Re: 802.1X HOWTO (draft)

2004-07-23 Thread Frédéric EVRARD
 On Fri, 23 Jul 2004, Troy Davis wrote:

 Just from a very newbie's point of view, why do you only briefly touch on
 setting up a UNIX client and not a Windows client?


 Since this is going to be a Linux HOWTO, and since I'm only using
 Linux :^)

 If I get the time, I might add a Windows-supplicant section.. But
 not at this point..


If you need it, there are already a lot of HOWTOs on using 802.1x with FreeRADIUS
vs. WinXP/2k supplicants and different EAP methods.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Basic ?

2004-06-21 Thread Frédéric EVRARD
 Before I go jumping off the deep end, what OS would be the best and
 easiest to
 use for Free Radius?

 Fedora Core 2
 FreeBSD
 Debian
 Mandrake
 Or ???

I'm a Linux and FreeRADIUS newbie and I've been using FreeRADIUS for two months
on a Mandrake 9.2; it's not too hard to configure and it works very
well... (802.1x, EAP/MD5/TLS).

Fred.Evrard





Re: freeradius 1.0.0 pre1 segmentation fault with tls

2004-06-18 Thread Frédéric EVRARD
 Hello !

 I've been trying to make freeradius work with EAP-TLS but I have a
 segmentation fault.
 I'm using :
 - freeradius 1.0.0 pre1
 - openssl-SNAP20040613

 when radiusd is launched with the script radiusd.sh, here is what I
 get :

 Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
 Segmentation fault

 I'd be very grateful if anyone could help me.

Look in the configure log to check that everything is OK about linking with the OpenSSL lib.



 Thanks





Re: An Enterasys - Freeradius Question Again

2004-06-09 Thread Frédéric EVRARD
Hi,


 Hi

 We played with the Enterasys E1 Switch and Freeradius to get 802.1x to
 work.

 Now, whenever someone wants to login on a Switchport, the Switch sends a
 Request to the Freeradius-Server.

 We tried different Auth-Types (Local, EAP, CHAP) but none of them worked.
 When a user has Auth-Type = Local and the password matches, the
 Radius-Server returns an authentication success message back to the
 switch, but the switch refuses login anyway.

Could you send the 802.1x config of your switch? (I have the same problem, but
only for the monitoring connection.)


 With Auth-Type = EAP, and the Radius-Server configured for EAP-MD5
 (default freeradius config file), even authentication fails with a
 message like User-Password not expected with EAP-MD5 or something like
 that.


 I suppose, that the switch doesn't like the answer of the radius server
 with the successful authentication in the Auth-Type = Local-case.

Send the radiusd -X log plz?


Fred.EVRARD



Re: An Enterasys - Freeradius Question Again

2004-06-09 Thread Frédéric EVRARD
 On Wednesday 09 June 2004 07:18, Zoltan A. Ori wrote:

 The Auth-Type is dependent on the supplicant not the switch.


 I take that back. The switch is using EAP except for management.

 Management access can be set in the users file.

Hi,

If you don't want to use radius auth for management access, how do you
do it??
Thx

Fred.EVRARD








RE: segmentation fault for eap/tls

2004-06-08 Thread Frédéric EVRARD
 How to restrict that to one version.
 Seems to be I have old OPENSSL on my Linux.
 But I have installed latest openssl.
 Everything went well in configure, make, install and running too. It is
 working fine for EAP/MD5 too.
 But for EAP/TLS core dump is happening.

I had the same problem and Alan is right: you can use FreeRADIUS with EAP/MD5
because it doesn't use OpenSSL. To be sure, look at the log after ./configure; you
will see if there's a problem linking OpenSSL.
(The error message is lost in the middle of the log; it doesn't appear at the end.)

Fred.EVRARD



 Thank you,
 Sathish Challa.
 GRIC Software India Pvt. Ltd., www.GoRemote.com
 Mobile: +91-98451-90676
 Office [Direct]: +91-80 513 80 882

 Server Group's Mission:
 Innovative, open and scalable solutions pioneered proactively with a
 methodical approach and engineering agility to deliver quality solutions
 to
 the Customers and prudent responses to Product Management and other
 decision
 making bodies


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Alan
 DeKok
 Sent: Tuesday, June 08, 2004 6:59 PM
 To: [EMAIL PROTECTED]
 Subject: Re: segmentation fault for eap/tls

 Sergio Sagliocco [EMAIL PROTECTED] wrote:
 try to recompile freeradius with the --noshared option in the configure.
 In my case the problem was solved

   Most likely because you tried to link the server against a different
 version of OpenSSL than you used to build it.

   Alan DeKok.








Re: Help adding users

2004-06-02 Thread Frédéric EVRARD
 Frédéric EVRARD wrote:

Hi group

Is there a guide somewhere on how to add users on FreeRADIUS ??

I'm new to linux, and radius, and need a complete HOWTO on how to add
users.



Here are several HOWTOs for 802.1x/EAP-TLS with WinXP and FreeRADIUS; maybe you
will want to use another EAP method, but I hope they can help you.

http://www.freeradius.org/doc/EAPTLS.pdf
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.missl.cs.umd.edu/wireless/eaptls/


 Do you have any HOWTO for 802.1x/EAP-TLS with Mac OS and FreeRADIUS?

No, sorry.





Re: EAP/TLS win2000

2004-06-02 Thread Frédéric EVRARD
hi Artur,


 hi Frederic


 What you mean is that Win2K is going to take the EAP-Identity value
 from the client certificate, before the EAP-TLS challenge starts??
 I don't think so; it doesn't work like that with Xsupplicant/FreeRADIUS
 and it's not described like this in the RFC.

 no. what i want to say is that you force Windows to use EAP/TLS and it
 gets now the EAP Request Identity message. it has to reply to this
 message and it does need at least one identity for that.

Ok


 Unless you tell
 it to use some other identity (there is a check box you can mark)

I've tried that, but nothing happened.

 it will automatically take the CN out of the installed certificate.

Then I would be able to see the EAP-Identity answer packet with a protocol
viewer, even if the CN value of the client certificate isn't the same as the identity
in the /raddb/users file?

 If there is no certificate (or it is not where it should be, or it is in
 the machine repository but the machine identification is not on, or the
 certificate is invalidated by something like expiration or not available
 root certificate or or or or), well then Windows simply does not have
 any idea what to reply to the Authenticator, does it?

I think the client and root certs are valid, so I'm going to check the
place where they have to be.


 ciao
 artur

Thx very much for your help.
fred



Re: Help adding users

2004-06-01 Thread Frédéric EVRARD
 Hi group

 Is there a guide somewhere on how to add users on FreeRADIUS ??

 I'm new to linux, and radius, and need a complete HOWTO on how to add
 users.

Here are several HOWTOs for 802.1x/EAP-TLS with WinXP and FreeRADIUS; maybe you
will want to use another EAP method, but I hope they can help you.

http://www.freeradius.org/doc/EAPTLS.pdf
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.missl.cs.umd.edu/wireless/eaptls/



 Sorry for the basic question in this forum, but I'm kind of stuck! Because
 so far I discovered it's not only in the etc/raddb/users that one would
 have to add info regarding users, but in several other libs.

 Hope someone can help this student finishing his final paper on
 user authentication

 Jacob




Re: Help in using EAP

2004-06-01 Thread Frédéric EVRARD
 Hi,

 I am using EAP authentication protocol. When I send an access request
 from the NAS to the Radius Server, the server rejects the request.
 Please let me know how to resolve this problem. The log messages of the
 radius server are as follows:

 Log Messages:

 rad_recv: Access-Request packet from host 192.168.112.90:32810, id=0,
 length=69
 Received packet from 192.168.112.90 with invalid Message-Authenticator!
 (Shared secret is incorrect.)

You have to configure the same shared secret on the authenticator/access point
and in the FreeRADIUS /etc/raddb/clients.conf file.

Fred.




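The log above shows the check that produced "invalid Message-Authenticator": the NAS computes HMAC-MD5 over the whole Access-Request keyed with its shared secret (RFC 2869 section 5.14), and the server recomputes it with the secret from clients.conf. As an added example (not code from the list posts or from FreeRADIUS), the Python below builds such a request and verifies it with a matching and a mismatched secret; the secret testing123, the identity bob and the Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)


def attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request carrying a Message-Authenticator (RFC 2869 s5.14).

    The attribute is first inserted as 16 zero octets, the HMAC-MD5 of the whole
    packet is computed with the shared secret as key, and the zeros are replaced.
    """
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    header += request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Recompute the Message-Authenticator with `secret`; False on mismatch or bad framing."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = None
    zeroed = bytearray(packet)
    offset = HEADER_LEN
    while offset < length:
        if offset + 2 > length:
            return False
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[offset + 2:offset + 18]
            # The HMAC was computed with this value zeroed, so zero it again
            zeroed[offset + 2:offset + 18] = bytes(16)
        offset += alen
    if received is None:
        return False  # RFC 3579 requires the attribute when EAP-Message is present
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: a NAS forwards an EAP Identity response for user "bob",
# signed with the shared secret it was configured with.
NAS_SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed; a real NAS uses 16 random octets
# EAP: Code=Response(2), Id=1, Length=8, Type=Identity(1), "bob"
EAP_IDENTITY_RESPONSE = bytes([2, 1, 0, 8, 1]) + b"bob"
REQUEST = build_access_request(
    0,
    REQUEST_AUTHENTICATOR,
    [attr(ATTR_USER_NAME, b"bob"), attr(ATTR_EAP_MESSAGE, EAP_IDENTITY_RESPONSE)],
    NAS_SECRET,
)

if __name__ == "__main__":
    # Server with the right secret in clients.conf vs. a mismatched one
    print("same secret:", verify_message_authenticator(REQUEST, NAS_SECRET))
    print("wrong secret:", verify_message_authenticator(REQUEST, b"wrongsecret"))
```

Because the HMAC covers every attribute, the same check also fails if anything in the request was altered in transit, not only when the secret differs.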


Re: EAP/TLS win2000

2004-06-01 Thread Frédéric EVRARD
Hi Artur,

 hi


 Thx for your help Artur, but I forgot to say my authenticator is a Cisco
 3550 switch, so not a wireless access point. There's something I don't
 understand: with PEAP or EAP-MD5, the Windows 2000 supplicant answers the
 identity request sent by the switch, but with EAP-TLS it stays asleep
 without doing anything... Maybe someone can confirm that there's no
 bug between Windows 2000 and EAP-TLS.
 Thx again.

 that would be quite strange, except of course you did not have the
 client certificates installed at the right place etc. verify that they
 are in the right repository.

I think they are correctly installed, as explained in most HOWTOs, but...


 windows can't ask you anything if you don't have any user certificate.

What you mean is that Win2K is going to take the EAP-Identity value
from the client certificate, before the EAP-TLS challenge starts??
I don't think so; it doesn't work like that with Xsupplicant/FreeRADIUS
and it's not described like this in the RFC.


 ciao
 artur

Thx for your help.
Fred




Re: how to change xp client using peap

2004-05-28 Thread Frédéric EVRARD


 I'm having problems to change the user in windows xp. I tried peap the
 first time with a correct user and everything was fine but now I want to
 do a prove with another user but I'm not prompted anymore to intro a new
 one and it uses the previous one all the time(and I have reconfigured the
 connection with peap again) any idea of how to solve this?
 thaks a lot

There's a checkbox at the bottom of the PEAP properties page, "Activate rapid
reconnection" (I have it in French, I guess that's the right translation);
maybe that can help you.

Fred




 bfr

 - Mensaje original -
 De: Basile Mathieu [EMAIL PROTECTED]
 Fecha: Viernes, Mayo 28, 2004 12:07 pm
 Asunto: peap and xp client









Re: Freeradius + Mysql Issues!

2004-05-28 Thread Frédéric EVRARD
 Hi,

 I was sorry but i really do not know what u trying to say.

 Can expain in more detail.

 apprrciate you can do that.

Use a normal Unix login/password to authenticate on RADIUS; this
password is in /etc/passwd.

Fred



 Alexander

 Alan DeKok [EMAIL PROTECTED] wrote:
 Alexander Khoo wrote:
 auth: type System

 modcall: entering group authenticate for request 0

 modcall[authenticate]: module unix returns notfound for request 0

 What part of that message is unclear? The user wasn't found in
 /etc/passwd.

 Alan DeKok.







Re: clients.conf

2004-05-28 Thread Frédéric EVRARD
 Hi,

 How should I configure the clients.conf if I would like that each nas,
 which want to connect to my Radius can do it.
 Because they have dynamic IP addresses, so I can't set this in the
 clients.conf.

Maybe you can use a hostname and the DNS resolver...


 client 0.0.0.0{
 secret= mysecret } any other attributes?

 Thanks,

 David




Re: xp/2000 does not send the machine certificate

2004-05-28 Thread Frédéric EVRARD
Hi,
Sorry, I can't help you, but maybe you can help me: what answer does your
Windows 2k send to the AP's EAP Request Identity packet?
Thx

Fred


 hi all,

 i'm using freeradius with EAP-TLS and windows clients ( xp/2000). with the
 user certificates i have no problem but with the machine certificate there
 is no tls-handshake.

 i installed the certificate in the local computer store and the
 certificate CN match the FQDN .

 i think the reason is the missing line :Login OK:
 [.   , in my log .

 can somebody tell me why this line is missing?

 thanks in advance,
 jens

 see the log capture below

 rad_recv: Access-Request packet from host 192.168.0.10:1812, id=174,
 length=144
 NAS-IP-Address = 192.168.0.10
 NAS-Port = 50007
 NAS-Port-Type = Ethernet
 User-Name = host/client.radius.local
 Calling-Station-Id = 00-E0-18-62-33-1F
 Service-Type = Framed-User
 Framed-MTU = 1000
 EAP-Message =
 0x0201001d01686f73742f636c69656e742e7261646975732e6c6f63616c
 Message-Authenticator = 0x23cdc59ef3c2670e9fd368b1afb9206c
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 34
   modcall[authorize]: module preprocess returns ok for request 34
   modcall[authorize]: module chap returns noop for request 34
   modcall[authorize]: module mschap returns noop for request 34
 rlm_realm: No '@' in User-Name = host/client.radius.local, looking
 up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 34
   rlm_eap: EAP packet type response id 1 length 29
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 34
 users: Matched DEFAULT at 178
   modcall[authorize]: module files returns ok for request 34
 modcall: group authorize returns updated for request 34
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 34
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module eap returns handled for request 34
 modcall: group authenticate returns handled for request 34
 Sending Access-Challenge of id 174 to 192.168.0.10:1812
 EAP-Message = 0x010200060d20
 Message-Authenticator = 0x
 State = 0x21fd96264794667b3baceda3fb8dcdf7
 Finished request 34
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 34 ID 174 with timestamp 40b73242
 Nothing to do.  Sleeping until we see a request





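As an added example (not part of the original post), here is a small decoder for the two EAP-Message values in the radiusd -X log above: the EAP header per RFC 3748 and, for type 13, the EAP-TLS flag octet per RFC 2716. Running it shows that the supplicant's Identity response carries host/client.radius.local and that the server's reply is an EAP-TLS Start with no TLS data, which matches the "Start returned 1" line.

```python
import struct

# EAP codes (RFC 3748) and the EAP types commonly seen on 802.1x networks
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP"}

# EAP-TLS flag bits in the first octet after the Type (RFC 2716 section 4.1)
TLS_FLAG_LENGTH_INCLUDED = 0x80
TLS_FLAG_MORE_FRAGMENTS = 0x40
TLS_FLAG_START = 0x20


def from_debug_hex(text):
    """Turn the '0x...' value printed by radiusd -X for EAP-Message into bytes."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def parse_eap(data):
    """Decode one EAP packet; raises ValueError on a malformed header or length."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} octets")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code not in (1, 2):
        return info  # Success/Failure carry no Type field
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    etype = data[4]
    payload = data[5:]
    info["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
    if etype == 1:
        # Identity: the rest of the packet is the identity string the supplicant sent
        info["identity"] = payload.decode("utf-8", errors="replace")
    elif etype == 13:
        if not payload:
            raise ValueError("EAP-TLS packet without a flags octet")
        flags = payload[0]
        info["tls_flags"] = {
            "length_included": bool(flags & TLS_FLAG_LENGTH_INCLUDED),
            "more_fragments": bool(flags & TLS_FLAG_MORE_FRAGMENTS),
            "start": bool(flags & TLS_FLAG_START),
        }
        tls_data = payload[1:]
        if flags & TLS_FLAG_LENGTH_INCLUDED:
            # With the L bit set, four octets give the total length of the TLS message
            if len(tls_data) < 4:
                raise ValueError("L flag set but no TLS Message Length field")
            info["tls_message_length"] = struct.unpack("!I", tls_data[:4])[0]
            tls_data = tls_data[4:]
        info["tls_data"] = tls_data
    return info


# The two EAP-Message values from the radiusd -X log quoted above
SUPPLICANT_IDENTITY = "0x0201001d01686f73742f636c69656e742e7261646975732e6c6f63616c"
SERVER_TLS_START = "0x010200060d20"

if __name__ == "__main__":
    for label, value in (("supplicant", SUPPLICANT_IDENTITY), ("server", SERVER_TLS_START)):
        print(label, parse_eap(from_debug_hex(value)))
```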


Re: Help to a student on final exam paper

2004-05-28 Thread Frédéric EVRARD
 Hi group

 Im new to linux and RADIUS and have a few questions regarding configuring
 my
 radius server

 I have installed Cistron Radius 1.6.6 on my redhat 9.0 machine. My goal is
 to authenticate all users on a wireless 802.1x network, and here are the
 specs.

 Router: 10.10.0.1
 Gateway(Clark Connect)/ Cistron radius server:
 ExternalEth0 10.10.0.101  DHCP
 Lan   Eth1192.168.1.1  Static

 Access point ( Zyxel Zyair - Not transparent)
 Wan: 192.168.1.2
 Lan: 192.168.2.1

 Users on the LAN side of the access point are given a static IP address, and
 my
 sole aim is to authenticate these users when they log on to the internet.
 I have installed the radius server, almost successfully, but no prompt
 appears
 when logging on to the internet ?? The clients simply log on to the
 internet, without being prompted for a user/pass.
 Here are some tests, configs from the radius server:

 Raddb/users file :



 Sumsar   Password=Beatles, Simultaneous-Use =1, Expiration_Jan
 01
 2020

   Service-Type = Framed-User,

   Framed-Protocol = PPP,

   Framed-IP-Address = 255.255.255.254,

   Framed-Routing = None



 DEFAULT Auth-Type = System

   Fall-Through = 1



 Radtest



 radtest sumsar Beatles localhost 0 testing123

 radrecv: Packet from host 127.0.0.1 code=2, id=106, length=44



 What is wrong, I urgently need help resolving this, PLZ comment if u need
 further information regarding the configs on the radius server, but plz
 keep
 in mind that I'm new to linux and radius.
 Will I need to install anything on the clients to make radius
 authentication
 work ?

Don't forget the supplicant: Xsupplicant on Linux, or the native one in WinXP. In
802.1x you need three elements: supplicant, authenticator and RADIUS
SERVER.
Look at RFC 3580.



 A guide to where i need to
 reconfigure is high on my wishlist !

 Hope u can help me



 Jacob Clausen

 Denmark







Re: Freeradius - Enterasys E1 802.1x Authentication HOWTO

2004-05-27 Thread Frédéric EVRARD
 Hi

 I'm a student in computer sciences. In our network security class we are
 trying to get the 802.1x (dot1x) features of an Enterasys E1 Switch
 running with a freeradius server.

Hi, I'm using 802.1x on an Enterasys switch and it works, so look at:
http://www.enterasys.com/support/manuals/hardware/3755_12.pdf, and go to
the chapter Security Configuration.

BE CAREFUL when enabling 802.1x/EAPOL: it activates by default, and without
confirmation, on ALL SWITCH PORTS. Before enabling 802.1x, you have to
set up all ports with FORCED AUTHORIZED MODE, and only set AUTO mode on the
ports you need once you are sure that you can connect to manage your
switch.

By default, it activates RADIUS authentication on the serial port too, but
it doesn't work well, and I haven't found yet how to use or change that; my
switch is in production so I can't do what I want. So if you can't connect
on the serial port, you have to stop your FreeRADIUS server, or cut the
connection between them. Then there's a timeout which allows classical password
authentication.

I don't want to troll, but I think 802.1x on Enterasys is not well
designed; it's very easy to make a very big mistake.

In the hope that this can help you; I'd be interested in feedback about your
work, thx.

Fred



 Unfortunately Enterasys is not very talkative about this on their webpage.

 Does anyone know of an HOWTO or tutorial about this issue?

 Any help is kindly appreciated.


 Thanks

 Manuel Stadelmann








EAP/TLS win2000

2004-05-27 Thread Frédéric EVRARD

Hi all,
I'm using 802.1x/EAP-TLS on FreeRADIUS; it works fine with the Linux
Xsupplicant but not with the Win2000 supplicant: when the supplicant receives the EAP
Request Identity packet, it doesn't answer anything and nothing
happens... There are no logs, or I don't know where to find them. I've read several
HOWTOs but nothing helps me. If someone has the solution, THX.

Fred



Re: PEAP vs EAP/TLS

2004-05-26 Thread Frédéric EVRARD
 One doubt, basically the operation between server and AP is the same in
 EAP/TLS and PEAP but for the fact that in the former the user has a cert
 and in the latter a screen should be prompted for the user to introduce
 its login and passw so the RADIUS must check them in the users file?

I don't know for PEAP, but with EAP-TLS you just need the password for the
key of the client certificate on the supplicant, and the password for the key
of the server certificate on the FreeRADIUS server. But these passwords
don't go through the network. (And you need the root/CA certificate on each
side, of course.)
Then on Linux Xsupplicant you can put the password in your TLS config file,
so the connection is automatic. On Windows maybe you have a prompt for the
password at each connection; I'm actually working on it.
I hope I haven't made a mistake and that this can help you.

Fred

 sorry for the basic question but I'm not able to get the prompt for my
 user and I'm trying to discard any basic mistake in concepts

 thanks

 bfr



 isn't it?
 - Mensaje original -
 De: BLANCA FERRERO RODRIGUEZ [EMAIL PROTECTED]
 Fecha: Martes, Mayo 25, 2004 8:45 am
 Asunto: Re: peap user


   I'm configuring PEAP. I think the freeradius config is Ok.
  ...
   modcall: group authorize returns updated for request 0
 rad_check_password:  Found Auth-Type Reject
 rad_check_password: Auth-Type = Reject, rejecting user
 
   Nope, it's not.
 
   Alan DeKok.
 

 I think that message comes because the user sent by my AP to the
 radius is not in my users file, and it matches a default user I
 added with Auth-Type = reject... but it makes sense doesn't it?


 bfr









Re: Enabling EAP-MD5 authentication

2004-05-19 Thread Frédéric EVRARD
 Hi,

 How can I enable EAP-MD5 authentication in the free radius server.

You have to configure the .../raddb/users file with Auth-Type = EAP.
Try to be more precise.

Fred


 Regards,
 Barath Kumar.







Re: eap.cnf

2004-05-14 Thread Frédéric EVRARD

 usually it's called 'eap.conf' and it is in the raddb dir.


 I have already searched in that dir but I find no eap.conf!! I'm using
 freeradius 0.9.3; does it support PEAP?

Download the latest CVS snapshot to have the EAP config separately in eap.conf
and no longer in radiusd.conf.

Fred


 thanks

 bfr







Re: libssl problems

2004-05-10 Thread Frédéric EVRARD



 Hello,

 I am trying to compile SNAPSHOT-20040113 and SNAPSHOT-2004507 to work
 with EAP-PEAP.
 I have installed openssl with the argument --prefix=/usr/local.

 Then, i try to configure freeradius:
  #configure --with-openssl-includes=/usr/local/include/openssl
 --with-openssl-libraries=/usr/local/openssl/lib
 I have also tried with the option --disable-shared , but i have the same
 result.

 The configure process tells me that the modules that use libssl aren't
 going to be built, because it doesn't find libssl.

 Where is the error?

I had almost the same problem, and after installing openssl I had to
install openssl-devel to use libssl.

Hope it helps you.

Fred



 Thanks you.

 Omar.




Re: openssl

2004-05-06 Thread Frédéric EVRARD

 I'm a newbie too and I use Mdk9.2 and freeradius snapshot 22-004-2004, then
 I use the slocate command to find the files I need. I install all needed
 software from /usr/local/ and I add /usr/local/bin and /usr/local/sbin to my
 $PATH, then it works... maybe it can help you

 Sorry Fred but in which $PATh do you include those directories? which
 version are you using of openssl. I'm trying with openssl0.9.7beta3 and it
 gives errors while compiling.
 thanks

 Bfr

As I have said before, I'm a newbie, but I'm using openssl 0.9.7d because
it's needed by the 802.1x supplicant, and like you I had the classical Linux
dependency installation problems; I suggest you use package installation
utilities, like apt-get or rpm.
Can you give the exact error messages the system returns while compiling? But I
think the best for you is to post on a Linux or OpenSSL mailing list, and
come back to the radius list when this first step is passed.

Good luck
Fred






 Fred.
 
  thanks a lot, I'm not LINUX administrator so I'm a bit lost with
 these issues.
 
 
  bfr
 
 




EAP-TLS

2004-05-06 Thread Frédéric EVRARD
Hello all,

I'm working on 802.1x with EAP-MD5 to start; it works very well.
Now I need to use EAP-TLS. So I left the default config to test and I just
changed default_eap_type = MD5 to default_eap_type = tls, and I uncommented the tls
attributes in the eap.conf file.
When I start radiusd -X I get no radius error but a segmentation fault and
core dump.
Maybe is there something to do with rlm_eap_tls before compiling?
I'm using snapshot 20040422.
If someone has an idea to help me...
Thx a lot.

Fred.



Re: Vendor Specific Problem

2004-05-06 Thread Frédéric EVRARD
 Hello,

 i want to create a new dictionary to handle new attributes.
 First of all i create a new file called dictionary.mine containing the
 following lines:

 VENDOR  Mine 4113

 ATTRIBUTE   VLANid  22  string  Mine

Why do you need this new attribute? There are already standard attributes to
assign a VLAN:

Tunnel-Type = VLAN
Tunnel-Medium-Type = 802 (6)
Tunnel-Private-Group-ID = VLAN NAME

Maybe that can help you.

Fred


 then i added in the users file the line:

 user  Auth-Type := EAP
  Reply-Message = Hi,
  VLANid = student

 My problem is that when i capture the radius packet with ethereal i read

 Vendor:Undefined(4113)
   t:Unknown Type(22)  Value:Unknown Value Type

 So... what am i doing wrong?

 Thank you!






Re: EAP-TLS

2004-05-06 Thread Frédéric EVRARD
Thanks Htin and Giulio for your answers. With your advice, I looked in
configure.log and I saw an error with openssl: I didn't have
openssl-devel. After installing it and compiling freeradius again, the segmentation
fault error disappeared.
Thx again.

Fred


 Hello all,

 I'm working on 802.1x with EAP-MD5 to start, it works very fine.
 Now I need to use EAP-TLS. Then I let default config to test
 and I just
 change default_eap_type = MD5 to default_eap_type = tls, I
 uncomment tls
 attributes in eap.conf file.
 When I start radiusd -X I've no radius error but a
 segmentation fault and
 core dump.

 segfaults are typically an openssl problem. Maybe you have recompiled
 openssl (and installed it in, say, /usr/local/openssl), but freeradius
 picks libraries from other places (i.e. /usr/lib).
 My hint is: compile freeradius with these options:
 --with-openssl-includes=/path/to/openssl/include
 --with-openssl-libraries=/path/to/openssl/lib
 --disable-shared

 In this way freeradius links the openssl libraries once (during compilation).

 Hope this helps.

 gc


 --
 Giulio Casella [EMAIL PROTECTED]
 System and network manager
 Computer Science Dept. - University of Milano








Re: one issue

2004-05-06 Thread Frédéric EVRARD
 Hi,
 I run supplicant against freeradius with
 authentication type MD5. After that I wanted to run
 supplicant against freeradius for authentication type
 TLS. but for TLS I am getting the following error:


 I used the following command:

 # radiusd -X

 rlm_eap: Failed to link EAP-Type/tls: file not found
 radiusd.conf[66]: eap: Module instantiation failed.

If you are using a snapshot of freeradius, don't forget to configure the
/raddb/eap.conf file. There are default certificates in /raddb/certs/
which are useful for testing.

Fred





Re: openssl

2004-05-05 Thread Frédéric EVRARD
 I'm using this HOWTO

 http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

 to configure eap/tls over freeradius. I'm trying to install openssl as
 it's explained there but when I have to verify the sym link between some
 files I'm not very sure about how to do this. Should the linked files be
 in the lib directory where I've installed openssl (/usr/local/...)?if that
 is the case they're not there,
 or should I check the Makefile to see that there is a line with the link?

I'm a newbie too and I use Mdk9.2 and freeradius snapshot 22-004-2004, then
I use the slocate command to find the files I need. I install all needed
software from /usr/local/ and I add /usr/local/bin and /usr/local/sbin to my
$PATH, then it works... maybe it can help you

Fred.

 thanks a lot, I'm not LINUX administrator so I'm a bit lost with these
 issues.


 bfr







Filter-Id attribute

2004-04-29 Thread Frédéric EVRARD
Hello all,

In an 802.1x configuration, I need to use VLAN assignment on an Enterasys switch
from the FreeRADIUS server, and Enterasys doesn't accept standard attributes
like Tunnel-Type etc...
So I have to use the Filter-Id attribute in the users file:

Filter-ID = Enterasys:Version=1:policy=nameofpolicy

Do I have a VALUE to add in a dictionary file for the ATTRIBUTE Filter-Id??

Thx for your help.

Fred.



Re: Log problems

2004-04-27 Thread Frédéric EVRARD
 Anyone have any idea why authentication info would not be going into the
 radius.log file?

Put the parameters log_auth=yes, log_auth_badpass=yes and
log_auth_goodpass=yes in ../raddb/radiusd.conf if you need them. These three
parameters are "no" by default.
These logs are in ../var/log/radius/radact/auth-detail-[date].log


 Each time the server starts it logs each server starting but after that no
 authentication info gets logged and it was working prior to a restart of
 the
 system now it does not.

 I have double checked the logs to make sure it was set to write
 authentication info to the radius log file and even restored a valid
 backup
 of the radius.conf file that was working.

 I have run check-radius-config to check the radius.conf file stops saying
 there is another server running on port 3726... but there is no other
 server
 running that i can find using ps.

Don't forget to clean ../var/run/radiusd/radiusd.pid



 Any other ways of checking whats running on a specific port? This is a
 linux
 system.

look in /etc/services.. maybe it can help you ...


 Would be glad to post any other info needed.

 Thanks.

 P.S. I am not asking anyone to do any of the work for me just point me in
 a
 direction that I have not already checked.








Re: Open ports over firewall

2004-04-27 Thread Frédéric EVRARD
 Hi everybody,
 I'm running Freeradius on my RedHat server. Which OUTPUT ports should I
 leave open for freeradius?
 For accounting i leave udp 1812-13 open in INPUT and OUTPUT, I receive
 authentication requests but then my auth replies are blocked by firewall.
 Any help on this?

 thx

 Gabriele

Hello,
Maybe your NAS listens on the old 1645 port, but if RADIUS receives requests from
it, RADIUS has to know which destination port to send the answer
packets to...??

Fred





Re: Ports mismatch between config and debug messages

2004-04-19 Thread Frédéric EVRARD
 Hi,

 Running freeradius -x, we get the following:
 ...
 Listening on authentication x.x.x.x:1812
 Listening on accounting x.x.x.x:1813
 Ready to process requests.
 rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84, length=461
 ...
 Sending Accounting-Response of id 84 to y.y.y.y:1646


 In radiusd.conf:
 port = 1812

 In /etc/services:
 datametrics 1645/tcp    old-radius
 datametrics 1645/udp    old-radius
 sa-msg-port 1646/tcp    old-radacct
 sa-msg-port 1646/udp    old-radacct

 radius      1812/tcp
 radius      1812/udp
 radius-acct 1813/tcp    radacct     # Radius Accounting
 radius-acct 1813/udp    radacct


 What's wrong, our config or is it just the output?


 Regards,
 Pascal


If I have understood the doc about radiusd.conf: if you write port=1812,
freeradius doesn't use /etc/services. Try to leave the default value port=0;
then Freeradius will read /etc/services. Maybe that could help you.

Fred



Re: Ports mismatch between config and debug messages

2004-04-19 Thread Frédéric EVRARD
 Hi,

 Running freeradius -x, we get the following:
 ...
 Listening on authentication x.x.x.x:1812
 Listening on accounting x.x.x.x:1813
 Ready to process requests.
 rad_recv: Accounting-Request packet from host y.y.y.y:1646, id=84, length=461
 ...
 Sending Accounting-Response of id 84 to y.y.y.y:1646


 In radiusd.conf:
 port = 1812

 In /etc/services:
 datametrics 1645/tcp    old-radius
 datametrics 1645/udp    old-radius
 sa-msg-port 1646/tcp    old-radacct
 sa-msg-port 1646/udp    old-radacct

 radius      1812/tcp
 radius      1812/udp
 radius-acct 1813/tcp    radacct     # Radius Accounting
 radius-acct 1813/udp    radacct


 What's wrong, our config or is it just the output?


 Regards,
 Pascal


 If I have understood the doc about radiusd.conf: if you write port=1812,
 freeradius doesn't use /etc/services. Try to leave the default value port=0;
 then Freeradius will read /etc/services. Maybe that could help you.

 Fred

I add something to my answer: your NAS uses the old port to talk to
radius (1645), and your radius uses the new one (1812). Configure your radius and
your NAS to talk on the same port.





Re: eap output?

2004-04-16 Thread Frédéric EVRARD
 hi all,

 I am trying to authenticate users via EAP-MD5, just for testing purposes. I
 use the WinXP supplicant (I know that after SP1 they don't support MD5).

 I ran the radius server in debug mode. Here is the output.

 rad_recv: Access-Request packet from host 193.140.193.133:1084, id=43, length=176
 User-Name = onur
 Cisco-AVPair = ssid=deneme1
 NAS-IP-Address = 193.140.193.133
 Called-Station-Id = 00409658c568
 Calling-Station-Id = 00601d23ac50
 NAS-Identifier = mobile1.mast.boun.edu.tr
 NAS-Port = 37
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 Service-Type = Authenticate-Only
 EAP-Message =
 0x0276001a04105039fc16b3f07964ed389fdcb541b3d86f6e7572
 Message-Authenticator = 0x331a683c47109fa7665f3af45a3b83ff
 modcall: entering group authorize
   modcall[authorize]: module preprocess returns ok
   rlm_eap: EAP packet type notification id 118 length 26
   rlm_eap: EAP Start not found
   modcall[authorize]: module eap returns updated
 users: Matched onur at 9
   modcall[authorize]: module files returns ok
 modcall: group authorize returns updated
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
 modcall: entering group authenticate
   rlm_eap: EAP packet type notification id 118 length 26
   rlm_eap: EAP Start not found
   rlm_eap: NO State Attribute found: Cannot match EAP packet to any existing conversation.
   modcall[authenticate]: module eap returns invalid
 modcall: group authenticate returns invalid
 auth: Failed to validate the user.
 Delaying request 54 for 1 seconds
 Finished request 54
 Going to the next request
 Waking up in 6 seconds...
 rad_recv: Access-Request packet from host 193.140.193.133:1084, id=43, length=176
 Sending Access-Reject of id 43 to 193.140.193.133:1084
 Reply-Message = boo-3
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Cleaning up request 52 ID 41 with timestamp 407f0c20
 Cleaning up request 53 ID 42 with timestamp 407f0c20
 Cleaning up request 54 ID 43 with timestamp 407f0c20
 Nothing to do.  Sleeping until we see a request.

 I am using a Cisco AP 350 and WaveLAN cards. The user is defined but I cannot
 figure out where the problem is. In the users file I set the reply message
 to boo-3, so I think it figures out the username/password correctly. And I have
 no idea what
 rlm_eap: EAP Start not found
   rlm_eap: NO State Attribute found: Cannot match EAP packet to any existing conversation.
 means...


 thanks in advance
 onur simsek

 ps: the config file
  V
 *
 ##
 ## radiusd.conf   -- FreeRADIUS server configuration file.
 ##
 prefix = /usr
 exec_prefix = /usr
 sysconfdir = /etc
 localstatedir = /var
 sbindir = /usr/sbin
 logdir = ${localstatedir}/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct

 #  Location of config and logfiles.
 confdir = ${raddbdir}
 run_dir = ${localstatedir}/run/radiusd
 log_file = ${logdir}/radius.log
 libdir = /usr/lib
 pidfile = ${run_dir}/radiusd.pid
 user = radiusd
 group = radiusd
 max_request_time = 30
 delete_blocked_requests = no
 cleanup_delay = 5
 max_requests = 1024
 bind_address = *
 port = 0
 hostname_lookups = no
 allow_core_dumps = no
 regular_expressions   = yes
 extended_expressions  = yes
 log_stripped_names = no
 log_auth = no
 log_auth_badpass = yes
 log_auth_goodpass = yes
 usercollide = no
 lower_user = no
 lower_pass = no
 nospace_user = no
 nospace_pass = no
 checkrad = ${sbindir}/checkrad
 security {
   max_attributes = 200
   reject_delay = 1
   status_server = no
 }
 proxy_requests  = yes
 $INCLUDE  ${confdir}/proxy.conf
 $INCLUDE  ${confdir}/clients.conf
 snmp  = no
 $INCLUDE  ${confdir}/snmp.conf
 thread pool {
   start_servers = 5
   max_servers = 32
   min_spare_servers = 3
   max_spare_servers = 10
   max_requests_per_server = 0
 }
 modules {
   pap {
   encryption_scheme = crypt
   }
   chap {
   authtype = CHAP
   }
   pam {
   pam_auth = radiusd
   }
   unix {
   cache = no
   cache_reload = 600
   shadow = /etc/shadow
   radwtmp = ${logdir}/radwtmp
   }
   eap {

   md5 {
   }
   }
   mschap {
   authtype = MS-CHAP
   }
   ldap {
   server = ldap.your.domain
   basedn = o=My Org,c=UA
   filter = (uid=%{Stripped-User-Name:-%{User-Name}})
   start_tls = no
   access_attr = dialupAccess
   dictionary_mapping = ${raddbdir}/ldap.attrmap

   ldap_connections_number = 5
 (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))