side
    #  time limit). default: 20
    #
    #  LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    #  This subsection configures the tls related items
    #  that control how FreeRADIUS connects to an LDAP
    #  server.  It contains all of the "tls_*" configuration
    #  entries used in older versions of FreeRADIUS.  Those
    #  configuration entries can still be used, but we recommend
    #  using these.
    #
    tls {
        # Set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        #
        # The StartTLS operation is supposed to be
        # used with normal ldap connections instead of
        # using ldaps (port 636) connections
        start_tls = no

        # cacertfile = /path/to/cacert.pem
        # cacertdir  = /path/to/ca/dir/
        # certfile   = /path/to/radius.crt
        # keyfile    = /path/to/radius.key
        # randfile   = /path/to/rnd

        #  Certificate Verification requirements.  Can be:
        #    "never"  (don't even bother trying)
        #    "allow"  (try, but don't fail if the certificate
        #              can't be verified)
        #    "demand" (fail if the certificate doesn't verify.)
        #
        #  The default is "allow"
        # require_cert = "demand"

        #
        #  seconds to wait for response of the server. (network
        #  failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1

        #
    }

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    # access_attr = "dialupAccess"

    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    #  Set password_attribute = nspmPassword to get the
    #  user

Version 2.2.0 is released: upgrade NOW

2012-09-10 Thread Alan DeKok
  We're happy (and sad) to announce 2.2.0.  It's been a year since the
last release, so it's needed.

  However, this release announces an issue with unknown certificates in
EAP-TLS, PEAP, and EAP-TTLS.  Some certificates can overflow a field in
the server, causing a crash.  See:

http://freeradius.org/security.html

  Everyone should upgrade to 2.2.0 immediately, or obtain a patched
version from their vendor.

  Sorry for the issue.  We'll take care to run Coverity more often in
the future.


FreeRADIUS 2.2.0 Mon 10 Sep 2012 12:00:00 CEST, urgency=medium
Feature improvements
* 100% configuration file compatible with 2.1.x.
  The only fix needed is to disallow "hashsize=0" for rlm_passwd
* Update Aruba, Alcatel Lucent, APC, BT, PaloAlto, Pureware,
  Redback, and Mikrotik dictionaries
* Switch to using SHA1 for certificate digests instead of MD5.
  See raddb/certs/*.cnf
* Added copyright statements to the dictionaries, so that we know
  when people are using them.
* Better documentation for radrelay and detail file writer.
  See raddb/modules/radrelay and raddb/radrelay.conf
* Added TLS-Cert-Subject-Alt-Name-Email from patch by Luke Howard
* Added -F  to radwho
* Added query timeouts to MySQL driver.  Patch from Brian De Wolf.
* Add /etc/default/freeradius to debian package.
  Patch from Matthew Newton
* Finalize DHCP and DHCP relay code.  It should now work everywhere.
  See raddb/sites-available/dhcp, src_ipaddr and src_interface.
* DHCP capabilities are now compiled in by default.
  It runs as a DHCP server ONLY when manually enabled.
* Added one letter expansions: %G - request minute and %I request
  ID.
* Added script to convert ISC DHCP lease files to SQL pools.
  See scripts/isc2ippool.pl
* Added rlm_cache to cache arbitrary attributes.
* Added max_use to rlm_ldap to force connection to be re-established
  after a given number of queries.
* Added configtest option to Debian init scripts, and automatic
  config test on restart.
* Added cache config item to rlm_krb5. When set to "no" ticket
  caching is disabled which may increase performance.

Bug fixes
* Fix CVE-2012-3547.  All users of 2.1.10, 2.1.11, 2.1.12,
  and 802.1X should upgrade immediately.
* Fix typo in detail file writer, to skip writing if the packet
  was read from this detail file.
* Free cached replies when closing resumed SSL sessions.
* Fix a number of issues found by Coverity.
* Fix memory leak and race condition in the EAP-TLS session cache.
  Thanks to Phil Mayers for tracking down OpenSSL APIs.
* Restrict ATTRIBUTE names to character sets that make sense.
* Fix EAP-TLS session Id length so that OpenSSL doesn't get
  excited.
* Fix SQL IPPool logic for non-timer attributes.  Closes bug #181
* Change some informational messages to DEBUG rather than error.
* Portability fixes for FreeBSD.  Closes bug #177
* A much better fix for the _lt__PROGRAM__LTX_preloaded_symbols
  nonsense.
* Safely handle extremely long lines in conf file variable expansion
* Fix for Debian bug #606450
* Mutex lock around rlm_perl Clone routines. Patch from Eike Dehling
* The passwd module no longer permits "hashsize = 0".  Setting that
  is pointless for a host of reasons.  It will also break the server.
* Fix proxied inner-tunnel packets sometimes having zero authentication
  vector.  Found by Brian Julin.
* Added $(EXEEXT) to Makefiles for portability.  Closes bug #188.
* Fix minor build issue which would cause rlm_eap to be built twice.
* When using "status_check=request" for a home server, the username
  and password must be specified, or the server will not start.
* EAP-SIM now calculates keys from the SIM identity, not from the
  EAP-Identity.  Changing the EAP type via NAK may result in
  identities changing.  Bug reported by Microsoft EAP team.
* Use home server src_ipaddr when sending Status-Server packets
* Decrypt encrypted ERX attributes in CoA packets.
* Fix registration of internal xlat's so %{mschap:...} doesn't
  disappear after a HUP.
* Can now reference tagged attributes in expansions.
  e.g. %{Tunnel-Type:1} and %{Tunnel-Type:1[0]} now work.
* Correct calculation of Message-Authenticator for CoA and Disconnect
  replies.  Patch from Jouni Malinen
* Install rad_counter, for managing rlm_counter files.
* Add unique index constraint to all SQL flavours so that alternate
  queries work correctly.
* The TTLS diameter decoder is now more lenient.  It ignores
  unknown attributes, instead of rejecting the TTLS session.
* Use "globfree" in detail file reader.  Prevents very slow leak.
  Closes bug #207.
* Operator =~ shouldn't copy the attribute, like :=.  It should
  instead behave more like ==.
* Build main Debian package without SQL dependencies
* Use max_queue_size in threading code
* Update permissions in raddb/sql/postgresql/admin.sql
* Added OpenSSL_add_all_algorithms() to fix issues where OpenSSL
  wouldn't use methods it knew about.
* Add more sanity checks in dynamic_clients code so the server won't
  crash if it attempts to lo

Re: using gmail as openid for wiki access ?

2012-09-10 Thread Arran Cudbard-Bell

On 10 Sep 2012, at 09:01, Fred  wrote:

> Hi freeradius-user,
> 
> Is it possible to use my gmail account to authenticate on the wiki
> using openid?
> If yes, how to do it?
> 

By consulting the google docs? Honestly I never got it to work properly either, 
but other people have used OpenID with their own servers.

If you're having issues just create a GitHub account.

-Arran


using gmail as openid for wiki access ?

2012-09-10 Thread Fred
Hi freeradius-user,

Is it possible to use my gmail account to authenticate on the wiki
using openid?
If yes, how to do it?

Best regards,

Fred MAISON