FreeRadius error LDAP Authentication

2013-07-19 Thread Marco Aresu
Hi All,
I am new to FreeRADIUS. I am moving from Cisco ACS TACACS to FreeRADIUS.
During LDAP configuration I am getting the following error:

  [ldap] bind as cn="User",ou=people,dc="domain",dc=it/"Password" to
"ldapserver":636
  [ldap] waiting for bind result ...
  [ldap] cn="user",ou=people,dc="domain",dc=it bind to "ldapServer":636
failed No such object
  [ldap] (re)connection attempt failed

Any idea about the error?

Below is the LDAP configuration:

server = "ldapserver"
port = 636
identity = "cn="user",ou=people,dc="domain",dc=it"
password = "password"
basedn = "dc="domain",dc=it"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
base_filter = "(objectclass=groupofuniquenames)"


Thanks

Marco Aresu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius error LDAP Authentication

2013-07-19 Thread Peter Lambrechtsen
You shouldn't have quotes around your username or domain. You should use

identity = "cn=user,ou=people,dc=domain,dc=it"
On 19/07/2013 7:05 PM, "Marco Aresu"  wrote:

> Hi All,
> I am new to FreeRADIUS. I am moving from Cisco ACS TACACS to
> FreeRADIUS. During LDAP configuration I am getting the following error:
>
>   [ldap] bind as cn="User",ou=people,dc="domain",dc=it/"Password" to
> "ldapserver":636
>   [ldap] waiting for bind result ...
>   [ldap] cn="user",ou=people,dc="domain",dc=it bind to "ldapServer":636
> failed No such object
>   [ldap] (re)connection attempt failed
>
> Any idea about the error?
>
> Below the ldap configuration
>
> server = "ldapserver"
> port = 636
> identity = "cn="user",ou=people,dc="domain",dc=it"
> password = "password"
> basedn = "dc="domain",dc=it"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=groupofuniquenames)"
>
>
> Thanks
>
> Marco Aresu
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: Post Auth Configurations

2013-07-19 Thread Matthew Newton
On Thu, Jul 18, 2013 at 11:34:56AM -0500, Matt Zagrabelny wrote:
> I've got a similar question that dovetails into this discussion.
> Suppose I wanted to reject certain users and wanted the Reply-Message
> to be customized per user authenticating, but I want to ensure that I
> am not leaking the customized message. Is there a way to test the
> user/pw combo first and *then* perform unlang logic?

That's what the post-auth section is for.

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 


Re: certificate expiration problem

2013-07-19 Thread A . L . M . Buxey
Hi,

> I am trying to configure eap with some customized certificates, I have
> configured eap.config correctly.
> But I am getting the error of "certificate expired", although I have the
> latest certificates.

the certificate has expired. FreeRADIUS has no reason to lie.

check the startup output of 'radiusd -X' - look for when it loads the certs.
then use openssl to read those certs to see what the values are - server cert,
CA cert or client cert, whatever you're using, e.g.

openssl x509 -in server.pem -noout -text

alan


Re: certificate expiration problem

2013-07-19 Thread Muhammad Nadeem
thanks for your reply, but as I said the certificates are OK. Please see this log:

[tls] --> User-Name = 0026826172C4@test_cpe.com
[tls] --> BUF-Name = wi-tribe Pakistan Certification Authority
[tls] --> subject = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> issuer  = /C=PK/ST=Fedral Capital/L=Islamabad/O=wi-tribe Pakistan
limited/OU=Network Operations/CN=wi-tribe Pakistan Certification
Authority/emailAddress=pkwi...@pk.wi-tribe.com
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

thanks


On Fri, Jul 19, 2013 at 2:58 PM,  wrote:

> Hi,
>
> > I am trying to configure eap with some customized certificates, I have
> > configured eap.config correctly.
> > But I am getting the error of "certificate expired", although I have
> > the latest certificates.
>
> the certificate has expired. FreeRADIUS has no reason to lie.
>
> check the startup output of 'radiusd -X' - look for when it loads the
> certs.
> then use openssl to read those certs to see what the values are - server
> cert, CA cert or client cert, whatever you're using, e.g.
>
> openssl x509 -in server.pem -noout -text
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University

RE: certificate expiration problem

2013-07-19 Thread stefan.paetow
Have you opened the certificates you believe to be the latest in something else 
(like Windows perhaps) and checked that the expiry dates of these certificates 
are correct?

And have you checked that your server's time is correct too?

Stefan



2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Anja Ruckdaeschel
Hi, 

I'm wondering if I am missing something, or why Info messages about
Invalid-Message-Authenticator do not appear
in the default radius.log anymore? I can't even get them with

update control {
   Tmp-String-0 = "%{debug:7}"
}

in the log section of radiusd.conf.

It's only shown in debug mode with radiusd -X: 
 Info: Received packet from x.x.x.x with invalid Message-Authenticator! 
(Shared secret is incorrect.) Dropping packet without response.

Kind regards, Anja


Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread A . L . M . Buxey
Hi,

> I'm wondering if I am missing something, or why Info messages about
> Invalid-Message-Authenticator do not appear
> in the default radius.log anymore? I can't even get them with

such messages only appear in debug mode, as logging them to file could be a DoS

alan


Re: Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Anja Ruckdaeschel
But it DID appear in earlier versions of FreeRADIUS with default settings for
logging.

And I don't see the difference from something logging errors like

 Error: Ignoring request to authentication address * port 1812 from unknown
client x.x.x.x port 1092

regarding the mentioned DoS problem. 

We've been using logfile monitoring for years in order to find misconfigured NASes
of ours.
It seems we cannot do this with FreeRADIUS 2.2.0 anymore?

Anja

Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
Hello Everybody,

I am configuring my FreeRADIUS to be integrated in the eduroam federation.
It works when the VLAN (as configured in the access point) is statically 
assigned.

Now I would like to implement a "dynamic VLAN assignment" on a per-user basis;
in this case the Macintosh I am using for testing gets authenticated but is not 
able to get the IP address from DHCP (it shows as 169.254.120.248), so it remains 
isolated.

I carefully followed instructions (regarding the access point and FreeRADIUS) 
and searched the web for a possible reason, but unsuccessfully.

I am not sure the problem is not in the access point configuration (a Cisco 
AP1131AG); anyway the access point receives the indication to use the specified 
VLAN.

I would appreciate any suggestion you would like to provide.

Thanks and regards

Dario

P.S.: I know the request is quite generic, but I am ready to provide radius 
log, or configuration files.







Re: Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread A . L . M . Buxey
Hi,
> But it DID appear in earlier versions of FreeRADIUS with default settings for
> logging.
> 
> And I don't see the difference from something logging errors like
> 
>  Error: Ignoring request to authentication address * port 1812 from unknown
> client x.x.x.x port 1092
> 
> regarding the mentioned DoS problem. 
> 
> We've been using logfile monitoring for years in order to find misconfigured NASes
> of ours.
> It seems we cannot do this with FreeRADIUS 2.2.0 anymore?

if you don't like how it works and have a local use case, then just change
the code. it's only a few lines to log in normal mode rather than only when in
debug.

alan


Re: Dynamic vlan assignment

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 14:37, Dario Palmisano  wrote:

> Hello Everybody,
> 
> I am configuring my FreeRADIUS to be integrated in the eduroam federation.
> It works when the VLAN (as configured in the access point) is statically 
> assigned.
> 
> Now I would like to implement a "dynamic VLAN assignment" on a per-user basis;
> in this case the Macintosh I am using for testing gets authenticated but is not 
> able to get the IP address from DHCP (it shows as 169.254.120.248), so it remains 
> isolated.
> 
> I carefully followed instructions (regarding the access point and FreeRADIUS) 
> and searched the web for a possible reason, but unsuccessfully.
> 
> I am not sure the problem is not in the access point configuration (a Cisco 
> AP1131AG); anyway the access point receives the indication to use the 
> specified 
> VLAN.

You want to post the contents of an Access-Accept so we can check you're 
sending the correct attributes.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

> I am configuring my FreeRADIUS to be integrated in the eduroam federation.
> It works when the VLAN (as configured in the access point) is statically 
> assigned.

there are hundreds of sites using this sort of configuration for eduroam - so
it's perfectly possible and fine (and standard!) so you're going wrong somewhere.

so, that's the peace of mind part.  where has it gone wrong?   well,
firstly, is there DHCP etc on the VLAN this client is being dropped onto?
have you tested the network? what happens if the AP only handles that VLAN?

is this a 'fat/autonomous' AP? if so, then only the latest firmware can handle
multiple VLANs per 802.1X SSID with multiple BSSIDs present. are you returning
ALL the VLAN attributes needed to assign the VLAN on the AP?  not JUST the VLAN
number.. name, ah yes, are you sending NAME or VLAN in the VLAN tag? 

are you sending the replies from the tunnel = check eap.conf settings!

debug output helps a lot so yes, send it.

alan


Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 14:37, Dario Palmisano  wrote:
> > Hello Everybody,
> >
> > I am configuring my FreeRADIUS to be integrated in the eduroam
> > federation. It works when the VLAN (as configured in the access point) is
> > statically assigned.
> >
> > Now I would like to implement a "dynamic VLAN assignment" on a per-user
> > basis; in this case the Macintosh I am using for testing gets authenticated
> > but is not able to get the IP address from DHCP (it shows as
> > 169.254.120.248), so it remains isolated.
> >
> > I carefully followed instructions (regarding the access point and
> > FreeRADIUS) and searched the web for a possible reason, but
> > unsuccessfully.
> >
> > I am not sure the problem is not in the access point configuration (a
> > Cisco AP1131AG); anyway the access point receives the indication to use
> > the specified VLAN.
> 
> You want to post the contents of an Access-Accept so we can check you're
>  sending the correct attributes
> 
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
> 
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 

Here you can download the (almost complete) debug log. Near the end I added 
some text to make it evident when I disconnected.

http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

Thanks for your quick answer



Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 14:29, Anja Ruckdaeschel 
 wrote:

> But it DID appear in earlier versions of freeradius with default settings for
> logging.

Don't know. You're welcome to dig through the source to find out...

> 
> And I don´t see the difference to something logging Erros like
> 
> Error: Ignoring request to authentication address * port 1812 from unknown
> client x.x.x.x port 1092

Yep that shouldn't really be in there either. I believe the philosophy behind 
the main log is to only log server global errors and informational messages at 
the default level.

> regarding the mentioned DoS problem. 
> 
> We´re using a logfile monitoring for years in order to find misconfigured NAS
> of ours.

Not entirely sure how that's related to DoS. But ok... That's, um, interesting.

> Seems we cannot do this with freeradius 2.2.0 anymore?

You can however use the radmin socket to show invalid packet counters. If 
they're going up you've probably got a mis-configured NAS. The server also 
keeps stats on a per client basis too.

This is a much saner and more robust way of doing that. There's no guarantee 
that log message formats won't change, even between sub versions, and then your 
log monitoring system would be stuffed.

I'll talk to Alan D about it, I know triggers are rate limited in 3.0.0, I can 
actually see the utility in a client error trigger, there may even already be 
one. That'd be a much cleaner way to do what you want.

PS: The debug level only goes up to 4 :)

and you want "%{debug: 4}"
  ^ Note the space (I <3 monospaced fonts)
  
Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
You are right, I know!
On Friday 19 July 2013 15:52:43 a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
> 
> > I am configuring my freeradius to be integrated in the EDUROAM
> > federation. It works when the VLAN (as configured in the accesspoint) is
> > statically assigned.
> 
> there are hundreds of sites using this sort of configuration for eduroam -
>  so it's perfectly possible and fine (and standard!) so you're going wrong
>  somewhere.
> 
> so, that's the peace of mind part.  where has it gone wrong?   well,
> firstly, is there DHCP etc on the VLAN this client is being dropped onto?
> have you tested the network? what happens if the AP only handles that VLAN?
> 
The specific configuration works fine if I remove the following line from the 
users file:
Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

In this case the user is placed in VLAN 220 (the one statically configured in 
the access point).

> is this a 'fat/autonomous' AP? if so, then only the latest firmware can handle
>  multiple VLANs per 802.1X SSID with multiple BSSIDs present.

This could be the problem; I found something in the Cisco documentation but 
was unsure the problem could be this. The access point is running

Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JDA3, 
RELEASE SOFTWARE (fc1)

I will try to verify what you say on the Cisco site. My access points are End 
Of Life; I do not know if any new IOS version has been developed to eventually 
correct the problem you mention.

>  are you
>  returning ALL the VLAN attributes needed to assign the VLAN on the AP?  not
>  JUST the VLAN number.. name, ah yes, are you sending NAME or VLAN in the
>  VLAN tag?

number
> 
> are you sending the replies from the tunnel = check eap.conf settings!

eap.conf (in peap stanza) says:

copy_request_to_tunnel = yes
use_tunneled_reply = yes


> 
> debug output helps a lot so yes, send it.
> 
> alan
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 

Thanks for your directions (many)

Dario


Re: Dynamic vlan assignment

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 15:10, Dario Palmisano  wrote:

> On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
>> On 19 Jul 2013, at 14:37, Dario Palmisano  wrote:
>>> Hello Everybody,
>>> 
>>> I am configuring my FreeRADIUS to be integrated in the eduroam
>>> federation. It works when the VLAN (as configured in the access point) is
>>> statically assigned.
>>> 
>>> Now I would like to implement a "dynamic VLAN assignment" on a per-user
>>> basis; in this case the Macintosh I am using for testing gets authenticated
>>> but is not able to get the IP address from DHCP (it shows as
>>> 169.254.120.248), so it remains isolated.
>>> 
>>> I carefully followed instructions (regarding the access point and
>>> FreeRADIUS) and searched the web for a possible reason, but
>>> unsuccessfully.
>>> 
>>> I am not sure the problem is not in the access point configuration (a
>>> Cisco AP1131AG); anyway the access point receives the indication to use
>>> the specified VLAN.
>> 
>> You want to post the contents of an Access-Accept so we can check you're
>> sending the correct attributes
>> 
>> Arran Cudbard-Bell 
>> FreeRADIUS Development Team
>> 
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>> 
> 
> Here you can download the (almost complete) debug log. Near the end I added a 
> text to make evident when I disconnected.
> 
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

For everyone following along at home:

Sending Access-Accept of id 189 to 172.16.254.45 port 1645
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "220"
User-Name = "palmi"
MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
EAP-Message = 0x030a0004
Message-Authenticator = 0x

Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? 
Some also require you to send back 'Service-Type = Framed-User'.

Arran Cudbard-Bell 
FreeRADIUS Development Team

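The ":0" suffix on the three Tunnel-* attributes in that Access-Accept is the RFC 2868 tag octet that ties the attributes to one tunnel, and Alan's earlier question was whether the reply carries all of them. As an added example (not FreeRADIUS code and not part of the original thread), here is a Python encoder and decoder for those tagged attributes, plus a completeness check a defender can run over the attribute bytes of a captured reply. The attribute numbers (64, 65, 81) and enumerated values (VLAN = 13, IEEE-802 = 6) are the registered ones from RFC 2868; the sample replies are constructed inline.

```python
import struct

# RFC 2868 tunnel attributes and the enumerated values used for 802.1X VLAN assignment.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TUNNEL_TYPE_NAMES = {13: "VLAN"}
MEDIUM_NAMES = {6: "IEEE-802"}


def encode_tagged_integer(attr_type, tag, value):
    """Tagged integer: type, length 6, one tag octet, then a 3-octet big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, value):
    """Tagged string: type, length, one tag octet (0x00-0x1F), then the string octets."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_reply_attrs(vlan_id, tag=0):
    """The three attributes a NAS needs to put an 802.1X session on a VLAN."""
    return (encode_tagged_integer(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def decode_attrs(data):
    """Decode raw attribute bytes into (name, tag, value) triples, as radiusd -X prints them."""
    out, pos = [], 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            tag, number = value[0], int.from_bytes(value[1:4], "big")
            if attr_type == ATTR_TUNNEL_TYPE:
                out.append(("Tunnel-Type", tag, TUNNEL_TYPE_NAMES.get(number, number)))
            else:
                out.append(("Tunnel-Medium-Type", tag, MEDIUM_NAMES.get(number, number)))
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the group id.
            if value and value[0] <= 0x1F:
                out.append(("Tunnel-Private-Group-Id", value[0], value[1:].decode()))
            else:
                out.append(("Tunnel-Private-Group-Id", 0, value.decode()))
        else:
            out.append((attr_type, None, value))  # anything else is left raw
    return out


def check_vlan_reply(decoded):
    """Return the VLAN id if the reply is a complete assignment, else a list of problems."""
    wanted = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
    by_name = {name: (tag, val) for name, tag, val in decoded if isinstance(name, str)}
    problems = []
    for name, expected in wanted.items():
        if name not in by_name:
            problems.append("missing " + name)
        elif by_name[name][1] != expected:
            problems.append("%s is %s, expected %s" % (name, by_name[name][1], expected))
    if "Tunnel-Private-Group-Id" not in by_name:
        problems.append("missing Tunnel-Private-Group-Id")
    tags = {tag for tag, _ in by_name.values()}
    if len(tags) > 1:
        problems.append("tags differ: %s" % sorted(tags))
    return problems if problems else by_name["Tunnel-Private-Group-Id"][1]


if __name__ == "__main__":
    complete = vlan_reply_attrs(220)          # constructed: what the Access-Accept above carries
    for name, tag, value in decode_attrs(complete):
        print("%s:%d = %s" % (name, tag, value))
    print("complete reply ->", check_vlan_reply(decode_attrs(complete)))
    only_id = encode_tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, 0, b"220")
    print("group id only  ->", check_vlan_reply(decode_attrs(only_id)))
```

The check is deliberately strict about the tag: a NAS groups the three attributes by it, so a Tunnel-Private-Group-Id with a different tag from its Tunnel-Type is not "the same tunnel" and some access points will ignore it.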


Re: Re: Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Anja Ruckdaeschel
Sorry, but I only wanted to know why the behaviour has changed and if there is
any way to do it by configuration or access it with unlang...

BTW:
If I remove the client completely, the log in normal mode says:
Fri Jul 19 16:32:29 2013 : Error: Ignoring request to authentication address *
port 1812 from unknown client x.x.x.x port 45494
... which could be used for a DoS with a RADIUS server running with port 1812 open
to the world.

If I add the client and use a wrong secret, the log says: 
Fri Jul 19 16:33:09 2013 : Auth: Login incorrect: [radtestuser] (from client
 port 0)

It's misleading information, because it has nothing to do with the user's
login, but with a wrong shared secret on the NAS.




Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

> The specific configuration works fine if I remove the following line from the 
> users file:
>   Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

Tunnel-Type = VLAN, 
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 218


alan


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

> Here you can download the (almost complete) debug log. Near the end I added a 
> text to make evident when I disconnected.
> 
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

please don't ask me to visit random web sites that require you to click on things 
etc.
just email the output to this list.

alan


Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Arran Cudbard-Bell

> If I add the client  and use a wrong secret, log says: 
> Fri Jul 19 16:33:09 2013 : Auth: Login incorrect: [radtestuser] (from client
>  port 0)
> 
> It´s a kind of misleading information, because it has nothing do do with users
> login, but with a wrong shared secret on the NAS.

Did the request include a Message-Authenticator attribute?

Arran Cudbard-Bell 
FreeRADIUS Development Team



Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 15:10, Dario Palmisano  wrote:
> > On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> >> On 19 Jul 2013, at 14:37, Dario Palmisano  
wrote:
> >>> Hello Everybody,
> >>>
> >>> I am configuring my freeradius to be integrated in the EDUROAM
> >>> federation. It works when the VLAN (as configured in the accesspoint)
> >>> is statically assigned.
> >>>
> >>> Now I would like to implement a "dynamic VLAN assignment" on a per-user
> >>> basis; in this case the Macintosh I am using for testing gets
> >>> authenticated but is not able to get the IP address from DHCP (it shows
> >>> as 169.254.120.248), so it remains isolated.
> >>>
> >>> I carefully followed instructions (regarding the accesspoint and
> >>> freeradius) and searched the web for a possible reason, but
> >>> unsuccessfully.
> >>>
> >>> I am not sure the problem is not in the accesspoint configuration (a
> >>> CISCO AP1131AG), anyway the accesspoint receives the indication to use
> >>> the specified vlan.
> >>
> >> You want to post the contents of an Access-Accept so we can check you're
> >> sending the correct attributes
> >>
> >> Arran Cudbard-Bell 
> >> FreeRADIUS Development Team
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> > Here you can download the (almost complete) debug log. Near the end I
> > added a text to make evident when I disconnected.
> >
> > http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.p
> >hp?lang=en
> 
> For everyone following along at home:
> 
> Sending Access-Accept of id 189 to 172.16.254.45 port 1645
>   Tunnel-Type:0 := VLAN
>   Tunnel-Medium-Type:0 := IEEE-802
>   Tunnel-Private-Group-Id:0 := "220"
>   User-Name = "palmi"
>   MS-MPPE-Recv-Key =
>  0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
>  MS-MPPE-Send-Key =
>  0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
>  EAP-Message = 0x030a0004
>   Message-Authenticator = 0x
> 
> Which looks ok to me. I'm guessing VLAN 220 is actually configured on the
>  NAS? Some also require you to send back 'Service-Type = Framed-User'.
Yes, VLAN 220 is assigned (statically) to the "XXX-WPA" SSID.

If the users file contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in the access point to VLAN 220), it does 
not work. If I connect to SSID XXX-ER (assigned in the access point to VLAN 218) it 
works.

If the users file contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

and I connect to SSID XXX-ER (assigned in the access point to VLAN 218), it does not 
work; if I connect to SSID XXX-WPA (assigned in the access point to VLAN 220), it 
works.

Modifying the users file as suggested:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Service-Type := Framed-User, Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

did not change the result.




> 
> Arran Cudbard-Bell 
> FreeRADIUS Development Team
> 
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 



Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 16:54:13 a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
> 
> > The specific configuration works fine if I remove the following line from
> > the users file:
> > Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218
> 
>   Tunnel-Type = VLAN,
>   Tunnel-Medium-Type = IEEE-802,
>   Tunnel-Private-Group-ID = 218
> 

Same result, it does not get the IP, it is isolated.
> 
> alan
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 



Re: Dynamic vlan assignment

2013-07-19 Thread Martin Kraus
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
> > is this a 'fat/autonomous' AP? if so, then only latest firmware can handle
> >  multiple VLANS per 802.1X SSID with multiple BSSIDs present.
> 
> This could be the problem, I found something in the Cisco documentation but 
> was unsure the problem could be this. The accesspoint is running

If you have mbssid configured on the AP then a user cannot be switched to a
different VLAN than the one bound to the SSID this user is connected to. 

Can you actually check if/how the user is associated on the AP?

show dot11 associations 

shows the associated clients and

show dot11 associations 

shows the specific client detail information including the VLAN.

mk


Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Anja Ruckdaeschel
Dear Arran,

Sorry about the typo with debug.

I looked at the invalid packet counters. It only shows the requests with wrong
shared secrets in the rejects counter ... same thing:

stats client auth x.x.x.x
requests5
responses   5
accepts 1
rejects 4
challenges  0
dup 0
invalid 0
malformed   0
bad_signature   0
dropped 0
unknown_types   0

But thanks for the tip.

I'm aware that log "formats" change, but I couldn't follow A.L.M.'s
explanation, because the unknown-client error appears but the shared-secret info
does not, "because of DoS prevention".

If you have a lot of RADIUS servers running and a lot of switches, you are
glad to do some syslog collection and an automated search for
any string or character in a log line showing that x.x.x.x has a wrong secret
or is not known to RADIUS, so the problem can be fixed immediately.

The only two types of "NAS misconfiguration" I'm interested in are:
- The client is unknown to the RADIUS server (which is still logged).
- The shared secret is wrong (which is not in the log anymore).

So, I think I'll change the code.

Thanks for your time...




Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Anja Ruckdaeschel
No. It didn't include a Message-Authenticator attribute...


Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
At the end, thanks to the list suggestions I found in the cisco docs the
sentence:

"Keep these guidelines in mind when configuring multiple BSSIDs:

• RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs."


So it seems not to be related to the IOS version, is it?

Is there any way to overcome this somehow, if not...

Thanks everybody for the kind cooperation

Best regards

Dario



> On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
>> > is this a 'fat/autonomous' AP? if so, then only latest firmware can
>> handle
>> >  multiple VLANS per 802.1X SSID with multiple BSSIDs present.
>>
>> This could be the problem, I found something in the Cisco documentation
>> but
>> was unsure the problem could be this. The accesspoint is running
>
> If you have mbssid configured on the AP then user cannot be switched to a
> different vlan than the one bound to the ssid this user is connected to.
>

I have such a configuration!
> Can you actually check if/how the users is associated on the AP?
>
> show dot11 associations
>
> shows the associated clients and
>
> show dot11 associations 
>
> shows the specific client detail information including the vlan.
>
> mk
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>


__

Dario Palmisano
ICGEB Computer System & Network Administrator

Tel:  +39 040 3757330
Fax:  +39 040 226555
E-Mail:   dario.palmis...@icgeb.org

International Centre for Genetic Engineering and Biotechnology
Area Science Park, Padriciano 99,  I-34149 Trieste, ITALY
__



Re: 2.2.0 - Shared Secret is incorrect

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 16:32, Anja Ruckdaeschel 
 wrote:

> Dear Arran,
> 
> Sorry, about the typo with debug
> 
> I looked at the invalid packet counters. Only shows the requests with wrong
> shared secrets  in rejects-Counter ... Same thing

The RADIUS server cannot determine whether the shared secret is correct for
Access-Requests without the Message-Authenticator attribute. The User-Password
field is decrypted incorrectly and so comparison with the REFERENCE password
fails, which is why they're seen as a reject.

This isn't an issue with the server, it's an issue with the protocol.
Accounting-Requests are validated using the Authenticator field and so you get
the error message.

Arran Cudbard-Bell 
FreeRADIUS Development Team

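The two observations in this thread (Anja cannot find a "wrong secret" log line for Access-Requests, Arran explains that only Accounting-Requests and Message-Authenticator carry something the server can check) come down to what each RADIUS packet type lets a server verify. The following Python is an added example, not FreeRADIUS code and not part of the original posts: it implements the RFC 2865 User-Password hiding, the RFC 2866 Accounting-Request authenticator and the RFC 2869 Message-Authenticator from the RFC text, with constructed secrets, user names and passwords, and shows that a wrong secret turns an Access-Request without Message-Authenticator into an ordinary password mismatch, while both other cases let the server positively identify a secret mismatch.

```python
# Added example (not FreeRADIUS code): which RADIUS request types let a server
# detect a wrong shared secret.  All secrets, names and passwords are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 40, 80

def encode_attrs(attrs):
    """List of (type, value bytes) -> RFC 2865 type/length/value bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(body):
    """Inverse of encode_attrs; rejects truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return attrs

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block is chained to the Request Authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def unhide_password(cipher, secret, authenticator):
    """Server side.  A wrong secret yields garbage, never an error: the scheme has no
    integrity check, so all the server can observe is a password mismatch."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], digest))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident=1, with_ma=False):
    """NAS side.  Message-Authenticator (RFC 2869 s5.14) is HMAC-MD5, keyed with the
    secret, over the whole packet with the attribute's own value zeroed."""
    auth = os.urandom(16)  # random Request Authenticator
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, auth))]
    if with_ma:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    if with_ma:
        mac = hmac.new(secret, header + auth + body, hashlib.md5).digest()
        body = encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])
    return header + auth + body

def build_accounting_request(user, secret, ident=2):
    """NAS side.  RFC 2866 s3: Request Authenticator = MD5(header + 16 zero bytes +
    attributes + secret), so it cannot be formed without the secret."""
    body = encode_attrs([(USER_NAME, user), (ACCT_STATUS_TYPE, struct.pack("!I", 1))])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def verify_message_authenticator(pkt, secret):
    """None if the attribute is absent, else whether the HMAC matches."""
    header, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    received, zeroed = None, []
    for t, v in parse_attrs(body):
        if t == MESSAGE_AUTHENTICATOR:
            received, v = v, b"\x00" * 16
        zeroed.append((t, v))
    if received is None:
        return None
    expected = hmac.new(secret, header + auth + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

def verify_accounting_authenticator(pkt, secret):
    header, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    return hmac.compare_digest(hashlib.md5(header + b"\x00" * 16 + body + secret).digest(), auth)

def classify_access_request(pkt, secret, reference_password):
    """What the server can log: 'bad-secret' only when a Message-Authenticator is
    present and fails; otherwise just accept/reject from the password comparison."""
    if verify_message_authenticator(pkt, secret) is False:
        return "bad-secret"
    attrs = dict(parse_attrs(pkt[20:]))
    pw = unhide_password(attrs[USER_PASSWORD], secret, pkt[4:20])
    return "accept" if pw == reference_password else "reject"

def demo():
    """Constructed scenario: the NAS uses one secret, the server another."""
    nas_secret, server_secret = b"testing123", b"not-the-same"
    acc = build_access_request(b"bob", b"hello", nas_secret)
    acc_ma = build_access_request(b"bob", b"hello", nas_secret, with_ma=True)
    acct = build_accounting_request(b"bob", nas_secret)
    return {
        "access_no_ma_right_secret": classify_access_request(acc, nas_secret, b"hello"),
        "access_no_ma_wrong_secret": classify_access_request(acc, server_secret, b"hello"),
        "access_ma_right_secret": classify_access_request(acc_ma, nas_secret, b"hello"),
        "access_ma_wrong_secret": classify_access_request(acc_ma, server_secret, b"hello"),
        "acct_right_secret": verify_accounting_authenticator(acct, nas_secret),
        "acct_wrong_secret": verify_accounting_authenticator(acct, server_secret),
    }
```

Running `demo()` gives `"reject"` for the Access-Request without Message-Authenticator under the wrong secret, which is exactly the counter Anja saw: the server has nothing but a failed password comparison to report. The same packet with a Message-Authenticator, and the Accounting-Request, both fail a secret-keyed check and can be logged as a secret mismatch, which is why making the NAS send Message-Authenticator is the practical way to get that log line.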


Re: Dynamic vlan assignment

2013-07-19 Thread Alan Buxey
I'm sure there were some late-in-the-day IOS updates for the 1130 series AP. This
stuff works with CAPWAP/LWAPP 1131 anyway. If MBSSID is not supported with
dynamic VLAN assignment, don't use MBSSID; use guest mode instead.

alan

Re: Fwd: radiusclient-ng in Debian

2013-07-19 Thread Daniel Pocock


On 15/07/13 23:21, Daniel Pocock wrote:
> 
> 
> On 15/07/13 21:51, Alan DeKok wrote:
>> Daniel Pocock wrote:
>>> I just opened this report against radiusclient-ng in Debian (see below),
>>> can anybody else comment on the situation, in particular, for
>>> compatibility?  Is there any urgency for Debian to update to the new
>>> client code?
>>
>>   It has a number of bugs fixed.  The old radiusclient-ng code is no
>> longer maintained.
> 
> I'm in the pkg-voip group at Debian so I can potentially package this
> new version of the library
> 

I've uploaded this today; it is in Debian's approval queue now.

For anybody who can't wait, packaging artifacts are here:

Vcs-Git: git://git.debian.org/pkg-voip/freeradius-client.git

Vcs-Browser:
http://git.debian.org/?p=pkg-voip/freeradius-client.git;a=summary



Re: client code for long extended attributes?

2013-07-19 Thread Daniel Pocock


On 15/07/13 21:53, Alan DeKok wrote:
> Daniel Pocock wrote:
>> Can anybody comment on which client code should be used for long
>> extended attributes?
>>
>> I see that the freeradius-client project predates RFC 6929.
> 
>   By a LONG ways.
> 
>   There's no client code for the extended attributes.  The RFC was just
> published.  So far as I know, FreeRADIUS is the only open source RADIUS
> system which supports it.
> 
>> Is there any module in the server project that provides a good example
>> of using these long values from requests?
> 
>   src/lib/radius.c is the RADIUS encoder / decoder.
> 

Should this code be shared with the client project freeradius-client?

Or is it preferred to build a new client (or shared library) from the
freeradius-server repository eventually?



Simultaneous-Use oddness.

2013-07-19 Thread Matthew Schumacher
List,

I'm bumping this odd issue with Simultaneous-Use:

When I have a session that didn't get expired in a SQL database, and the
user tries to connect then freeradius correctly checks the nas using the
checkrad script *UNLESS* the nas is no longer defined in the clients.
If the nas is missing, radius doesn't bother to call checkrad, and
rejects the login as a multiple login.

Perhaps this has something to do with the fact that my clients are
defined in SQL using the nas_query option.

So if I deprecate a nas, remove it from the db, then restart freeradius,
the next request comes in, freeradius finds the session to be open, but
then neither checks checkrad nor accepts the user.  The user is now
unable to authenticate until I close the session in the SQL database.

Shouldn't freeradius call checkrad anyway and pass it the
ip/session/user/port for the non-existent nas and let the checkrad
script return 0, then let the user on?  That's what I would have thought
should have happened.

Thanks,
schu


Re: [ANN] Version 3.0.0-rc0

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 23:17, John Dennis  wrote:

> I've built on Fedora and the unreleased RHEL-7
> 
> On RHEL-7 I built on the following architectures:
> 
> ppc, s390, x86_64, ppc64, i686, s390x
> 
> All of those built successfully but when I run one of our analysis tools
> it reports some problems, mostly in the area of multilib (multilib is
> where you can have more than one set of libraries on a system, e.g.
> 32-bit and 64-bit). The main problem is the header files have a few
> 32-bit vs. 64-bit items in them. Header files are not supposed to be
> arch specific. Normally the header files get installed in a devel
> package so 3rd parties can build and link new modules if they want. But
> the header files aren't clean, which would prohibit us from producing a
> devel package. One possibility is for the spec file to delete the
> offending elements in the header files, but it would be better if the
> multilib issues were not present in the FR 3.0 release at all, that
> would be much cleaner.

radpaths.h is probably also a good candidate for imacroisation, meaning it
won't be installed, and is not included directly.

It's still good to have the information accessible somehow though. We could
introduce some small wrapper functions in the server library,
fr_default_libdir() et al, which just return the values defined in radpaths.h
at build time.

That'd mean if you were linking against the 64bit library you'd get the 64bit
libpath, and if you linked against the 32bit library you'd get the 32bit
libpath.

Of course if you're linking against libfreeradius-server you probably already
have a pretty good idea of where the libraries are, but I guess it ensures
consistency if you use the lib path value to search for the modules.

> Oddly there seems to be a multilib issue in one
> of the example python files.

Is it attempting to compile them or something, and then complaining there are
differences?

> I have not dug into how to fix any of these
> yet, but I hope we can get the fixes in before 3.0 is frozen.
> 
> Also there were a few other issues reported in conjunction with IPv6. I
> have not had time yet to go through and see if these are red herrings or
> not.

OK.

> I've attached the output of the analysis tool for review.
> 

Thanks.

-Arran
