Re: how to limit the repeating ldap lookups

2013-08-28 Thread Iliya Peregoudov

On 28.08.2013 9:48, Olivier Beytrison wrote:

On 28.08.2013 00:20, Martin Kraus wrote:

Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the default freeradius configuration offers.


Why not just call rlm_ldap from the inner-tunnel post-auth section? This 
will ensure it is called only once and only if inner-tunnel authentication 
succeeds.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


brocade dictionnary on freeradius 2-2.1.7

2013-08-28 Thread Stephane Branchoux
Hello,

I recently upgraded my freeradius from 1.1.7 to 2-2.1.7 but I can't load
my Brocade dictionary.

I tried a new version of this file, like this:

http://www.brocade.com/downloads/documents/html_product_manuals/NOS_AG_301/wwhelp/wwhimpl/js/html/wwhelp.htm#href=CH_AAAServerAuth.20.4.html

But when I start radiusd, I have this error:

including dictionary file /etc/raddb/dictionary
Errors reading dictionary: dict_init:
/usr/share/freeradius/dictionary.brocade[8]: unknown option Brocade

Any idea?

Many thanks

-- 
stephane BRANCHOUX
Centre de Ressources Informatiques de l'Université de Perpignan.
Systèmes/Réseaux
mailto:stephane.branch...@univ-perp.fr
04 68 66 21 24



Re: EAP logging

2013-08-28 Thread Alan Buxey
Your reference is wrong/unknown, which means that there's a noop. This means no 
operation, which means no fticks output.

alan


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote:
 On 28.08.2013 9:48, Olivier Beytrison wrote:
 On 28.08.2013 00:20, Martin Kraus wrote:
 Hi. I'm using groups to authorize users and pull radius profiles for the 
 users.
 My config is similar to what the default freeradius configuration offers.
 
 Why not just call rlm_ldap from the inner-tunnel post-auth section? This
 will ensure it is called only once and only if inner-tunnel
 authentication succeeds.

I used to use mschapv2 for authentication so I had to look up passwords in the
authorize section. I'm not sure what would happen if I moved the lookups to
post-auth, so I'll need to set up a testing environment for it.

mk


Re: brocade dictionnary on freeradius 2-2.1.7

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 07:41, Stephane Branchoux stephane.branch...@univ-perp.fr 
wrote:

 Hello,
 
 I recently upgraded my freeradius from 1.1.7 to 2-2.1.7 but i can't load
 my brocade dictionnary.
 
 I tried a new version of this file , like this :
 
 http://www.brocade.com/downloads/documents/html_product_manuals/NOS_AG_301/wwhelp/wwhimpl/js/html/wwhelp.htm#href=CH_AAAServerAuth.20.4.html
 
 But when i start radiusd, i have this error :
 
 including dictionary file /etc/raddb/dictionary
 Errors reading dictionary: dict_init:
 /usr/share/freeradius/dictionary.brocade[8]: unknown option Brocade

I've added brocade dictionaries to v2.x.x and master branches.

Use one of those and it'll probably work.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote:
 I'm stuck with 2.1.10 on ubuntu:-(

Without trying to come across as if I'm a stuck record... this is
easy to solve.

https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
 server inner-tunnel {
   authorize {
     eap

     # stop processing authorize on eap identity or mschap success/fail
     if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
       noop
     }
     else {
       # rest of config goes here
     }
   }
 }

The hack I'm currently using for EAP-TLS, based on RFC 5216:

# EAP-Message - byte 0   = 2 for EAP-Response
#               byte 1   = Identifier
#               byte 2-3 = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
#               byte 4   = EAP-Type, EAP-TLS = 0x0d (13)
#               byte 5   = FLAGS (L,M,[SR],R,R,R,R,R)
#               byte 6-9 = TLS message length (optional if Flag L set)
#               byte 10+ = TLS data
# Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
# the client sends at the end of TLS handshake signaling the server has been authenticated
#
# We would like to do ldap lookups only on the last empty EAP-Message - not really possible
# But we can skip first few empty messages based on the Identifier field if the client
# starts at 0x01. If not then we'll have to match all the empty EAP-Message ^0x02..00060d00$
# EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
# by NAS asking for EAP-Identity.
#
# usually 0x01 is the EAP-Identity, 0x02 is NACK to our offered PEAP, 0x03 is the client_hello,
# 0x04-0x06 are the EAP-Response that ack server side of the handshake so we skip the first 6
# EAP-Response packets from the client. This is a heuristic, might not work
if ( (EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/) ) {
  default = return
}


mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 14:35, Martin Kraus lists...@wujiman.net wrote:

 On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
 server inner-tunnel {
   authorize {
     eap

     # stop processing authorize on eap identity or mschap success/fail
     if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
       noop
     }
     else {
       # rest of config goes here
     }
   }
 }
 
 The hack I'm currently using for EAP-TLS, based on RFC 5216:
 
 # EAP-Message - byte 0   = 2 for EAP-Response
 #               byte 1   = Identifier
 #               byte 2-3 = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
 #               byte 4   = EAP-Type, EAP-TLS = 0x0d (13)
 #               byte 5   = FLAGS (L,M,[SR],R,R,R,R,R)
 #               byte 6-9 = TLS message length (optional if Flag L set)
 #               byte 10+ = TLS data
 # Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
 # the client sends at the end of TLS handshake signaling the server has been authenticated
 #
 # We would like to do ldap lookups only on the last empty EAP-Message - not really possible
 # But we can skip first few empty messages based on the Identifier field if the client
 # starts at 0x01. If not then we'll have to match all the empty EAP-Message ^0x02..00060d00$
 # EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
 # by NAS asking for EAP-Identity.
 #
 # usually 0x01 is the EAP-Identity, 0x02 is NACK to our offered PEAP, 0x03 is the client_hello,
 # 0x04-0x06 are the EAP-Response that ack server side of the handshake so we skip the first 6
 # EAP-Response packets from the client. This is a heuristic, might not work
 if ( (EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/) ) {
   default = return
 }


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


CISCO ASA VPN3000 dictionary

2013-08-28 Thread Arran Cudbard-Bell
We're trying to put together a dictionary for the Cisco ASA VPN3000 box.

They have a list of attributes here:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187

In that list they have type 'boolean', but RADIUS can't encode attributes 
smaller than a byte.

For boolean, does anyone know if they really mean a standard 32-bit integer 
with the values 0/1, or if they're wanting a single byte with the values 0/1, 
or whether it's some other Cisco craziness?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?

MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
  On 28/08/13 14:49, Arran Cudbard-Bell wrote:
  
  Does anyone have a configuration which gets it down to a single LDAP query 
  for PEAP?
  
  What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

and TLS.

m.


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:11, Arran Cudbard-Bell wrote:


On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:


On 28/08/13 14:49, Arran Cudbard-Bell wrote:


Does anyone have a configuration which gets it down to a single LDAP query for 
PEAP?


What inner?


MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?


Apparently not; you can apparently run EAP-TLS inside PEAP, which is a 
new one on me.


For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack 
works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:26, Matthew Newton m...@leicester.ac.uk wrote:

 On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
 
 and TLS.

Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants, PEAP 
usually specifies PEAP with an MSCHAPv2 inner?

And wow, did they get rid of the 802.1X profile configuration GUI interface in 
OSX 10.8? That sucks.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



RE: how to limit the repeating ldap lookups

2013-08-28 Thread stefan.paetow
Yes, Alan B had some comments about that IIRC... 

I think Apple these days expect administrators to use the Apple iPhone 
Configuration Utility to create a network profile and import that into your 
802.1X settings. 

Bizarre, but there you are.

Stefan

 -Original Message-
 Fine, yes, also TLS. But in the wonderful world of Microsoft
 supplicants, PEAP usually specifies PEAP with an MSCHAPv2 inner?
 
 and wow did they get rid of the 802.1X profile configuration GUI
 interface in OSX 10.8? That sucks.






Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
 Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants, PEAP 
 usually specifies PEAP with an MSCHAPv2 inner?

Windows 7 supports PEAP+TLS. Unlike NetworkManager on Linux distributions.
 
 and wow did they get rid of the 802.1X profile configuration GUI interface in 
 OSX 10.8? That sucks.

Nope, that profile configuration is still required.

mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell

On 28 Aug 2013, at 15:38, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 28/08/13 15:11, Arran Cudbard-Bell wrote:
 
 On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
 
 On 28/08/13 14:49, Arran Cudbard-Bell wrote:
 
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?
 
 What inner?
 
 MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
 
 Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new 
 one on me.
 
 For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. 
 Or under 3.x, eap { ok = return } in the inner-tunnel also works.

OK. Just wondering if you could really get it down to a single lookup; IIRC you 
needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



(was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin
Arran wrote: 
 and wow did they get rid of the 802.1X profile configuration GUI interface in
 OSX 10.8? That sucks.

If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.

--
Brian S. Julin


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
 Does anyone have a configuration which gets it down to a single LDAP query 
 for PEAP?

The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup. 

# When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we skip the NACK so we want
# to skip only up to 0x04
# When EAP-TLS runs in PEAP the identifiers don't reset so we need to weed out more messages
if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
 default = return
}
elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
 default = return
}

I found that if I nest ifs then default = return won't skip the authorize
section, and putting the tests on multiple lines doesn't work, so it is this
ugly :-)

However this really isn't foolproof. I think the identifier is first set by
the NAS as it sends the EAP request for identity, so if that starts at something
weird then this will be totally off. I don't know if any RFC requires the
identifier to start at 0.

Then it depends on the size of the information that the server is sending to the
client. That depends on the number of certificates and MTU and fragment size
and who knows what else. In my setup with MTU 1500 it fits in 3
Access-Challenge packets and so far it holds.

I've checked wpa_supplicant and Mac OS X and there haven't been any problems so
far, so I'm going to stick with it.

I'll investigate the possibility of using ldap lookups in post-auth but that
means no mschapv2 or any other password based auth.

mk


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 15:46, Arran Cudbard-Bell wrote:


OK. Just wondering if you could really get it down to a single
lookup, IIRC you needed the 'known good' NT-Password data for a
couple of rounds of MSCHAPv2?


Nope, just one. The MSCHAP challenge & response arrive at you, you
validate them and in turn generate the response2.

You might be thinking of the first pass in EAP-MSCHAP, where the client 
sends EAP-identity and the server sends EAP-MSCHAP challenge, but that's 
stateless - just a random number. Likewise, the 3rd pass MSCHAP 
success/fail packet is stateless.



Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers

On 28/08/13 16:00, Martin Kraus wrote:


I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)


Yeah, that's an annoyance of the configurable failover stuff.


However this really isn't foolproof. I think the identifier is first set by
the NAS as it sends the EAP request for identity, so if that starts at something
weird then this will be totally off. I don't know if any RFC requires the
identifier to start at 0.


It doesn't, and you will see cases where this doesn't happen, so I'm 
afraid it's not totally robust.


If you were to upgrade, you could do this all a lot more cleanly; the 
TLS virtual server solves the problem.



RE: CISCO ASA VPN3000 dictionary

2013-08-28 Thread Angel Elena
Hi Arran.

The Cisco ASA v9.0 and VPN 3000 aren't the same appliance (different OS, 
functions, etc.)

The correct guide with attributes:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RADAtr.html#wp148379

Bye



-Original Message-
From: Arran Cudbard-Bell a.cudba...@freeradius.org
Sent: Wed 28-08-2013 16:15
Subject: CISCO ASA VPN3000 dictionary
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org; 
 We're trying to put together a dictionary for the Cisco ASA VPN3000 box.
 
 They have a list of attributes here:
 http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extse
 rver.html#wp1802187
 
 In that list they have type 'boolean', but RADIUS can't encode attributes 
 smaller than a byte.
 
 For boolean does anyone know if they really mean a standard 32bit integer 
 with 
 the values 0/1, or
 if they're wanting a single byte with the values 0/1, or whether it's some 
 other cisco craziness?
 
 -Arran
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 


Re: CISCO ASA VPN3000 dictionary

2013-08-28 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 In that list they have type 'boolean', but RADIUS can't encode attributes 
 smaller than a byte.
 
 For boolean does anyone know if they really mean a standard 32bit integer 
 with the values 0/1, or
 if they're wanting a single byte with the values 0/1, or whether it's some 
 other cisco craziness?

  My guess is that it's a single byte.  In v2.2.x, that's the byte type.

  Alan DeKok.
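As an added example (not from the thread or from FreeRADIUS itself), the RFC 2865 section 5.26 Vendor-Specific layout in Python, encoding the same 0/1 flag the one-octet 'byte' way Alan suggests and the 32-bit 'integer' way Arran asks about, with a decoder that accepts either width. The enterprise number and vendor attribute number are placeholders, not Cisco's; the point is only what each choice puts on the wire and why nothing narrower than one octet is possible.

```python
# Added example; not from the thread or from FreeRADIUS. An RFC 2865 section
# 5.26 Vendor-Specific attribute encoder/decoder showing why a "boolean" has
# to travel as at least one whole octet and how the 'byte' and 'integer'
# encodings of the same 0/1 value differ on the wire. VENDOR_ID and
# VENDOR_TYPE_FLAG are placeholders, not the real Cisco numbers.
import struct

VENDOR_SPECIFIC = 26     # RADIUS attribute type used for all VSAs
VENDOR_ID = 99999        # placeholder enterprise number
VENDOR_TYPE_FLAG = 1     # placeholder vendor attribute number


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | value."""
    # Both Length fields count whole octets, so the smallest encodable value
    # is one octet: a sub-octet 'boolean' cannot exist on the wire.
    if not 1 <= len(value) <= 247:  # outer Length is a single octet (<= 255)
        raise ValueError("VSA value must be 1..247 octets")
    vendor_part = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def decode_vsa(attr: bytes):
    """Inverse of encode_vsa; returns (vendor_id, vendor_type, value)."""
    if len(attr) < 9 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", attr[2:8])
    if vendor_len != len(attr) - 6:
        raise ValueError("Vendor-Length disagrees with attribute Length")
    return vendor_id, vendor_type, attr[8:]


def encode_flag_as_byte(flag: bool) -> bytes:
    """FreeRADIUS 'byte' dictionary type: one octet holding 0 or 1."""
    return encode_vsa(VENDOR_ID, VENDOR_TYPE_FLAG, bytes([1 if flag else 0]))


def encode_flag_as_integer(flag: bool) -> bytes:
    """FreeRADIUS 'integer' dictionary type: 32-bit big-endian 0 or 1."""
    return encode_vsa(VENDOR_ID, VENDOR_TYPE_FLAG, struct.pack("!I", 1 if flag else 0))


def decode_flag(attr: bytes) -> bool:
    """Tolerant decoder: accepts either width, since the vendor documentation
    does not say which one the peer sends, and rejects anything else."""
    vendor_id, vendor_type, value = decode_vsa(attr)
    if (vendor_id, vendor_type) != (VENDOR_ID, VENDOR_TYPE_FLAG) or len(value) not in (1, 4):
        raise ValueError("unexpected vendor attribute or value width")
    number = int.from_bytes(value, "big")
    if number not in (0, 1):
        raise ValueError("boolean value must be 0 or 1")
    return number == 1
```

The byte form is 9 octets on the wire and the integer form 12; a receiver that has the dictionary type wrong will either read three octets of garbage or complain that the attribute is too short, which is exactly why the question of which encoding the vendor means matters.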


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
  Apparently not; you can apparently run EAP-TLS inside PEAP,
  which is a new one on me.

Has been running fine here for months. Only real benefit - SoH with
EAP-TLS.

  For PEAP/MSCHAP, under 2.x the link someone posted to my
  horrible hack works. Or under 3.x, eap { ok = return } in
  the inner-tunnel also works.
 
 OK. Just wondering if you could really get it down to a single
 lookup, IIRC you needed the 'known good' NT-Password data for a
 couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual
server, where we can lookup the certificate data in LDAP. It hits
once, after the cert has verified, and allows other things to deny
the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the
mods-available/eap file, option virtual_server in the tls
section.

I backported the patch I wrote to do this to v2 (which is what we
are running); I'm not sure if it made it into the released 2.x
code (I doubt it). It's an easy patch if anyone wants to do it
themselves.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote:
 Arran wrote: 
  and wow did they get rid of the 802.1X profile configuration GUI interface 
  in
  OSX 10.8? That sucks.
 
 If you think that sucks, wait till you see the horrible things you have to do
 to generate a .mobileconfig without access to an OSX server license.

http://support.apple.com/kb/DL1466

?

But this is getting a bit off-topic.

m.


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: CISCO ASA VPN3000 dictionary

2013-08-28 Thread Olivier Beytrison
On 28.08.2013 17:48, Alan DeKok wrote:
 Arran Cudbard-Bell wrote:
 In that list they have type 'boolean', but RADIUS can't encode attributes 
 smaller than a byte.

 For boolean does anyone know if they really mean a standard 32bit integer 
 with the values 0/1, or
 if they're wanting a single byte with the values 0/1, or whether it's some 
 other cisco craziness?
 
   My guess is that it's a single byte.  In v2.2.x, that's byte type.
Well, not all attributes changed between the VPN3000 and the ASA. Those
indicated as boolean in the ASA documentation were in fact integers in
the VPN3000.

With Arran we suppose they made a lazy copy-paste from the LDAP part of
the document.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
 OK. Just wondering if you could really get it down to a single lookup, IIRC 
 you needed the 'known good' NT-Password data for a couple of rounds of 
 MSCHAPv2?

With

if ( (EAP-Type == Identity) || (EAP-Type == NAK) || (EAP-Message =~ /^0x02..00061a..$/) ) {
default = return
}

the only lookup happens on the pass just above the ^EAP-TLS line. Each
^Authorize: line is one Access-Request. The others are Identity, NAK or empty
EAP-Response 0x02..00061a..

Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy= VIRT=default
Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=NAK Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
EAP-TLS: User=test EAP-Type=MS-CHAP-V2 outer.EAP-Type=PEAP EAP-Message=0x0209004... Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=MS-CHAP-V2 EAP-Message=0x030a0004 Packet-Type=Access-Accept, VIRT=inner-tunnel
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default
Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default

mk
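An added example, not code from the thread or from FreeRADIUS, that serves both Martin's EAP-TLS identifier hack earlier in the thread and the PEAP/MSCHAPv2 filter and trace just above: a Python parser for the EAP-Message layout spelled out in that comment block, with a classifier that takes the same decision as the posted unlang regexes but on parsed fields, and a cross-check against the regexes themselves. The identifier thresholds are the ones in the posted regexes, the outer-method labels and function names are this example's own, and every sample packet is constructed.

```python
# Added example; not code from the thread or from FreeRADIUS. It parses the
# EAP-Message layout described in the EAP-TLS hack earlier in the thread and
# reproduces, on parsed fields, the decision the posted unlang regexes take,
# so you can check offline which Access-Request reaches the LDAP lookup.
import re
from dataclasses import dataclass
from typing import Optional

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_TLS = 13        # 0x0d
EAP_TYPE_MSCHAPV2 = 26   # 0x1a

# Lowest identifier at which an empty EAP-TLS ack is let through to the
# lookup, per outer method (None = no outer). Taken from the posted regexes;
# a heuristic, since no RFC fixes the initial identifier.
TLS_ACK_ID_THRESHOLD = {None: 0x07, "EAP-TTLS": 0x05, "PEAP": 0x0d}

# The regexes exactly as posted, kept only to cross-check the parser.
POSTED_TLS_ACK_REGEX = {
    None: re.compile(r"^0x02([1-9a-f].|0[7-9a-f])00060d00$"),
    "EAP-TTLS": re.compile(r"^0x02([1-9a-f].|0[5-9a-f])00060d00$"),
    "PEAP": re.compile(r"^0x02([1-9a-f].|0[d-f])00060d00$"),
}
POSTED_MSCHAPV2_RESULT_REGEX = re.compile(r"^0x02..00061a..$")


@dataclass
class EapResponse:
    identifier: int
    length: int
    eap_type: int
    payload: bytes  # every octet after the Type octet

    def is_empty_tls_ack(self) -> bool:
        # 6-octet EAP-TLS response, flags 0x00: an ack of a server fragment,
        # or the client's final message once the handshake is done.
        return self.eap_type == EAP_TYPE_TLS and self.length == 6 and self.payload == b"\x00"

    def is_mschapv2_result(self) -> bool:
        # 6-octet MS-CHAP-V2 response: Type plus a lone OpCode (the
        # Success/Failure acknowledgement); what ^0x02..00061a..$ matches.
        return self.eap_type == EAP_TYPE_MSCHAPV2 and self.length == 6


def parse_eap_message(hex_str: str) -> Optional[EapResponse]:
    """FreeRADIUS' 0x-prefixed hex form of EAP-Message -> EapResponse, or None
    unless it is a self-consistent EAP-Response (Code 2, Length == real length)."""
    data = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    if len(data) < 5:  # Code, Identifier, Length (2), Type
        return None
    length = int.from_bytes(data[2:4], "big")
    if data[0] != EAP_RESPONSE or length != len(data):
        return None
    return EapResponse(data[1], length, data[4], data[5:])


def needs_ldap_lookup(hex_str: str, outer: Optional[str] = None) -> bool:
    """True if the request runs on into LDAP under the posted heuristics."""
    msg = parse_eap_message(hex_str)
    if msg is None:
        return True  # not an EAP response (e.g. plain PAP): normal authorize path
    if msg.eap_type in (EAP_TYPE_IDENTITY, EAP_TYPE_NAK):
        return False
    if msg.eap_type == EAP_TYPE_TLS:
        return msg.is_empty_tls_ack() and msg.identifier >= TLS_ACK_ID_THRESHOLD.get(outer, 0x07)
    if msg.eap_type == EAP_TYPE_MSCHAPV2:
        return not msg.is_mschapv2_result()
    return True


def posted_regex_allows_lookup(hex_str: str, outer: Optional[str] = None) -> bool:
    """Same decision straight from the posted regexes (EAP-TLS / MS-CHAP-V2 only)."""
    msg = parse_eap_message(hex_str)
    if msg is not None and msg.eap_type == EAP_TYPE_TLS:
        regex = POSTED_TLS_ACK_REGEX.get(outer, POSTED_TLS_ACK_REGEX[None])
        return regex.match(hex_str) is not None
    return POSTED_MSCHAPV2_RESULT_REGEX.match(hex_str) is None


def count_lookups(conversation) -> int:
    """How many (EAP-Message hex, outer method) pairs reach LDAP."""
    return sum(needs_ldap_lookup(h, outer) for h, outer in conversation)


# Constructed PEAP/MS-CHAP-V2 inner conversation modelled on the trace above:
# Identity "test", NAK asking for type 26, MS-CHAP-V2 Response (payload
# abbreviated), MS-CHAP-V2 Success acknowledgement. Exactly one hits LDAP.
PEAP_MSCHAPV2_INNER = [
    ("0x020100090174657374", "PEAP"),
    ("0x02020006031a", "PEAP"),
    ("0x0203000a1a0205000501", "PEAP"),
    ("0x020400061a03", "PEAP"),
]

# Constructed EAP-TLS inside EAP-TTLS: client_hello fragment with the L flag
# (TLS data abbreviated), then three empty acks; only identifier 0x05 passes.
TTLS_TLS_INNER = [
    ("0x0202000b0d8000000001aa", "EAP-TTLS"),
    ("0x020300060d00", "EAP-TTLS"),
    ("0x020400060d00", "EAP-TTLS"),
    ("0x020500060d00", "EAP-TTLS"),
]
```

Running needs_ldap_lookup over the constructed PEAP/MS-CHAP-V2 conversation reproduces the trace above: Identity and NAK are skipped, the MS-CHAP-V2 Response is the one packet that reaches LDAP, and the 6-octet Success acknowledgement is skipped again. Writing the two filters side by side also makes the difference Phil points at explicit: the MS-CHAP-V2 rule keys off the shape of the message and is robust, whereas the EAP-TLS rule hinges entirely on the identifier threshold, which depends on where the NAS started counting.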


Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote:
 See the sites-available/check-eap-tls file in v3, and the
 mods-available/eap file, option virtual_server in the tls
 section.
 
 I backported the patch I wrote to do this to v2 (which is what we
 are running); I'm not sure if it made it into the released 2.x
 code (I doubt it). It's an easy patch it anyone wants to do it
 themselves.

I just checked - it's in v2 HEAD. See tls section of eap.conf.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread David Aldwinckle
It's been a while since I've used it, but doesn't the iPhone Config Utility
generate mobileconfigs that work on OS X?

http://support.apple.com/kb/DL1465


Dave Aldwinckle


On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:

Arran wrote: 
 and wow did they get rid of the 802.1X profile configuration GUI
interface in
 OSX 10.8? That sucks.

If you think that sucks, wait till you see the horrible things you have
to do
to generate a .mobileconfig without access to an OSX server license.

--
Brian S. Julin



Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread A . L . M . Buxey
Hi,

 If you think that sucks, wait till you see the horrible things you have to do
 to generate a .mobileconfig without access to an OSX server license.

what, download the iPhone Configuration Utility?  yes, quite horrible ;-)

alan


RE: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin

OK, fine, since everyone seems to have done this more recently than
me, thanks all three of you for the update :-)

This is an improvement.  Back when I was messing with it IIRC this was
only available for server 10.7.

The instructions for signing it are easier than I remember them being as well:

http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

 -Original Message-
 From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org
 [mailto:freeradius-users-bounces+bjulin=clarku@lists.freeradius.org]
 On Behalf Of David Aldwinckle
 Sent: Wednesday, August 28, 2013 2:32 PM
 To: FreeRadius users mailing list
 Subject: Re: (was) RE: how to limit the repeating ldap lookups
 
 It's been a while since I've used it, but doesn't the iPhone Config Utility
 generate mobileconfigs that work on OS X?
 
 http://support.apple.com/kb/DL1465
 
 
 Dave Aldwinckle
 
 
 On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
 
 Arran wrote:
  and wow did they get rid of the 802.1X profile configuration GUI
 interface in
  OSX 10.8? That sucks.
 
 If you think that sucks, wait till you see the horrible things you have
 to do
 to generate a .mobileconfig without access to an OSX server license.
 
 --
 Brian S. Julin


Re: EAP logging

2013-08-28 Thread Andrej
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,

 Your reference is wrong/unknown which means that there's a noop. This means
 no operation which means no fticks output

This brings me back to my earlier question: what values are available
where, and when, via which mechanism?

I think I still don't fully understand how modules hang together, how
I pass information from e.g. an EAP request into line-log, or, looking at
sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any
other module for that matter) which values I'd like to work with.

I would like f_ticks to write out a single line into syslog that
contains the inner and outer identity of an authentication request,
the station ID and MAC address.

In case of a successful authentication or rejection I'd like to have
the inner identity and a status on a line.

Can anyone point me at a walk-through or how-to? I've now spent days
flicking from one wiki page to the next, and reading mailing list
archives without finding anything that helps me understand.


Re: EAP logging

2013-08-28 Thread Martin Kraus
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
 On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 Thanks Alan,
 
  Your reference is wrong/unknown which means that there's a noop. This means
  no operation which means no fticks output
 
 This brings me back to my earlier question: what values are available
 where, and when,
 via which mechanism?
 
 I think I still don't fully understand how modules hang together, how
 I pass information
 from e.g. an EAP request into line-log, or, looking at
 sites-enabled/eap-inner-tunnel, how
 I tell f_ticks (or linelog, or any other modules for that matter)
 which values I'd like to work
 with.

Everything becomes an attribute or a variable, and the definitions are mostly
in /usr/share/freeradius/dictionary.freeradius.internal; you can also
define your own attributes in /etc/freeradius/dictionary. I use this to get
the time in a format similar to syslog by having a variable My-Local-Time and
calling an exec module with the date command and assigning the result to this
variable, which I can then reference in my linelog.

The only way I found to get what I need is to define a linelog, write
there the variables I hope will have what I'm looking for, call that
linelog from some part of the server configuration and just run my clients
against it and see what happens.

For the username you can use outer.request:User-Name in the inner-tunnel, which
should reference the outer tunnel User-Name. User-Name in the inner-tunnel
should be the inner EAP username. Also the attribute named
Inner-Tunnel-User-Name might have the inner EAP username, but that might be
defined only in the post-auth section of the default server.

mk