[no subject]

2012-03-05 Thread Houston-III, Lester L
Hello all,

I'm trying to figure out how to access vendor specific attributes from JRADIUS 
via my FreeRADIUS server.  I have defined the dictionary file and have included 
them in FreeRADIUS and JRADIUS.  Using wireshark I can verify that the 
attributes that I've defined are included in the access-request packet that is 
sent to my FreeRADIUS server.  There are no errors shown in the output, but I 
don't see an attribute of type 26, which I believe is the type used for VSA, 
being passed to JRADIUS.  There doesn't appear to be an option in the jradius 
module file where you can specify what attributes should be included in the 
exchange between FreeRADIUS and JRADIUS.  Is there some configuration or code 
change that I need to make to get these attributes included in the packet 
that's sent to JRADIUS?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
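The "attribute of type 26" mentioned above is the Vendor-Specific wrapper defined in RFC 2865: a vendor's own attributes travel inside it, prefixed with the four-byte Vendor-Id and a vendor type/length sub-header, and a matching dictionary on each side is what turns those bytes back into named attributes. The Python below is an added illustration, not code from FreeRADIUS, JRADIUS or the original post; the vendor id 99999 and the Example-* attribute names are constructed placeholders standing in for whatever your own dictionary file defines. It encodes a standard attribute and two VSAs, then decodes them the way Wireshark or a strict receiver would, rejecting inconsistent lengths rather than skipping over them.

```python
import struct

# Constructed dictionary standing in for a FreeRADIUS "dictionary" file;
# VENDOR_ID is a placeholder, not a registered enterprise number.
VENDOR_SPECIFIC = 26
VENDOR_ID = 99999
VENDOR_ATTRS = {1: ("Example-Session-Data", "string"),
                2: ("Example-Policy-Id", "integer")}
STANDARD_ATTRS = {1: ("User-Name", "string"),
                  27: ("Session-Timeout", "integer")}

def _pack_value(kind, value):
    return struct.pack("!I", value) if kind == "integer" else value.encode("utf-8")

def _unpack_value(kind, raw):
    if kind == "integer":
        if len(raw) != 4:
            raise ValueError("integer attribute must be exactly 4 bytes")
        return struct.unpack("!I", raw)[0]
    return raw.decode("utf-8", errors="replace")

def encode_attribute(attr_type, kind, value):
    """Standard AVP: Type(1) Length(1) Value; Length counts its 2-byte header."""
    payload = _pack_value(kind, value)
    if len(payload) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def encode_vsa(vendor_id, vendor_type, kind, value):
    """Vendor-Specific (RFC 2865 section 5.26): Type 26, Length, Vendor-Id(4),
    then a vendor sub-TLV of Vendor-Type(1) Vendor-Length(1) Value."""
    payload = _pack_value(kind, value)
    sub_tlv = struct.pack("!BB", vendor_type, len(payload) + 2) + payload
    body = struct.pack("!I", vendor_id) + sub_tlv
    if len(body) > 253:
        raise ValueError("VSA does not fit in a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def _decode_vsa(value):
    """Unwrap Vendor-Id and the sub-TLVs carried inside a type-26 attribute."""
    if len(value) < 6:                       # Vendor-Id plus a sub-TLV header
        raise ValueError("VSA shorter than Vendor-Id plus sub-TLV header")
    vendor_id = struct.unpack_from("!I", value, 0)[0]
    pos, decoded = 4, []
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-TLV header")
        vtype, vlen = struct.unpack_from("!BB", value, pos)
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"bad vendor sub-TLV length {vlen}")
        raw = value[pos + 2:pos + vlen]
        if vendor_id == VENDOR_ID and vtype in VENDOR_ATTRS:
            name, kind = VENDOR_ATTRS[vtype]
            decoded.append((name, _unpack_value(kind, raw)))
        else:                                # unknown vendor: keep raw bytes
            decoded.append((f"Vendor-{vendor_id}-Attr-{vtype}", raw))
        pos += vlen
    return decoded

def decode_attributes(data):
    """Walk a packet's attribute section and return (name, value) pairs.
    Bad lengths raise instead of being skipped, so malformed input is visible."""
    decoded, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        value = data[pos + 2:pos + length]
        if attr_type == VENDOR_SPECIFIC:
            decoded.extend(_decode_vsa(value))
        elif attr_type in STANDARD_ATTRS:
            name, kind = STANDARD_ATTRS[attr_type]
            decoded.append((name, _unpack_value(kind, value)))
        else:
            decoded.append((f"Attr-{attr_type}", value))
        pos += length
    return decoded

def is_well_formed(data):
    """True when every attribute and every VSA sub-TLV has a consistent length."""
    try:
        decode_attributes(data)
        return True
    except ValueError:
        return False

def build_sample_request():
    """Constructed attribute list resembling what Wireshark shows in an
    Access-Request: a User-Name, two VSAs and a Session-Timeout."""
    return (encode_attribute(1, "string", "alice@example.org")
            + encode_vsa(VENDOR_ID, 1, "string", "site=lab7")
            + encode_vsa(VENDOR_ID, 2, "integer", 42)
            + encode_attribute(27, "integer", 3600))

if __name__ == "__main__":
    for name, val in decode_attributes(build_sample_request()):
        print(f"{name} = {val!r}")
```

Run it directly to print the decoded attributes of the constructed request. The point for the troubleshooting above: a VSA is always delivered as a type-26 attribute whose first four value bytes are the Vendor-Id, so a capture that shows no type 26 at all means no VSA was encoded on the sending side, regardless of what the dictionary says; a capture that shows type 26 but no named attribute means the receiving side's dictionary does not match the Vendor-Id or vendor type.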


Forced Reauthentication

2011-12-06 Thread Houston-III, Lester L
Hello,

I'm trying to force reauthentication of my strongswan IPSec clients where 
EAP-TLS is being used, but nothing seems to work.  Now, this is something that 
I would like to do on a per-client basis, so I'm modifying the session-timeout 
attribute of the access-accept packet to include my new session time.  This 
insertion is performed from JRADIUS, where it is called in the post-auth stage. 
All of this appears to be working since the FreeRADIUS output prints out the 
new session-timeout value along with the other access-accept data when it sends 
the access-accept packet.  I have also tried to globally set the 
session-timeout by including it in the FreeRADIUS users file, but none of these 
methods seem to work.  Is anyone aware of a way to force a connecting client to 
reauthenticate?  Am I missing something with the methods I've tried thus far?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621


RE: Forced Reauthentication

2011-12-06 Thread Houston-III, Lester L
I will ask the strongswan folks.  JRADIUS is used for some other post 
authentication processing that determines whether the user is truly granted or 
denied access to the system.


-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Fajar A. Nugraha
Sent: Tuesday, December 06, 2011 6:40 PM
To: FreeRadius users mailing list
Subject: Re: Forced Reauthentication

On Wed, Dec 7, 2011 at 5:31 AM, Houston-III, Lester L
lester.l.houston-...@boeing.com wrote:
> Hello,
>
> I'm trying to force reauthentication of my strongswan IPSec clients where
> EAP-TLS is being used, but nothing seems to work.  Now, this is something
> that I would like to do on a per-client basis, so I'm modifying the
> session-timeout attribute of the access-accept packet to include my new
> session time.

Does the NAS (strongswan?) support session-timeout?
If you don't know, ask its support/forum/list. It's unlikely that
you'll find the answer here.

> This insertion is performed from JRADIUS, where it is called
> in the post-auth stage.

Why would you need jradius? Why not just use an unlang block in freeradius?

update reply {
...
}

-- 
Fajar



LDAP Filter

2011-11-21 Thread Houston-III, Lester L
I have an LDAP server performing authentication on FR clients where EAP-TLS is 
being used as the mechanism, but the LDAP module is not using TLS.  Is there a 
way to use the client certificate common-name as the UID in the LDAP 
authentication?  I'm thinking that I just need to modify the filter statement, 
but I'm unsure how the statement should be structured.  I hope I'm making sense.

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621


LDAP Attributes

2011-11-21 Thread Houston-III, Lester L
Is there a way to truncate the UID used by the LDAP module?  My system is using 
a UID structured like an email address, and I would like to use everything in 
front of the '@' as the UID.  Is this possible?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621
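Both the LDAP Filter post (keying the LDAP lookup on the client certificate's common name) and the question above (using only the part of the UID before '@') come down to deriving a uid from an identity and placing it safely inside a search filter. The Python below is an added illustration, not rlm_ldap or FreeRADIUS code; the attribute name uid and the subject strings are constructed placeholders. It strips the realm at the first '@' (FreeRADIUS's realm module produces Stripped-User-Name for the same purpose), pulls the CN out of a subject string, and escapes the value per RFC 4515 so that a User-Name or certificate subject can only ever match as a literal and cannot change the shape of the filter. Two caveats a practitioner should keep in mind: the certificate CN is only known once the TLS handshake has delivered and verified the client certificate, so it cannot drive a lookup on the first Access-Request of an EAP exchange; and the CN parser here is deliberately simple and does not handle commas escaped inside an RDN value.

```python
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    """Escape a string so it can only match as a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def local_part(identity: str) -> str:
    """Everything before the first '@'; an identity with no '@' is returned whole."""
    return identity.split("@", 1)[0]

def cn_from_subject(subject: str) -> Optional[str]:
    """Pick the CN out of a comma-separated subject such as
    'CN=alice,OU=Lab,O=Example'.  Simplified: escaped commas are not handled."""
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", subject)
    return match.group(1).strip() if match else None

def build_filter(attr: str, value: str) -> str:
    """Equality filter; attr comes from trusted config, value does not."""
    return f"({attr}={ldap_escape(value)})"

def filter_for_radius_user(user_name: str) -> str:
    """uid filter from a RADIUS User-Name, keeping only the part before '@'."""
    return build_filter("uid", local_part(user_name))

def filter_for_client_cert(subject: str) -> Optional[str]:
    """uid filter from the client certificate's CN, or None when there is no CN."""
    cn = cn_from_subject(subject)
    return build_filter("uid", cn) if cn is not None else None

if __name__ == "__main__":
    # Constructed sample identities; the third one is deliberately hostile.
    for name in ("alice@example.org", "bob", "*)(uid=*"):
        print(name, "->", filter_for_radius_user(name))
    print("CN=carol,OU=Lab,O=Example ->", filter_for_client_cert("CN=carol,OU=Lab,O=Example"))
```

A User-Name is input the client chooses, so the third sample shows why the escaping step is not optional: without it, `*)(uid=*` would alter the filter's structure instead of being compared as a literal string.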


RE: EAP-TLS Attributes

2011-11-17 Thread Houston-III, Lester L
Thanks for the responses.  I see that I need to devise a different way of 
getting the data across.  At the very least I have the groundwork done with 
EAP and maybe I can implement a VSA sometime later.

-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Thursday, November 17, 2011 5:15 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TLS Attributes

Houston-III, Lester L wrote:
> Basically, I want to provide some data that's obtained from an external 
> source to my VPN client that is made available to JRADIUS via FreeRADIUS.  I 
> need this data to be available for the authorization phase because it will be 
> used by JRADIUS for determining whether a user is authorized for access. I 
> haven't gotten much information about the data that needs to be transmitted, 
> but I was told that it's 20-30 bytes

  EAP doesn't work like that. :(

  It's not a generic transport mechanism for sending data from point A
to point B.  The data sent in EAP is defined by the protocol.  Nothing
else is sent, and nothing else *can* be sent.

  Alan DeKok.


EAP Attributes

2011-11-16 Thread Houston-III, Lester L
Does the EAP plugin support Vendor Specific Attributes (VSA)?  Can any of the 
EAP attributes be modified to contain my own set of data?  How can I inject 
custom data into my EAP message?

lester.l.houston-...@boeing.com



RE: EAP Attributes

2011-11-16 Thread Houston-III, Lester L
Can you elaborate a little more or point me to some documentation.  How do you 
modify the EAP-Message attribute?

>> Can any of the EAP attributes be modified to contain my own set of data?  How 
>> can I inject custom data into my EAP message?
>
> Yes. Modify the EAP-Message attribute.
>
> -Arran
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



EAP-TLS Attributes

2011-11-16 Thread Houston-III, Lester L
I'm trying to clear some confusion I'm experiencing.  This is probably not the 
right place to ask this question, but I haven't been having much luck finding 
any answers on the web.  I have a FreeRADIUS server running that is acting as a 
backend authenticator for my VPN server, which is StrongSwan.   FreeRADIUS is 
using LDAP for authorization and I have JRADIUS connected for performing post 
authorization.  Currently, I'm using EAP-TLS for connectivity from the 
StrongSwan VPN client down to JRADIUS and this is working well.

What I want to do now is have the StrongSwan VPN client inject some custom data 
into the EAP message so that data can be propagated through to JRADIUS for use 
in the post authorization method.  Maybe something like creating my own 
attribute or something.  Is this possible?  If so, how can I do this?  If not, 
is there a way to modify an existing FreeRADIUS attribute that can be modified 
by the StrongSwan VPN client?

Lester Houston III
lester.l.houston-...@boeing.com



RE: EAP Attributes

2011-11-16 Thread Houston-III, Lester L
Well,  I'm trying to use information included in the EAP message for post 
authorization using JRADIUS.  I was hoping that I could somehow inject some 
custom data that would be propagated to JRADIUS from FreeRADIUS then I could 
perform some processing on this data during the post authorization phase.

> What are you trying to accomplish?


RE: EAP-TLS Attributes

2011-11-16 Thread Houston-III, Lester L
Basically, I want to provide some data that's obtained from an external source 
to my VPN client that is made available to JRADIUS via FreeRADIUS.  I need this 
data to be available for the authorization phase because it will be used by 
JRADIUS for determining whether a user is authorized for access.  I haven't 
gotten much information about the data that needs to be transmitted, but I was 
told that it's 20-30 bytes.


> What data do you want to communicate from client to server? Instead of 
> saying how you want to do something, state what you want to do.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
I have installed the openssl-dev package, but FR stills thinks openssl is not 
installed.

  You need to install the openssl-dev package.  It includes the OpenSSL
header files.

  This is probably on the Wiki, under building it yourself.

  Alan DeKok.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
I finally got FR to recognize the openssl install.  Not sure what I did to fix 
it, but I installed some additional packages that required openssl such as 
Kerberos and that seemed to fix things.

-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 3:25 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I'm trying to configure my FreeRADIUS server to support EAP-TLS but it
> keeps reporting that there is no OpenSSL support.

  You need to install the openssl-dev package.  It includes the OpenSSL
header files.

  This is probably on the Wiki, under building it yourself.

  Alan DeKok.


RE: Issues with EAP-TLS and OpenSSL

2011-11-15 Thread Houston-III, Lester L
The rlm_eap_tls was built and I think it was installed, but I'm still getting 
the following errors when running the server.  The last line is probably shown 
because the tls section of eap.conf is ignored, but I'm not sure why I'm 
getting the other lines when I run configure and it states that OpenSSL is 
supported.

Ignoring EAP-Type/tls because we do not have OpenSSL support.
Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: No EAP type configured, module cannot do anything.

-Original Message-
From: 
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org 
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL

Houston-III, Lester L wrote:
> I finally got FR to recognize the openssl install.  Not sure what I did to 
> fix it, but I installed some additional packages that required openssl such 
> as Kerberos and that seemed to fix things.

  For the record, installing Kerberos won't fix OpenSSL issues.

  Something else happened.  The configure log will show it.

  Alan DeKok.


Issues with EAP-TLS and OpenSSL

2011-11-14 Thread Houston-III, Lester L
I'm trying to configure my FreeRADIUS server to support EAP-TLS but it keeps 
reporting that there is no OpenSSL support.  I'm currently using FreeRADIUS 
version 2.1.12 on CentOS 6.  I built the server from source because I needed to 
include the JRADIUS plugin.  I have been able to get things working with 
JRADIUS and PAP, but now I'm trying to use EAP-TLS.  I have already installed 
the OpenSSL core, static and development packages using yum.  Issuing the 
configure commands always results in a statement that OpenSSL is not supported 
("Checking for OpenSSL support .. no").  What am I missing?  Does another 
package need to be installed?

Lester Houston III
Boeing Research & Technology
Electronics Prototyping and Integration Center (EPIC)
lester.l.houston-...@boeing.com
314-234-0621