Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alexey Shildyakov
11.07.2011 15:18 user "Alan DeKok" wrote:
>
>  Users have one password.  You can't authenticate with any one of three
> passwords.  The authentication protocols just don't work that way.
>
I think Bastien means this:
1. Start server, user has password "password123".
2. Authentication successful.
3. Change password in MySQL to "blabla" without restarting the server.
4. Authentication failed.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAP Auth fail, password cache ?

2011-07-11 Thread Alexey Shildyakov
11.07.2011 15:06 user "Alan DeKok" wrote:
>
> Bastien Semene wrote:
> > I'm currently - trying to - set up a radius server.
> > The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
> >
> > During my tests, for the same user I used "test" password, then "blabla"
> > password.
> > Now, I use "blabla" and it's not working. instead "test" is still
> > working ...
> > I tested with a third string ("ahaha") , there's a third error output...
>
>  I have no idea what that means.

I think he means that only the first password works. The second and third
versions of the password for the same user don't work.
>
> > I tried restarting radiusd and the jail it's running into, this does
> > changes nothing.
> > All this commands/outputs are from the same running server (I mean no
> > reboot).
> >
> > How can this happen
>
>  The server reads it's configuration files only when it starts.  If you
> edit the configuration files, you will need to restart the server.

But does it apply to MySQL too? I think I don't need to restart the server in
the case of MySQL, because the server does a SELECT from MySQL each time, doesn't it?
>
>  Alan DeKok.
>

Re: Mac-Auth

2011-07-07 Thread Alexey Shildyakov
I'm not sure about FreeRADIUS, but for this scheme we use a server with
MAC learning disabled and a static MAC table. If you don't have
server support for this, try to do it in the switches, but the static MAC table
is limited to some value less than 3000, I think. If you have several
suitable routers and you know that clients don't move between them, you
could set the static MAC table to a part of the 3000 for every switch. In
sum it may be 3000 and may meet the static MAC table limit requirement.

2011/7/8 Paulo Maia :
> I don't want to enable 802.1x auth in the clients because I have over 3000
> computers and I don't have AD to set a GPO in all clients. But I
> do have all MAC addresses. I don't know if I'm going the wrong way here.
>
> Thanks ,
>
> On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia  wrote:
>>
>> Ok guys thanks .
>> One other question though: I have configured RADIUS settings in the
>> switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests
>> are getting to the RADIUS server OK. But it keeps asking for user/pass auth.
>> Is there a way to authenticate the MAC address without enabling 802.1x
>> in the client computer?
>>
>>
>> On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey 
>> wrote:
>>>
>>> Hi,
>>> >    Hi Guys,
>>> >    Here is the thing, I'm trying to use Mac-Auth. I managed to get it
>>> > working using authorized-macs files, although I need to use a MySQL table
>>> > which I already have with the ssid and mac-address fields, and I need to
>>> > add an operator to expire MACs, because I work at a college campus and
>>> > students' MAC addresses need to expire according to their course period.
>>> > Any ideas?
>>> >    Thanks in advance.
>>>
>>> Put the MAC address in the radcheck table and set an Expiration. Should work
>>> a treat:
>>>
>>> 00-11-22-33-44-55 Expiration := "10 Jul 2011"
>>>
>>>
>>> alan
-- 
Best Regards, Shildyakov Alexey Vladimirovich

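Alan Buxey's suggestion in the quoted reply (a radcheck row carrying an Expiration check item) maps directly onto the MySQL table Paulo already has. The following is an added example, not code from anyone on the list or from FreeRADIUS itself: it uses an in-memory sqlite3 stand-in for the radcheck table (constructed, with only the columns needed here), registers a MAC with an Expiration in the "10 Jul 2011" form from the reply, and reports or purges MACs whose course period has ended. The `Auth-Type := Accept` row is an assumption about how a MAC is accepted without a password; the server enforces Expiration on its own, so the purge is housekeeping only.

```python
import sqlite3
from datetime import date, datetime

# Subset of the FreeRADIUS radcheck table (assumption: only the columns used here).
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""
DATE_FMT = "%d %b %Y"   # the '10 Jul 2011' form used in Alan's example


def open_db():
    """In-memory stand-in for the MySQL backend (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_mac(conn, mac, expires):
    """Register a MAC address that must stop working once `expires` is reached.

    The Expiration row is the one Alan's reply describes; the Auth-Type row is
    an assumption about how the MAC gets accepted without a password."""
    rows = [(mac, "Auth-Type", ":=", "Accept"),
            (mac, "Expiration", ":=", expires.strftime(DATE_FMT))]
    conn.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        rows)


def expired_macs(conn, today):
    """MACs whose Expiration date has been reached, sorted.

    A date with no time is read as midnight, so the server already rejects the
    MAC during the expiry day itself; the same <= comparison is used here."""
    rows = conn.execute(
        "SELECT username, value FROM radcheck WHERE attribute = 'Expiration'"
    ).fetchall()
    return sorted(mac for mac, value in rows
                  if datetime.strptime(value, DATE_FMT).date() <= today)


def purge_expired(conn, today):
    """Housekeeping: drop every radcheck row of each expired MAC.

    Returns how many MACs were removed."""
    gone = expired_macs(conn, today)
    conn.executemany("DELETE FROM radcheck WHERE username = ?",
                     [(mac,) for mac in gone])
    conn.commit()
    return len(gone)


if __name__ == "__main__":
    db = open_db()
    add_mac(db, "00-11-22-33-44-55", date(2011, 7, 10))   # the sample from Alan's reply
    add_mac(db, "00-11-22-33-44-66", date(2012, 6, 30))   # constructed: a later course period
    print("expired on 2011-07-11:", expired_macs(db, date(2011, 7, 11)))
    print("purged:", purge_expired(db, date(2011, 7, 11)))
```

Each course period gets its own expiry date per MAC, so a bulk load from the existing ssid/mac table is one `add_mac` call per row; the purge only tidies the table, because the server rejects the MAC from the Expiration date onward whether or not the rows are deleted.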

Re: Mac-Auth

2011-07-07 Thread Alexey Shildyakov
> Believe me, collecting and managing MAC addresses is not something I
> would wish on anyone.

I don't think so. It's helpful for managing switches, to use for per-port
MAC filtering.
-- 
Best Regards, Shildyakov Alexey Vladimirovich


Re: Make the server certificate from Thawte

2011-07-06 Thread Alexey Shildyakov
> nope.
>
> for private key you need your private key - the one that you made before
> making the CSR for thawte

Yes. Thank you. I was confused because by default FreeRADIUS has the value
"${raddbdir}/certs/cert-srv.pem" here.
>
>
> for certificate file you need the trialThawte file
>
> then for CA file you need a file that contains the Server Intermediate CA 
> and Thawte Test CA Root
> concatenated together
>
> if you use passwords for the private key then you will
> have one

Yes. It's true.

Summing up, here is the algorithm to configure a certificate from a trusted CA:

1. cd /etc/raddb/certs
2. openssl genrsa -des3 -out server.key 2048. Remember the passphrase
you have entered.
3. openssl req -new -key server.key -out server.csr. Write suitable
X.509 attributes.
4. Upload server.csr to your CA (Thawte, Verisign, GeoTrust)
5. Receive the SSL certificate, Secure Server Intermediate CA and CA Root
certificate from the trusted CA.
6. Write the received SSL certificate to the file "server.pem"
7. Write the received Secure Server Intermediate CA and CA Root
certificates, concatenated together, to the file "ca.pem"
8. Set the eap.conf tls section:
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = passphrase_you_entered_while_creating_server.key
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

Is it possible to add these instructions to certs/README so that this
topic doesn't come up again?
-- 
Best Regards, Shildyakov Alexey Vladimirovich


Make the server certificate from Thawte

2011-07-06 Thread Alexey Shildyakov
Hello.
I want to use a certificate from Thawte. First of all I tried to use the
free SSL certificate from Thawte. I received 3 certificates in
PEM format: my Thawte trial SSL certificate, Thawte Trial Secure
Server Intermediate CA and Thawte Test CA Root certificate, in the format:
-----BEGIN CERTIFICATE-----
text here
-----END CERTIFICATE-----

I made .pem files from them with no newline at the end of the file. The eap.conf is:
private_key_password = (empty, because there is no password in the certificates)
private_key_file = ${certdir}/trialThawte.pem
certificate_file = ${certdir}/trialThawteCA.pem

radiusd -X
rlm_eap: SSL error error:0906D06C:PEM routines:PEM_read_bio:no start line
rlm_eap_tls: Error reading private key file /etc/raddb/certs/trialThawte.pem
rlm_eap: Failed to initialize type tls

I tried to make the .pem with the following commands (server.key and server.csr
were used as input to make the Thawte certificate; server.crt is the received
Thawte certificate):
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:1234 -passout pass:1234
unable to load private key
139734217189032:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:467:
139734217189032:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:pem_lib.c:476:
openssl pkcs12 -in server.crt -out server.pem -passin pass:12345 -passout pass:12345
140259536533160:error:0D0680A8:asn1 encoding
routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140259536533160:error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS12

I am confused by the following:
1. there are no passwords in the received Thawte certificates
2. Root CA and Web Server CA
3. a different PEM format is used in RADIUS from the one received from Thawte

What algorithm should be used to make PEM certificate files valid for
FreeRADIUS from these Thawte certificates?

FreeRADIUS Version 2.1.7, for host x86_64-pc-linux-gnu

--
Best Regards, Shildyakov Alexey Vladimirovich

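The two Thawte messages above (the failing eap.conf in this question and the summed-up procedure in the reply) both come down to what each of the three files named in the tls section has to contain. The following checker is an added example, not code from either poster or from FreeRADIUS: using only the Python standard library, it reads the PEM labels in the files given as private_key_file, certificate_file and CA_file and reports the mismatches this thread ran into: a certificate where the private key should be (which OpenSSL reports as "PEM_read_bio:no start line"), a passphrase-protected key with an empty private_key_password, and a CA file that does not hold the intermediate and root certificates concatenated. The file contents in the block are constructed placeholders, not real keys or certificates, and the expected chain length of two is an assumption taken from the Thawte chain described in the question.

```python
import re

# One PEM block: captures its label (CERTIFICATE, RSA PRIVATE KEY, ...) and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_labels(text):
    """Labels of every PEM block in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(text):
    """True when the key needs a passphrase, in either PEM key format."""
    # 'openssl genrsa -des3' writes a traditional key with a Proc-Type header;
    # a PKCS#8 key announces encryption in its BEGIN label instead.
    return ("Proc-Type: 4,ENCRYPTED" in text
            or "BEGIN ENCRYPTED PRIVATE KEY" in text)


def check_tls_files(private_key, certificate, ca_file,
                    private_key_password="", chain_len=2):
    """Return a list of problems with the three files an eap.conf tls section names.

    chain_len is how many CA certificates CA_file should hold; 2 matches the
    intermediate + root pair from the thread (assumption, adjust per CA)."""
    problems = []

    key_labels = pem_labels(private_key)
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        found = ", ".join(key_labels) or "no PEM block"
        problems.append(
            f"private_key_file: no PRIVATE KEY block (found {found}); "
            "OpenSSL reports this as 'PEM_read_bio:no start line'")
    elif key_is_encrypted(private_key) and not private_key_password:
        problems.append(
            "private_key_file is passphrase-protected but private_key_password is empty")

    if "CERTIFICATE" not in pem_labels(certificate):
        problems.append("certificate_file: no CERTIFICATE block")

    ca_count = pem_labels(ca_file).count("CERTIFICATE")
    if ca_count < chain_len:
        problems.append(
            f"CA_file: expected {chain_len} CA certificates concatenated "
            f"(intermediate and root), found {ca_count}")
    return problems


# Constructed placeholder files: the bodies are not real keys or certificates.
CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
            "placeholder-base64\n"
            "-----END CERTIFICATE-----\n")
ENCRYPTED_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
                     "\n"
                     "placeholder-base64\n"
                     "-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "placeholder-base64\n"
                 "-----END RSA PRIVATE KEY-----\n")


def thread_question_config():
    """The layout from the question: both tls files point at certificates, no CA file."""
    return check_tls_files(private_key=CERT_PEM, certificate=CERT_PEM, ca_file="")


def thread_answer_config():
    """The layout from the summed-up reply: server.key, server.pem, ca.pem."""
    return check_tls_files(private_key=ENCRYPTED_KEY_PEM, certificate=CERT_PEM,
                           ca_file=CERT_PEM + CERT_PEM,
                           private_key_password="passphrase_entered_at_genrsa")


if __name__ == "__main__":
    for name, problems in (("question", thread_question_config()),
                           ("answer", thread_answer_config())):
        print(f"{name}: {'ok' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run against the question's layout it reports the two causes of the "Error reading private key file" output (a certificate in private_key_file, no CA chain), and against the reply's layout it reports nothing; it deliberately checks only the PEM framing, so a key that does not match the certificate still has to be confirmed with the usual openssl modulus comparison.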