Segmentation fault when using Odyssey Client
If I select EAP-TTLS and use only my certificate for auth, it will cause a segmentation fault. Others seem OK.

Debug info:

rad_recv: Access-Request packet from host 192.168.200.57:32785, id=95, length=325
        User-Name = "bbb"
        NAS-IP-Address = 192.168.200.57
        NAS-Identifier = "auth_test"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-02-E6-90:auth-wpa2-tkip-8021x"
        Calling-Station-Id = "00-1D-7E-03-2B-CF"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x02150090158000861603010046104200400d423029041904e4b654b0384c78b56d7490853af607b909c2f54fc376bebac512ebfb7663e9ee2fc7320d175037da31f09e90ad986d539d519d6ef6c39f577914030100010116030100302027f914730434165f520dc31734211631a5c96402b0ddabaf4d815209d07bb6c0f2817ed3a2233822587288715beab6
        State = 0x4f6739def5f0e9f45fd60479253cc3cd
        Message-Authenticator = 0xe06aac6aeeefc91f7920fd60b05ea9ab
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "chap" returns noop for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "bbb", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: EAP packet type response id 21 length 144
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bbb
radius_xlat: '(uid=bbb)'
radius_xlat: 'ou=radius,dc=bestgo,dc=aero'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=radius,dc=bestgo,dc=aero, with filter (uid=bbb)
rlm_ldap: checking if remote access for bbb is allowed by uid
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "1234"
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusTunnelPrivateGroupId as Tunnel-Private-Group-Id:0 = "1"
rlm_ldap: Adding radiusTunnelMediumType as Tunnel-Medium-Type:0 = IPv4
rlm_ldap: Adding radiusTunnelType as Tunnel-Type:0 = GRE
rlm_ldap: user bbb authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 9
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 9
modcall: leaving group authenticate (returns handled) for request 9
Sending Access-Challenge of id 95 to 192.168.200.57 port 32785
        Tunnel-Private-Group-Id:0 = "1"
        Tunnel-Medium-Type:0 = IPv4
        Tunnel-Type:0 = GRE
        EAP-Message = 0x011600451580003b1403010001011603010030b081e94e6f9087f3c237216ab3fd9d65fc8311b18e37e66208369fb451d373695f16b167d85e80c870295da3d2f21cf4
        Message-Authenticator = 0x
        State = 0x10aabdcc7ef9ba295475b0706b6e070c
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.200.57:32785, id=96, length=187
        User-Name = "bbb"
        NAS-IP-Address = 192.168.200.57
        NAS-Identifier = "auth_test"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-02-E6-90:auth-wpa2-tkip-8021x"
        Calling-Station-Id = "00-1D-7E-03-2B-CF"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
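The EAP-Message values in debug output like the above are opaque hex, and the rlm_eap / rlm_eap_tls lines only summarise them. The decoder below is an added example (not code from this thread or from FreeRADIUS) that extracts those values from radiusd -X text, unpacks the EAP header and, for EAP-TLS/TTLS/PEAP, the flags byte and TLS record headers, and flags a value whose declared EAP length does not match the bytes present; the sample lines are copied from posts on this page, one of which lost bytes in the archive.

```python
"""Decoder for the EAP-Message attribute values that radiusd -X prints.

Added example, not code from the thread or from FreeRADIUS. It pulls the
hex values out of debug text and unpacks the EAP header (code, id, length,
type); for EAP-TLS / EAP-TTLS / PEAP it also reads the flags byte and the
TLS record headers, which is what the rlm_eap_tls "<<< TLS 1.0 ..." lines
summarise. A value whose declared length does not match the bytes present
is flagged rather than trusted.
"""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "NAK", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 17: "LEAP", 21: "TTLS", 25: "PEAP",
             26: "MSCHAPv2", 43: "FAST"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2"}
EAP_MSG_RE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")


def tls_record_headers(data):
    """Walk the 5-byte TLS record headers in a byte string.

    Only headers are read: after ChangeCipherSpec the Finished message and
    every later record are encrypted, so there is nothing more to parse."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        records.append({
            "type": TLS_CONTENT.get(ctype, str(ctype)),
            "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
            "length": length,
            # True when the record body runs past the bytes we were given
            "truncated": pos + 5 + length > len(data),
        })
        pos += 5 + length
    return records


def decode_eap_message(hexvalue):
    """Decode one EAP-Message value ("0x..." as printed by radiusd)."""
    raw = bytes.fromhex(hexvalue[2:] if hexvalue[:2].lower() == "0x" else hexvalue)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, str(code)), "id": ident,
            "length": length, "actual_length": len(raw),
            "length_ok": length == len(raw)}
    if code in (3, 4) or len(raw) < 5:       # Success/Failure carry no type
        return info
    eap_type = raw[4]
    info["type"] = EAP_TYPES.get(eap_type, str(eap_type))
    payload = raw[5:]
    if eap_type == 1:                        # Identity: the outer user name
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type == 3:                      # NAK: types the peer wants instead
        info["nak_types"] = list(payload)
    elif eap_type in (13, 21, 25) and payload:
        flags = payload[0]                   # L = length included, M = more, S = start
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20), "version": flags & 0x07}
        tls = payload[1:]
        if flags & 0x80:                     # 4-byte total TLS length follows the flags
            info["tls_total_length"] = struct.unpack("!I", tls[:4])[0] if len(tls) >= 4 else None
            tls = tls[4:]
        info["tls_records"] = tls_record_headers(tls)
    return info


def describe(info):
    """One-line summary in the spirit of the rlm_eap / rlm_eap_tls log lines."""
    parts = [f"EAP {info['code']} id {info['id']} length {info['length']}"]
    if not info["length_ok"]:
        parts.append(f"(only {info['actual_length']} bytes present)")
    if "type" in info:
        parts.append(f"type {info['type']}")
    if "identity" in info:
        parts.append(f"identity {info['identity']!r}")
    if "flags" in info:
        parts.append("flags " + ("".join(f for f in "LMS" if info["flags"][f]) or "-"))
        for rec in info["tls_records"]:
            parts.append(f"{rec['version']} {rec['type']} [length {rec['length']:04x}]")
    return " ".join(parts)


def decode_debug_log(text):
    """Decode every EAP-Message value found in a block of radiusd -X output."""
    return [decode_eap_message(m.group(1)) for m in EAP_MSG_RE.finditer(text)]


# Attribute lines copied from the debug output quoted in the posts on this page.
# The archive text of the fourth value lost some zero bytes, so its declared
# length (57) no longer matches what is present; the decoder reports that.
SAMPLE_DEBUG = """\
        EAP-Message = 0x0224000e0148485c686865313233
        EAP-Message = 0x020500061900
        EAP-Message = 0x0209002b1900170301002040c3edccfa02df3abe7e25e10b19562d21e7cb9ae131741e2072d61ea88ada83
        EAP-Message = 0x020a00391980002f14030100010116030100248393f1d6391a86ab0605df998e0336f7c651a560328bf621b1ddebbfad332d8ea8796c49
        EAP-Message = 0x03090004
"""

if __name__ == "__main__":
    for info in decode_debug_log(SAMPLE_DEBUG):
        print(describe(info))
```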
RE: freeRADIUS+samba3.0.1+AD(multiple domains)
Great news! We are using krb5-1.3.2 and samba-3.0.1. Do these 2 versions support multiple domains? Can you give me some example of how to configure krb5.conf and smb.conf? Thanks.

John

Joe Vieira <[EMAIL PROTECTED]> wrote:

>> But there are multiple domains in active-directory. How to configure
>> freeRADIUS or samba can let it support multiple domains?
> FreeRADIUS just used Samba to do authentication with AD. The winbind
> && ntlm_auth API used in Samba cannot authenticate to multiple domains.

that's not entirely true, you can (and i do) get samba to auth to multiple domains. the domains either need to be in the same forest, and/or have full trusts back and forth. (i also found that adding them each to your kerberos config helps) basically you join to one of them and you should be able to enumerate all the users from both thru winbind or getent...

Joe

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
freeRADIUS+samba3.0.1+AD(multiple domains)
Hi,

We are using freeRADIUS 1.1.6 and samba 3.0.1 to talk to active-directory, following: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Now it can work. But there are multiple domains in active-directory. How to configure freeRADIUS or samba so it can support multiple domains?

Thanks.
John
Reply: Re: rlm_dbm can not work?
It works. Thanks.

There is another question: How to delete a user from rlm_dbm? I delete the user from the users file and do "rlm_dbm_parser -i users -o xxx.db", but the deleted user does not disappear from xxx.db.

John.

[EMAIL PROTECTED] wrote:

Hi,

> [EMAIL PROTECTED] raddb]# rlm_dbm_cat -f users.db
> "hhe4" Cleartext-Password := "hhe123"
>         Reply-Message = "Hello"
>
> "hhe123" Cleartext-Password := "hhe123"
>         Reply-Message = "Hello"

i have a theory of the entries - remove the quotes from around your userid's in that database file.

alan
rlm_dbm can not work?
Hi,

I am using freeRADIUS 1.1.6. I can not get rlm_dbm to work.

Result of rlm_dbm_cat:

[EMAIL PROTECTED] raddb]# pwd
/usr/local/etc/raddb
[EMAIL PROTECTED] raddb]# rlm_dbm_cat -f users.db
"hhe4" Cleartext-Password := "hhe123"
        Reply-Message = "Hello"

"hhe123"Cleartext-Password := "hhe123"
        Reply-Message = "Hello"
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# ls users.*
users.db.dir  users.db.pag
[EMAIL PROTECTED] raddb]#

Debug message:

Module: Loaded dbm
 dbm: usersfile = "/usr/local/etc/raddb/users.db"
Module: Instantiated dbm (dbm)
Listening on authentication *:1812
Listening on accounting *:1813
ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1033, id=26, length=58
        User-Name = "hhe123"
        User-Password = "hhe123"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_dbm: try open database file: /usr/local/etc/raddb/users.db
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add hhe123 to user list
rlm_dbm: User not foud in database
Remove hhe123 from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User not foud in database
Remove DEFAULT from user list
  modcall[authorize]: module "dbm" returns notfound for request 0
modcall: leaving group authorize (returns noop) for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Sending Access-Reject of id 26 to 127.0.0.1 port 1033
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 26 with timestamp 47c220be
Nothing to do.  Sleeping until we see a request.

John.
vocera(with Peap)+AP+freeRADIUS
Hi,

I am using freeRADIUS 1.1.7. A notebook with the Odyssey client (PEAP/MSCHAPv2) can talk to freeRADIUS well. But when I use the Vocera client, which can support PEAP + MSCHAPv2, it does not work.

Debug message (see more debug message in attachment):

...
rad_recv: Access-Request packet from host 10.50.1.38:1034, id=55, length=233
        User-Name = "lwang"
        NAS-IP-Address = 10.50.1.38
        NAS-Identifier = "QA-AP1-21f0"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-21-F5:vocera_test"
        Calling-Station-Id = "00-16-41-F7-F7-75"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020a00391980002f14030100010116030100248393f1d6391a86ab0605df998e0336f7c651a560328bf621b1ddebbfad332d8ea8796c49
        State = 0xfd6f3b2761e20233acdc5d29ec63d11f
        Message-Authenticator = 0xc4ee170f5d47ee55bead80b4a36580cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 40
  modcall[authorize]: module "preprocess" returns ok for request 40
radius_xlat: '/usr/local/var/log/radius/radacct/auth-detail-20080212'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/auth-detail-20080212
  modcall[authorize]: module "auth_log" returns ok for request 40
  modcall[authorize]: module "chap" returns noop for request 40
  modcall[authorize]: module "mschap" returns noop for request 40
    rlm_realm: No '@' in User-Name = "lwang", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 40
    rlm_realm: No '\' in User-Name = "lwang", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 40
  rlm_eap: EAP packet type response id 10 length 57
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 40
    users: Matched entry lwang at line 95
  modcall[authorize]: module "files" returns ok for request 40
modcall: leaving group authorize (returns updated) for request 40
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 40
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 40
modcall: leaving group authenticate (returns reject) for request 40
auth: Failed to validate the user.
Delaying request 40 for 1 seconds
Finished request 40
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.50.1.38:1034, id=56, length=156
        User-Name = "lwang"
        NAS-IP-Address = 10.50.1.38
        NAS-Identifier = "QA-AP1-21f0"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-21-F5:vocera_test"
        Calling-Station-Id = "00-16-41-F7-F7-75"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        Message-Authenticator = 0x834864649ecf9fba4cbd71673b5bb042
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 41
  modcall[authorize]: module "preprocess" returns ok for request 41
radius_xlat: '/usr/local/var/log/radius/radacct/auth-detail-20080212'
rlm_detail: /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/auth-detail-20080212
  modcall[authorize]: module "auth_log" returns ok for request 41
  modcall[authorize]: module "chap" returns noop for request 41
  modcall[authorize]: module "mschap" returns noop for request 41
    rlm_realm: No '@' in User-Name = "lwang", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 41
    rlm_realm: No '\' in User-Name = "lwang", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 41
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 41
    users: Matched entry lwang at line 95
  modcall[authorize]: module "files" returns ok for request 41
modcall: leaving group authorize (returns ok) for request 41
auth: type Local
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Peap(inner eap-GTC)//: Re: Peap (inner eap-popt ) issue
7030100200dae6db09d400aff4db8b832bdc308e58f32d44878802cb305b8245cbafe2b56
        State = 0x917adbb2a47421f8a387e5b7dfa5d3e7
        Message-Authenticator = 0x9c0d713729c522b7cce89c4b6af3ba26
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
  modcall[authorize]: module "mschap" returns noop for request 28
  rlm_eap: EAP packet type response id 17 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 28
    users: Matched entry hhe123 at line 95
  modcall[authorize]: module "files" returns ok for request 28
modcall: leaving group authorize (returns updated) for request 28
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure.  User was rejcted rejected earlier in this session.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 28
modcall: leaving group authenticate (returns invalid) for request 28
auth: Failed to validate the user.
Sending Access-Reject of id 28 to 10.155.20.84 port 1040
        EAP-Message = 0x04110004
        Message-Authenticator = 0x
        Reply-Message = "Hello"
Finished request 28
Going to the next request
Waking up in 6 seconds...

John

Alan DeKok <[EMAIL PROTECTED]> wrote:

Hangjun He wrote:
> hi,
> I am using Odyssey Client Manager and freeRADIUS 1.1.6.
> When I set peap with inner eap-mschap-v2, It works well.When I change
> inner eap type to eap-popt, seems can not work.

Why do you think FreeRADIUS supports EAP-POPT?

...
> rlm_eap: NAK asked for bad type 32
> rlm_eap: Failed in EAP select

FreeRADIUS doesn't support that EAP type.

Alan DeKok.

Attachment: eap.conf
Peap (inner eap-popt) issue
hi,

I am using Odyssey Client Manager and freeRADIUS 1.1.6. When I set PEAP with inner eap-mschap-v2, it works well. When I change the inner EAP type to eap-popt, it seems it can not work.

eap.conf:

eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/server_keycert.pem
                certificate_file = ${raddbdir}/certs/server_keycert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                proxy_tunneled_request_as_eap = yes
        }
        mschapv2 {
        }
}

debug message:

rad_recv: Access-Request packet from host 10.155.20.84:1028, id=97, length=310
        User-Name = "hhe123"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "AH-30"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-31:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0204008f1980008516030100451041003f90e19f0e9099ace6ec05fb17123a18280ef2aaabf14d2a6c632e502133afefc99bf3c3e8216dd91489e6c3e58622bacd148a5c4cd3dfecff8fe172ac0d0a19140301000101160301003095d558aeea1c6a30113c21922745a4584a82f81ed2aec13d206481d23805d67e8760d4b1cdca811a54e5ed9819fefc52
        State = 0xe364c386672736607a0f8f7ce0f2896a
        Message-Authenticator = 0x0743c8bc02356a840f048e55b5b87143
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 143
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry hhe123 at line 95
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0045], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 97 to 10.155.20.84 port 1028
        Reply-Message = "Hello"
        EAP-Message = 0x0105004119001403010001011603010030972d13c7c42d04d1e4749ae66d2232830dd90327e820cab5cd8d2733712e71315b05c41c9c6b934cae84a1b7f75804e1
        Message-Authenticator = 0x
        State = 0x218ad259b8a94329f3d37b7ee6d7afad
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.155.20.84:1028, id=98, length=173
        User-Name = "hhe123"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "AH-30"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-31:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020500061900
        State = 0x218ad259b8a94329f3d37b7ee6d7afad
        Message-Authenticator = 0x95efe7dde77c253e487f9cfd6065f838
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry hhe123 at line 95
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns
rlm_dbm question?
I use rlm_dbm_parser to add 2 users in the file users_output. Debug info shows they were added successfully. But why can I not find the file users_output? Where can I find this file? rlm_dbm_cat shows 2 users added, right?

[EMAIL PROTECTED] rlm_dbm]# ./rlm_dbm_parser -c -i users -o users_output -x
Use dictionary in: /usr/local/etc/raddb
Found user: "hhe123"
Found user: DEFAULT
Record loaded: 2
Lines parsed: 230
Record skiped: 0
Warnings: 0
Errors: 0
[EMAIL PROTECTED] /]# find -name users_output
[EMAIL PROTECTED] rlm_dbm]# ./rlm_dbm_cat
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

"hhe123"Cleartext-Password := "hhe123"
        Reply-Message = "Hello"
User with ntdomain authenticate with freeRADIUS + AD
Hi,

freeRADIUS version 1.1.6. When I use the DOMAIN\user format, it can work. When I use the [EMAIL PROTECTED] format, it can not work. Why?

Thanks!
John
RE: Can I get group-name from Active-directory? [sec=unclassified]
I added the group parameters in the rlm_ldap section. It seems freeradius does not do the group search.

groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

Is there anything else I need to configure in radiusd.conf?

Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.155.20.84:1107, id=76, length=207
        User-Name = "hhe"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "AH-30"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0209002b1900170301002040c3edccfa02df3abe7e25e10b19562d21e7cb9ae131741e2072d61ea88ada83
        State = 0xaa50cdb6191621d7112990ba865f4031
        Message-Authenticator = 0xb16d6265031bcb1157450cdbef3d80b4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "hhe", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Proxying request from user hhe to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: EAP packet type response id 9 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hhe
radius_xlat: '(sAMAccountName=hhe)'
radius_xlat: 'cn=users,dc=aerohive, dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=aerohive, dc=com, with filter (sAMAccountName=hhe)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hhe authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 9
modcall: leaving group authenticate (returns ok) for request 9
Sending Access-Accept of id 76 to 10.155.20.84 port 1107
        MS-MPPE-Recv-Key = 0x03ee0b3dcbfc176840b2fd59f80ea717e985f078073c8aec6443244ff871091d
        MS-MPPE-Send-Key = 0x55a504ccb0cb76ee9bda1bd4e5ec48cf4c27fe94c9e086bc990ed0f0f1650f92
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000
        User-Name = "hhe"
Finished request 9

"Ranner, Frank MR" <[EMAIL PROTECTED]> wrote:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hangjun He
Sent: Monday, 17 December 2007 18:32
To: FreeRadius users mailing list
Subject: Can I get group-name from Active-directory?

FreeRADIUS 1.1.6 + samba-tools + active-directory. Can I get user's group-name by rlm_ldap? How?

Following is the result of ldap-search (using an ldap client):

# Paul Le, Users, test.com
dn: CN=Paul Le,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Le
sn: Levasseur
distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20061118204047.0Z
whenChanged: 20061120041505.0Z
displayName: Paul Levasseur
uSNCreated: 53309
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
uSNChanged: 61454
name: Paul Levasseur
objectGUID:: TWcfmIP0S0KptrqNYMartA==

In radiusd.conf set the ldap group parameters:

groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

If you prefer you can use sAMAccountName instead of cn, or even both:

groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"

Regards,
Frank Ranner
Can I get group-name from Active-directory?
FreeRADIUS 1.1.6 + samba-tools + active-directory. Can I get user's group-name by rlm_ldap? How?

Following is the result of ldap-search (using an ldap client):

# Paul Le, Users, test.com
dn: CN=Paul Le,CN=Users,DC=test,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Paul Le
sn: Levasseur
distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com
instanceType: 4
whenCreated: 20061118204047.0Z
whenChanged: 20061120041505.0Z
displayName: Paul Levasseur
uSNCreated: 53309
memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com
uSNChanged: 61454
name: Paul Levasseur
objectGUID:: TWcfmIP0S0KptrqNYMartA==
userAccountControl: 512
badPwdCount: 1
codePage: 0
countryCode: 0
badPasswordTime: 12808359315171
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128084630849843750
primaryGroupID: 513
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAg
objectSid:: AQUAAAUVFhovX/CrURQfMAbsYQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: paull
sAMAccountType: 805306368
msNPAllowDialin: TRUE
Question about nt-domain.
Hi,

FreeRADIUS 1.1.6, using the users file as the user store. When I use username/password, it can work. When I use username/password/domain, it does not work. I tried to set with_ntdomain_hack = yes in the preprocess module; I get "rlm_eap: Identity does not match User-Name, setting from EAP Identity." I tried to add with_ntdomain_hack = yes in the mschap module; it does not work.

Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.84:1030, id=1, length=166
        User-Name = "HH\\hhe123"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "AH-30"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0224000e0148485c686865313233
        Message-Authenticator = 0xe02bcaa4c6065250f6dcd3ccd60386f6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "hhe123", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Proxying request from user hhe123 to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 36 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry hhe123 at line 95
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 0
modcall: leaving group authenticate (returns invalid) for request 0
auth: Failed to validate the user.
Sending Access-Reject of id 1 to 10.155.20.84 port 1030
        Reply-Message = "Hello"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

John
Re: Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS
Yes. It sounds good. Check the common name in the certificate against databases (users or others).

John

[EMAIL PROTECTED] wrote:

> Hangjun He wrote:
> > And I use EAP-TLS and with correct certs. Even if I set wrong
> > username in Odessey Client, freeRADIUS will return
> > success.(check_cert_cn not set).
>
> EAP-TLS authenticates users based on certificates. It ignores the
> user name.

i think, thats not completely correct. when you use eap-tls, the username in the radius-packet is the common name of your certificate. so you can check in the users file against the common name, and reject specific common names... if you set check_cert_cn to "yes", then the server will compare the common name of the certificate with the user-name in the radius packet (as i said, this is normally also the common name).

> > Can I let freeRADIUS to check if username in the users file or other
> > database? If not, reject user.
>
> Yes. Configure that:
>
> bob Auth-Type := Reject
>
> Alan DeKok.

Sebastian
Question about windowsXP(Odessey Client) + EAP-TLS with freeRADIUS
Hi,

I am using freeRADIUS 1.1.6 with EAP-TLS and correct certs. Even if I set a wrong username in the Odessey Client, freeRADIUS will return success (check_cert_cn not set). Can I let freeRADIUS check if the username is in the users file or another database, and if not, reject the user?

Thanks!
John
Which RADIUS server can support RFC3576?
I know freeRADIUS can't support RFC3576 (Dynamic Authorization Extensions to RADIUS). Do you know which one can support it?
freeradius support eap-fast?
Hi,

The EAP-FAST introduction from Cisco says freeradius supports EAP-FAST. Is that right? http://www.t11.org/ftp/t11/pub/fc/sp-2/07-595v0.pdf

John
Does SIGHUP work in 2.0.0?
Does SIGHUP work in 2.0.0? Thanks.

John
Reply: Re: FreeRADIUS with 2 Active Directories
Yes, a redundant DC. When I set up FreeRADIUS to talk to AD, I need to set the primary DC's hostname/IP in smb.conf: "password server = WIN2003-SERVER1". I also set the primary DC's hostname in the krb5.conf realms section: "kdc = WIN2003-SERVER1:88". When the primary DC is down, Samba contacts WIN2003-SERVER1 too, and cannot switch to the backup DC (win2003-server2). Right?

John

[EMAIL PROTECTED] wrote:
You probably want to set up primary and backup domain controllers. Redundancy is built into AD - when the primary DC goes down the backup DC will take over authentication. Nothing to do with freeradius/samba.

Ivan Kalik
Kalik Informatika ISP

On 6/11/2007, "Hangjun He" wrote:
> Hi,
> I use FreeRADIUS 1.1.6 and Samba 3 to talk with Active Directory. It works
> well. I followed the wiki:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> Now we want to set up 2 Active Directories, one primary, the other
> backup. If the primary AD goes down, FreeRADIUS can switch to the backup AD
> to authenticate.
>
> Can FreeRADIUS or Samba support 2 ADs? And how?
> Any comment is appreciated.
>
> John
Reply: Re: FreeRADIUS + OpenLDAP with TLS
It seems it needs LDAP library support.

Alan DeKok <[EMAIL PROTECTED]> wrote:
Hangjun He wrote:
> I use FreeRADIUS 1.1.6 and OpenLDAP 2.3.32, and now it authenticates
> successfully (FreeRADIUS + OpenLDAP with TLS encryption).
>
> My question is how to set the private-key password in radiusd.conf. Is there
> a related variable to set, just like "private_key_password" in eap.conf?

No. As always, patches are welcome.

Alan DeKok.
FreeRADIUS with 2 Active Directories
Hi,

I use FreeRADIUS 1.1.6 and Samba 3 to talk with Active Directory. It works well. I followed the wiki: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Now we want to set up 2 Active Directories, one primary, the other backup. If the primary AD goes down, FreeRADIUS can switch to the backup AD to authenticate.

Can FreeRADIUS or Samba support 2 ADs? And how? Any comment is appreciated.

John
FreeRADIUS with Active Directory
Hi,

I have configured ntlm_auth in FreeRADIUS to talk to AD (the user store), and it works well. Now I want to use LDAP to get attributes from AD, and it fails. It seems ldapsearch searches by the user's display name, while ntlm_auth searches by the user's logon name. If I set the display name the same as the user logon name, it works. Is there a way to let ldapsearch search by the user logon name too?

Related configuration in radiusd.conf:

authorize {
        mschap
        suffix
        eap
        files
        ldap
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
        ldap
}
Reply: Re: FreeRADIUS + OpenLDAP with TLS [sec=unclassified]
Thanks. So the key-file password is not set in the rlm_ldap section of radiusd.conf. I still do not know how to configure the key password in OpenLDAP. Where can I find any document or wiki?

Thanks.
John.

"Ranner, Frank MR" <[EMAIL PROTECTED]> wrote:
> Yes. eap.conf is part of radiusd.conf. But I cannot find a variable to set
> the key-file password in the rlm_ldap section.
>
> # Lightweight Directory Access Protocol (LDAP)
> ldap {
>         server = "ldap.your.domain"
>         # identity = "cn=admin,o=My Org,c=UA"
>         # password = mypass
>         basedn = "o=My Org,c=UA"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 636) connections
>         start_tls = no
>         # tls_cacertfile = /path/to/cacert.pem
>         # tls_cacertdir = /path/to/ca/dir/
>         # tls_certfile = /path/to/radius.crt
>         # tls_keyfile = /path/to/radius.key
>         # tls_randfile = /path/to/rnd
>         # tls_require_cert = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"

So use openssl to remove the password from the key and put the key in a secure directory. The key itself should have 400 permissions and be owned by the ldap user. What's the problem?

Regards,
Frank Ranner
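The following is an added example, not code from this thread: pre-flight checks for the file named by rlm_ldap's tls_keyfile, following Frank's advice above. Two facts drive it: rlm_ldap has no passphrase option (Alan's reply in this thread), so the key must be stored unencrypted; and the process that opens tls_keyfile is radiusd, which is the LDAP client side of StartTLS, so the file should be readable by the user radiusd runs as and by nobody else. The PEM texts, paths and function names are this example's own; the samples contain no real key material.

```python
# Added example, not from the thread: pre-flight checks for the file named by
# rlm_ldap's tls_keyfile.  rlm_ldap has no passphrase option, so the key must
# be stored unencrypted; radiusd is the process that reads it, so it should be
# owned by the radiusd user with mode 0400.  The PEM texts below are
# constructed samples with no key material.

import os
import stat
import tempfile

SAMPLE_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(constructed placeholder, no key material)
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, no key material)
-----END RSA PRIVATE KEY-----
"""


def pem_is_encrypted(pem_text):
    """True if a PEM private key needs a passphrase.

    Traditional OpenSSL keys announce it with a 'Proc-Type: 4,ENCRYPTED'
    header line; PKCS#8 keys use the 'ENCRYPTED PRIVATE KEY' label.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return True
    return "Proc-Type: 4,ENCRYPTED" in pem_text


def check_keyfile(path, expected_uid):
    """Return a list of problems with a tls_keyfile; an empty list means OK."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is group/world accessible, want 0400" % mode)
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, want uid %d (the user radiusd runs as)"
                        % (st.st_uid, expected_uid))
    with open(path) as f:
        if pem_is_encrypted(f.read()):
            problems.append("key is passphrase-protected; rlm_ldap cannot supply one")
    return problems


def demo():
    """Write the two sample keys into a temp directory and check both.

    Returns (problems_with_bad_key, problems_with_good_key); the current
    user stands in for the radiusd user.
    """
    me = os.getuid()
    workdir = tempfile.mkdtemp()
    bad = os.path.join(workdir, "radius-encrypted.key")
    good = os.path.join(workdir, "radius.key")
    with open(bad, "w") as f:
        f.write(SAMPLE_ENCRYPTED_PEM)
    os.chmod(bad, 0o644)          # readable by everyone: wrong
    with open(good, "w") as f:
        f.write(SAMPLE_PLAIN_PEM)
    os.chmod(good, 0o400)         # owner read-only: right
    return check_keyfile(bad, me), check_keyfile(good, me)
```

Run `check_keyfile("/path/to/radius.key", uid_of_radiusd)` after stripping the passphrase with openssl; the first two findings are what Frank's "400 permissions" advice guards against, the third is the condition that makes rlm_ldap fail to start TLS at all.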
Reply: Re: FreeRADIUS + OpenLDAP with TLS
Hi,

Yes. eap.conf is part of radiusd.conf. But I cannot find a variable to set the key-file password in the rlm_ldap section.

# Lightweight Directory Access Protocol (LDAP)
ldap {
        server = "ldap.your.domain"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no
        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"

[EMAIL PROTECTED] wrote:
You already have. eap.conf is a part of radiusd.conf.

Ivan Kalik
Kalik Informatika ISP

On 29/10/2007, "Hangjun He" wrote:
> Hi,
>
> I use FreeRADIUS 1.1.6 and OpenLDAP 2.3.32, and now it authenticates
> successfully (FreeRADIUS + OpenLDAP with TLS encryption).
>
> My question is how to set the private-key password in radiusd.conf. Is there
> a related variable to set, just like "private_key_password" in eap.conf?
>
> Thanks.
> John
FreeRADIUS + OpenLDAP with TLS
Hi,

I use FreeRADIUS 1.1.6 and OpenLDAP 2.3.32, and now it authenticates successfully (FreeRADIUS + OpenLDAP with TLS encryption).

My question is how to set the private-key password in radiusd.conf. Is there a related variable to set, just like "private_key_password" in eap.conf?

Thanks.
John
Authentication question: EAP/PEAP + switch + FreeRADIUS + Lutos LDAP server
Hi,

EAP/PEAP + switch + FreeRADIUS (1.1.6) + Lutos LDAP server. Can this architecture work well? Can anyone give me some advice?

Thanks a lot.
John.
After SIGHUP, FreeRADIUS segmentation fault
The FreeRADIUS version is 1.1.6. I saw the same question on the mailing list (for FreeRADIUS 0.8). Was this problem fixed??

Thanks.

Nothing to do.  Sleeping until we see a request.
Reloading configuration files.
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/ldap.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 45
 main: cleanup_delay = 5
 main: max_requests = 256
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = no
 main: debug_level = 0
read_config_files:  reading dictionary
Mon Aug 13 06:55:25 2007 : Info: rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
Mon Aug 13 06:55:25 2007 : Error: radiusd.conf[84] Auth-Type MS-CHAP already configured - skipping
Mon Aug 13 06:55:25 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Mon Aug 13 06:55:25 2007 : Info: radiusd.conf Auth-Type eap already configured - skipping
Mon Aug 13 06:55:25 2007 : Info: Ready to process requests.
Segmentation fault
Re: Help: How to set VLAN by Tunnel-Private-Group-Id for user or group?
I just followed the steps: create a group, add users to the group, create a Remote Access Policy in IAS (Internet Authentication Service) (is that the right place???), edit the policy and apply the policy to this group. But FreeRADIUS cannot get the VLAN information from AD.

Thanks.

[EMAIL PROTECTED] wrote:
Since you are using AD to store the user profile, this is an AD question, not a freeradius question. Create a (vlan) group; add users/groups to the group; create a Remote Access Policy; apply the policy to this group; edit the policy to include those Tunnel attributes in the dial-in profile; do the same for every VLAN.

Ivan Kalik
Kalik Informatika ISP

On 2/8/2007, "Hangjun He" wrote:
> Hi,
> We use PEAP + AP + FR + AD to authenticate users. It works now. But I
> need FreeRADIUS to return a VLAN for different users or groups.
> How should I do it?? Please give me some advice. Thanks.
>
> I saw the debug info below on the mailing list; from it I guess FreeRADIUS can
> set a VLAN for a user or group.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.1:1645, id=38, length=149
>         User-Name = "DOMAIN\\testuser"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "00-19-AA-2C-8F-03"
>         Calling-Station-Id = "00-08-74-46-2A-A5"
>         EAP-Message = 0x0202001601434f5250524f4f545c7467646f72686531
>         Message-Authenticator = 0x9bc11b6f6182f53f6428ad12c48d8f10
>         NAS-Port = 50001
>         NAS-Port-Type = Ethernet
>         NAS-IP-Address = 192.168.1.1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   rlm_eap: EAP packet type response id 2 length 22
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched entry DEFAULT at line 1
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 38 to 192.168.1.1 port 1645
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "vlanX"
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x
>         State = 0x67c75e29c6b4d8d32c662ce2d154d277
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
Reply: Re: Help: How to set VLAN by Tunnel-Private-Group-Id for user or group?
Thanks. I still have a question. Can FreeRADIUS get the VLAN from AD and forward it to the client?? Is special configuration needed? I use Samba's ntlm_auth.

Hangjun

[EMAIL PROTECTED] wrote:
Since you are using AD to store the user profile, this is an AD question, not a freeradius question. Create a (vlan) group; add users/groups to the group; create a Remote Access Policy; apply the policy to this group; edit the policy to include those Tunnel attributes in the dial-in profile; do the same for every VLAN.

Ivan Kalik
Kalik Informatika ISP

On 2/8/2007, "Hangjun He" wrote:
> Hi,
> We use PEAP + AP + FR + AD to authenticate users. It works now. But I
> need FreeRADIUS to return a VLAN for different users or groups.
> How should I do it?? Please give me some advice. Thanks.
>
> I saw the debug info below on the mailing list; from it I guess FreeRADIUS can
> set a VLAN for a user or group.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.1:1645, id=38, length=149
>         User-Name = "DOMAIN\\testuser"
>         Service-Type = Framed-User
>         Framed-MTU = 1500
>         Called-Station-Id = "00-19-AA-2C-8F-03"
>         Calling-Station-Id = "00-08-74-46-2A-A5"
>         EAP-Message = 0x0202001601434f5250524f4f545c7467646f72686531
>         Message-Authenticator = 0x9bc11b6f6182f53f6428ad12c48d8f10
>         NAS-Port = 50001
>         NAS-Port-Type = Ethernet
>         NAS-IP-Address = 192.168.1.1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   rlm_eap: EAP packet type response id 2 length 22
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 0
>     users: Matched entry DEFAULT at line 1
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns updated) for request 0
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned 1
>   modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 38 to 192.168.1.1 port 1645
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "vlanX"
>         EAP-Message = 0x010300061920
>         Message-Authenticator = 0x
>         State = 0x67c75e29c6b4d8d32c662ce2d154d277
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
Reply: Linux RADIUS and Active Directory
Just follow this: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

inelec communication <[EMAIL PROTECTED]> wrote:
I am trying to set up a Fedora Linux server to authenticate wireless users. I would like to use my AD server to get user information and use RADIUS just for authentication on the wireless part of our network. Any suggestions, or any document that guides me in doing that?

best regards
Help: How to set VLAN by Tunnel-Private-Group-Id for user or group?
Hi,

We use PEAP + AP + FR + AD to authenticate users. It works now. But I need FreeRADIUS to return a VLAN for different users or groups. How should I do it?? Please give me some advice. Thanks.

I saw the debug info below on the mailing list; from it I guess FreeRADIUS can set a VLAN for a user or group.

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1:1645, id=38, length=149
        User-Name = "DOMAIN\\testuser"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-19-AA-2C-8F-03"
        Calling-Station-Id = "00-08-74-46-2A-A5"
        EAP-Message = 0x0202001601434f5250524f4f545c7467646f72686531
        Message-Authenticator = 0x9bc11b6f6182f53f6428ad12c48d8f10
        NAS-Port = 50001
        NAS-Port-Type = Ethernet
        NAS-IP-Address = 192.168.1.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_eap: EAP packet type response id 2 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 38 to 192.168.1.1 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "vlanX"
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0x67c75e29c6b4d8d32c662ce2d154d277
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
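The following is an added example, not code from this thread and not FreeRADIUS code. It serves two passages on this page from the FreeRADIUS side: Alan's one-line answer in the EAP-TLS thread above ('bob Auth-Type := Reject') and the VLAN question here, where the debug output shows the three reply attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that carry an assignment. It is a small evaluator for the users-file syntax: entries are tried in order, an entry applies when its name is the User-Name (or DEFAULT) and every '==' check item matches the request, and the first applying entry wins unless it sets Fall-Through = Yes. The users file, the requests and the function names are this example's own; only the operators ==, := and = are handled.

```python
# Added example, not from the thread and not FreeRADIUS code: a small
# evaluator for the users-file syntax, showing a name rejected outright and
# a VLAN returned through the three Tunnel attributes.  The users file and
# the requests are constructed samples; only ==, := and = are handled.

import re

SAMPLE_USERS = """\
# reject this name no matter what certificate or password it presents
bob     Auth-Type := Reject

# alice gets VLAN 10, but only when she comes in over wireless
alice   NAS-Port-Type == Wireless-802.11
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# everyone else is refused
DEFAULT Auth-Type := Reject
"""

_ITEM = re.compile(r'^([\w-]+)\s*(:=|==|=)\s*"?([^"]*)"?$')


def _parse_items(text):
    """Parse 'Attr op value, Attr op value' into a list of (attr, op, value)."""
    items = []
    for part in text.strip().rstrip(",").split(","):
        part = part.strip()
        if not part:
            continue
        m = _ITEM.match(part)
        if m is None:
            raise ValueError("cannot parse item: %r" % part)
        items.append((m.group(1), m.group(2), m.group(3)))
    return items


def parse_users(text):
    """Parse users-file text into a list of {name, check, reply} entries."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line: reply items
            entries[-1]["reply"].extend(_parse_items(raw))
        else:                                    # name followed by check items
            fields = raw.split(None, 1)
            rest = fields[1] if len(fields) > 1 else ""
            entries.append({"name": fields[0], "check": _parse_items(rest), "reply": []})
    return entries


def evaluate(entries, request):
    """Apply the entries to a request (a dict of attribute -> value).

    Returns (control, reply): control holds ':=' settings such as Auth-Type
    (an empty control leaves the decision to the authenticate modules, as
    happens for an EAP request); reply is the list of reply attributes.
    """
    control, reply = {}, []
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if not all(request.get(a) == v for a, op, v in entry["check"] if op == "=="):
            continue
        for a, op, v in entry["check"]:
            if op == ":=" or (op == "=" and a not in control):
                control[a] = v
        fall_through = False
        for a, op, v in entry["reply"]:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply.append((a, v))
        if not fall_through:
            break
    return control, reply


def vlan_assignment(reply):
    """VLAN id the NAS would apply, or None.

    A switch or access point acts on Tunnel-Private-Group-Id only when
    Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE-802 (RFC 3580); a
    reply missing any one of the three assigns nothing.
    """
    attrs = dict(reply)
    if attrs.get("Tunnel-Type") == "VLAN" and attrs.get("Tunnel-Medium-Type") == "IEEE-802":
        return attrs.get("Tunnel-Private-Group-Id")
    return None
```

`evaluate(parse_users(SAMPLE_USERS), {"User-Name": "alice", "NAS-Port-Type": "Wireless-802.11"})` yields the three Tunnel attributes and `vlan_assignment` returns "10"; the same name on an Ethernet port falls through to the final DEFAULT and is rejected, as is any name the file does not list. The `:0` suffix in the debug output above is the tunnel tag, which the untagged users-file form leaves at zero.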
Reply: Re: PEAP, switch, FR and MS-AD as user profile and VLAN storage
Thanks. I want to get the user's profile and VLAN from AD after the user authenticates successfully. Now I can authenticate OK against AD, but I do not know whether I can get the user profile and VLAN information.

Hangjun

Martin Gadbois <[EMAIL PROTECTED]> wrote:
Hangjun He wrote:
> Hi,
>
> I would like to know if I can use FreeRADIUS for:
>
> PEAP, switch, FR and MS-Active Directory as user profile and vlan storage

PEAP: Yes
MS-AD: Yes

See several posts in this mailing list, and the FreeRadius Wiki: it is all in there.
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

--
Martin Gadbois         | "Please answer by yes or no.
Sr. SW Designer        |  Uncooperative user waste precious CPU time"
Colubris Networks Inc. |   -- The Andromeda Strain, M. Crichton, 1969
PEAP, switch, FR and MS-AD as user profile and VLAN storage
Hi,

I would like to know if I can use FreeRADIUS for: PEAP, switch, FR and MS-Active Directory as user profile and VLAN storage.

If so, can someone please shed some light/pointers? Any info is highly appreciated.

Thank you.
About EAP-PEAP/switch/FR/OpenLDAP
Hi,

I am using FreeRADIUS 1.1.6, and it works. But there is a question: why does FreeRADIUS receive username=anonymous many times, and only then receive the real username hwang??

Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.155.20.84:1030, id=27, length=162
        User-Name = "anonymous"          // My username is hwang???
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "hello"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020e01616e6f6e796d6f7573
        Message-Authenticator = 0x892d753593e189cd36612f7fa07e459f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(cn=anonymous)'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to never
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=company,dc=com, with filter (cn=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 27 to 10.155.20.84 port 1030
        EAP-Message = 0x01010016041061094fc60ca2cd662178a3d6eea822cc
        Message-Authenticator = 0x
        State = 0x3a5eacc7a46269daed6e2e83bf27092c
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.155.20.84:1030, id=28, length=172
        User-Name = "anonymous"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "hello"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONN ECT 11Mbps 802.11b"
        EAP-Message = 0x020100060319
        State = 0x3a5eacc7a46269daed6e2e83bf27092c
        Message-Authenticator = 0x3429d0e18b932a327161388ce7e0bdc4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(cn=anonymous)'
radius_xlat:  'dc=company,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=company,dc=com, with filter (cn=anonymous)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
  rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 28 to 10.155.20.84 port
Reply: Re: Help: EAP/PEAP + 802.1X + FreeRADIUS + Win2k3/AD
Can I start LDAP auth after EAP authentication fails, just like radclient?

Hangjun He <[EMAIL PROTECTED]> wrote:
Thanks Alan DeKok. But there is not enough memory on my Linux system to install Samba. What should I do?

John

Alan DeKok <[EMAIL PROTECTED]> wrote:
Hangjun He wrote:
> I have no samba installed in my linux.

Then you won't get PEAP to work with AD. There's a reason the howto's say to use Samba: it's needed.

> 3. eap/peap + 8021x + freeradius + Win2k3/AD
> When I auth the Winxp user access to switch. It failed. Even if I
> set Authenticate type to ldap or not, why??

Because AD is not an LDAP server. Install Samba. Follow the howto's.

Alan DeKok.
Reply: Re: Help: EAP/PEAP + 802.1X + FreeRADIUS + Win2k3/AD
Thanks Alan DeKok. But there is not enough memory on my Linux system to install Samba. What should I do?

John

Alan DeKok <[EMAIL PROTECTED]> wrote:
Hangjun He wrote:
> I have no samba installed in my linux.

Then you won't get PEAP to work with AD. There's a reason the howto's say to use Samba: it's needed.

> 3. eap/peap + 8021x + freeradius + Win2k3/AD
> When I auth the Winxp user access to switch. It failed. Even if I
> set Authenticate type to ldap or not, why??

Because AD is not an LDAP server. Install Samba. Follow the howto's.

Alan DeKok.
Help: EAP/PEAP + 802.1X + FreeRADIUS + Win2k3/AD
Hi, list

I have no Samba installed on my Linux.

1. FreeRADIUS + AD: when I use the radtest tool to test a user/password against Win2k3/AD, I get the correct answer when I set the authenticate type to ldap too.

2. EAP/PEAP + 802.1X + FreeRADIUS + OpenLDAP: success.

3. EAP/PEAP + 802.1X + FreeRADIUS + Win2k3/AD: when I authenticate the Windows XP user's access to the switch, it fails, whether I set the authenticate type to ldap or not. Why??

rad_recv: Access-Request packet from host 10.155.20.84:1077, id=179, length=206
        User-Name = "hwang"
        NAS-IP-Address = 10.155.20.84
        NAS-Identifier = "hiveos"
        NAS-Port = 0
        Called-Station-Id = "00-19-77-00-00-34:hhe"
        Calling-Station-Id = "00-19-E0-80-A5-5A"
        Framed-MTU = 1500
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0237002b19001703010020ee2ceed58c0ee38c2943f392498a1d0ce71f57156ed1e81ea1ae15ad61a5f53b
        State = 0x00bebc716634b88b8ea1ecd2216ccf25
        Message-Authenticator = 0xec79f9c13e33bd20c35a6a6a7d6f291d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 65
  modcall[authorize]: module "mschap" returns noop for request 65
    rlm_realm: No '@' in User-Name = "hwang", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 65
  rlm_eap: EAP packet type response id 55 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 65
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat:  '(cn=hwang)'
radius_xlat:  'cn=users,dc=aehve,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=users,dc=aehve,dc=com, with filter (cn=hwang)
rlm_ldap: checking if remote access for hwang is allowed by cn
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user hwang authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 65
modcall: leaving group authorize (returns updated) for request 65
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 65
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Had sent TLV failure.  User was rejcted rejected earlier in this session.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 65
modcall: leaving group authenticate (returns invalid) for request 65
auth: Failed to validate the user.
Sending Access-Reject of id 179 to 10.155.20.84 port 1077
        EAP-Message = 0x04370004

Thanks!
John
Re: Problem on FreeRADIUS + OpenLDAP + TLS
When I use ldapsearch -H ldaps://localhost/ ... I get the correct record. Debug info:

connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=12
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 45 contents:
ber_get_next
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <<< dnPrettyNormal: ,
do_bind: version=3 dn="cn=admin,dc=aehve,dc=com" method=128
do_bind: v3 bind: "cn=admin,dc=aehve,dc=com" to "cn=admin,dc=aehve,dc=com"
send_ldap_result: conn=12 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 73 contents:
ber_get_next
do_search
ber_scanf fmt ({mb) ber:
>>> dnPrettyNormal: <<< dnPrettyNormal: ,
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("cn=hlin,ou=people,dc=aehve,dc=com")
search_candidates: base="cn=hlin,ou=people,dc=aehve,dc=com" (0x000b) scope=2
=> bdb_dn2idl("cn=hlin,ou=people,dc=aehve,dc=com")
<= bdb_dn2idl: id=1 first=11 last=11
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=1 first=11 last=11
=> send_search_entry: conn 12 dn="cn=hlin,ou=People,dc=aehve,dc=com"
ber_flush: 188 bytes to sd 11
<= send_search_entry: conn 12 exit.
send_ldap_result: conn=12 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=12
connection_read(11): checking for input on id=12
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
do_unbind
connection_closing: readying conn=12 sd=11 for close
connection_resched: attempting closing conn=12 sd=11
connection_close: conn=12 sd=11
TLS trace: SSL3 alert write:warning:close notify

When I use FreeRADIUS on the same host:

do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=0 oid= len=0
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(11): unable to get TLS client DN, error=49 id=11
connection_get(11): got connid=11
connection_read(11): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 11 failed errno=0 (Success)
connection_closing: readying conn=11 sd=11 for close
connection_close: deferring conn=11 sd=11
do_unbind
connection_resched: attempting closing conn=11 sd=11
connection_close: conn=11 sd=11
TLS trace: SSL3 alert write:warning:close notify

Hangjun He <[EMAIL PROTECTED]> wrote:
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g

Hangjun He <[EMAIL PROTECTED]> wrote:
Hi,

FreeRADIUS with OpenLDAP is OK when using cleartext communication. Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem

shows that the cacert/cert/key are correct. But when I use FreeRADIUS with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat:  '(uid=hwang)'
radius_xlat:  'ou=Peo
re: Problem on freeradius+openldap+tls
freeradius version 1.1.6
openldap version 2.3.23
openssl version 0.9.7g

Hangjun He <[EMAIL PROTECTED]> wrote:

Hi, freeradius with openldap is OK when using cleartext communication. Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem

shows that the cacert/cert/key are correct. But when I use freeradius with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat: '(uid=hwang)'
radius_xlat: 'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902
..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5 : 15 03 01 00 02 .
tls_read: want=2, got=2 : 02 2a .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11

When I use freeradius on the same host as openldap, there are other errors:

connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

Partial configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try

Can anyone tell me why this is? Is there anything wrong with my configuration file?
Thanks!
John

List info/subscribe/unsubscribe?
See http://www.freeradius.org/list/users.html
Problem on freeradius+openldap+tls
Hi, freeradius with openldap is OK when using cleartext communication. Now I want to use TLS.

openssl s_client -connect 127.0.0.1:636 -showcerts -state -CAfile /usr/local/etc/openldap/ssl/cacert.pem

shows that the cacert/cert/key are correct. But when I use freeradius with TLS, errors pop up:

freeradius error:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for hwang
radius_xlat: '(uid=hwang)'
radius_xlat: 'ou=People,dc=aerohive,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: setting TLS CACert File to /usr/local/etc/openldap/ssl/cacert.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: ldap_start_tls_s()
rlm_ldap: could not start TLS Connect error
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

openldap error:
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=902, written=902
..
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5, got=5 : 15 03 01 00 02 .
tls_read: want=2, got=2 : 02 2a .*
TLS trace: SSL3 alert read:fatal:bad certificate
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate s3_pkt.c:1052
connection_read(11): TLS accept failure error=-1 id=5, closing
connection_closing: readying conn=5 sd=11 for close
connection_close: conn=5 sd=11
daemon: removing 11

When I use freeradius on the same host as openldap, there are other errors:

connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(10): unable to get TLS client DN, error=49 id=11
connection_get(10)
connection_get(10): got connid=11
connection_read(10): checking for input on id=11
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

Partial configuration in slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/serverkey.pem
TLSVerifyClient try

Can anyone tell me why this is? Is there anything wrong with my configuration file?
Thanks!
John
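An added example, not code from this thread and not part of FreeRADIUS or OpenLDAP. In the slapd trace above the "bad certificate" alert is read by the server, so it was sent by the TLS client, i.e. libldap inside rlm_ldap, after that client rejected slapd's certificate; with require_cert set to demand the client must be able to chain the server certificate to the file named in rlm_ldap's cacertfile. The POSIX shell script below reproduces that chain check offline: it builds a constructed CA, an unrelated CA and a server certificate in a temporary directory, verifies the server certificate against each CA the way a demanding client would, and prints the certificate's CN for comparison with the host given in rlm_ldap's server setting. The CA names, the CN ldap.example.test and the temporary paths are assumptions for the example; only the openssl command is required.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS/OpenLDAP.
# Reproduces offline the chain check a TLS client with require_cert=demand
# makes on slapd's certificate. All certificates are constructed here; the
# CA names, CN and temporary paths are assumptions for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca NAME: self-signed CA written to $WORK/NAME-ca.pem and $WORK/NAME-ca.key
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# mk_server CANAME CN: server certificate for CN issued by CANAME,
# written to $WORK/CN.pem (the equivalent of slapd's TLSCertificateFile)
mk_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_chain CAFILE CERT: prints "ok" if CERT chains to CAFILE, else "fail".
# CAFILE plays the role of rlm_ldap's cacertfile; a "fail" here is the
# situation in which a demanding client aborts the handshake with an alert.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_cn CERT: subject CN, to compare with the host in rlm_ldap's "server"
# setting (works with both the old "subject= /CN=x" and new "CN = x" layouts)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Demo: one CA that issued the server certificate, one that did not.
mk_ca issuing
mk_ca unrelated
mk_server issuing ldap.example.test

ISSUING_CA="$WORK/issuing-ca.pem"
UNRELATED_CA="$WORK/unrelated-ca.pem"
SERVER_CERT="$WORK/ldap.example.test.pem"

echo "cacertfile = issuing CA:   $(verify_chain "$ISSUING_CA" "$SERVER_CERT")"
echo "cacertfile = unrelated CA: $(verify_chain "$UNRELATED_CA" "$SERVER_CERT")"
echo "certificate CN:            $(cert_cn "$SERVER_CERT")"
```

To apply this to a real deployment, call verify_chain with the cacertfile path from the rlm_ldap block of radiusd.conf and the file named by slapd's TLSCertificateFile, and compare cert_cn's output with the value of the server setting. Note that the thread's successful tests (ldapsearch over ldaps://localhost and s_client to port 636) used LDAPS, while rlm_ldap connects to 127.0.0.1:389 and issues StartTLS; on OpenSSL 1.1.1 or newer, openssl s_client -connect 127.0.0.1:389 -starttls ldap -CAfile cacert.pem exercises the same StartTLS path.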