Re: how to limit the repeating ldap lookups
On 28.08.2013 9:48, Olivier Beytrison wrote:
> On 28.08.2013 00:20, Martin Kraus wrote:
>> Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius configuration offers.

Why not just call rlm_ldap from the inner-tunnel post-auth section? This will ensure it is called only once and only if inner-tunnel authentication succeeds.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
brocade dictionary on freeradius 2-2.1.7
Hello,

I recently upgraded my freeradius from 1.1.7 to 2-2.1.7 but I can't load my brocade dictionary. I tried a new version of this file, like this:

http://www.brocade.com/downloads/documents/html_product_manuals/NOS_AG_301/wwhelp/wwhimpl/js/html/wwhelp.htm#href=CH_AAAServerAuth.20.4.html

But when I start radiusd, I have this error:

    including dictionary file /etc/raddb/dictionary
    Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary.brocade[8]: unknown option Brocade

Any idea? Many thanks

--
stephane BRANCHOUX
Centre de Ressources Informatiques de l'Université de Perpignan. Systèmes/Réseaux
mailto:stephane.branch...@univ-perp.fr
04 68 66 21 24
Re: EAP logging
Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.

alan
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote:
> On 28.08.2013 9:48, Olivier Beytrison wrote:
>> On 28.08.2013 00:20, Martin Kraus wrote:
>>> Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius configuration offers.
>
> Why not just call rlm_ldap from the inner-tunnel post-auth section? This will ensure it is called only once and only if inner-tunnel authentication succeeds.

I used to use mschapv2 for authentication so I had to look up passwords in the authorize section. I'm not sure what would happen if I moved the lookups to post-auth so I'll need to set up some testing environment for it.

mk
Re: brocade dictionary on freeradius 2-2.1.7
On 28 Aug 2013, at 07:41, Stephane Branchoux stephane.branch...@univ-perp.fr wrote:
> Hello,
>
> I recently upgraded my freeradius from 1.1.7 to 2-2.1.7 but I can't load my brocade dictionary. I tried a new version of this file, like this:
> http://www.brocade.com/downloads/documents/html_product_manuals/NOS_AG_301/wwhelp/wwhimpl/js/html/wwhelp.htm#href=CH_AAAServerAuth.20.4.html
>
> But when I start radiusd, I have this error:
>
>     including dictionary file /etc/raddb/dictionary
>     Errors reading dictionary: dict_init: /usr/share/freeradius/dictionary.brocade[8]: unknown option Brocade

I've added brocade dictionaries to the v2.x.x and master branches. Use one of those and it'll probably work.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote:
> I'm stuck with 2.1.10 on ubuntu :-(

Without trying to come across as if I'm a stuck record... this is easy to solve.

https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html

Cheers,

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
> server inner-tunnel {
>     authorize {
>         eap
>         # stop processing authorize on eap identity or mschap success/fail
>         if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
>             noop
>         }
>         else {
>             # rest of config goes here
>         }
>     }
> }

The hack I'm currently using for EAP-TLS, based on RFC 5216:

    # EAP-Message - byte 0    = 2 for EAP-Response
    #               byte 1    = Identifier
    #               byte 2-3  = EAP-Message Length including header (for EAP-TLS minimum 6 bytes)
    #               byte 4    = EAP-Type, EAP-TLS = 0x0d (13)
    #               byte 5    = FLAGS (L,M,[SR],R,R,R,R,R)
    #               byte 6-9  = TLS message length (optional if Flag L set)
    #               byte 10+  = TLS data
    # Empty EAP-Messages are used to acknowledge EAP-Request fragments or are the last message
    # the client sends at the end of the TLS handshake, signaling the server has been authenticated.
    #
    # We would like to do ldap lookups only on the last empty EAP-Message - not really possible.
    # But we can skip the first few empty messages based on the Identifier field if the client
    # starts at 0x01. If not then we'll have to match all the empty EAP-Messages ^0x02..00060d00$
    # The EAP-Response identifier is copied from the EAP-Request, so the starting point is determined
    # by the NAS asking for EAP-Identity.
    #
    # Usually 0x01 is the EAP-Identity, 0x02 is the NACK to our offered PEAP, 0x03 is the client_hello,
    # 0x04-0x06 are the EAP-Responses that ack the server side of the handshake, so we skip the first 6
    # EAP-Response packets from the client. This is a heuristic, might not work.
    if ( (EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/) ) {
        default = return
    }

mk
Re: how to limit the repeating ldap lookups
On 28 Aug 2013, at 14:35, Martin Kraus lists...@wujiman.net wrote:
> On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
>> server inner-tunnel {
>>     authorize {
>>         eap
>>         # stop processing authorize on eap identity or mschap success/fail
>>         if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
>>             noop
>>         }
>>         else {
>>             # rest of config goes here
>>         }
>>     }
>> }
>
> The hack I'm currently using for EAP-TLS, based on RFC 5216:
> [...]
>     if ( (EAP-Type == EAP-TLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[7-9a-f])00060d00$/) ) {
>         default = return
>     }

Does anyone have a configuration which gets it down to a single LDAP query for PEAP?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: how to limit the repeating ldap lookups
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?

What inner?
CISCO ASA VPN3000 dictionary
We're trying to put together a dictionary for the Cisco ASA VPN3000 box. They have a list of attributes here:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187

In that list they have type 'boolean', but RADIUS can't encode attributes smaller than a byte. For boolean, does anyone know if they really mean a standard 32bit integer with the values 0/1, or if they're wanting a single byte with the values 0/1, or whether it's some other cisco craziness?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: how to limit the repeating ldap lookups
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 28/08/13 14:49, Arran Cudbard-Bell wrote:
>> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?
>
> What inner?

MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
> On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 28/08/13 14:49, Arran Cudbard-Bell wrote:
>>> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?
>>
>> What inner?
>
> MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

and TLS.

m.

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: how to limit the repeating ldap lookups
On 28/08/13 15:11, Arran Cudbard-Bell wrote:
> On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
>> On 28/08/13 14:49, Arran Cudbard-Bell wrote:
>>> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?
>>
>> What inner?
>
> MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?

Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new one on me.

For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.
Re: how to limit the repeating ldap lookups
On 28 Aug 2013, at 15:26, Matthew Newton m...@leicester.ac.uk wrote:
> On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
>> On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> On 28/08/13 14:49, Arran Cudbard-Bell wrote:
>>>> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?
>>>
>>> What inner?
>>
>> MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
>
> and TLS.

Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner?

And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
RE: how to limit the repeating ldap lookups
Yes, Alan B had some comments about that IIRC... I think Apple these days expect administrators to use the Apple iPhone Configuration Utility to create a network profile and import that into your 802.1X settings. Bizarre, but there you are.

Stefan

-----Original Message-----
> Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner?
>
> And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
> Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner?

Windows 7 supports PEAP+TLS. Unlike Network Manager on linux distributions.

> And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.

Nope, that profile configuration is still required.

mk
Re: how to limit the repeating ldap lookups
On 28 Aug 2013, at 15:38, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 28/08/13 15:11, Arran Cudbard-Bell wrote:
>> On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> On 28/08/13 14:49, Arran Cudbard-Bell wrote:
>>>> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?
>>>
>>> What inner?
>>
>> MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
>
> Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new one on me.
>
> For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.

OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
(was) RE: how to limit the repeating ldap lookups
Arran wrote:
> And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.

If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license.

--
Brian S. Julin
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
> Does anyone have a configuration which gets it down to a single LDAP query for PEAP?

The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup.

    # When EAP-TLS runs in an EAP-TTLS tunnel the id starts at 0x00 and we skip the NACK, so we want
    # to skip only up to 0x04.
    # When EAP-TLS runs in PEAP the identifiers don't reset so we need to weed out more messages.
    if ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == EAP-TTLS) && (EAP-Message !~ /^0x02([1-9a-f].|0[5-9a-f])00060d00$/)) {
        default = return
    }
    elsif ((EAP-Type == EAP-TLS) && (outer.request:EAP-Type == PEAP) && (EAP-Message !~ /^0x02([1-9a-f].|0[d-f])00060d00$/)) {
        default = return
    }

I found that if I nest ifs then default = return won't skip the authorize section, and putting the tests on multiple lines doesn't work, so it is this ugly :-)

However, this really isn't foolproof. I think the identifier is first set by the NAS as it sends the EAP request for identity, so if that starts at something weird then this will be totally off. I don't know if any RFC requires the identifier to start at 0.

Then it depends on the size of the information that the server is sending to the client. That depends on the number of certificates and MTU and fragment size and who knows what else. In my setup with MTU 1500 it fits in 3 Access-Challenge packets and so far it holds.

I've checked wpasupplicant and mac osx and there haven't been any problems so far, so I'm going to stick with it. I'll investigate the possibility of using ldap lookups in post-auth but that means no mschapv2 or any other password based auth.

mk
Re: how to limit the repeating ldap lookups
On 28/08/13 15:46, Arran Cudbard-Bell wrote:
> OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

Nope, just one. The MSCHAP challenge and response arrive at you, you validate them and in turn generate the response2.

You might be thinking of the first pass in EAP-MSCHAP, where the client sends EAP-identity and the server sends the EAP-MSCHAP challenge, but that's stateless - just a random number. Likewise, the 3rd pass MSCHAP success/fail packet is stateless.
Re: how to limit the repeating ldap lookups
On 28/08/13 16:00, Martin Kraus wrote:
> I found that if I nest ifs then default = return won't skip the authorize section, and putting the tests on multiple lines doesn't work, so it is this ugly :-)

Yeah, that's an annoyance of the configurable failover stuff.

> However, this really isn't foolproof. I think the identifier is first set by the NAS as it sends the EAP request for identity, so if that starts at something weird then this will be totally off. I don't know if any RFC requires the identifier to start at 0.

It doesn't, and you will see cases where this doesn't happen, so I'm afraid it's not totally robust.

If you were to upgrade, you could do this all a lot more cleanly; the TLS virtual server solves the problem.
RE: CISCO ASA VPN3000 dictionary
Hi Arran.

The cisco asa v9.0 and vpn 3000 aren't the same appliance (different OS, functions, etc.). The correct guide with attributes:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RADAtr.html#wp148379

Bye

-----Original Message-----
From: Arran Cudbard-Bell a.cudba...@freeradius.org
Sent: Wed 28-08-2013 16:15
Subject: CISCO ASA VPN3000 dictionary
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

> We're trying to put together a dictionary for the Cisco ASA VPN3000 box. They have a list of attributes here:
>
> http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187
>
> In that list they have type 'boolean', but RADIUS can't encode attributes smaller than a byte. For boolean, does anyone know if they really mean a standard 32bit integer with the values 0/1, or if they're wanting a single byte with the values 0/1, or whether it's some other cisco craziness?
>
> -Arran
Re: CISCO ASA VPN3000 dictionary
Arran Cudbard-Bell wrote:
> In that list they have type 'boolean', but RADIUS can't encode attributes smaller than a byte. For boolean, does anyone know if they really mean a standard 32bit integer with the values 0/1, or if they're wanting a single byte with the values 0/1, or whether it's some other cisco craziness?

My guess is that it's a single byte. In v2.2.x, that's byte type.

Alan DeKok.
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
>> Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new one on me.

Has been running fine here for months. Only real benefit - SoH with EAP-TLS.

>> For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. Or under 3.x, eap { ok = return } in the inner-tunnel also works.
>
> OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

Using PEAP/EAP-TLS, we put the LDAP lookup in the TLS virtual server, where we can look up the certificate data in LDAP. It hits once, after the cert has verified, and allows other things to deny the auth. LDAP is in the example file.

See the sites-available/check-eap-tls file in v3, and the mods-available/eap file, option virtual_server in the tls section.

I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure if it made it into the released 2.x code (I doubt it). It's an easy patch if anyone wants to do it themselves.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: (was) RE: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote:
> Arran wrote:
>> And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.
>
> If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license.

http://support.apple.com/kb/DL1466 ?

But this is getting a bit off-topic.

m.

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: CISCO ASA VPN3000 dictionary
On 28.08.2013 17:48, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> In that list they have type 'boolean', but RADIUS can't encode attributes smaller than a byte. For boolean, does anyone know if they really mean a standard 32bit integer with the values 0/1, or if they're wanting a single byte with the values 0/1, or whether it's some other cisco craziness?
>
> My guess is that it's a single byte. In v2.2.x, that's byte type.

Well, not all attributes changed between the VPN3000 and the ASA. Those indicated as boolean in the ASA documentation were in fact integers in the VPN3000. With Arran we suppose they made a lazy copy-paste from the LDAP part of the document.

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
> OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2?

with

    if ( (EAP-Type == Identity) || (EAP-Type == NAK) || (EAP-Message =~ /^0x02..00061a..$/) ) {
        default = return
    }

The only lookup happens on the pass just above the ^EAP-TLS message. Each ^Authorize: line is one Access-Request. The others are Identity, NAK or empty EAP-Response 0x02..00061a..

    Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy= VIRT=default
    Authorize: User=test EAP-Type=Identity Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
    Authorize: User=test EAP-Type=NAK Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
    Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
    EAP-TLS: User=test EAP-Type=MS-CHAP-V2 outer.EAP-Type=PEAP EAP-Message=0x0209004... Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
    Authorize: User=test EAP-Type=MS-CHAP-V2 Packet-Type=Access-Request Proxy=LOCAL VIRT=inner-tunnel
    Post-Auth: User=test EAP-Type=MS-CHAP-V2 EAP-Message=0x030a0004 Packet-Type=Access-Accept, VIRT=inner-tunnel
    Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default
    Post-Auth: User=test EAP-Type=PEAP EAP-Message=0x030b0004 Packet-Type=Access-Accept, VIRT=default

mk
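A decoder for the EAP-Message octets those regexes match, reproducing the "skip the LDAP lookup?" decision of the filters in this thread (Martin's EAP-TLS filters earlier in the thread and the Identity/NAK/MSCHAPv2 filter in this message), including the identifier-start failure mode Phil describes. This is an added example, not code from the thread or from FreeRADIUS; the packets are constructed and the identifier thresholds are the site-specific values quoted in the thread, not anything an RFC mandates.

```python
# Added example (not from the thread or from FreeRADIUS): decode the EAP-Message
# octets that the unlang regexes in this thread match, and reproduce each
# "skip the LDAP lookup?" decision so it can be checked against real captures.
# Sample packets below are constructed; identifier thresholds are the ones the
# thread quotes for its own setups, not values from any RFC.

EAP_RESPONSE = 2
EAP_IDENTITY = 1
EAP_NAK = 3
EAP_TLS = 0x0d
EAP_MSCHAPV2 = 0x1a
TLS_FLAG_L = 0x80  # RFC 5216: TLS message length field present

# Lowest identifier at which each regex lets an empty EAP-TLS response through:
#   PEAP/EAP-TLS -> 0[d-f]   EAP-TTLS/EAP-TLS -> 0[5-9a-f]   standalone -> 0[7-9a-f]
MIN_IDENT = {"PEAP": 0x0d, "EAP-TTLS": 0x05, "NONE": 0x07}


def parse_eap(octets):
    """Split a FreeRADIUS-style 0x... EAP-Message into its RFC 3748/5216 fields."""
    if octets.startswith("0x"):
        octets = octets[2:]
    data = bytes.fromhex(octets)
    if len(data) < 4:
        raise ValueError("EAP header is 4 octets: code, identifier, length")
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length %d does not match %d octets" % (length, len(data)))
    msg = {"code": data[0], "ident": data[1], "length": length,
           "type": None, "flags": None, "tls_len": None}
    if length >= 5:
        msg["type"] = data[4]
    if msg["type"] == EAP_TLS and length >= 6:
        msg["flags"] = data[5]
        if msg["flags"] & TLS_FLAG_L and length >= 10:
            msg["tls_len"] = int.from_bytes(data[6:10], "big")
    return msg


def lookup_needed(octets, outer="PEAP"):
    """Return (do_ldap, reason), mirroring the thread's authorize-section filters."""
    m = parse_eap(octets)
    if m["code"] != EAP_RESPONSE:
        return False, "not an EAP-Response"
    if m["type"] == EAP_IDENTITY:
        return False, "EAP-Identity"
    if m["type"] == EAP_NAK:
        return False, "NAK"
    # /^0x02..00061a..$/ : a 6-octet MSCHAPv2 response is the success/failure ack
    if m["type"] == EAP_MSCHAPV2 and m["length"] == 6:
        return False, "empty MSCHAPv2 ack"
    if m["type"] == EAP_TLS:
        # /^0x02<id>00060d00$/ : length 6 and flags 0 is the empty EAP-TLS ack
        if m["length"] != 6 or m["flags"] != 0:
            return False, "EAP-TLS data or fragment ack"
        if m["ident"] < MIN_IDENT[outer]:
            return False, "empty EAP-TLS ack, early identifier 0x%02x" % m["ident"]
        return True, "empty EAP-TLS ack, identifier 0x%02x" % m["ident"]
    return True, "EAP-Response type %r carries data" % m["type"]


def empty_tls_ack(ident):
    """The 6-octet empty EAP-TLS response the regexes look for (constructed)."""
    return "0x02%02x00060d00" % ident


def sample_exchange(first_ident=1):
    """Constructed client responses shaped like the EAP-TLS conversation the
    thread describes: Identity, NAK, client_hello, three acks of server
    fragments, the client's own handshake fragment, then the final empty ack."""
    i = first_ident
    tls_frag = "0x02%02x000e0d800000000416030100"  # flag L set, 4 TLS octets
    return [
        "0x02%02x00090174657374" % i,      # Identity "test"
        "0x02%02x0006030d" % (i + 1),       # NAK, asks for EAP-TLS
        tls_frag % (i + 2),                 # client_hello
        empty_tls_ack(i + 3), empty_tls_ack(i + 4), empty_tls_ack(i + 5),
        tls_frag % (i + 6),                 # certificate/finished fragment
        empty_tls_ack(i + 7),               # server is now authenticated
    ]


def count_lookups(exchange, outer="NONE"):
    """How many Access-Requests of an exchange would still reach rlm_ldap."""
    return sum(1 for pkt in exchange if lookup_needed(pkt, outer)[0])


if __name__ == "__main__":
    # Identifiers starting at 1 give the single lookup the thread wants; a NAS
    # that starts them at 0x40 defeats the heuristic (Phil Mayers' caveat).
    print(count_lookups(sample_exchange(1)), count_lookups(sample_exchange(0x40)))
```

Run it against the EAP-Message values from a linelog like the one above to see which Access-Requests would still reach rlm_ldap on a given NAS.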
Re: how to limit the repeating ldap lookups
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote:
> See the sites-available/check-eap-tls file in v3, and the mods-available/eap file, option virtual_server in the tls section.
>
> I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure if it made it into the released 2.x code (I doubt it). It's an easy patch if anyone wants to do it themselves.

I just checked - it's in v2 HEAD. See the tls section of eap.conf.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Re: (was) RE: how to limit the repeating ldap lookups
It's been a while since I've used it, but doesn't the iPhone Config Utility generate mobileconfigs that work on OS X?

http://support.apple.com/kb/DL1465

Dave Aldwinckle

On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
> Arran wrote:
>> And wow, did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks.
>
> If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license.
>
> --
> Brian S. Julin
Re: (was) RE: how to limit the repeating ldap lookups
Hi,

> If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license.

what, download the iPhone Configuration Utility? yes, quite horrible ;-)

alan
RE: (was) RE: how to limit the repeating ldap lookups
OK, fine, since everyone seems to have done this more recently than me, thanks all three of you for the update :-) This is an improvement. Back when I was messing with it IIRC this was only available for server 10.7.

The instructions for signing it are easier than I remember them being as well:

http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html

-----Original Message-----
From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org [mailto:freeradius-users-bounces+bjulin=clarku@lists.freeradius.org] On Behalf Of David Aldwinckle
Sent: Wednesday, August 28, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: (was) RE: how to limit the repeating ldap lookups

> It's been a while since I've used it, but doesn't the iPhone Config Utility generate mobileconfigs that work on OS X?
>
> http://support.apple.com/kb/DL1465
>
> Dave Aldwinckle
>
> On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
>> [...]
>> If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license.
Re: EAP logging
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

Thanks Alan,

> Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.

This brings me back to my earlier question: what values are available where, and when, via which mechanism?

I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log, or, looking at sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

I would like f_ticks to write out a single line into syslog that contains the inner and outer identity of an authentication request, the station ID and MAC address. In case of a successful authentication or rejection I'd like to have the inner identity and a status on a line.

Can anyone point me at a walk-through or how-to? I've now spent days flicking from one wiki-page to the next, and reading mailing list archives w/o finding anything that helps me understand.
Re: EAP logging
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
> On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
> Thanks Alan,
>
>> Your reference is wrong/unknown, which means that there's a noop. This means no operation, which means no fticks output.
>
> This brings me back to my earlier question: what values are available where, and when, via which mechanism?
>
> I think I still don't fully understand how modules hang together, how I pass information from e.g. an EAP request into line-log, or, looking at sites-enabled/eap-inner-tunnel, how I tell f_ticks (or linelog, or any other modules for that matter) which values I'd like to work with.

Everything becomes an attribute or a variable, and the definitions are mostly at /usr/share/freeradius/dictionary.freeradius.internal, and you can also define your own attributes in /etc/freeradius/dictionary. I use this to get time in a format similar to syslog by having a variable My-Local-Time and calling an exec module with the date command and assigning the result to this variable, which I can then reference in my linelog.

The only way I found to get what I need is to define a linelog, write there the variables I hope will have what I'm looking for, call that linelog from some part of the server configuration, and just run my clients against it and see what happens.

For the username you can use outer.request:User-Name in the inner-tunnel, which should reference the outer tunnel User-Name. User-Name in the inner-tunnel should be the inner EAP username. Also the attribute named Inner-Tunnel-User-Name might have the inner EAP username, but that might be defined only in the post-auth section of the default server.

mk