Re: mac authentication, log rejected device in radius.log

2013-10-18 Thread John Douglass

On 10/18/2013 11:00 AM, Alan DeKok wrote:

Bertalan Voros wrote:

I have one question, I would like to log a message in radius.log when a
device is rejected based on its mac address.
I would like to put a message saying that the device was unauthorised
and the Calling-Station-Id into the radius.log logfile.

   See the radiusd.conf, the log subsection.  There are limited
possibilities for customizing the log messages.

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I use a modified module for syslog based off exec for this type of 
thing (on a UNIX system):


exec syslog-portauth {
    # don't block the request on logger finishing
    wait = no

    # one syslog line per authentication, facility local3, tag "portauth"
    program = "/usr/bin/logger -p local3.info -t portauth switch %{NAS-IP-Address} port %{NAS-Port-Id} %{NAS-Port} - User %{sql_start2: select determineUserFromMac('%{User-Name}')} on MAC %{User-Name} assigned to %{reply:Tunnel-Private-Group-Id}"

    # expand %{...} from the request; only run when the reply is an Access-Accept
    input_pairs = request
    packet_type = Access-Accept
    # attribute values are passed to logger unescaped
    shell_escape = no
}

Granted, you might need to execute this on an Access-Reject but you can 
log anything you want with that. I even grab some values from my 
database (MySQL functions actually) to include in the log line.


- JohnD



Re: freeradius 2.2.0 on Fedora and oracle module

2013-10-10 Thread John Dennis
On 10/10/2013 08:39 AM, Puzzel wrote:
 I've made configure at top level ./configure
 --with-oracle-lib-dir=/usr/lib/oracle/11.2/client64/lib
 --with-oracle-include-dir=/usr/include/oracle/11.2/client64
 
 Then i made make, but i still can't find rlm_sql_oracle.so file. :/

Try reading the output of the build process, it will tell you what went
wrong.

Hint:

Redirection:

do_something 2>&1 | tee -a some_file



-- 
John


Re: Version 3.0.0 has been released

2013-10-09 Thread John Dennis
On 10/07/2013 04:18 PM, Alan DeKok wrote:
   After many years of development, the FreeRADIUS team is happy to
 announce Version 3 of the world's most popular server.  The release was
 delayed from June in order to track down and solve a number of
 last-minute issues.  We'd like to thank all of the beta testers for
 helping with that process.
 
   The release announcement is available on the web site:
 
 http://freeradius.org/press/index.html#3.0.0

3.0 is not on the download page http://freeradius.org/download.html nor
is there a download link on the above announcement page.

BTW, I do know I can get it directly from
ftp://ftp.freeradius.org/pub/freeradius/ but there should be links.


-- 
John


Re: What does FR 2.2.2 fix?

2013-10-04 Thread John Dennis
On 10/04/2013 06:53 AM, a.l.m.bu...@lboro.ac.uk wrote:

 a couple of logic issues that meant case/switch and if() worked different
 to 2.x - that's been fixed.

I need a clarification. Do you mean worked differently ONLY IN 2.2.1?
But 2.2.2 is 100% logic consistent with all 2.x, except 2.2.1?


-- 
John


No EAP session matching the State variable (and other various messages)

2013-09-30 Thread John Douglass

What exactly do error messages like:

Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.

mean?

I have attempted to rectify this by seeing if modifying the following 
configuration options within eap.conf gets rid of these.


#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 120

#
#  Help prevent DoS attacks by limiting the number of
#  sessions that the server is tracking.  Most systems
#  can handle ~30 EAP sessions/s, so the default limit
#  of 4096 should be OK.
max_sessions = 16384

I have even gotten EAP caching (using the Cached-Session-Policy) to two 
hours now.


These error messages especially appear to occur en masse at or near the 
hour and then seem to abruptly stop:


Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.

[ SNIPPED ]
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.


Which appear in conjunction with:

Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.
Sep 30 12:58:52 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 234 due to recent request 213661.


As well as sometimes:

Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.


An oddity is that the issues appear cross server at about the same times:

Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 754502 in component authenticate module peap.
Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 828962 in component authenticate module peap.


Anyone have any similar battle scars that I can learn from (server 
performance tweaks, optimizations, etc.)? I've optimized the SQL component 
as best I can. This all seems related to samba/winbind/ntlm_auth.


- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology
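To make sense of the four message kinds in this post from an offline copy of radius.log, here is an added Python example (mine, not from the thread or the FreeRADIUS project) that classifies each line, counts them per host, and flags the minutes in which one server logged a burst of State mismatches, so those minutes can be lined up against the hung-child and duplicate/conflicting-packet lines from the same time. Assumptions: syslog lines carry no year, so 2013 is passed in; the burst threshold of 5 per minute is arbitrary; the sample lines are constructed from the ones quoted above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Prefix radiusd writes via syslog, as in the lines quoted above, e.g.
#   Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable.
_LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) radiusd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The four message kinds discussed in the post; first match wins.
_CLASSES = [
    ("eap_state_mismatch", re.compile(r"No EAP session matching the State variable")),
    ("hung_child", re.compile(r"Child is hung for request (?P<req>\d+)")),
    ("duplicate_request", re.compile(r"Discarding duplicate request from client (?P<client>\S+)")),
    ("conflicting_packet", re.compile(r"Discarding conflicting packet from client (?P<client>\S+)")),
]


def parse_line(line, year=2013):
    """Return (timestamp, host, message_class, details) for a tracked line, else None.

    syslog lines carry no year, so the caller supplies it (2013 assumed for this post)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    for name, pattern in _CLASSES:
        cm = pattern.search(m.group("msg"))
        if cm:
            ts = datetime.strptime(
                f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
                "%Y %b %d %H:%M:%S",
            )
            return ts, m.group("host"), name, cm.groupdict()
    return None


def summarize(lines, year=2013):
    """Count tracked messages per (host, message_class)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            counts[(parsed[1], parsed[2])] += 1
    return counts


def state_mismatch_bursts(lines, threshold=5, year=2013):
    """Minutes in which one host logged at least `threshold` State mismatches.

    Returns a sorted list of (host, 'YYYY-MM-DD HH:MM', count). A burst that
    coincides with hung-child warnings or duplicate/conflicting packets from
    the same minute is the correlation the post is asking about."""
    per_minute = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed and parsed[2] == "eap_state_mismatch":
            ts, host = parsed[0], parsed[1]
            per_minute[(host, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return sorted(
        (host, minute, n) for (host, minute), n in per_minute.items() if n >= threshold
    )


# Constructed sample modelled on the lines quoted in the post (not a real capture).
_MISMATCH = "newdvlana radiusd[18407]: rlm_eap: No EAP session matching the State variable."
SAMPLE_LOG = [
    "Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 "
    "in component authenticate module peap.",
    "Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client "
    "resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554",
    "Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client "
    "Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.",
    "Sep 30 12:58:24 newdvlanb radiusd[10152]: Info: Ready to process requests.",
] + [f"Sep 30 12:59:30 {_MISMATCH}"] * 6 + [f"Sep 30 13:01:37 {_MISMATCH}"]

if __name__ == "__main__":
    for (host, cls), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:12s} {cls:20s} {n}")
    for host, minute, n in state_mismatch_bursts(SAMPLE_LOG):
        print(f"burst: {host} {minute} {n} state mismatches")
```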


Re: LDAP password in log files

2013-09-30 Thread John Dennis
On 09/30/2013 02:45 PM, Matthew Ceroni wrote:
 Is there any way to prevent FreeRadius from showing the password in
 logs (debug logs) when authentication is done via LDAP?
 
 Current I see :
 
 rad_recv: Access-Request packet from host 192.168.100.2 port 31011,
 id=13, length=129
 User-Name = username
 User-Password = XX
 NAS-IP-Address = 192.168.100.2
 NAS-Port = 268
 NAS-Port-Type = Virtual
 Cisco-AVPair = ip:source-ip=192.168.21.145
 Calling-Station-Id = ip:source-ip=192.168.21.145
 
 Plus it will show it in other spots as well (accounting section, etc).

Please try to search the list archives before asking questions. This has
been answered multiple times.

Short answer is no, the debug output is meant for debugging ONLY and
during debugging it's vital to be able to see the actual data in use.


-- 
John


Re: Active Directory authentication question

2013-09-24 Thread John Dennis
On 09/24/2013 10:16 AM, Roberto Carna wrote:
 Dear, I'm advancing in the Freeradius + AD authentication... just a
 short question: when I want to make the eapol_test tool, I get this
 error:
 
 # make eapol_test
 /usr/bin/ld: cannot find -lnl
 collect2: error: ld returned 1 exit status
 make: *** [eapol_test] Error 1

Basic software development isn't really a topic for this list. You
should really look elsewhere for information on how to build and install
on your chosen platform. You also need to understand error messages. But
just to get you going

cannot find -lnl

means the linker cannot find the libnl library, therefore you need to
install the libnl-devel package for your distribution. You need the devel
package because it includes the files you need during development as
opposed to at runtime.


-- 
John


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 01:19 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 17:52, Phil Mayers opined:
 
 PM:It's difficult to say, because the debug you sent has all the useful 
 PM:bits trimmed out - like the original packet, and the full module 
 PM:processing chain.

You still haven't sent the full debug.

 hi phil - ok, here's the full debug for a successful request:

 [files] users: Matched entry test at line 1

 and here's the full output of a failed request:

 [files] users: Matched entry DEFAULT at line 172

So there's your answer, in the successful case it matched the entry for
text on line 1, on the failed case it didn't match. So either you're not
using the same users file (a full debug would have told us that) or
you've got some criteria set for the test entry which isn't being matched.

Also, you said you were moving from v1 to v2, you can't just copy v1
configs over, they're different, hope you weren't doing that.

-- 
John


Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 02:07 PM, paul trader wrote:
 On Mon, 23 Sep 2013 at 13:31, John Dennis opined:
 
 JD:You still haven't sent the full debug.
 
 hi john - thanks for your reply.  i sent the output from running radiusd 
 -X, are you saying i need to run -Xxx and send that instead?

No. It means all the output from radiusd -X. Yes, that might seem like a
lot but it contains useful information. But before you do send it to
this list see below.
 
 or are you looking for the startup output as well?  i only included the 
 output for the particular requests.

That's not the full debug is it? :-)

 
 JD:Also, you said you were moving from v1 to v2, you can't just copy v1 
 JD:configs over, they're different, hope you weren't doing that.
 
 i used a default v2 install and only changed the users and clients.conf 
 files.  everything else was left alone.

You have all the information you need to debug your problem. It does
require reading the debug output carefully. But you should really try to
do that yourself first. As I said earlier, verify you're reading the
exact same users file in both cases (the debug output will tell you what
files are being read). If they are then look at your users file and
determine why the user name is not matching, there is nothing magic
about it, it should be straightforward. Still stumped? Then come back
to the list for help.


-- 
John


RE: ipad ssl error in free radius

2013-09-19 Thread John Carter
John,

 

The IPhone Configuration Utility  can do remote debugging with iPads, it
helped me diagnose some EAP-TLS issues.

 

John.

 

From:
freeradius-users-bounces+jcarter=identitynetworks@lists.freeradius.org
[mailto:freeradius-users-bounces+jcarter=identitynetworks.com@lists.freeradi
us.org] On Behalf Of val john
Sent: 19 September 2013 05:28
To: FreeRadius users mailing list
Subject: ipad ssl error in free radius

 

hi guys 

we are getting the following error in our radius log when an ipad tries to connect
to our WIFI network, our WIFI network using EAP-TTLS + LDAP authentication.

All other devices  (linux , windows,  mac os 10.8 , Suse , android ) are
working fine apart from ipads ..

Error 
===

Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read
client certificate A
Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert
read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port 1
cli 00-88-65-42-50-88)

Do you guys have any idea what causes this issue?

Thank you 

John

 


Re: Active Directory authentication question

2013-09-18 Thread John Dennis
On 09/18/2013 11:01 AM, Roberto Carna wrote:
 Arran, I have a private CA and I've created the server and client
 certs of course...and I've generated the .p12 cert (including the CA
 cert) to install in my Windows 7 clients... it works OK.
 
 What I mean is that EAP-TLS is easier to me than AD authentication at
 this point, because I've just put it to work...and if I want to use AD
 auth I have to take EAP-TLS out and start again with NTLM / AD
 authentication... is it OK???

I think you have a misconception. The client decides what type of
authentication mechanism it's going to use. The radius server should be
able to handle a wide variety of authentication mechanisms supplied by a
diverse range of clients.

So in your case you've got one mechanism working, great, now add support
for another, when you're done your radius server can handle 2
mechanisms. Keep iterating on this basic cycle until your server
supports the range of clients you need to support.


-- 
John


ipad ssl error in free radius

2013-09-18 Thread val john
hi guys

we are getting the following error in our radius log when an ipad tries to
connect to our WIFI network, our WIFI network using EAP-TTLS + LDAP
authentication.

All other devices  (linux , windows,  mac os 10.8 , Suse , android ) are
working fine apart from ipads ..

Error
===

Tue Sep 17 13:36:25 2013 : Error: TLS Alert read:warning:close notify
Tue Sep 17 13:36:25 2013 : Error: TLS_accept: failed in SSLv3 read
client certificate A
Tue Sep 17 13:36:25 2013 : Error: rlm_eap: SSL error error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
Tue Sep 17 13:36:25 2013 : Error: SSL: SSL_read failed in a system call
(-1), TLS session fails.
Tue Sep 17 13:36:25 2013 : Auth: Login incorrect (TLS Alert
read:warning:close notify): [u...@ihk.com] (from client ManagementAPs port
1 cli 00-88-65-42-50-88)

Do you guys have any idea what causes this issue?

Thank you
John

EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Hi,

I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
doesn't.

Is there anything I'm missing? The problem appears to be that the client
doesn't send over the client cert. I know Windows is very fussy with what
it accepts as a cert for EAP-TLS, but I'm confused as to why it works for
one and not the other.

Mon Sep 16 12:56:55 2013 : Info: [tls] Length Included
Mon Sep 16 12:56:55 2013 : Info: [tls] eaptls_verify returned 11
Mon Sep 16 12:56:55 2013 : Info: [tls] (other): before/accept
initialization
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: before/accept
initialization
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 005a],
ClientHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 read client
hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 0031],
ServerHello
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write server
hello A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 053e],
Certificate
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write
certificate A
Mon Sep 16 12:56:55 2013 : Info: [tls]  TLS 1.0 Handshake [length 000d],
CertificateRequest
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 write
certificate request A
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: SSLv3 flush data
Mon Sep 16 12:56:55 2013 : Info: [tls] TLS_accept: Need to read more
data: SSLv3 read client certificate A
Mon Sep 16 12:56:55 2013 : Debug: In SSL Handshake Phase
...
Mon Sep 16 12:57:00 2013 : Debug: WARNING:
!!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! EAP session for state
0x7c569f3d755a860c did not finish!
Mon Sep 16 12:57:00 2013 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Mon Sep 16 12:57:00 2013 : Debug: WARNING:
!!
Mon Sep 16 12:57:00 2013 : Info: Ready to process requests.

radius.log: http://pastebin.com/9fBdxfYt
eap.conf: http://pastebin.com/7dL69pmQ
inner-tunnel: http://pastebin.com/BGzJSKz0

Thanks,

John.

-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Re: EAP-TLS works but not PEAP/EAP-TLS

2013-09-17 Thread John Carter
Thanks Martin,

I had already changed this in the config, but it lead me to the real issue
which was that I'd added a eap inner-eap section to my eap.conf, but I
also had a modules/inner-eap file from the default config. When I removed
modules/inner-eap file it all works fine.

Thanks again,
John.



On 17 September 2013 08:46, Martin Kraus lists...@wujiman.net wrote:

 On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
  I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
  EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
  doesn't.

 Hi.

 make fragment_size in modules/inner-eap smaller than fragment_size in
 eap.conf

 I've got 1200 in inner-eap and 1400 in eap.conf

 cheers
 mk




-- 
John Carter
Identity Networks
jcar...@identitynetworks.com
skype:jcartermeru

Debugging No EAP session matching the State variable

2013-09-16 Thread John Douglass
 40:a6:d9:9a:9a:53)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [cparker31] 
(from client Rich-core-WiSM-E port 29 cli 88:53:95:79:ea:0c)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [djohnson77] 
(from client Rich-core-WiSM-E port 29 cli 60:45:bd:f2:7e:a8)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [lnichols3] 
(from client Rich-core-WiSM-E port 29 cli e0:75:7d:4e:97:bb)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [oanachebe3] 
(from client Rich-core-WiSM-E port 29 cli 98:d6:f7:5f:aa:cf)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [bmcgowan6] 
(from client Rich-core-WiSM-E port 29 cli c8:aa:21:39:7e:32)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.
Sep 16 09:57:56 newdvlanb radiusd[15211]: Login incorrect: [yyu98] (from 
client Rich-core-WiSM-E port 29 cli 9c:3a:af:60:ed:bc)
Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session 
matching the State variable.


I need some guidance on what to enable, what to look for, etc. to fix 
this. I will be glad to post a full debug log (this server is very busy, 
but it's beefy beefy so should be handling things). I'll gladly post the 
multi megabyte debug log somewhere with a date/time of when things are 
occurring. Within the debug mode, I didn't see a way for me to follow a 
given thread of authentication. It looks like (forgive me if I am 
misreading) the debug messages are interleaved. There appears to be a 
process ID (5357?) but that same guide number style doesn't appear in 
the debug (allowing me to focus in on that one authentication session).


It appears to be doing ok, but these failed auths may appear to the end 
user as a wireless session drop so I am very concerned.


[root@newdvlana 2013]# /services/snacks/lawn/util/radius-server-status.sh
Received response ID 28, code 2, length = 140
FreeRADIUS-Total-Access-Requests = 14103212
FreeRADIUS-Total-Access-Accepts = 2072612
FreeRADIUS-Total-Access-Rejects = 132162
FreeRADIUS-Total-Access-Challenges = 11896299
FreeRADIUS-Total-Auth-Responses = 14101073
FreeRADIUS-Total-Auth-Duplicate-Requests = 430
FreeRADIUS-Total-Auth-Malformed-Requests = 0
FreeRADIUS-Total-Auth-Invalid-Requests = 0
FreeRADIUS-Total-Auth-Dropped-Requests = 1824
FreeRADIUS-Total-Auth-Unknown-Types = 0

After finding some messages on the devel list, I saw some reference to 
memory clean up but that was a while ago so not sure how valid that 
comment/problem is in the 2.2.0 version.


How should I approach this problem?

- John Douglass, Sr. Systems IT/Architect


Re: free radius setup

2013-09-10 Thread John Dennis
On 09/10/2013 02:15 PM, Swenson, Chris wrote:
 I understand a bit more why people were bringing up plain text passwords now.
 
  
 
 My radius server is being presented with peap ms-chapV2 credentials and
 I want it to receive authentication from my openldap server.
 
 It seems that the credentials in this format cannot be digested by
 openldap and acknowledged.
 
 The passwords in my openldap are encrypted as SHA
 
  
 
 Do I have this right?
 
 Is there an alternative.
 
 Maybe that FreeRadius 3.0.0 rc1 mentioned in one of the emails the other
 day?

Before you go any further you need to read and understand the material
on this page:

http://deployingradius.com/documents/protocols/compatibility.html

-- 
John


Re: free radius setup

2013-09-10 Thread John Dennis
On 09/10/2013 06:54 PM, Arran Cudbard-Bell wrote:
 On the registration page you use to 'activate' users accounts for the
 service, you get them to login. Once their password is verified
 against OpenLDAP you do an LDAP modify and store the plaintext
 version.  This is exactly what we did at University of Sussex when we
 rolled out the service six years ago.
 
 We opted to store NT-Password hashes.  These are not really any more
 secure than cleartext, but at least you don't accidentally see the
 user's output in any directory dumps or debug output.

And be sure to set ACLs (Access Control Lists) on the password
attributes so that only the admin and the radius process can read them.

-- 
John


Re: problem with initial setup

2013-09-09 Thread John Dennis
On 09/09/2013 12:18 PM, Swenson, Chris wrote:
 Hi all, I have not used radius in about 15 years and found a need
 recently. I have set up the rpm on a red hat 5.6 server and when I
 run radius -X the system starts fine with the expected info.

On RHEL5 make sure you install the freeradius2 set of packages, not the
freeradius packages. RHEL5 initially shipped with freeradius 1.x, but
you want to be running 2.x. In RHEL we can't remove a previously shipped
major version of a package so we had to add freeradius2 in order to make
version 2.x available.

-- 
John


Re: problem with initial setup

2013-09-09 Thread John Dennis
On 09/09/2013 12:52 PM, Swenson, Chris wrote:
 Thanks for the replies:
 Ok, uninstalled #1 and updated to freeradius2
 
 radiusd started without a hitch with  testing Cleartext-Password := 
 password in users file.
 
 When I ran  radtest testing password localhost 0 testing123
 
 Received  -bash: /usr/bin/radtest: No such file or directory

It's in the freeradius2-utils package.

% yum install /usr/bin/radtest

or

% yum install freeradius2-utils

or

read how to use the yum package manager.


-- 
John


Re: my Radius goal radius and openldap.

2013-09-09 Thread John Dennis
On 09/09/2013 08:46 PM, Swenson, Chris wrote:
 Yeah, but the goal is that it is passed to the server via a secure web
 page. The end goal here is getting authenticated users the right to
 connect to the secure ssid's. The Aruba wireless controllers are
 supposed to do that. If I am way over my head I have a consultant on
 contract. RHIP.
 

Unless I'm missing something here this is a very simple configuration.

You've got passwords stored in LDAP using an MD5 hash. You receive a
username/password pair from your web app. The password will be
cleartext. This is just straight forward PAP. Lookup the username in
ldap in the authorize section, set the password in the request to the
md5 hash you looked up and let pap handle it.


 
 - Reply message -
 From: Arran Cudbard-Bell a.cudba...@freeradius.org
 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
 Subject: my Radius goal radius and openldap.
 Date: Mon, Sep 9, 2013 7:34 pm
 
 
 
 
 On 10 Sep 2013, at 00:19, Swenson, Chris cswen...@curry.edu wrote:
 
 No, they are encrypted in the ldap database in md5 hash.
 
 Right, but you have the plaintext version from the user?
 
 I might be too old to do bleeding edge stuff like 3.0 RC1
 I will take a look and a poke at it though.
 
 Fair enough.
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 
 
 


-- 
John


Re: [ANN] Version 3.0.0-rc1

2013-09-08 Thread John Dennis
On 09/06/2013 04:31 PM, stefan.pae...@diamond.ac.uk wrote:
 I shall try a RHEL6/CentOS6 compatible build tomorrow or Monday.
 
 Shouldn't be a problem. John D, I'll update my tag, you guys will probably do 
 the same.

FYI: rc1 is packaged and built for Fedora in rawhide (unreleased
latest). At the moment the Fedora spec file is identical to what is
being used to prepare for RHEL-7.

The Fedora rawhide build is freeradius-3.0.0-0.4.rc1.fc21 and can be
found in Koji here:

http://koji.fedoraproject.org/koji/buildinfo?buildID=462883


-- 
John


Re: Auth by NAS-Identifier using unlang

2013-08-06 Thread John Dennis
On 08/06/2013 02:31 AM, Alan Buxey wrote:
 I assume that's the freeradius2 package rather than freeradius as 1.x
 doesn't have unlang

The OP said Fedora. Fedora has never had a freeradius2 package (only
ever existed in RHEL 5.x). Fedora has had 2.x for many years. So either
the OP is using an extremely old version, doesn't know what OS they're
on, or is trying to blame the package for a failure to read the doc.


-- 
John


Re: Auth by NAS-Identifier using unlang

2013-08-05 Thread John Dennis
On 08/05/2013 08:49 PM, Joseph Perrin wrote:
 Thank you.  I now understand.
 
 A stock install of freeRadius in Fedora, (i.e. via yum), does not
 provide a man page for unlang.  Had you not helped me, I'd simply not know.

Nonsense, the freeradius rpm installs the unlang man page.

Please provide the exact installed rpm if you think otherwise.

-- 
John


Re: TLS-Client-Cert-Expiration date format

2013-07-25 Thread John Dennis
On 07/25/2013 04:50 AM, George Ross wrote:
 Just wondering if anyone knew what the expiration date format was back
 from eap-tls transactions? I have a cert here that expires 23/07/2015
 and FR gives back  150723132302Z.
 That's a Z on the end..?
 
 http://en.wikipedia.org/wiki/ISO_8601.

Sorry, but 150723132302Z is not 8601.

https://en.wikipedia.org/wiki/ISO_8601

150723132302Z is universalTime a subset of ASN.1 GeneralizedTime

http://www.obj-sys.com/asn1tutorial/node14.html

http://luca.ntop.org/Teaching/Appunti/asn1.html (see section 5.17)

universalTime is being used because certs are encoded in ASN.1,
specifically they require the use of GeneralizedTime.

The GeneralizedTime form was standardized before RFC 8601.

The use of GeneralizedTime is an artifact of the certificate binary
encoding format. I'm not sure that's the best presentation these days.
I'd rather see GeneralizedTime values presented in 8601 format to be
consistent with modern standards. To properly parse the universalTime
format being used one has to understand the nuances of X509 certificate
encoding which is expecting too much.

I wonder if the OpenSSL library has an option or function to convert to
8601.


-- 
John
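An added example (mine, not from the thread, OpenSSL or FreeRADIUS) that does the conversion John wonders about, in Python: the 13-character YYMMDDHHMMSSZ form shown above is what RFC 5280 calls UTCTime, which X.509 uses for dates through 2049 (two-digit years 50-99 are 19xx, 00-49 are 20xx), while GeneralizedTime (YYYYMMDDHHMMSSZ) is used from 2050 on; the parser accepts both and renders ISO 8601. The attribute name TLS-Client-Cert-Expiration is the one in the thread title; the expiry check is a plain comparison against the current UTC time.

```python
import re
from datetime import datetime, timezone

# RFC 5280 4.1.2.5: validity times are UTCTime (YYMMDDHHMMSSZ) for dates through
# 2049 and GeneralizedTime (YYYYMMDDHHMMSSZ) from 2050 on; both are UTC ("Z").
_UTCTIME_RE = re.compile(r"^\d{12}Z$")
_GENERALIZEDTIME_RE = re.compile(r"^\d{14}Z$")


def is_x509_time(value):
    """True if the string has the shape of either encoding (does not validate the date)."""
    value = value.strip()
    return bool(_UTCTIME_RE.match(value) or _GENERALIZEDTIME_RE.match(value))


def parse_x509_time(value):
    """Parse a certificate time as FreeRADIUS hands it over in an attribute such as
    TLS-Client-Cert-Expiration (e.g. "150723132302Z") into an aware UTC datetime."""
    value = value.strip()
    if _UTCTIME_RE.match(value):
        yy = int(value[:2])
        # Two-digit year pivot from RFC 5280: 50..99 -> 1950..1999, 00..49 -> 2000..2049
        year = 1900 + yy if yy >= 50 else 2000 + yy
        digits = f"{year:04d}{value[2:12]}"
    elif _GENERALIZEDTIME_RE.match(value):
        digits = value[:14]
    else:
        raise ValueError(f"not an X.509 UTCTime/GeneralizedTime value: {value!r}")
    # strptime rejects impossible dates (month 13, day 32, ...) with ValueError
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_iso8601(value):
    """ISO 8601 rendering: "150723132302Z" -> "2015-07-23T13:23:02Z" (the 23/07/2015 above)."""
    return parse_x509_time(value).strftime("%Y-%m-%dT%H:%M:%SZ")


def cert_expired(expiration, now=None):
    """True if the notAfter value is in the past; `now` defaults to the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    return parse_x509_time(expiration) < now


if __name__ == "__main__":
    for raw in ("150723132302Z", "491231235959Z", "500101000000Z", "20500101000000Z"):
        print(f"{raw:16s} -> {to_iso8601(raw)}  expired={cert_expired(raw)}")
```

In C, OpenSSL 1.1.1 and later provide ASN1_TIME_to_tm() for the same conversion.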


Re: Free radius version 3.0.0 rco

2013-07-23 Thread John Dennis
On 07/23/2013 05:28 AM, manjunath uthappa ponnachana wrote:
 Hi,
 
 I want to download free radius version 3.0.0 rco. Please let me know the
 downlaod link.

The tarball is available here:
https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_beta1.tar.gz


 Also wanted to know whether free radius version 3.0.0 rco is officially
 released or not.

No. The rc0 in the name means Release Candidate Zero, in other words
it's the first trial of version 3.0; there may be other trials before
it's declared stable. No official release will have a release candidate
notation in its name. Release candidates are for testing. You can help
out by building and testing it.

 If not when it will be ready for official release.

I'll let the development team answer that one.

-- 
John


Re: Free radius version 3.0.0 rco

2013-07-23 Thread John Dennis
On 07/23/2013 08:29 AM, John Dennis wrote:
 On 07/23/2013 05:28 AM, manjunath uthappa ponnachana wrote:
 Hi,

 I want to download free radius version 3.0.0 rco. Please let me know the
 downlaod link.
 
 The tarball is available here:
 https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_beta1.tar.gz

Argh sorry, cut-n-paste mistake, the real URL is:

https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc0.tar.gz

 
 Also wanted to know whether free radius version 3.0.0 rco is officially
 released or not.
 
 No. The rc0 in the name means Release Candidate Zero, in other words
 it's the first trial of version 3.0, there may be other trials before
 it's declared stable. No official release will have a release candidate
 notation in its name. Release candidates are for testing. You can help
 out by building and testing it.
 
 If not when it will be ready for official release.
 
 I'll let the development team answer that one.
 


-- 
John


Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread John Dennis
On 07/23/2013 05:18 AM, stefan.pae...@diamond.ac.uk wrote:
 Thanks, John. 
 
 I'll use that SPEC as base for CentOS 6.x packages :-)

I will be making some tweaks to the spec file over the near term. For
instance I just realized I made a mistake with the release field in the
N-V-R, the package release increment number must precede the upstream
pre-release string rc0, I just fixed that. [1]

You can track any changes to the fedora master branch (i.e. rawhide)
by cloning this git repo.

git clone git://pkgs.fedoraproject.org/freeradius

I'm also contemplating splitting the doc into its own subpackage, the
doc is 4.6MB, no reason to install that much data on minimal install
production servers.

Anyway, the point is the spec file is not frozen yet, anticipate some
changes.

[1] If you're interested in the details see this:
https://fedoraproject.org/wiki/Packaging:NamingGuidelines?rd=Packaging/NamingGuidelines#Pre-Release_packages
-- 
John


Re: [ANN] Version 3.0.0-rc0

2013-07-23 Thread John Dennis
I've built on Fedora and the unreleased RHEL-7

On RHEL-7 I built on the following architectures:

ppc, s390, x86_64, ppc64, i686, s390x

All of those built successfully but when I run one of our analysis tools
it reports some problems, mostly in the area of multilib (multilib is
where you can have more than one set of libraries on a system, e.g.
32-bit and 64-bit). The main problem is the header files have a few
32-bit vs. 64-bit items in them. Header files are not supposed to be
arch specific. Normally the header files get installed in a devel
package so 3rd parties can build and link new modules if they want. But
the header files aren't clean, which would prohibit us from producing a
devel package. One possibility is for the spec file to delete the
offending elements in the header files, but it would be better if the
multilib issues were not present in the FR 3.0 release at all, that
would be much cleaner. Oddly there seems to be a multilib issue in one
of the example python files. I have not dug into how to fix any of these
yet, but I hope we can get the fixes in before 3.0 is frozen.

Also there were a few other issues reported in conjunction with IPv6. I
have not had time yet to go through and see if these are red herrings or
not.

I've attached the output of the analysis tool for review.


-- 
John
$ rpmdiff-cli local-analyse scratch:6062804
Setting up before packages
Setting up after packages
[rpmdiff-cli]$ ./rpmdiff-checker --xml-output=test-work-dir/output.xml 
--nocompare test-work-dir
[BAD] [freeradius] Subpackage freeradius is not multilib-clean for x86_64 vs 
i686: 1 file has non-equal 32/64bit content:
  /etc/raddb/radiusd.conf

[INFO] [freeradius] Multilib difference for etc/raddb/radiusd.conf on x86_64 vs 
i686:
--- /etc/raddb/radiusd.conf on x86_64   2013-07-19 05:16:18.829224089 -0400
+++ /etc/raddb/radiusd.conf on i686 2013-07-19 05:18:36.53887 -0400
@@ -106,7 +106,7 @@ db_dir = ${raddbdir}
 #  make
 #  make install
 #
-libdir = /usr/lib64/freeradius
+libdir = /usr/lib/freeradius

 #  pidfile: Where to place the PID of the RADIUS server.
 #
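Review bot: the only x86_64/i686 difference in this hunk is the hard-coded `libdir = /usr/lib64/freeradius` versus `libdir = /usr/lib/freeradius`, and since /etc/raddb/radiusd.conf ships in the main freeradius package on both arches this single line is what makes the package multilib-unclean. Either the build should stop substituting the arch-specific library directory into the installed radiusd.conf (so the file is identical on every arch), or the spec file has to rewrite this line after install on each update; the former is the cleaner fix the message is asking for.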

[BAD] [freeradius-devel] Subpackage freeradius-devel is not multilib-clean for 
x86_64 vs i686: 1 file has non-equal 32/64bit content:
  /usr/include/freeradius/radpaths.h

[INFO] [freeradius-devel] Multilib difference for 
usr/include/freeradius/radpaths.h on x86_64 vs i686:
--- /usr/include/freeradius/radpaths.h on x86_642013-07-19 
05:16:36.042228062 -0400
+++ /usr/include/freeradius/radpaths.h on i686  2013-07-19 05:18:53.607225676 
-0400
@@ -1,6 +1,6 @@
 /* Automatically generated by build-radpaths-h */
 #define LOGDIR /var/log/radius
-#define LIBDIR /usr/lib64/freeradius
+#define LIBDIR /usr/lib/freeradius
 #define RADDBDIR   /etc/raddb
 #define RUNDIR /var/run
 #define SBINDIR/usr/sbin
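Review bot: `#define LIBDIR` is the only arch-dependent line in this generated header; the other defines (LOGDIR, RADDBDIR, RUNDIR, SBINDIR) are identical on x86_64 and i686. A header installed from freeradius-devel has to be byte-identical across arches, so build-radpaths-h should either omit LIBDIR from the installed copy (the runtime value already lives in radiusd.conf, as the previous hunk shows) or emit an arch-neutral expression for it. Deleting the line in the spec file, as the message suggests, works but must be repeated on every update.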

[BAD] [freeradius-python] Subpackage freeradius-python is not multilib-clean 
for x86_64 vs i686: 2 files have non-equal 32/64bit content:
  /etc/raddb/mods-config/python/example.pyo
  /etc/raddb/mods-config/python/example.pyc

[INFO] [freeradius-python] Multilib difference for 
etc/raddb/mods-config/python/example.pyo on x86_64 vs i686:
Binary files /etc/raddb/mods-config/python/example.pyo on x86_64 and 
/etc/raddb/mods-config/python/example.pyo on i686 differ

[BAD] [freeradius] Subpackage freeradius is not multilib-clean for ppc64 vs 
ppc: 1 file has non-equal 32/64bit content:
  /etc/raddb/radiusd.conf

[INFO] [freeradius] Multilib difference for etc/raddb/radiusd.conf on ppc64 vs 
ppc:
--- /etc/raddb/radiusd.conf on ppc642013-07-19 05:17:46.229223508 -0400
+++ /etc/raddb/radiusd.conf on ppc  2013-07-19 05:15:27.709224515 -0400
@@ -106,7 +106,7 @@ db_dir = ${raddbdir}
 #  make
 #  make install
 #
-libdir = /usr/lib64/freeradius
+libdir = /usr/lib/freeradius

 #  pidfile: Where to place the PID of the RADIUS server.
 #

[BAD] [freeradius-devel] Subpackage freeradius-devel is not multilib-clean for 
ppc64 vs ppc: 1 file has non-equal 32/64bit content:
  /usr/include/freeradius/radpaths.h

[INFO] [freeradius-devel] Multilib difference for 
usr/include/freeradius/radpaths.h on ppc64 vs ppc:
--- /usr/include/freeradius/radpaths.h on ppc64 2013-07-19 05:17:46.098223868 
-0400
+++ /usr/include/freeradius/radpaths.h on ppc   2013-07-19 05:15:10.402224137 
-0400
@@ -1,6 +1,6 @@
 /* Automatically generated by build-radpaths-h */
 #define LOGDIR /var/log/radius
-#define LIBDIR /usr/lib64/freeradius
+#define LIBDIR /usr/lib/freeradius
 #define RADDBDIR   /etc/raddb
 #define RUNDIR /var/run
 #define SBINDIR/usr/sbin

[BAD] [freeradius-python] Subpackage freeradius-python is not multilib-clean 
for ppc64 vs ppc: 2 files have non-equal 32/64bit content:
  /etc/raddb/mods-config/python/example.pyo
  /etc/raddb/mods-config/python/example.pyc

[INFO] [freeradius-python] Multilib difference for 
etc/raddb/mods-config/python

Re: [ANN] Version 3.0.0-rc0

2013-07-22 Thread John Dennis
FYI I've packaged this for Fedora and built it for rawhide (rawhide is
current development which spawns the next Fedora release).

You can download the rawhide packages and/or the SRPM from the Koji build:

http://koji.fedoraproject.org/koji/buildinfo?buildID=436791

You probably will not be able to simply install the rawhide packages on
a current Fedora release due to dependencies/conflicts (not something
I've tried). But you can always rebuild the SRPM using rpmbuild.

The first Fedora release 3.0 will appear in will be F20 because we don't
introduce major new versions of packages in existing releases
(especially if they are not configuration compatible). FWIW the F19
train just pulled away from the station so unfortunately it's too late
for F19.

HTH,

John


-- 
John


logout error

2013-07-18 Thread val john
Hi guys

When users log out from the wireless network, I can see the following error in
the log

Error


 Error: rlm_radutmp: Logout for NAS Wlan1 port 0, but no Login record


Is there any reason for that? How can I fix it?


Thank You
John

Re: [ANN] Version 3.0.0-rc0

2013-07-18 Thread John Dennis
autotools configure script issue/question:

Why is udpfromto disabled by default? I thought udpfromto was necessary
for correct operation in some configurations and benign otherwise. I
thought the udpfromto option was added to 2.x because the issue was
discovered in the middle of the 2.x release stream and we didn't want to
introduce potential incompatibility. If udpfromto is sometimes
necessary and benign otherwise is there a reason for this to be a
configuration option at all in 3.0?

John

--
jden...@redhat.com


Re: [ANN] Version 3.0.0-rc0

2013-07-17 Thread John Dennis
I've been going through the packaging effort for 3.0 for Fedora/RHEL.
BTW, many thanks to Stefan Paetow who did an initial spec file, Stefan's
work has been a big help.

I'm coming up with a list of issues as I find them, more to come later,
but for now ...

1) The redhat directory is populated with the old 2.x spec file, no
sense in updating this until we have a good 3.x spec file, but it should
be updated prior to the official 3.0 release.

2) Man pages installed for non-existent features.

rlm_policy
radwatch

These man pages are installed but both features are not part of 3.0 as
far as I can tell.

3) Man pages missing.

The following are installed in either /bin or /usr/sbin but there are no
corresponding man pages. Every command installed needs to have a man page.

dhcpclient
radattr
rad_counter
rc.radiusd [1]

[1] Debatable as to how necessary a man page is for rc.radiusd, its use
is subsumed by initscript documentation for SysV, plus many systems
won't install it at all. I only include it in the list for completeness.

John






Re: [ANN] Version 3.0.0-rc0

2013-07-17 Thread John Dennis
On 07/17/2013 12:26 PM, Alan DeKok wrote:
 John Dennis wrote:
 The following are installed in either /bin or /usr/sbin but there are no
 corresponding man pages. Every command installed needs to have a man page.

 dhcpclient
 radattr
 
   Hmm... those two probably shouldn't be installed.  They're really only
 for testing.  Can the spec file just ignore them?

Sure it's no problem for the spec file to ignore them but I'm wondering
if they are valuable for testing won't others find them useful too? If
so shouldn't we keep them and add a man page?

Right now we don't have a tools subpackage, this is common for other
large packages. A tools subpackage contains useful commands for admins
and developers which are not necessary for running the basic package.
Perhaps 3.0 is a good time to introduce a tools package and move some of
this stuff into tools making it an optional install. This would also
bring freeradius in line with other packages. Comments?

John



Re: [ANN] Version 3.0.0-rc0

2013-07-17 Thread John Dennis
On 07/17/2013 04:16 PM, Alan Buxey wrote:
 Hi
 
 Don't you have freeradius-utils already. .. which contains radtest etc
 which is very useful for admins

Yes, my bad, sorry, not enough coffee.

John
--
jden...@redhat.com


Re: Dynamic vlan assignment with ldap groups

2013-07-16 Thread val john
Hi guys

I had to also set the  *use_tunneled_reply=yes* in the eap.conf to get
the Dynamic vlan assignment to work


On 12 July 2013 19:42, val john valjohn1...@gmail.com wrote:

 Hi guys ,

 Small question, do I need to import the radius ldap schema (items like
 radiusprofiles) to our ldap server to get this VLAN assignment to work?

 Thank You
 john


 On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.orgwrote:


 On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

  Hi guys ,
 
  i have a freeradius setup that works with ldap group authentication ,i
 also need to configure the dynamic VLAN assignment , so i configured the
 users file as follows ,
 
  DEFAULT Ldap-Group == cn=staff,ou=groups,dc=ldap,dc=example,dc=com
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 100,
 Reply-Message = You are Accepted
 
  DEFAULT Ldap-Group == cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 200,
  Reply-Message = You are Accepted
 
  DEFAULT Auth-Type := Reject
 
 
  ,Do  i need any other configuration file to be edited  to get VLAN
 assignment to work ..? or is just the users file enough

 Just users file is fine.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team





Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys ,

I have a freeradius setup that works with ldap group authentication. I also
need to configure dynamic VLAN assignment, so I configured the
users file as follows:

DEFAULT Ldap-Group == cn=staff,ou=groups,dc=ldap,dc=example,dc=com
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 100,
	Reply-Message = You are Accepted

DEFAULT Ldap-Group == cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 200,
	Reply-Message = You are Accepted

DEFAULT Auth-Type := Reject


Do I need any other configuration file to be edited to get VLAN
assignment to work, or is just the users file enough?

Please advise

Thank You
John
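The users-file matching this post and the follow-ups above rely on, as an added example that is my illustration rather than FreeRADIUS's own rlm_files code: a small evaluator for the file format quoted in the thread, showing the first-match-wins rule, how `Fall-Through` changes it, and why the closing `DEFAULT Auth-Type := Reject` entry matters. The sample users text is constructed from the post, with the group DNs and message quoted so the commas inside them are not read as item separators; function names are mine.

```python
import re

# Added example (my illustration, not FreeRADIUS's rlm_files code): parse a
# "users" file in the format quoted in the thread and evaluate a request
# against it with the first-match / Fall-Through rule.

# Constructed sample after the post; the DNs and message are quoted so the
# commas inside them are not read as item separators.
SAMPLE_USERS = '''
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 100,
\tReply-Message = "You are Accepted"

DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 200,
\tReply-Message = "You are Accepted"

# Catch-all: a user who matched no group above is rejected here instead of
# falling through to whatever the rest of authorize would decide.
DEFAULT Auth-Type := Reject
'''

_ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(==|:=|!=|=)\s*(.*?)\s*$')


def _split_items(line):
    """Split 'a = 1, b = "x,y"' on the commas that are outside double quotes."""
    items, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append(''.join(cur))
    return [i for i in items if i.strip()]


def _parse_item(text):
    m = _ITEM_RE.match(text)
    if not m:
        raise ValueError('bad item: %r' % text)
    attr, op, val = m.groups()
    return attr, op, val.strip('"')


def parse_users(text):
    """Return entries as {'name', 'check': [(attr, op, val)], 'reply': [...]}.
    A line starting in column 0 opens an entry (name plus check items);
    indented lines hold that entry's reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():
            if not entries:
                raise ValueError('reply item before any entry')
            entries[-1]['reply'].extend(_parse_item(i) for i in _split_items(raw))
        else:
            parts = raw.split(None, 1)
            checks = [_parse_item(i) for i in _split_items(parts[1])] if len(parts) > 1 else []
            entries.append({'name': parts[0], 'check': checks, 'reply': []})
    return entries


def _check_matches(item, request):
    """':=' items are control assignments and always match; '==' / '=' test
    the request value (membership for list-valued attributes such as
    Ldap-Group); '!=' is the negation."""
    attr, op, val = item
    if op == ':=':
        return True
    have = request.get(attr)
    if have is None:
        return False
    present = val in have if isinstance(have, (list, tuple, set)) else val == have
    return present if op in ('==', '=') else not present


def evaluate(entries, request):
    """Return (control, reply) for one request. Entries are tried in file
    order; the first whose name and check items match wins, unless its reply
    items include Fall-Through = Yes, in which case matching continues."""
    control, reply = {}, {}
    for entry in entries:
        if entry['name'] != 'DEFAULT' and entry['name'] != request.get('User-Name'):
            continue
        if not all(_check_matches(c, request) for c in entry['check']):
            continue
        for attr, op, val in entry['check']:
            if op == ':=':
                control[attr] = val
        fall_through = False
        for attr, _op, val in entry['reply']:
            if attr == 'Fall-Through':
                fall_through = val.lower() == 'yes'
            else:
                reply[attr] = val
        if not fall_through:
            break
    return control, reply


ENTRIES = parse_users(SAMPLE_USERS)

if __name__ == '__main__':
    staff = 'cn=staff,ou=groups,dc=ldap,dc=example,dc=com'
    print(evaluate(ENTRIES, {'User-Name': 'alice', 'Ldap-Group': [staff]}))
    print(evaluate(ENTRIES, {'User-Name': 'eve', 'Ldap-Group': []}))
```

With PEAP or TTLS the users file is consulted in the inner-tunnel virtual server, so these VLAN attributes land in the inner reply; the later message in this thread notes that use_tunneled_reply = yes is what copies them into the outer Access-Accept the switch or controller acts on.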

Re: Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys ,

Small question, do I need to import the radius ldap schema (items like
radiusprofiles) to our ldap server to get this VLAN assignment to work?

Thank You
john


On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:


 On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

  Hi guys ,
 
  i have a freeradius setup that works with ldap group authentication ,i
 also need to configure the dynamic VLAN assignment , so i configured the
 users file as follows ,
 
  DEFAULT Ldap-Group == cn=staff,ou=groups,dc=ldap,dc=example,dc=com
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 100,
 Reply-Message = You are Accepted
 
  DEFAULT Ldap-Group == cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 200,
  Reply-Message = You are Accepted
 
  DEFAULT Auth-Type := Reject
 
 
  ,Do  i need any other configuration file to be edited  to get VLAN
 assignment to work ..? or is just the users file enough

 Just users file is fine.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team



freeradius outer identity

2013-06-26 Thread val john
Hi guys ,

I have a freeradius server that authenticates with LDAP and the setup was working
fine,

but when the client specifies the outer identity (some dummy user name)
the Radius server takes that dummy user name as the actual username, and because of
that LDAP authentication fails.

(Authentication works fine if the client does not specify any
outer identity.)

Can you guys please advise how to fix this issue

Thank You
John

Re: ldap

2013-06-24 Thread John Dennis
On 06/24/2013 12:18 PM, Julian Macassey wrote:
   I added in /etc/freeradius/clients.conf:
 
 client plumgrid-ldap1 {
 #   # secret and password are mapped through the secrets
 #   file.
 secret = MYSECRET
 shortname = ldap
 #   # the following three fields are optional, but may be
 #   used by
 #   # checkrad.pl for simultaneous usage checks
 ipaddr = 192.168.10.14
 nastype = other
 ##  login   = !root
 #   password= someadminpas
 }

 radiusd:  Loading Clients 
  client plumgrid-ldap1 {
   ipaddr = 192.168.10.14
   require_message_authenticator = no
   secret = d1sc0verplum
   shortname = ldap
   nastype = other
  }

 -
 I still get:
 
 Sending Access-Request of id 94 to 192.168.10.14 port 1812
   User-Name = evergr...@plumgrid.com
   User-Password = evergreen's password
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 0

I don't follow what you're doing. Is your radius server on
192.168.10.14, the same as your client? Because it looks like you're
sending your access-request to the client, not the server (unless
they're both the same box). If they are the same box then make sure port
1812 is open. Also your NAS-IP-Address in your request is not your
client address of 192.168.10.14.

Also, 127.0.1.1 seems like an odd address, localhost is normally
127.0.0.1, what's in your /etc/hosts file?


Also I don't see what this has to do with ldap, nothing as far as I can
tell.

Also, be careful with making configuration file backups in the config
directory, the server reads everything it finds in the config directory,
do you really mean to load /etc/freeradius/modules/off-ldap-orig?



Re: ldap

2013-06-24 Thread John Dennis
On 06/24/2013 02:01 PM, Julian Macassey wrote:
 I don't follow what you're doing. Is your radius server on
 192.168.10.14, the same as your client? 
 
   My radius server is: 192.168.10.16
 
   My ldap server is: 192.168.10.14
 
 Because it looks like your
 sending your access-request to the client, not the server (unless
 they're both the same box). If they are the same box then make sure port
 1812 is open. 

I don't know what to say, you've got a lot of misconceptions going on
and as far as I can figure you haven't tried to read the
documentation. For starters:

You need to send radius requests to the radius server but you're sending
them to your ldap server (huh???)

radius client != ldap, radius client == nas

You need to configure radius to work with ldap, but you haven't done
that. You have to uncomment the ldap module from
/etc/raddb/sites-enabled/default in the authorize section and also
configure your ldap values in /etc/raddb/modules/ldap. You haven't done
either of those.

I'm afraid I can't help anymore, you need to start helping yourself
first, pay attention to what you're doing, don't flail about, start with
a vanilla configuration, put it under source control so you can revert,
make only one change at a time, change only what you understand, and
read the doc, most of it is inside the config files themselves.

 
 Also your NAS-IP-Address in your request is not your
 client address of 192.168.10.14.
 
   I note that. But I have that in my
 /etc/freeradius/clients.conf file:
 
 client plumgrid-ldap1 {
 #   # secret and password are mapped through the secrets
 #   file.
 secret = d1sc0verplum
 shortname = ldap
 #   # the following three fields are optional, but may be
 #   used by
 #   # checkrad.pl for simultaneous usage checks
 ipaddr = 192.168.10.14
 nastype = other
 ##  login   = !root
 #   password= someadminpas
 }
 -
 
 

 Also, 127.0.1.1 seems like an odd address, localhost is normally
 127.0.0.1, what's in your /etc/hosts file?
  
   This seems to be an ubuntu oddity.
 
 I have modified it
 
 127.0.0.1 localhost plumgrid-radius1.plumgrid.com plumgrid-radius1
 #127.0.1.1plumgrid-radius1.plumgrid.com   plumgrid-radius1
 
   Yet, I still get 127.0.1.1 in my freeradius radtest.
 
   I can still ping 127.0.1.1
 
 --
 plumgrid-radius1:freeradius root# ping 127.0.1.1
 PING 127.0.1.1 (127.0.1.1) 56(84) bytes of data.
 64 bytes from 127.0.1.1: icmp_req=1 ttl=64 time=0.032 ms
 64 bytes from 127.0.1.1: icmp_req=2 ttl=64 time=0.035 ms
 -
 

 Also I don't see what this has to do with ldap, nothing as far as I can
 tell.

 
   Well, I have a a radius server that I would like to use
 the ldap server to authenticate. It works using localhost and the
 users file.



Re: ldap

2013-06-24 Thread John Dennis
On 06/24/2013 03:15 PM, Julian Macassey wrote:
 On 2013-06-24 at 14:32, John Dennis (jden...@redhat.com) wrote:
 You need to configure radius to work with ldap, but you haven't done
 that. You have to uncomment the ldap module from
 /etc/raddb/sites-enabled/default in the authorize section and also
 configure your ldap values in /etc/raddb/modules/ldap. You haven't done
 either of those.
 
   Actually I have:

If you had then there would have been rlm_ldap module configuration in
the debug log you sent, but there isn't, you did try reading the debug
right?

 
 ldap {
 #
 #  Note that this needs to match the name in the LDAP
 #  server certificate, if you're using ldaps.
 server = plumgrid-ldap1
 #identity = cn=admin,o=My Org,c=UA
 #password = mypass
 basedn = o=PLUMGRID,c=UA
 filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
 #base_filter = (objectclass=radiu
 

 I'm afraid I can't help anymore, you need to start helping yourself
 first, pay attention to what you're doing, don't fail about, start with
 a vanilla configuration, put it under source control so you can revert,
 make only one change at a time, change only what you understand, and
 read the doc, most of it is inside the config files themselves.

   Done all of what you suggest.

No you haven't.



Re: ldap

2013-06-21 Thread John Dennis
On 06/21/2013 04:21 PM, Julian Macassey wrote:
 I am trying to get freeradius working with ldap.
 
 The ldap server is on the same LAN as the RADIUS server.
 
 The local user test works.
 
 I have configured all files I can think are pertinent.
 
 In debug mode, I get:
 
 root# freeradius -X
 
 
 }
 listen {
   type = auth
   ipaddr = 127.0.0.1
   port = 18120
 }
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on authentication address 127.0.0.1 port 18120 as
 server inner-tunnel
 Listening on proxy address * port 1814
 Ready to process requests.
 
 -
 In another terminal window I enter:
 root# radtest usern...@mydomain.com PASSWORD 192.168.10.14
 0  sharedsecret
 
 ending Access-Request of id 231 to 192.168.10.14 port 1812
   User-Name = usern...@domain.com
   User-Password = PASSWORD
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 0
 Sending Access-Request of id 231 to 192.168.10.14 port 1812
   User-Name = usern...@domain.com
   User-Password = PASSWORD
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 0
 Sending Access-Request of id 231 to 192.168.10.14 port 1812
   User-Name = usern...@domain.com
   User-Password = PASSWORD
   NAS-IP-Address = 127.0.1.1
   NAS-Port = 0
 radclient: no response from server for ID 231 socket 3
 
 -
 
 I get no output in the freeradius -X terminal window. I get no
 info in /var/log/freeradius.
 
 What am I missing? It won't complain and it won't work.
 

You've failed to provide the complete debug output, something which is
stated as being required nearly every day on this list. This means we
can't see how you've configured things, all that is in the debug output
which you failed to provide.

But I'll go out on a limb and assume you configured the ldap module
correctly and suggest you look at your firewall and make sure your ldap
ports are open on both nodes.

John



Re: ldap

2013-06-21 Thread John Dennis
On 06/21/2013 04:34 PM, John Dennis wrote:
 On 06/21/2013 04:21 PM, Julian Macassey wrote:
  I am trying to get freeradius working with ldap.

 The ldap server is on the same LAN as the RADIUS server.

 The local user test works.

 I have configured all files I can think are pertinent.

 In debug mode, I get:

 root# freeradius -X
 
 
 }
 listen {
  type = auth
  ipaddr = 127.0.0.1
  port = 18120
 }
 Listening on authentication address * port 1812
 Listening on accounting address * port 1813
 Listening on authentication address 127.0.0.1 port 18120 as
 server inner-tunnel
 Listening on proxy address * port 1814
 Ready to process requests.

 -
 In another terminal window I enter:
 root# radtest usern...@mydomain.com PASSWORD 192.168.10.14
 0  sharedsecret

 ending Access-Request of id 231 to 192.168.10.14 port 1812
  User-Name = usern...@domain.com
  User-Password = PASSWORD
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 0
 Sending Access-Request of id 231 to 192.168.10.14 port 1812
  User-Name = usern...@domain.com
  User-Password = PASSWORD
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 0
 Sending Access-Request of id 231 to 192.168.10.14 port 1812
  User-Name = usern...@domain.com
  User-Password = PASSWORD
  NAS-IP-Address = 127.0.1.1
  NAS-Port = 0
 radclient: no response from server for ID 231 socket 3

 -

 I get no output in the freeradius -X terminal window. I get no
 info in /var/log/freeradius.

 What am I missing? It won't complain and it won't work.

 
 You've failed to provide the complete debug output, something which is
 stated as being required nearly every day on this list. This means we
 can't see how you've configured things, all that is in the debug output
 which you failed to provide.
 
 But I'll go out on a limb and assume you configured the ldap module
 correctly and suggest you look at your firewall and make sure your ldap
 ports are open on both nodes.

Looking at this more carefully also make sure port 1812 is open



Re: ldap

2013-06-21 Thread John Dennis
The radius server is not seeing any client requests and your client is
not getting a response from the server, either you've got the wrong
address for the radius server or more likely your firewall is blocking
their communication, this has nothing to do with ldap.

Also, I don't see the rlm_ldap module being configured in the output you
sent.

John



Re: FreeRADIUS 3.0 : mschap module fails to execute ntlm_auth

2013-06-07 Thread John Dennis
On 06/07/2013 10:46 AM, Bjarni Hardarson wrote:
 I am sure that the ntlm_auth file is at /usr/bin/ntlm_auth and if i run it 
 manually with the expanded attributes i get the NT_KEY.
 
 root@freelab:/#/usr/bin/ntlm_auth --request-nt-key --username=vpntest 
 --challenge=d9a8b4d1c188ae1b 
 --nt-response=090bacad01a113dd74007ed5845d5b0c7c8017bac80821dd
 NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
 
 Any ideas?

Please don't send more that one email, we heard you the first time.

This sounds like a permission problem. Make sure when you run your test
manually you do so as the same user and group radiusd is running as,
you'll find those values in your radiusd.conf file.

Also if your system is running SELinux check for the presence of AVCs.



Re: Service Provisioning Using AAA (FreeRadius)

2013-06-05 Thread John Dennis

On 06/05/2013 05:29 AM, Prabhpal S. Mavi wrote:

Am Dienstag, 4. Juni 2013, 10:45:01 schrieb Russell Mike:

Hi List

After googling for a few days it is still not very clear. Therefore, I have
decided to implement the three *A*s in three different steps. For now, I
only want to use the Authorize function of FR. I do not want authentication
and Accounting BUT authorization.



No. How can you authorize somebody without being sure who that user is. Only
authentication provides that information. So you need authentication and
authorization.


Hello MS.

I do not agree to your response.

Authorization is a process where information in a request is evaluated.
This information may be used to validate against information about the
user that was obtained from a file, database, or LDAP directory.

Authorization happens before authentication and does not involve the
checking of a password. We can use various logic and comparisons to
determine if a user is authorized to connect to a network. I look forward
to hearing back.



You're both right, now shake hands and make up :-) The problem is that the
term authorization in radius is used in a non-standard way that leads to
confusion. The normal use of the term authorization (authz) indicates
what a principal is permitted to do and a principal must be validated
via authentication (authn) first. In radius authorization means
collecting information necessary to perform the authentication
operation. It's an unfortunate semantic difference that leads to a fair
amount of confusion (myself included), but after a while you get used to it.


John


Re: freeradius | shared secret is incorrect | unprintable characters in the password

2013-06-03 Thread John Dennis

On 06/02/2013 10:00 AM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

check the shared secret you have defined in clients.conf on the server.

check the shared secret you are using on the client

check the server debug logs etc to see WHAT IP the client is coming
through - if you are using a localhost address or name: if using the
name it might be using another IP socket connection which may be matching
one of the other default values present in clients.conf



Also, pay careful attention to the file pathnames in the debug output 
and make sure you're editing the same file. A common problem is editing 
files in /etc/raddb while the server is reading files in some other location.


For example your debug log shows this:

/usr/local/freeradius-server-2.2.0/etc/raddb/clients.conf

Is that the file you're editing?


Re: Having problems authenticating client computers onto the wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 12.04.2 servers

2013-05-23 Thread John Douglass

Elizabeth,

We have had mixed results with Ubuntu's default network manager from 
12.04 until the current. Have you tried an alternative wireless manager 
like WICD?


http://www.lawn.gatech.edu/help/gtwifi/ubuntu_troubleshooting.html

- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology


On 05/23/2013 12:47 AM, Elizabeth Fife wrote:
Hi, I am having problems authenticating client computers onto the 
wireless network using a Cisco AP1252 via FreeRadius 2.1.10 on Ubuntu 
12.04.2 servers


Setup:
I have a Cisco AP1252 wireless Access Point connected to a Cisco 
ASA5510 on subnet X.X.5.Z. The access point ip address is X.X.5.101
The ASA on another port is also connected to the wired network on a 
different subnet X.X.0.Z


On the wired network are two radius servers - Ubuntu servers running 
FreeRadius 2.1.10 which are running fine and reliably authenticate 
wired users for ssh connections to the ASA and importantly to the 
AP1252 as well (The radius servers ip addresses are X.X.0.191 and 
X.X.0.192)


Problem:
When a wireless user tries to connect to the wireless network via the 
AP1252 after being disconnected from it for a while (or after waking 
from a long sleep) they are never authenticated. They just try over 
and over and never obtain an IP


Interestingly in such a case neither Ubuntu server shows any sign of 
receiving an authentication request from the AP. Both Ubuntu servers 
are running in debug mode so they show any activity - there is none


Oddly:
If i try to authenticate a user wirelessly to the AP and leave it in 
the usual state of trying over and over (with no visible activity on 
the ubuntu servers) BUT then go to a wired machine and attempt to 
authenticate an ssh connection to the AP1252 using a terminal 
command ssh user1@X.X.5.101, THEN as soon as I hit enter on that 
request (and before I enter a password for the ssh connection) THE 
WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED and assigned an IP 
address  (and the ubuntu server shows the authentication activity for 
the wireless user)


Please help me understand what might be causing this behavior - it 
seems like the AP sleeping and the wired ssh request wakes it up so 
that it sees the pending wireless user waiting and then acts on that 
completing the wireless user authentication request


Help

Elizabeth




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Certificate Migration

2013-05-14 Thread John Dennis

On 05/14/2013 12:01 PM, Mitch Yackobeck wrote:

Good morning John,

I apologize for making myself look like a moron.   The original message
had actually been sent to someone who was helping me to potentially work
through some issues that we were seeing and trying to work out.  I
attempted to modify the message in haste and get some input from the
group and it appears that I severely bungled that one up.  I've learned
my lesson in humility as I actually went back and read what I had done
and like yourself could not make true heads or tails of that first
paragraph.

The ultimate goal we are trying to achieve here is this; we are
potentially going to be changing our certificate structure in our
classroom networks. We are looking to have a way to have clients that
have not been converted to the new certificate structure as well as
those that have been converted able to authenticate simultaneously using
the same wireless SSID and FreeRadius server.   We use Novell eDir for
the backend services on the classroom side with FreeRadius
authenticating our wireless users at the root of the tree.  For
authentication purposes we have moved from passing the username and
password via 802.1X on the Novell Client to an EAP-TLS user certificate
installed in the computer certificate store so that the system is
already authenticated to the network prior to a user attempting to login
and remains connected even after login.

What I was trying to convey is that I've spent some time over the last
couple of weeks upgrading my test environment from an older version of
FreeRadius to the latest available.   On that test server, I have both
its test certificates and our production server certificates loaded up
using a single file.  Using the certs specific to the test server,
everything works as expected, when I attempt to use the certs from the
production server, that's when things go a little pear shaped.  Initially
it appears that the server is able to read the client certificate enough
to recognize that the information is available, but when it requests
further details, it fails to find the CA applicable to the client cert
and bombs out a reject.  See below for a capture of the client
authentication attempt.

I'm wondering if this type of setup is actually possible or if there is
some switch that someone knows of somewhere in the config that perhaps I
have missed.

Any help would be appreciated.


Thank you Mitch, this is much more lucid.

I'll try to help as best I can but you're still making it difficult. We 
ask for the output of radiusd -X in plain text format for a reason (not 
edited snippets). Why? Well for starters it contains all sorts of 
essential information that you've deleted. At the very most basic level 
what FreeRADIUS version are you using? But it also tells us other 
things, such as how the server is configured, what files it's reading, etc.


But in any event what you want to accomplish should work. Let me give 
you some basic information and things to look at.


First of all I notice you're reading your configuration from 
/usr/local/etc/raddb, some people get confused because /etc/raddb is a 
common location and they edit the wrong files. Make sure you're editing 
the files the server is loading.


Also, make sure the location of the cert directory in the config is what 
you expect and is where you've installed your CA root certs (had the 
full debug been posted we could have verified this).


Cert verification may involve a chain of CA certs, each of which must 
validate, until a trusted root is reached. Every CA cert in the chain 
must be available, either because the client passes it or because you've 
installed it. Therefore it would be good to verify whether the client 
cert issuer is the only cert necessary or not and if not have you 
installed the intermediaries. But since you said you were able to 
manually verify the client cert via the openssl command line tool that's 
probably not the issue. But did you verify you've configured FreeRADIUS 
to use the same CA as the command line tool?


OpenSSL has two basic ways it can access multiple CA certs: you either 
concatenate them in a bundle file and set the CA_file to that, or you 
set the CA_path and OpenSSL will look for certs in the directory. Sounds 
like you decided to populate the CA_path with individual certs. Do they 
have file extensions? Did you set the CA_path variable correctly? (the 
debug log would have helped answer this).


It's a shame the cbtls_verify function in rlm_eap_tls.c does not print 
the certificate (via X509_print_ex()) when verification fails, being 
able to see the contents of the cert can be immensely helpful.


Looking at your error messages my best guess is that OpenSSL cannot 
locate one or more of the issuer certs, the most likely cause of this is 
misconfiguration of either the CA_file or CA_path variable, or the 
contents found at those locations. See the man page for 
SSL_CTX_load_verify_locations for details on what

Re: FreeRadius Certificate Migration

2013-05-14 Thread John Dennis


Thank you for including the full debug. Here is the section from the 
rlm_eap_tls initialization.



Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = /usr/local/etc/raddb/certs/roots
pem_file_type = yes
private_key_file = /usr/local/etc/raddb/certs/servercert.pem
certificate_file = /usr/local/etc/raddb/certs/servercert.pem
private_key_password = 
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /usr/local/etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /usr/local/etc/raddb/certs/bootstrap
ecdh_curve = prime256v1
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = http://127.0.0.1/ocsp/;
use_nonce = yes
timeout = 0
softfail = no
}
   }


A couple of things immediately jump out at me. This is not the default 
configuration. First of all there is no CA_file configured (only 
CA_path). You must have commented that out or deleted it. That means you 
can't use a bundled CA file. Secondly the CA_path is not the default 
either, you've got /usr/local/etc/raddb/certs/roots. Does that directory 
exist? But more importantly can radiusd execute the directory and read 
its contents? These are file/directory permission issues. In 
radiusd.conf are user and group variables; these are the user and group 
respectively that radiusd runs as *after* it initializes. I'm not sure 
if OpenSSL reads the CA files before or after radiusd drops privileges 
from root to the user/group specified in radiusd.conf. But at the time 
OpenSSL reads the files it has to have permission to traverse into the 
directory (execute permission) and have read permission on the files to 
read their contents.


If you're not sure if radiusd is reading the CA files or not it's easy 
to verify by running radiusd under strace (hint: use -o to direct the 
output to a file and then search for your CA_path) you should see the 
directory being opened and files being read. If there are permission 
problems you'll see error information in the strace output.


HTH,

John



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
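Added example, not code from the thread or from the FreeRADIUS project: a small Python checker for the two CA_path questions raised in this reply and in the earlier one on CA_file versus CA_path, namely whether the user/group radiusd drops to can traverse CA_path and read the files in it, and whether the directory holds the subject-hash named files that OpenSSL's CA_path lookup requires (the names c_rehash or "openssl rehash" create). The directory, file names and the uid 65534 used in demo() are constructed.

```python
"""Checker for a FreeRADIUS CA_path directory (added example, not code from
the thread).  Two things break CA_path in practice: the user/group radiusd
drops to after start-up cannot traverse the directory or read the files, or
the files are not named by subject hash, so OpenSSL never opens them (run
c_rehash or "openssl rehash" on the directory to create those names)."""
import os
import re
import shutil
import stat
import tempfile

# OpenSSL looks up CA certs in a CA_path as <8 hex digits>.<n> (CRLs: .r<n>).
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


def is_hash_name(name):
    """True if the file name is one OpenSSL's CA_path lookup can find."""
    return HASH_NAME.match(name) is not None


def perm_ok(mode, owner_uid, owner_gid, uid, gids, want):
    """Pure mode-bit check: may identity (uid, gids) do `want` ('r' read or
    'x' execute/traverse) on an object with st_mode `mode` owned by
    owner_uid:owner_gid?  Root is always allowed, as the kernel allows it."""
    if uid == 0:
        return True
    user_bit, group_bit, other_bit = {
        "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
    }[want]
    if uid == owner_uid:
        return bool(mode & user_bit)
    if owner_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def check_ca_path(ca_path, uid, gids):
    """Return a list of problems for the identity radiusd runs as; an empty
    list means the directory should be usable as CA_path."""
    problems = []
    ca_path = os.path.abspath(ca_path)

    # Every directory from / down to CA_path needs execute (search) permission.
    ancestors, d = [], ca_path
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):
        st = os.stat(d)
        if not perm_ok(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
            problems.append("%s: uid %d cannot traverse (no x permission)" % (d, uid))

    names = sorted(os.listdir(ca_path))
    if not any(is_hash_name(n) for n in names):
        problems.append("%s: no subject-hash named files, run c_rehash" % ca_path)
    for n in names:
        path = os.path.join(ca_path, n)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and not perm_ok(
                st.st_mode, st.st_uid, st.st_gid, uid, gids, "r"):
            problems.append("%s: uid %d cannot read" % (path, uid))
    return problems


def demo():
    """Constructed CA_path in a temp directory (mode 0700, an owner-only
    'roots.pem' bundle plus a world-readable hash-named cert), checked for
    the owning user and for an unrelated uid 65534."""
    ca_path = tempfile.mkdtemp(prefix="ca_path_demo_")
    try:
        os.chmod(ca_path, 0o700)
        pem = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
        for name, mode in (("roots.pem", 0o600), ("a1b2c3d4.0", 0o644)):
            path = os.path.join(ca_path, name)
            with open(path, "w") as f:
                f.write(pem)
            os.chmod(path, mode)
        return {
            "owner": check_ca_path(ca_path, os.getuid(), {os.getgid()}),
            "foreign": check_ca_path(ca_path, 65534, {65534}),
        }
    finally:
        shutil.rmtree(ca_path)


if __name__ == "__main__":
    for who, probs in demo().items():
        print(who, probs or "OK")
```

Run it against the real CA_path with the uid/gid from radiusd.conf (pwd.getpwnam / grp.getgrnam) to get the same answer strace would give, without tracing the daemon.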


Re: FreeRadius Certificate Migration

2013-05-13 Thread John Dennis

On 05/13/2013 01:46 PM, Mitch Yackobeck wrote:

Good afternoon All,

I've taken some time over the last little while to work with my
test environment in getting it up to date and trying out some issues with
regard to authenticating against multiple certificates on a single SSID
for the purpose of migration to a new root certificate while still
continuing to function with the old in the transition phase.

What I'm finding though is that when I try to authenticate against that
particular server, which now has both its own certs applied and the root
cert from my production server as well to replicate the instance of a
new root being installed, is that I can authenticate a user with the
specific certs for the test server, but not a client using certs for the
production server.

I've taken a few captures of the server coming online using -X, an
attempted connection with the production certs and also the
configuration of my eap.conf file.  I can see in initial stages that the
EAP-TLS actually reads a bit of what the client is passing, enough to
say that it has a valid client cert.   But when it comes back to dive
deeper into the cert, it appears that it does not recognize the CA as
being there and bottoms out the request with a reject.

I've got both roots in a single file in the directory specified and when
I do an openssl verify on the roots, it does come back :ok.   I found
some articles on how to link up the new certificate in openssl so that
it can at least read it properly as trusted.  But the FR server appears
not to recognize it on the second pass.   Perhaps I'm missing something,
but is it even possible to authenticate using both root CAs at one time?

Thank you in advance for any assistance / guidance anyone can provide
with this.


A couple of hints:

Do write comprehensible prose where you state the goal, what you've 
done, and your analysis.


Do not send jpg images!

Do send the output of radiusd -X.

Since you live and work in Ontario I can only assume you're a native 
English speaker. Reread your first paragraph, it's incomprehensible 
gibberish. In order to communicate with others it would behoove you to 
learn sentence and paragraph structure. Do you really work for a school 
system? Sorry, I don't mean to be snarky but I read your email 3 times 
and although I can approximate the problem you're encountering it's so 
lost amid the poor writing I for one am not inclined to help. Writing 
still matters and pictures will never be a substitute.


Would you like to try this again but with something comprehensible and 
which follows the rules of the list (i.e. include the output of radiusd -X)?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-10 Thread John Dennis

On 05/10/2013 12:05 PM, Divyesh Raithatha wrote:

It appears that the created RPM doesn't include the TLV updates that were
made to the 2.x.x branch last week.  Why wouldn't this be included in
the RPM even though I am building the RPM with the current 2.x.x. source?


Use the source Luke :-)

I assume you built from git, therefore you've got every piece of 
information you need to figure this out. git log will give you exact 
information.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread John Dennis

On 05/08/2013 03:19 AM, Fajar A. Nugraha wrote:

On Wed, May 8, 2013 at 1:50 PM, Raithatha, Divyesh
divyesh.raitha...@gmail.com wrote:

Thanks, I got past the README but now I am getting the following file not found 
errors.  They do exist, however, it looks like the build is looking for version 
2.2.0 of the library files yet they are listed as 2.2.1.


error: File not found: 
/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64/etc/raddb/certs/README.rst


That's kinda tricky. Look at %files section in the spec file.

The cleanest solution right now would probably be changing Version:
2.2.0 in the top of the make file to 2.2.1, AND rename your source
bz2 file to freeradius-server-2.2.1.tar.bz2.


The version macro in the spec file, the version embedded in tar file 
name, and the contents of tar file all *MUST* match. You have to be 
precise with what version you're building.


I assumed that was obvious as opposed to being tricky ;-)



Another way would be changing the files section, from (e.g.)

%{_libdir}/freeradius/rlm_acct_unique-%{version}.so

to

%{_libdir}/freeradius/rlm_acct_unique-*.so

... or even try deleting all rlm_* lines and replace them with a one-liner

%{_libdir}/freeradius/rlm_*.so*




--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-07 Thread John Dennis

On 05/07/2013 04:46 AM, Fajar A. Nugraha wrote:

On Tue, May 7, 2013 at 4:28 AM, John Dennis jden...@redhat.com
mailto:jden...@redhat.com wrote:

These project maintained build configurations are best thought of as
bleeding edge developer stuff. Make some change and you want to
test on Fedora or Debian and need packages, then these build
directories are the go-to place. Or for those cases where a
distribution has not caught up with upstream yet, then this can
serve a useful purpose as well (as long as they stay generic, see
below), another variant of the 'this is only for the latest and
greatest'.


You've pretty much covered it.


My suggestion is for upstream FreeRADIUS to maintain a generic Red
Hat RPM spec file which is vanilla as possible without any patches
whatsoever. In theory current upstream shouldn't need patches. Also
any customization we might do really should come from us, not
upstream. If one is building an RPM from the current FreeRADIUS
version using the FreeRADIUS RPM spec file then one should get a
vanilla FreeRADIUS build whose only customization extends to
assuring the same file locations, package names, etc. are used. You
pretty much get this for free. I would take an existing spec file
strip out all the patches, changelog, etc. and then one only needs
to take a look at the options passed to configure (I'm thinking
about options which control which modules are built).



IMHO some of it (e.g. changelog, patches for cert config) is/was necessary.


Yes, this is sensible. My suggestion was mostly aimed at simplifying the 
task with the hope it would then be more robust and easier to maintain.




My use case was that I wanted the build to be as much drop-in as
possible, so I can (for example) upgrade to 2.2.1 as soon as possible
when it comes out, but switch to Red Hat's official RPM when it's
available, without having to change my config. Without some of the
patches, I'd need to modify my config file as well.


I think the only thing of consequence we customize is the bootstrap cert 
creation which is done via RPM during the install step (plus tweaking 
some of the cert parameters to tighten up security).


Any other patches are bug fixes found either by our QA team or 
customers. Those usually break down into one of two categories. 
Fixes upstream has made post release and we've 'backported' or fixes 
we've made and have submitted to the project. The lifetime of these 
patches is short because in almost every instance the next upstream 
release has addressed the issue. Kudos to the team for that. So my 
thought was if you didn't try to mirror that patch set it would be much 
easier and little would be lost.



Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible, as pointed out above there is no single spec
file, each spec file is tied to a specific release. We maintain
*independent* spec files for *every* distribution version we
support, at the moment that numbers in the dozens :-(


Yeah. Before 2.2.0 was out, I made sure that I can build RPMs for RHEL5
and 6 (because that's what I use), and submit the necessary changes
upstream. It seems to be enough (i.e. those two versions made up for
most who need to build a Red Hat RPM), because IIRC there hasn't been a
mail to the list about I need to build FR 2.2.0 RPM for X flavor or Red
Hat but the included spec file doesn't work.


Currently the biggest pain point is the transition from SysV initscripts 
to systemd. How daemons are installed and configured is different 
between Fedora and RHEL at the moment and because systemd is still in a 
bit of flux things can be different even between Fedora releases. 
Differences in BuildRequires occur less often, but do occur.


There is an everlasting debate as to whether it's best to maintain one 
spec file that's common across distributions and parameterize so that it 
behaves differently in different targets or whether it's best to 
maintain completely different spec files and merge changes across them.


Those who argue for merging cite the complexity of parameterized spec 
files complaining all that conditional logic is difficult to work with 
and fragile making it difficult to maintain. Those who argue for 
parameterizing cite how merging is fragile and is difficult to maintain.


So obviously there isn't one right way. But because we're so constrained 
as to what can appear in RHEL (every change has to have numerous 
approvals) I gave up on trying to use Fedora spec files in RHEL and 
instead merge the leading edge Fedora into RHEL.





2. We already maintain them and they are publicly available for
anyone to download. Trying to maintain multiple copies in multiple
repositories and assuring they all stay in sync doesn't seem justified.


Thanks for the effort.

If no one else does this first, I'd probably submit patches to make FR

Re: redundant-load-balance for AD ntlmauth

2013-05-06 Thread John Douglass

On 5/6/2013 9:24 AM, Phil Mayers wrote:

On 04/29/2013 11:03 PM, FreeRadius List wrote:

Thank you I'll check with the samba people and get a better
understanding of how ntlm_auth works.


(Sorry for the late reply)

The short version here is: badly.

ntlm_auth talks to winbind. Winbind maintains a single long-lived 
connection to a single AD controller.


It can take anything up to 60 seconds for winbind to realise this 
connection has gone down, during which time all ntlm_auth will hang or 
fail. This has caused us problems on a number of occasions.


So in fact, your approach is interesting to me; have you tested it 
e.g. by using iptables/ipfw to block access to an AD controller and 
seeing if it fails over?



I wrote a script that does an eapol_test every minute. If it fails, it 
immediately tries twice more. If THAT fails, then I restart winbind, 
restart radius, and things continue on their happy way.


Imperfect, yes. But it works well enough for us. You'll have to 
tweak out the parts that aren't included but it should be a quick and 
dirty hack up if you want to use something similar.


#!/usr/local/bin/php
<?php
// Syslog, LAWN_Config and SNACKS_Notify are the author's own site-specific
// helper classes (not included here); the INFO/ERR/CRIT severity constants
// are expected to come from Syslog.class. Swap in your own logging,
// configuration and notification code.
require_once('Syslog.class');
require_once('LAWN_Config.class');
require_once('SNACKS_Notify.php');

$log = new Syslog('checkWpaRadius');
$config = new LAWN_Config();

$pid_file = '/var/run/radiusd.pid';

$pid = @file_get_contents($pid_file);

function radiusRespondingToEap()
{
   $config = new LAWN_Config();
   // Radius is running, but now we need to determine if it is
   // responding to queries: run a full EAP exchange with eapol_test and
   // look at the last line of its output, which is "SUCCESS" when the
   // authentication went through.

   $c = $config->eapol;
   // Quote every value taken from the config so that a shared secret or
   // path containing shell metacharacters cannot alter the command line.
   $eapTestCmd = escapeshellcmd($c->bin)
      . ' -c ' . escapeshellarg($c->config)
      . ' -a ' . escapeshellarg($c->server)
      . ' -p ' . escapeshellarg($c->port)
      . ' -s ' . escapeshellarg($c->secret)
      . ' -t ' . escapeshellarg($c->timeout);

   $output = `$eapTestCmd`;
   $stuff = explode("\n", trim($output));
   $result = array_pop($stuff);
   return ($result == 'SUCCESS');
}

if (($pid !== FALSE) && posix_kill(trim($pid), 0))
{
   $i = 0;
   while (1)
   {
      $i++;
      if (radiusRespondingToEap())
      {
         $message = 'Radius is responding to EAP requests.';
         $log->log($message, INFO);
         break;
      }
      else
      {
         $message = "Radius is not responding to EAP requests! Attempt: $i";

         $log->log($message, ERR);
         if ($i >= $config->eapol->retries)
         {
            $message = "Reached maximum number of retries "
               . "({$config->eapol->retries}). Attempting to restart radius!";

            $log->log($message, CRIT);
            print("$message\n");

            SNACKS_Notify::sendErrorMail('LAWN: WPA Radius not responding',
               $message . "\n\n");

            // Restart winbind as well as radiusd: a stale winbind
            // connection to a domain controller is what makes ntlm_auth
            // hang or fail.
            `/etc/init.d/winbind stop`;
            `/etc/init.d/radiusd stop`;
            sleep(3);
            `/etc/init.d/winbind start`;
            sleep(1);
            `/etc/init.d/radiusd start`;
            break;
         }
         else
         {
            sleep(5);
         }
      }
   }
}
else
{
   $log->log('Radius is NOT running. Restarting!', CRIT);
   SNACKS_Notify::sendErrorMail('LAWN: WPA Radius not running',
      'Restarting radius!');

   `/etc/init.d/radiusd restart`;
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: redundant-load-balance for AD ntlmauth

2013-05-06 Thread John Douglass
I don't just call ntlm_auth because I want to simulate the entire EAP 
request (as if it is another of my wireless controllers) and get regular 
logs from radius that the server is responding. If some (although it 
hasn't happened!) piece of my radius stack has a problem (say, the mysql 
connections break for some reason) I want a full restart of the service. 
Just testing authentication doesn't give me a full radius stack picture.


- John Douglass
Georgia Institute of Technology
Sr. Systems Architect

On 05/06/2013 12:25 PM, Phil Mayers wrote:

On 06/05/2013 14:40, John Douglass wrote:


ntlm_auth talks to winbind. Winbind maintains a single long-lived
connection to a single AD controller.

It can take anything up to 60 seconds for winbind to realise this
connection has gone down, during which time all ntlm_auth will hang or
fail. This has caused us problems on a number of occasions.

So in fact, your approach is interesting to me; have you tested it
e.g. by using iptables/ipfw to block access to an AD controller and
seeing if it fails over?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


I wrote a script that does an eapol_test every minute. If it fails, it
immediately tries twice more. If THAT fails, then I restart winbind,
restart radius, and things continue on their happy way.


That'll work too, although I wonder why you're not just calling 
ntlm_auth?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 02:57 PM, Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?
I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ
On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.  However, when I tried to build the RPM from v2.x.x I get the
following message:

Hunk #1 FAILED at 121.
1 out of 1 hunk FAILED -- saving rejects to file src/main/radtest.in.rej
error: Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)
RPM build errors:
 Bad exit status from /var/tmp/rpm-tmp.uETav5 (%prep)

Here is the radtest.in.rej file contents:

--- src/main/radtest.in http://radtest.in 2011-09-30
10:12:07.0 -0400
+++ src/main/radtest.in http://radtest.in 2012-01-05
15:51:56.877585514 -0500
@@ -121,7 +121,7 @@
 echo EAP-Code = Response
 echo EAP-Type-Identity = \$1\
 fi
-   if [ $6 ]
+   if [ ! -z $6 ]  [[ $6 =~ ^[0-9]+$ ]]  [ $6 -gt 0 ]
 then
 echo Framed-Protocol = PPP
 fi
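Review bot: this hunk was rejected because its context lines (`echo EAP-Code = Response` through `fi`) no longer match the 2.x.x branch's src/main/radtest.in at line 121, and %prep applies it with --fuzz=0, so any drift in that region is fatal; regenerate freeradius-radtest.patch against the branch (or drop the Patch2 line from the spec, since the branch may already carry the fix) rather than relaxing the fuzz factor. Two points on the `+` line itself: `$6` should be quoted in the `[ ! -z $6 ]` test so an empty sixth argument does not leave the test expression malformed, and `[[ $6 =~ ^[0-9]+$ ]]` is a bash extension, so it only behaves if radtest runs under bash rather than a plain POSIX sh.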

Here is the contents of /var/tmp/rpm-tmp.uETav5

#!/bin/sh
   RPM_SOURCE_DIR=/home/test/rpmbuild/SOURCES
   RPM_BUILD_DIR=/home/test/rpmbuild/BUILD
   RPM_OPT_FLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64
-mtune=generic
   RPM_ARCH=x86_64
   RPM_OS=linux
   export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS
   RPM_DOC_DIR=/usr/share/doc
   export RPM_DOC_DIR
   RPM_PACKAGE_NAME=freeradius
   RPM_PACKAGE_VERSION=2.2.0
   RPM_PACKAGE_RELEASE=1.el6
   export RPM_PACKAGE_NAME RPM_PACKAGE_VERSION RPM_PACKAGE_RELEASE
   LANG=C
   export LANG
   unset CDPATH DISPLAY ||:

RPM_BUILD_ROOT=/home/test/rpmbuild/BUILDROOT/freeradius-2.2.0-1.el6.x86_64
   export RPM_BUILD_ROOT
   PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig
   export PKG_CONFIG_PATH
   set -x
   umask 022
   cd /home/test/rpmbuild/BUILD
LANG=C
export LANG
unset DISPLAY
cd '/home/test/rpmbuild/BUILD'
rm -rf 'freeradius-server-2.2.0'
/usr/bin/bzip2 -dc
'/home/test/rpmbuild/SOURCES/freeradius-server-2.2.0.tar.bz2' |
/bin/tar -xf -
STATUS=$?
if [ $STATUS -ne 0 ]; then
   exit $STATUS
fi
cd 'freeradius-server-2.2.0'
/bin/chmod -Rf a+rX,u+w,g-w,o-w .
echo Patch #1 (freeradius-cert-config.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-cert-config.patch |
/usr/bin/patch  -p1 -b --suffix .cert-config --fuzz=0
echo Patch #2 (freeradius-radtest.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-radtest.patch |
/usr/bin/patch  -p1 -b --suffix .radtest --fuzz=0
#%patch3 -p1 -b .man
#%patch4 -p1 -b .unix-passwd-expire
echo Patch #5 (freeradius-radeapclient-ipv6.patch):
/bin/cat
/home/test/rpmbuild/SOURCES/freeradius-radeapclient-ipv6.patch |
/usr/bin/patch  -p1 -b --suffix .radeapclient-ipv6 --fuzz=0
#%patch6 -p1
#%patch7 -p1 -b perl
echo Patch #8 (freeradius-dhcp_sqlippool.patch):
/bin/cat /home/test/rpmbuild/SOURCES/freeradius-dhcp_sqlippool.patch
| /usr/bin/patch  -p1  --fuzz=0
# Some source files mistakenly have execute permissions set
find $RPM_BUILD_DIR/freeradius-server-2.2.0 \( -name '*.c' -o -name
'*.h' \) -a -perm /0111 -exec chmod a-x {} +
exit 0

Any Ideas?


The patch set is targeted at a *specific* freeradius version. You're 
trying to apply patches from one version against another version. 
Sometimes that works, sometimes it doesn't. A patch may not succeed for 
several reasons: the code may have shifted position in the file (fuzz > 
0); RPM disallows this because it's evidence of not keeping the spec 
file current against the version being built. You can override this with


%global _default_patch_fuzz 2

at the top of the spec file (2 in this case is an old default before it 
was changed to 0). Overriding the patch fuzz factor is not recommended, 
instead it's recommended you fix the patch to make it 100% correct for 
the current version.


Another reason a patch might not succeed is because the problem was 
already reported upstream and upstream fixed it. If they took the patch 
verbatim then the error you'll see is something akin to "Previously 
applied patch" or "reverse patch". If upstream fixed the issue in some 
other way the patch simply won't apply. Figuring exactly which lines of 
code changed and why is the work of a package maintainer. In this case 
you're assuming that role and you'll have to do that work.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Need help with making RPM from v2.x.x branch

2013-05-06 Thread John Dennis

On 05/06/2013 04:09 PM, Alan DeKok wrote:

Divyesh Raithatha wrote:

Hello all, has anyone had success in building an RPM from the v2.x.x
branch from http://git.freeradius.org?


   That should work


I am following the information from
http://wiki.freeradius.org/guide/Red-Hat-FAQ

On a CentOS 6.4 x64 system I was able to build an RPM from 2.2.0 source
successfully but I want to get all of the recent patches from the v2.x.x
branch.


   Go to redhat/freeradius.spec, and delete the following line:

Patch2: freeradius-radtest.patch


   That should cause it to build.

   Alan DeKok.


Why does FreeRADIUS maintain build configurations for Red Hat and 
Debian? I suppose it makes sense for the person who wants to build an 
RPM or Deb package from the latest repo. It does not make sense for 
someone who just wants an RPM package. These project maintained build 
configurations are best thought of as bleeding edge developer stuff. 
Make some change and you want to test on Fedora or Debian and need 
packages, then these build directories are the go-to place. Or for those 
cases where a distribution has not caught up with upstream yet, then 
this can serve a useful purpose as well (as long as they stay generic, 
see below), another variant of the 'this is only for the latest and 
greatest'.


I can't speak for Debian, I'm not a Deb package maintainer, but at least 
in the Red Hat world there isn't just one Red Hat distribution, there 
are many and each can have different build requirements and build 
configurations.


Another problem is the spec file under ./redhat is forever getting out 
of sync (as evidenced by the OP). Patch sets are a superb example of 
this (compounded by the problem there is no single rpm spec file for all 
Red Hat versions).


My suggestion is for upstream FreeRADIUS to maintain a generic Red Hat 
RPM spec file which is vanilla as possible without any patches 
whatsoever. In theory current upstream shouldn't need patches. Also any 
customization we might do really should come from us, not upstream. If 
one is building an RPM from the current FreeRADIUS version using the 
FreeRADIUS RPM spec file then one should get a vanilla FreeRADIUS build 
whose only customization extends to assuring the same file locations, 
package names, etc. are used. You pretty much get this for free. I would 
take an existing spec file strip out all the patches, changelog, etc. 
and then one only needs to take a look at the options passed to 
configure (I'm thinking about options which control which modules are 
built).


The generic RPM spec file that upstream maintains should be exercised on 
a regular basis. Far too often we've seen upstream changes that required 
spec file changes but which were never done (e.g. add/removing modules 
and/or other files).


Would we like to maintain the ./redhat subdirectory?

No, for two reasons.

1. It's impossible, as pointed out above there is no single spec file, 
each spec file is tied to a specific release. We maintain *independent* 
spec files for *every* distribution version we support, at the moment 
that numbers in the dozens :-(


2. We already maintain them and they are publicly available for anyone 
to download. Trying to maintain multiple copies in multiple repositories 
and assuring they all stay in sync doesn't seem justified.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: segfault error

2013-05-01 Thread John Dennis

On 05/01/2013 01:36 PM, Chris Taylor wrote:

I have tried a few times but I can't get a core dump. After radius dies I run  gdb 
/usr/sbin/radiusd /tmp/core_dump/test.dump but I get the following output.


#
[root@on-radius01 core_dump]# gdb /usr/sbin/radiusd /tmp/core_dump/test.dump
GNU gdb (GDB) CentOS (7.0.1-45.el5.centos)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type show copying
and show warranty for details.
This GDB was configured as x86_64-redhat-linux-gnu.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/sbin/radiusd...done.
/tmp/core_dump/test.dump is not a core dump: File format not recognized
#

I have ulimit set to unlimited.

[root@on-radius01 core_dump]# ulimit -a
core file size  (blocks, -c) unlimited
data seg size   (kbytes, -d) unlimited
scheduling priority (-e) 0
file size   (blocks, -f) unlimited

What am I doing wrong on this?


There is information in this bz you may find useful

https://bugzilla.redhat.com/show_bug.cgi?id=602567

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: pptpd+freeradius+ldap: which password encryption can I use?

2013-04-30 Thread John Dennis

On 04/30/2013 06:11 AM, Alberto Aldrigo wrote:

Hi Everybody,

I'm trying to set up a PPTPD server which would authenticate users using
my openLDAP user database; in doing so I need freeradius.
By now the only setup that actually works is: users in LDAP with clear
text password.
Obviously I want to use some kind of encryption for passwords and I
don't like the solution of using cleartext passwords and the use of a
specific user allowed to access the password attribute, so my
question is: which other possibilities do I have?
Looking at this table
http://deployingradius.com/documents/protocols/compatibility.html I
understand that I can use pap + sha1 but I can't understand how. Can
anyone help me understand what is possible and what not?
Many thanks


Cleartext passwords should work for most everything as shown in the 
compatibility table; if they don't, you've broken something.


Your other option is to hash your passwords; refer to the table for what 
will work. You'll probably need to prefix your password values with a 
scheme prefix.


However, hashing is *not* encryption, nor is hashing secure. Do not depend 
on hashing to provide protection! Most hashes can be broken easily. This 
is especially true if they can be retrieved for offline cracking, which 
is the gift you're giving your attacker if you don't lock down your 
password attributes.


Bottom line: there is no short-cut or excuse not to lock down password 
attributes with ACLs such that only a select subset of users can see 
them (e.g. radiusd, root).



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Precautions on upgrading FR from 2.1.10 to 2.2.0

2013-04-23 Thread John Dennis

On 04/23/2013 11:38 AM, Wang, Yu wrote:

Thanks for the advice. I'll make a backup copy as we do have some customized 
scripts.


As has been stated numerous times on this list, you should keep any FR 
config file you modify or any file you add under source code control. 
Your repository should be located somewhere outside the raddb directory so you 
don't accidentally remove it during an upgrade, and the repository should 
be backed up. This is a much better solution than keeping backup copies.




Yu Wang
Network Architect
Core Networking, FSU


-Original Message-
From: freeradius-users-bounces+ywang10=fsu@lists.freeradius.org 
[mailto:freeradius-users-bounces+ywang10=fsu@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Tuesday, April 23, 2013 10:15 AM
To: FreeRadius users mailing list
Subject: Re: Precautions on upgrading FR from 2.1.10 to 2.2.0

Wang, Yu wrote:

I am planning to upgrade our FR from 2.1.10 to 2.2.0 to address
increasing NTLM authentication failures using EAP-MSCHAPv2 in our
wireless systems.  I would welcome and appreciate advice on
precautions I should take before, during, and after upgrade. Any issues
you ran into in your upgrade, what impacts they had, and how did you resolve 
them?


   You should be able to upgrade without any issues.  Version 2.2.0 is 
backwards compatible with version 2.1.10.

   It wouldn't hurt to keep a backup just in case.  It's 2013... disk space is 
pretty much free.

   Alan DeKok.






--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Profile-Name attribute

2013-04-18 Thread John Center

Hi Alan,

On 04/17/2013 05:50 PM, Alan DeKok wrote:

John Center wrote:

  I see this isn't
defined in the v2.2 FreeRADIUS internal dictionary, though there is a
gap in the numbering where it would be.  If I understand it correctly,
it looks like one could have a profiles file with individual named
profiles defined containing NAS-specific text that would be sent back to
the NAS as is upon successful authentication.  Is anything like this
still supported?  Can the User-Profile attribute be used in a similar
way?


   I'm not sure what Merit meant by profiles.  So no, FreeRADIUS
doesn't do that.

It looks like it was just a way to pass back a relatively large block of 
text that had some significance to the NAS, but was opaque to the RADIUS 
server.



   There are FreeRADIUS ways of defining profiles.  You *can* do
NAS-specific rules.  See recent messages on this list.


Thanks for the pointer, I guess my timing was good. :-)

-John

--
John Center
Villanova University


Re: Profile-Name attribute

2013-04-18 Thread John Center

Hi Matthew,

On 04/17/2013 05:53 PM, Matthew Newton wrote:

On Wed, Apr 17, 2013 at 05:04:11PM -0400, John Center wrote:

it correctly, it looks like one could have a profiles file with
individual named profiles defined containing NAS-specific text that
would be sent back to the NAS as is upon successful authentication.
Is anything like this still supported?  Can the User-Profile


There are many ways of sending attributes back based on incoming
attributes (such as which NAS the request came from). One way
would be to just use an instantiation of the files module that
keys off the NAS-IP-Address:

files nasprofile {
   key = %{NAS-IP-Address}
   usersfile = ${confdir}/nas-profile
   ...
}

in the nas-profile file:

10.0.0.1
 Reply-Message := Welcome to NAS 1

10.0.0.2
 Reply-Message := Welcome to NAS 2

then call nasprofile in your sites-enabled/default authorize
section.

...or use one of the other multitude of methods just discussed in
the Idle-Timeout thread :-)

Matthew


It was just serendipity that I asked this question at the right time! 
I'll check this out and the Idle-Timeout thread.  Seems like a good topic 
for the Wiki...


Thanks.

-John


--
John Center
Villanova University


RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread John Giordano

Good morning,

Thanks to everyone for their interesting suggestions.

The one that I found the most intuitive was to define some logical groups for 
our NAS's in huntgroups and then reference those in the users file.
Something is missing though as IDLE-TIMEOUT is not being handed out as I would 
expect it to be (as per the setting in the huntgroups files).

Perhaps somebody can help us get across the finish line here.

So in huntgroups I have:

### RADIUS HUNTGROUP TEST - jg ###

MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
LAB7000   NAS-IP-Address =~ /^192\.168\.0./


-

Then in the users file right at the top I added:

### Testing FreeRADIUS IDLE-TIMEOUT Tweak -jg ###
DEFAULT   Huntgroup-Name == SNJ7000
  Idle-Timeout := 1,
  Fall-Through := yes

DEFAULT   Huntgroup-Name == MSP7345
  Idle-Timeout := 1800,
  Fall-Through := yes

DEFAULT   Huntgroup-Name == LAB7000
  Idle-Timeout := 1,
  Fall-Through := yes

--

I wasn't timing out so I then stopped radiusd and kicked it into debug mode 
with a radiusd -X

STDOUT shows that I am being handed the IDLE-TIMEOUT of 1800 even though I am 
coming from the LAB Node with IP of 192.168.0.15.
The user (me) does have an IDLE-TIMEOUT set in my user section of 1800, but I 
thought the above lines would set it, since the IDLE-TIMEOUT in my user 
section is using the = operator.

Here is my User Section:

Cleartext-Password := XXX
Idle-Timeout = 1800,
Tellabs-UAP-CLI := A8,
Callback-Id := Admin,
Reply-Message += superuser,
Reply-Message += Administrator



Here are the debug logs.  If anybody has any insights I sure would appreciate 
it!

Thanks,
Jg

SNIP

Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.15 port 65496, id=182, 
length=80
User-Name = 
User-Password = 
Service-Type = Login-User
NAS-Identifier = dot5
Called-Station-Id = BTI:7000
NAS-Port = 0
NAS-IP-Address = 192.168.0.15
# Executing section authorize from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[preprocess]expand: %{NAS-IP-Address} - 192.168.0.15
[preprocess]expand: %{NAS-IP-Address} - 192.168.0.15 --- Does 
this mean that the huntgroups file is being checked? Perhaps a regex thing?
[preprocess]expand: %{NAS-IP-Address} - 192.168.0.15
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = x, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry  at line 23
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password 
[pap] Using clear text password 
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [xx] (from client Seattle port 0)
# Executing section post-auth from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 182 to 192.168.0.15 port 65496
Idle-Timeout = 1800
Tellabs-UAP-CLI := A8
Callback-Id := Admin
Reply-Message += superuser
Reply-Message += Administrator
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 182 with timestamp +41
Ready to process requests.

/SNIP


-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of Matthew Newton
Sent: Tuesday, April 16, 2013 1:47 PM
To: FreeRadius users mailing list
Subject: Re: Setting different IDLE-TIMEOUTS based on IP Address

Hi,

On Tue, Apr 16, 2013 at 02:05:45PM -0500, John Giordano wrote:
 So I man’ed unlang and then did some more reading on huntgroups and 
 the users file.  If at all possible I think we would opt for a combo 
 of the huntgroups/users file approach.  I am still not clear as to how 
 we would do this though….
 
 Could you please speak to the interrelationship between the clients 
 file and the huntgroups file?

The clients file lists clients (NASes) that can talk to the server.

The huntgroups file (read by the preprocess module, not the files module as in 
the comments at the top of the file) is used to match incoming request 
attributes to set the Huntgroup-Name attribute, which can be further used to 
set other attributes in the reply (for example, in the users file

RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread John Giordano
Ok... I feel as though I am trying to solve a riddle here.

I thought that may be the case but!  

I removed the IDLE-TIMEOUT entry from my user stanza and the NAS then rejected 
me. I think that was because no IDLE-TIMEOUT was being sent at all from the 
server to the client.

?!

-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of a.l.m.bu...@lboro.ac.uk
Sent: Wednesday, April 17, 2013 10:49 AM
To: FreeRadius users mailing list
Subject: Re: Setting different IDLE-TIMEOUTS based on IP Address

Hi,

 STDOUT shows that I am being handed the IDLE-TIMEOUT of 1800 even 
 though I am coming from the LAB Node with IP of 192.168.0.15 The user (me) 
 does have an IDLE-TIMEOUT set in my user section of 1800 but I thought the 
 above lines would set it and because the IDLE-TIMEOUT in my user section is 
 using the = operator.

yes...AFTER the huntgroup stuff you've added..as you say, you added that new 
stuff at the top of the users file... what comes later overrides

alan


RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread John Giordano
More pieces to the puzzle... so I have been staring at the output from radiusd 
-X.

I don't see the huntgroups config file being loaded... is this, perhaps, part 
of the problem?  The permissions on the disk look good to me.  



[root@gofish raddb]# radiusd -X
FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jul 18 
2012 at 16:53:37
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/rediswho
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/soh
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/replicate
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/redis
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
main {

-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of John Giordano
Sent: Wednesday, April 17, 2013 11:02 AM
To: 'FreeRadius users mailing list'
Subject: RE: Setting different IDLE-TIMEOUTS based on IP Address

RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread John Giordano
Hi all,

We are very appreciative of the community's support of FreeRADIUS.  

So Michael, I did add the line to sites-enabled/default as you suggested

And now the debug output is showing:

++[preprocess] returns ok
++? if (%{Huntgroup-Name})
expand: %{Huntgroup-Name} - LAB7000
? Evaluating (%{Huntgroup-Name}) - TRUE
++? if (%{Huntgroup-Name}) - TRUE
++- entering if (%{Huntgroup-Name}) {...}
+++- if (%{Huntgroup-Name}) returns notfound
++- group authorize returns notfound

When I use the regexp of LAB 7000 == 192.168.0.15 

AND!!!  The right IDLE-TIMEOUT is being handed out!  Woohoo!  Thanks to 
everyone's help on this list.

I will do some more testing and report back when we tweak the regexp to make it 
match the whole /24.

-jg



-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of Matthew Newton
Sent: Wednesday, April 17, 2013 1:24 PM
To: FreeRadius users mailing list
Subject: Re: Setting different IDLE-TIMEOUTS based on IP Address

Hi,

On Wed, Apr 17, 2013 at 08:38:36PM +0100, Matthew Newton wrote:
 On Wed, Apr 17, 2013 at 12:32:32PM -0500, John Giordano wrote:
  So in huntgroups I have:
  
  ### RADIUS HUNTGROUP TEST - jg ###
  
  MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
  SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
  LAB7000   NAS-IP-Address =~ /^192\.168\.0./
 
 Testing it here, I'm not convinced that =~ is working in the 
 huntgroups file, which slightly surprises me.

OK, this is rather inconsistent behaviour compared to unlang, but after digging 
in the code, the syntax you want is this:

MSP7345   NAS-IP-Address =~ ^10\.99\.3\.
SNJ7000   NAS-IP-Address =~ ^10\.3\.99\.
LAB7000   NAS-IP-Address =~ ^192\.168\.0.

i.e. don't put the usual /'s around the regex.

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services, I.T. Services, University of 
Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk


RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread John Giordano
Yeehaw! 

And *Matthew* (sorry about getting your name wrong in the last email):

The new REGEXP is working as such:

Login OK: [xx] (from client Seattle port 0)
# Executing section post-auth from file 
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 134 to 192.168.0.15 port 65460
Idle-Timeout = 7
Tellabs-UAP-CLI := A8
Callback-Id := Admin
Reply-Message += superuser
Reply-Message += Administrator
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 134 with timestamp +14
Ready to process requests.

So I am thankful I can avoid putting a whole bunch of entries in huntgroups... 
either manually or through a Perl script.  :)

Cheers!

-jg



-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of John Giordano
Sent: Wednesday, April 17, 2013 1:47 PM
To: FreeRadius users mailing list
Subject: RE: Setting different IDLE-TIMEOUTS based on IP Address

Hi all,

We are very appreciative of the community's support of FreeRADIUS.  

So Michael, I did add the line to sites-enabled/default as you suggested

And now the debug output is showing:

++[preprocess] returns ok
++? if (%{Huntgroup-Name})
expand: %{Huntgroup-Name} - LAB7000 ? Evaluating (%{Huntgroup-Name}) 
- TRUE
++? if (%{Huntgroup-Name}) - TRUE
++- entering if (%{Huntgroup-Name}) {...}
+++- if (%{Huntgroup-Name}) returns notfound
++- group authorize returns notfound

When I use the regexp of LAB 7000 == 192.168.0.15 

AND!!!  The right IDLE-TIMEOUT is being handed out!  Woohoo!  Thanks to 
everyone's help on this list.

I will do some more testing and report back when we tweak the regexp to make it 
match the whole /24.

-jg



-Original Message-
From: freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org 
[mailto:freeradius-users-bounces+john.giordano=ttmi...@lists.freeradius.org] On 
Behalf Of Matthew Newton
Sent: Wednesday, April 17, 2013 1:24 PM
To: FreeRadius users mailing list
Subject: Re: Setting different IDLE-TIMEOUTS based on IP Address

Hi,

On Wed, Apr 17, 2013 at 08:38:36PM +0100, Matthew Newton wrote:
 On Wed, Apr 17, 2013 at 12:32:32PM -0500, John Giordano wrote:
  So in huntgroups I have:
  
  ### RADIUS HUNTGROUP TEST - jg ###
  
  MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
  SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
  LAB7000   NAS-IP-Address =~ /^192\.168\.0./
 
 Testing it here, I'm not convinced that =~ is working in the 
 huntgroups file, which slightly surprises me.

OK, this is rather inconsistent behaviour compared to unlang, but after digging 
in the code, the syntax you want is this:

MSP7345   NAS-IP-Address =~ ^10\.99\.3\.
SNJ7000   NAS-IP-Address =~ ^10\.3\.99\.
LAB7000   NAS-IP-Address =~ ^192\.168\.0.

i.e. don't put the usual /'s around the regex.

Matthew


--
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services, I.T. Services, University of 
Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

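The huntgroups regex syntax and the users-file operator behaviour worked out across this thread, as an added Python model that is not FreeRADIUS code: it compiles the value after =~ verbatim (so the slash-wrapped entries never match, as Matthew found), applies the documented reply operators (:= replaces, = adds only when the attribute is absent, += always adds), and exposes one caveat in the suggested LAB7000 pattern, whose unescaped trailing dot also matches addresses such as 192.168.01.5. The sample huntgroups and users entries are constructed from the ones posted above, and the matching is a simplification of what the preprocess and files modules do.

```python
# Added model (not FreeRADIUS code) of the behaviour in this thread: huntgroup
# regex matching as the preprocess module appears to do it, then the users-file
# reply operators.  All sample entries are constructed from the posts above.
import re

# Constructed sample: the poster's huntgroups with slash-wrapped regexes (as
# first written) and bare (as Matthew suggested).
HUNTGROUPS_SLASHED = r"""
### RADIUS HUNTGROUP TEST - jg ###
MSP7345   NAS-IP-Address =~ /^10\.99\.3\./
SNJ7000   NAS-IP-Address =~ /^10\.3\.99\./
LAB7000   NAS-IP-Address =~ /^192\.168\.0./
"""
HUNTGROUPS_BARE = r"""
MSP7345   NAS-IP-Address =~ ^10\.99\.3\.
SNJ7000   NAS-IP-Address =~ ^10\.3\.99\.
LAB7000   NAS-IP-Address =~ ^192\.168\.0.
"""

# group, attribute, operator, value; comments and blank lines are skipped
HUNTGROUP_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(=~|==)\s+(\S+)\s*$")

def parse_huntgroups(text):
    """Return [(group, attribute, operator, value)] for each entry line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = HUNTGROUP_LINE.match(line)
        if not match:
            raise ValueError("unparseable huntgroups line: %r" % line)
        entries.append(match.groups())
    return entries

def huntgroup_for(entries, request):
    """Name of the first group whose check item matches the request, else None.

    Assumption from the thread: the value after '=~' is compiled as the regex
    verbatim, so a leading '/' is a literal character that no NAS-IP-Address
    contains and the entry silently never matches.
    """
    for group, attr, op, value in entries:
        actual = request.get(attr)
        if actual is None:
            continue
        if op == "==" and actual == value:
            return group
        if op == "=~" and re.search(value, actual):
            return group
    return None

def apply_reply(reply, attr, op, value):
    """users-file reply operators: ':=' replaces, '=' adds only if the
    attribute is not already present, '+=' always adds another value."""
    if op == ":=":
        reply[attr] = [value]
    elif op == "=":
        reply.setdefault(attr, [value])
    elif op == "+=":
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError("unsupported reply operator %r" % op)

# Constructed model of the poster's users file as (name, check items, reply
# items, Fall-Through): DEFAULT huntgroup entries first, the user's own entry later.
USERS = [
    ("DEFAULT", {"Huntgroup-Name": "SNJ7000"}, [("Idle-Timeout", ":=", "1")], True),
    ("DEFAULT", {"Huntgroup-Name": "MSP7345"}, [("Idle-Timeout", ":=", "1800")], True),
    ("DEFAULT", {"Huntgroup-Name": "LAB7000"}, [("Idle-Timeout", ":=", "1")], True),
    ("jg", {}, [("Idle-Timeout", "=", "1800"), ("Callback-Id", ":=", "Admin"),
                ("Reply-Message", "+=", "superuser"),
                ("Reply-Message", "+=", "Administrator")], False),
]

def authorize(huntgroups_text, request, users=USERS):
    """Set Huntgroup-Name from the huntgroups file, walk the users file in
    order, and return the reply items as {attribute: [values]}."""
    request = dict(request)
    group = huntgroup_for(parse_huntgroups(huntgroups_text), request)
    if group is not None:
        request["Huntgroup-Name"] = group
    reply = {}
    for name, checks, replies, fall_through in users:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if any(request.get(a) != v for a, v in checks.items()):
            continue
        for attr, op, value in replies:
            apply_reply(reply, attr, op, value)
        if not fall_through:
            break
    return reply
```

With the slashed file the reply carries Idle-Timeout 1800 from the user's own "=" entry, exactly as in the debug output above; with the bare file LAB7000 matches, ":=" sets 1 and the later "=" cannot replace it.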

Profile-Name attribute

2013-04-17 Thread John Center

Hi,

I came across an attribute called Profile-Name, with an encoding of 
1039 (string), from an old Merit RADIUS dictionary.  I see this isn't 
defined in the v2.2 FreeRADIUS internal dictionary, though there is a 
gap in the numbering where it would be.  If I understand it correctly, 
it looks like one could have a profiles file with individual named 
profiles defined containing NAS-specific text that would be sent back to 
the NAS as is upon successful authentication.  Is anything like this 
still supported?  Can the User-Profile attribute be used in a similar way?


Thanks.

-John

--
John Center
Villanova University


Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread John Giordano
Hi,

So I have done a fair amount of RTFM'ing and search engining but am stumped.

Perhaps someone on this list has successfully done what we are trying to do:

Have our FreeRADIUS Server assign a different IDLE-TIMEOUT Value based on what 
IP Address is contacting the RADIUS server.

OS: CentOS 5.8

FreeRADIUS Version: 2-2.1.12-4.el5_8

We have FreeRADIUS working fine (it has been a rock in fact and is running 
under Daniel Bernstein's daemontools).  We just need to add this functionality 
as some of our network gear needs to have a different IDLE TIMEOUT than others.

Is this possible?

Thanks much,

Jg


RE: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread John Giordano

Alan,

Interesting…

So I man’ed unlang and then did some more reading on huntgroups and the users 
file.  If at all possible I think we would opt for a combo of the 
huntgroups/users file approach.  I am still not clear as to how we would do 
this though….

Could you please speak to the interrelationship between the clients file and 
the huntgroups file?

For examples this is what we have in our clients config file now (with our 
internal IP’s changed for obfuscation’s sake):

client 10.99.3.0/24 {
secret  =XXX
shortname   = MSP 7345’s
}

client 10.3.99.0/24 {
secret  = XX
shortname   = SNJ 7000 Switches
}

These are the two different equipment types we would like to have different 
IDLE-TIMEOUTs for.

My first question is that every huntgroups file example I have seen on the Net 
uses a per NAS definition:

raleigh    NAS-IP-Address == 192.168.1.101
raleigh    NAS-IP-Address == 192.168.1.102
raleigh    NAS-IP-Address == 192.168.1.103
premium    NAS-IP-Address == 192.168.1.101, NAS-Port-Id == 0-4
           Group = premium,
           Group = staff

I would rather not have to define 254 different entries in our huntgroups file 
(254 hosts in a Class C obviously).  Can I use a netmask somehow in the 
huntgroups file?

In pseudo parlance this is what I am trying to accomplish in huntgroups:

MSP 7345’s NAS-IP-Address == 10.99.3.0/24
IDLE-TIMEOUT = 1800

SNJ 7000 NAS-IP-Address ==  10.3.99.0/24
IDLE-TIMEOUT = 60

Thanks!

-jg



From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Tuesday, April 16, 2013 10:45 AM
To: John Giordano; freeradius-users@lists.freeradius.org
Subject: Re: Setting different IDLE-TIMEOUTS based on IP Address

If your NAS can take such a value then it can be assigned. Either via eg users 
file and huntgroup or via eg unlang

if(%{NAS-Ip-Address} == 192.168.1.1) {
 update reply {
  Attribute = XYZ
 }
}

..'man unlang' for more info

alan

Re: Freeradius +LDAP + Samba integrates to Active Directory

2013-04-15 Thread John

Thanks. Alan 

--- On Fri, 12 Apr 2013, Alan DeKok al...@deployingradius.com wrote:

From: Alan DeKok al...@deployingradius.com
Subject: Re: Freeradius +LDAP + Samba integrates to Active Directory
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 12 Apr 2013, 9:48 PM

John wrote:
 We deploy freeradius integrated to Active Directory, but the AD enabled
 Require signing option (see the attachement).

  That's really an AD question.

 net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP
 search failed.  Is there a way to let LDAP search work? Can someone show
 me some reference or guide?

  Look in Microsoft support forums.  Once you get LDAP search working,
FreeRADIUS will work, too.

  Alan DeKok.

Freeradius +LDAP + Samba integrates to Active Directory

2013-04-12 Thread John
Hi all,
 
We deploy freeradius integrated to Active Directory, but the AD enabled the 
Require signing option (see the attachment).
 
net join is OK after we set LDAP SASL wrapping to 'sign'. But LDAP search 
failed.  Is there a way to let LDAP search work? Can someone show me some 
reference or guide?
 
Thanks,
John

attachment: LDAP SASL wrapping.JPG

Re: compile with ldap support

2013-04-11 Thread John Dennis

On 04/10/2013 10:24 PM, Alan DeKok wrote:

Chris Taylor wrote:

How do I check that I have them installed? I have the openldap rpm installed.


   This is really a question for your OS vendor.  How about man rpm?
Or google?


If you're working on a Fedora/RHEL/CentOS etc. type system then 
yum-builddep is your friend. I know you're trying to build from source 
and not build an RPM but if you have a srpm or spec file you can use 
yum-builddep to get your build dependencies installed. Or you can look 
at a spec file and find all the BuildRequires and install those.


Think of an rpm spec file as a recipe for building. If you're not sure 
what ingredients you need then consult the recipe.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-10 Thread John Dennis

On 04/10/2013 12:03 AM, pramod kulkarni wrote:

Thanks John for the reply.
can I use EAP-TLS method of authentication with LDAP as backend
datastore to check usernames and passwords.

 It would be like I bind to RADIUS server with EAP-TLS method using
 certificate and check usernames and passwords from LDAP server
 if yes on EAP-TLS can you please tell me how to configure EAP-TLS
 with LDAP as backend datastore.

This is a nonsensical question; EAP-TLS uses certificates. You do not 
yet understand some of the basics. You need to invest some time in 
learning what the authentication mechanisms are and how they 
operate; this is a good starting place.


http://deployingradius.com/documents/protocols/


Basically I want to avoid hardcoded usernames and passwords in raddb
of RADIUS server for authenticating users which I am doing currently.


What the configuration block in modules/ldap is setting up is how the 
radius server can communicate with the LDAP server in a peer-to-peer 
relationship. The LDAP server has to know who the radius server is and 
whether it has permission to access other users' passwords and password 
hashes. Therefore radiusd must authenticate to LDAP. This process is 
completely *independent* of any of the authentication protocols; it's 
merely establishing whether radius can view certain data.


The way rlm_ldap is currently coded, only simple binds (i.e. password 
based) are supported, therefore you must store a password in raddb. You 
are correct that this is a security issue; however, only root and the radius 
process should be able to read the file. On our systems we make sure the 
permissions and identities the processes run under assure this. If 
you've installed via some other mechanism it behooves you to assure the 
radius user and group are properly configured as well as the file 
permissions on the config files. And by the way, no, I won't tell you how 
to do this, it's system admin 101. I'm pretty sure the defaults assure 
this as well, but I haven't verified.


There are other ways to establish the trust between radiusd and LDAP 
beside simple binds which do not involve passwords. All of these use 
SASL in some form. Unfortunately rlm_ldap does not support them. I know 
Alan rewrote rlm_ldap recently for the upcoming 3.0 version, I don't 
know if SASL support was added or not. In any event this is an open 
source project and if you want this functionality then the usual mantra 
Patches Welcome applies.


Oh, and by the way just in case you're confused as to the TLS parameters 
in the ldap config, they have nothing to do with binding (i.e. 
authenticating radiusd to LDAP), their purpose is to establish a secure 
tunnel between radiusd and LDAP. You can request the tunnel only be 
established if certificate based authentication succeeds but a simple 
bind will still be performed inside the tunnel.


HTH,

John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
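The protection for the LDAP bind password described above is nothing more than file ownership and mode on the raddb tree plus the uid radiusd drops to, so it is worth checking mechanically after every install or package update. The following is an added example, not code from the message or from FreeRADIUS: a small audit that walks a configuration tree and reports anything that would let another local user read the bind password or shared secrets. It assumes the service account is called radiusd and the tree is /etc/raddb; both are distribution-specific (Debian-derived packages use the user freerad and /etc/freeradius), and both can be overridden on the command line.

```python
import os
import pwd
import stat
import sys


def audit_config_tree(root, allowed_uids):
    """Walk root and return [(path, problem), ...] for anything that weakens the
    protection of the secrets stored there (LDAP bind password, shared secrets).

    allowed_uids: numeric uids that may own the files, normally {0, uid of the
    service account}. Reported: files readable or writable by "other", files
    owned by anyone else, world-writable directories (a config file could be
    swapped in) and symlinks (the target's permissions need a separate look).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((dirpath, "directory is world-writable"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink; check the target's permissions"))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid not in allowed_uids:
                findings.append((path, "owned by uid %d, not root or the service account" % st.st_uid))
            if mode & stat.S_IROTH:
                findings.append((path, "world-readable (mode %04o)" % mode))
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable (mode %04o)" % mode))
    return findings


def service_uid(user):
    """uid of the account radiusd runs as, or None if it does not exist here."""
    try:
        return pwd.getpwnam(user).pw_uid
    except KeyError:
        return None


if __name__ == "__main__":
    # Assumed defaults; Debian-derived systems use /etc/freeradius and user freerad.
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/raddb"
    user = sys.argv[2] if len(sys.argv) > 2 else "radiusd"
    allowed = {0}
    uid = service_uid(user)
    if uid is None:
        print("warning: no such user %r; only root-owned files are accepted" % user)
    else:
        allowed.add(uid)
    problems = audit_config_tree(root, allowed)
    for path, problem in problems:
        print("%s: %s" % (path, problem))
    sys.exit(1 if problems else 0)
```

Run it as root (`python audit.py /etc/raddb radiusd`); a non-zero exit means at least one file holding a secret is exposed. Group readability is deliberately not flagged, because the usual packaging is root-owned files with group radiusd and mode 0640.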


Re: Fwd: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-09 Thread John Dennis

On 04/09/2013 03:44 AM, pramod kulkarni wrote:

Hi,
I am working on RADIUS with LDAP as backend for authenticating users.
I configured rlm_ldap on RADIUS server with username and plaintext
password and I am able to authenticate RADIUS client using LDAP.


There is a difference between using LDAP as a backend datastore (lookup 
passwords and password hashes after binding as a service) and using LDAP 
as a authentication oracle (binding as the user to determine if the user 
is authenticated depending on the bind result). From above it sounds 
like you've configured LDAP as a backend datastore.



But I want to configure RADIUS server with certificates instead of using
usernames and passwords.
Please guide me how to achieve this,is there any help/doc how to
configure LDAP SASL bind for RADIUS Server.
Waiting for your inputs.
Thanks and Regards,


You can't with the current rlm_ldap module bind to the LDAP server with 
anything other than a (username, password) pair, either for lookups or 
for authentication testing (only ldap_connect and ldap_simple_bind are 
supported).


However, rlm_ldap does support SSL/TLS connections to the LDAP server 
and you can specify that you want the LDAP server to request a client 
cert when establishing the connection. But ultimately you're still doing 
a simple bind albeit in a secure tunnel. If you specify you want the 
LDAP server to require a client cert then you effectively have two 
simultaneous authentication mechanisms in play (TLS for the tunnel and 
simple auth inside the tunnel). Setting up TLS auth is straight forward 
(see the options in raddb/modules/ldap) *except* for the fact the ldap 
library routines to set the require cert option are buggy (rlm_ldap uses 
the wrong entry point which may not be supported and the openldap 
library also has bugs, I think we've now got all these fixed and patches 
sent upstream to openldap, but you should be aware there is a 
reasonable chance it won't work on your distribution unless you've got 
patched libraries).


Even if SASL binds were supported you wouldn't want to use SASL binds 
for user authentication (if that was what you were asking, it's not 
clear from your original post). For user authentication based on 
certificates you would use EAP-TLS.


A long time ago I had a patch for using SASL binds, but it was against 
the old 1.1.7 version of rlm_ldap and it only supported GSSAPI.


HTH,

John


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Server dosn't detect any requests except from localhost

2013-04-09 Thread John Dennis

On 04/09/2013 05:21 AM, Saeed Zanderahimi wrote:

Hello,
I have a student project that I need a RADIUS server in it. I have
access to two servers that I have to remotely connect to them (VPN
required, of course two servers are on the same network and can see each
other always), one is having windows server on it and another one has
CentOS 64bit on it. Both are virtual in a company using VMWare tools I
believe.
I installed freeRadius on CentOS and I performed first tests from the
server itself and it's working all right. I added the clients and users
that I needed to the configuration files.
Here is the problem: Whenever I send a request from a radius client (I
tried some testers, and even radtest) to my freeRadius server I get time
out, freeRadius is running in debugging mode and I can see that it
doesn't receive any request whether to accept or reject. I tried the
windows server on that LAN and my computer which is connected to VPN and
can see the freeRadius server. (successful pinging)
I used -netstat to see what IPs and ports are listening, the result was
0.0.0.0:1812(udp) so I assume that it is listening to all IPs on 1812.
whenever I try to start the server with -i and -p I get the message that
server cannot bind on the address that I want because it is already
listening to them on another thing. I can start the server with -i
172.16.150.*** which is its own address and -p 1812.
I have been stuck on this problem for two days, I read all the config files
of freeRadius and I tried to make some changes (I revert them later) but
none helped cause I think the problem is not there. I assume that server
should see all the requests and then decide what to do with them. Any
ideas where the problem is?


I suspect a firewall is blocking your port. FWIW listening on a port is 
completely independent of whether the port is blocked, you have to check 
both.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


New/updated dictionary files for Meru and Trapeze

2013-03-28 Thread John Carter
Hi,

 

Please find attached a brand-new Meru dictionary file and an updated Trapeze
dictionary file (updated based on 2.2.0). 

 

Do you want diffs?

 

Regards,

 

John.

 

 



dictionary.trapeze
Description: Binary data


dictionary.meru
Description: Binary data

RE: New/updated dictionary files for Meru and Trapeze

2013-03-28 Thread John Carter
Sorry, never used Git. Is it essential?

-Original Message-
From:
freeradius-users-bounces+jcarter=identitynetworks@lists.freeradius.org
[mailto:freeradius-users-bounces+jcarter=identitynetworks.com@lists.freeradi
us.org] On Behalf Of Arran Cudbard-Bell
Sent: 28 March 2013 14:42
To: FreeRadius users mailing list
Subject: Re: New/updated dictionary files for Meru and Trapeze


On 28 Mar 2013, at 10:35, John Carter jcar...@identitynetworks.com wrote:

 Hi,
  
 Please find attached a brand-new Meru dictionary file and an updated
Trapeze dictionary file (updated based on 2.2.0).
  
 Do you want diffs?
  

No... a pull request on GitHub would be nice though :)

-Arran


How can I change proxy based on username?

2013-03-26 Thread John Horne
Hello,

Using Freeradius 2.1.10 I have been trying to see if I can proxy a
request to a remote server but using a different User-Name attribute
based on the original request User-Name attribute.

For example so that:
Request 'j.blo...@plymouth.ac.uk' gets proxied to remote server with
User-Name=j.blo...@plymouth.ac.uk in the proxy request.
Request 'jblo...@plymouth.ac.uk' gets proxied to the same remote server
but uses the User-Name=jbloggs attribute (so no realm) in the proxy
request.

So basically if a username contains a dot, then proxy on the whole thing
(username and realm). But if the username does not contain a dot, then
only proxy on the username, no realm.

I have been trying in the authorize section to use:

=
if (Realm !~ /^(NULL|DEFAULT|LOCAL)$/) {
        if (User-Name =~ /^([^.]+)@/) {
                update control {
                        Proxy-To-Realm := NULL
                }
        }
}
=

The NULL realm will 'strip' the username, and proxy the request to the
remote server. However, testing shows that the User-Name being sent is
the original one still with the realm:

=
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|
LOCAL)$/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (Realm !~ /^(NULL|
DEFAULT|LOCAL)$/) - TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++? if (Realm !~ /^(NULL|DEFAULT|
LOCAL)$/) - TRUE
Tue Mar 26 12:31:07 2013 : Debug: ++- entering if (Realm !~ /^(NULL|
DEFAULT|LOCAL)$/) {...}
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/)
Tue Mar 26 12:31:07 2013 : Debug: ? Evaluating (User-Name
=~ /^([^.]+)@/) - TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++? if (User-Name =~ /^([^.]+)@/) -
TRUE
Tue Mar 26 12:31:07 2013 : Debug: +++- entering if (User-Name
=~ /^([^.]+)@/) {...}
Tue Mar 26 12:31:07 2013 : Debug: [control] returns updated
Tue Mar 26 12:31:07 2013 : Debug: +++- if (User-Name =~ /^([^.]+)@/)
returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++- if (Realm !~ /^(NULL|DEFAULT|
LOCAL)$/) returns updated
Tue Mar 26 12:31:07 2013 : Debug: ++[local_mschap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: [eap] Request is supposed to be
proxied to Realm NULL.  Not doing EAP.
Tue Mar 26 12:31:07 2013 : Debug: ++[eap] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[files] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[expiration] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[logintime] returns noop
Tue Mar 26 12:31:07 2013 : Debug: ++[pap] returns noop

...

Tue Mar 26 12:31:07 2013 : Debug: Sending Access-Request packet to host
141.163.1.180 port 1812, id=140, length=191
Tue Mar 26 12:31:07 2013 : Debug:   User-Name =
jblo...@plymouth.ac.uk
Tue Mar 26 12:31:07 2013 : Debug:   NAS-IP-Address = 127.0.0.1
Tue Mar 26 12:31:07 2013 : Debug:   Calling-Station-Id =
02-00-00-00-00-01 
Tue Mar 26 12:31:07 2013 : Debug:   Framed-MTU = 1400
Tue Mar 26 12:31:07 2013 : Debug:   NAS-Port-Type = Wireless-802.11
Tue Mar 26 12:31:07 2013 : Debug:   Connect-Info = CONNECT 11Mbps
802.11b
Tue Mar 26 12:31:07 2013 : Debug:   EAP-Message =
0x020c00261900170301001b3fb7e62a2e47d33ede49271ebc0c70dc92c4a82ac889c9b1867ddc
Tue Mar 26 12:31:07 2013 : Debug:   State =
0x28af050f013700018da3c9b400035b2fcad100
Tue Mar 26 12:31:07 2013 : Debug:   Message-Authenticator =
0x
Tue Mar 26 12:31:07 2013 : Debug:   Realm = plymouth.ac.uk
Tue Mar 26 12:31:07 2013 : Debug:   EAP-Type = PEAP
Tue Mar 26 12:31:07 2013 : Debug:   Proxy-State = 0x3132
=

As the output shows 'Request is supposed to be proxied to Realm NULL',
so the authorize bit seems to be working, but the realm is not being
stripped from the username.

The proxy.conf file simply has:

=
realm NULL {
auth_pool = local_proxies
}
=

So the realm should be stripped from the username.



Anyone any ideas about this?


Thanks,

John.

-- 
John Horne   Tel: +44 (0)1752 587287
Plymouth University, UK  Fax: +44 (0)1752 587001


Re: How can I change proxy based on username?

2013-03-26 Thread John Horne
On Tue, 2013-03-26 at 14:13 +, Phil Mayers wrote:
 On 26/03/2013 12:50, John Horne wrote:
  Hello,
 
  Using Freeradius 2.1.10 I have been trying to see if I can proxy a
  request to a remote server but using a different User-Name attribute
  based on the original request User-Name attribute.
 
 You can do this, but it might break things because you're using EAP.
 
Yes, it seems that just changing the 'User-Name' attribute results in
authentication failures (no doubt due to EAP breaking).

 What is the upstream proxy?
 
Microsoft domain controller (DC).

 Can you explain why you want to do this? Obviously it's possible to 
 manipulate the packet in many ways, but your goal may be best 
 accomplished via a different route.
 -
The DC will recognise a user's userid (e.g. 'jbloggs') provided it has no
realm. It will also recognise (what I think is the UPN?) which is of the
form 'j.blo...@plymouth.ac.uk'.

However, we have to cater for a mixed format of
'jblo...@plymouth.ac.uk', which is currently used by some users and
working. To do this we need to strip off the realm so that the DC will
recognise just the userid part ('jbloggs'). (For completeness, the
format 'j.bloggs' with no realm is not allowed by us and rejected.)




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



Re: How can I change proxy based on username?

2013-03-26 Thread John Horne
On Tue, 2013-03-26 at 15:35 +, Phil Mayers wrote:
 On 26/03/2013 15:12, John Horne wrote:

  What is the upstream proxy?
 
  Microsoft domain controller (DC).
 
 As in, Microsoft NPS running on a DC?
 
As far as I know, yes. I don't deal with the Microsoft side of this.

 
 Just to check I understand you - you currently have an NPS instance that 
 will successfully authenticate:
 
 jbloggs
 j.bloggs@domain
 
 ...but fails on:
 
 jbloggs@domain
 
 Correct?
 
No. At present it will authenticate 'jbloggs' and 'jbloggs@domain'. We
want to have it authenticate 'jbloggs' and 'j.bloggs@domain', but
because 'jbloggs@domain' currently works, we need to cater for it but
have to do this by stripping the realm (so it becomes just 'jbloggs').
Don't ask me 'why', I gather that the DC can recognise a userid (such as
'jbloggs') and the UPN ('j.bloggs@domain'), but it cannot recognise
three formats. So we need to change 'jbloggs@domain' to just 'jbloggs'.

Trying to change 'jbloggs@domain' to 'j.bloggs@domain' may be possible,
but we would have to start doing LDAP lookups to dig out the info.
Secondly, of course, is that we would be changing the 'User-Name' sent
to the DC, so I assume EAP would break again.

  However, we have to cater for a mixed format of
  'jblo...@plymouth.ac.uk', which is currently used by some users and
  working. To do this we need to strip off the realm so that the DC will
  recognise just the userid part ('jbloggs').
 
 But as you say, this ought to cause EAP failures, so it's useless?

If I can't get 'jbloggs@domain' stripped of the domain, then yes it
could all be useless.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



Re: How can I change proxy based on username?

2013-03-26 Thread John Horne
On Tue, 2013-03-26 at 14:08 +0100, Olivier Beytrison wrote:

 You could also use the preproxy_users which allow you to rewrite the
 request before it is proxied. It contains the exact example for your case.
 
Hello,

Many thanks for that, I had overlooked that file.

I am pleased to say that enabling the DEFAULT example in the file (and
correcting it slightly), it worked fine :-)

Debug output from radiusd showed that the format
'jblo...@plymouth.ac.uk' was proxied with the realm NULL and using the
Stripped-User-Name attribute (which we set in the policy.conf file).
This is exactly what we wanted, and it didn't break EAP.

I also checked the other formats that we wanted to allow, and they all
worked fine too. I'll do further testing tomorrow, but it looks good.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287Fax: +44 (0)1752 587001



Re: Trying to integrate with LDAP

2013-03-14 Thread John Dennis

On 03/14/2013 01:20 PM, fernando@gmail.com wrote:

i put on LDAP (/module)
password_attribute = userPassword

and now works fine... almost :S
it only works with plaintext passwords, how do I change that to use MD5
passwords?


You need to understand the information found here:

http://deployingradius.com/documents/protocols/

You also need to understand the difference between using LDAP as an 
authentication data store (credential storage) and as an authentication 
oracle (i.e. authentication proxy).


You also need to understand that the authorize step passes the incoming 
request to each module in the authorize section where the module is 
given a chance to examine the request and decide if it's capable of 
handling it, this is how the Auth-Type is set. Which modules are defined 
and their order is significant. This is documented in the 
raddb/sites-enabled/default config which is a recommended configuration.


Until you have these concepts firmly under your grasp you'll likely be 
frustrated trying to modify the configuration.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Release of Version 2.2.1

2013-03-08 Thread John Dennis

On 03/07/2013 12:22 PM, Alan DeKok wrote:

   It's been a while since Version 2.2 was released, so it's time for the
next release.

   I'd like to fix the reported memory leak issue, and then release it
later next week.  The changes are minor, and mostly cleanups and bug fixes.

   Please let me know if there are any issues.


Yes, one just came up. We've never been able to ship a devel package 
that installs the header files because of multilib conflicts. A multilib 
conflict occurs when arch specific packages (i.e. i686 vs. x86-64) 
contain arch independent files which differ between arches (i.e. header 
files). In other words the header files can't differ between i686 and 
x86-64.


My recollection is there was just one or two issues that arose because 
configure generates a header file with a few defines specifying the size 
of an int or some such. This wiki page explains some of the issues.


http://fedoraproject.org/wiki/PackagingDrafts/MultilibTricks

Anyway, I just got a request to start shipping a -devel package, but 
it's much easier to make the necessary minor tweaks upstream to get rid 
of the conflicts. So it would be great if we could get this into the git 
repo before 2.2.1 goes out the door. I think the fix is fairly minor.


Since this just came up about 5 minutes ago I don't have all the details 
at hand or a patch yet, but I'll do that soon.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


eap-fast on freeradius 2

2013-02-25 Thread John
Hi,

I found freeRADIUS support eap-fast. Can I use eap-fast in eap2, meanwhile use 
other eap types in eap?  Is the EAP fragmentation issue fixed in eap2?

Best,
-John

Re: EAP-TLS certificate problem

2013-02-19 Thread John Dennis

On 02/19/2013 09:16 AM, Muhammad Nadeem wrote:

On 2/19/13, Phil Mayers p.may...@imperial.ac.uk wrote:

On 19/02/13 09:11, Muhammad Nadeem wrote:

Hi, everybody
I have used pre-shipped certificates of Freeradius for testing
purposes. This testing succeeded with a test user 'bob', with files
authentication.
Now in the next step I want to authenticate a user from my Database with
Digital certificates. When I authenticate the user, the server side
confirms and sends an Access-Accept packet, but at the client, the following
error occurs.
 No Message-Authenticator attribute found
Incoming RADIUS packet did not have correct Message-Authenticator -
dropped
STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
- dropping packet

I googled this problem and found a solution that the user Auth-type is
set to Accept (I manually checked the user in Database , and its
Auth-Type was Accept) and this type prevent further process.


Yes


Now my question is that , could I continue EAP-TLS authentication,
regardless of Auth-Type is set to Accept???


No. Don't set Auth-Type unless you know what you're doing.


Doesn't look like you actually heeded this advice does it? Hint, look at 
your select statement. You're setting the Auth-Type.



Ok thanx,
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, I failed :(
The following output is the debug output of the freeradius server. (I
think EAP NAK,, is creating problems).
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID - SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table



Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
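The two client-side messages quoted in the post ("No Message-Authenticator attribute found" and "did not have correct Message-Authenticator - dropped") are the checks an EAP peer has to apply: RFC 3579 requires a valid Message-Authenticator on every RADIUS packet that carries EAP-Message, and once Auth-Type is forced to Accept the EAP module never runs, so the Access-Accept goes out without one. The following is an added example, not code from the thread or from FreeRADIUS, that builds an Access-Accept with and without the attribute and applies the peer's checks to each; it also shows why the attribute is computed with the Request Authenticator rather than the Response Authenticator. The shared secret, Request Authenticator and EAP payload are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS AVPs (type, length incl. header, value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("AVP value too long; split it across several AVPs")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length AVPs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad AVP length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, request_authenticator, attrs, secret, sign=True):
    """Build a RADIUS packet.

    For an Access-Request, request_authenticator is the 16 random bytes the
    client chose. For a response it is the Request Authenticator of the matching
    request: Message-Authenticator (RFC 3579 s3.2) and the Response Authenticator
    (RFC 2865 s3) are both computed with that value in the header. sign=False
    models a server that skipped the EAP module and sent an unsigned Access-Accept.
    """
    if sign:
        attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + request_authenticator + body
    if sign:
        # HMAC-MD5 over the whole packet with the Message-Authenticator value
        # zeroed, written into the last 16 bytes (the zeroed AVP appended above).
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    if code != ACCESS_REQUEST:
        resp_auth = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
        pkt = pkt[:4] + resp_auth + pkt[20:]
    return pkt


def verify_response(pkt, request_authenticator, secret, require_message_authenticator):
    """Peer-side validation of an Access-Accept/Reject/Challenge: (ok, reason).

    An EAP peer must pass require_message_authenticator=True; that is the check
    behind "No Message-Authenticator attribute found" in the post above.
    """
    if len(pkt) < 20:
        return False, "short packet"
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "Length field does not match packet size"
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False, "bad Response Authenticator (wrong secret or forged packet)"
    try:
        attrs = decode_attrs(body)
    except ValueError as e:
        return False, str(e)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not mas:
        if require_message_authenticator:
            return False, "No Message-Authenticator attribute found"
        return True, "ok (no Message-Authenticator; acceptable only for non-EAP)"
    if len(mas) != 1 or len(mas[0]) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    mac = hmac.new(secret, pkt[:4] + request_authenticator + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, mas[0]):
        return False, "Incoming RADIUS packet did not have correct Message-Authenticator"
    return True, "ok"


if __name__ == "__main__":
    secret = b"testing123"              # assumed shared secret
    req_auth = bytes(range(16))         # constructed Request Authenticator
    attrs = [(ATTR_EAP_MESSAGE, b"\x03\x05\x00\x04")]   # EAP-Success, id 5 (constructed)
    for signed in (True, False):
        accept = build_packet(ACCESS_ACCEPT, 5, req_auth, attrs, secret, sign=signed)
        print("signed=%s -> %s" % (signed, verify_response(accept, req_auth, secret, True)))
```

The Response Authenticator alone does not protect an EAP exchange: it is a plain MD5 over the packet and the secret, while Message-Authenticator is a keyed HMAC that also covers the EAP-Message payload, which is why the peer insists on it before it will hand EAP-Success to the supplicant.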


Re: radiusd starts but rejects test user

2013-02-15 Thread John Dennis

On 02/15/2013 12:30 PM, temp sha wrote:

thanks Alan/RM it is working now after adding
testing Cleartext-Password := password
but now I am trying to test the same using the NTRadPing Test utility which is
installed on my Windows box


Gee, why do folks have such trouble reading debug/error messages. It 
says no response from server (timed out) over and over. Clearly this 
has nothing to do with Radius and is a networking problem. Fix your 
network. (Hint: the firewall on one of your boxes is blocking port 1812, 
probably the box with your Radius server).



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: git question

2013-02-14 Thread John Dennis

On 02/14/2013 08:26 AM, David Peterson wrote:

Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?


$ git branch -r
  origin/HEAD - origin/master
  origin/master
  origin/v1.1.x
  origin/v2.1.x-apple
  origin/v2.x.x

According to the above there is no v2.1.x branch. BTW, git remote can 
be very useful for setting up your .git/config so you don't have to deal 
with verbose syntax.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Upgrading from FR 2.1.10 to 2.2.x

2013-02-13 Thread John Dennis

On 02/13/2013 04:03 AM, Jamie Lee wrote:

Hello,

I’ve just completed the configuration of a 2.1.10 free radius server on
CentOS 6.2 and want to upgrade to FR 2.2.x to remove the vulnerability.
Does anyone have a guide or any advice on what I need to do and back up
in order to ensure that I don’t lose any of my site specific settings. I
have configured it to work with AD using NTLM_Auth and Samba.


Red Hat has shipped the 2.1.12-4 RPM with the CVE fix applied, not sure 
if CentOS has kept up. We have not shipped 2.2 for RHEL 6. You'll either 
have to build an RPM (see http://wiki.freeradius.org/guide/Red-Hat-FAQ 
for how to do that) or build from the tarball.


All the configuration is under /etc/raddb, make sure that's backed up. 
As a general rule it's good practice to put your configuration files 
under source code control anyway.


If you use an RPM to update, configuration files you've modified will be 
moved to .rpmsave, look for those after the install completes and adjust 
accordingly. If memory serves me correctly 2.2.x has logic in it that 
ignores .rpmnew, .rpmsave, .bak, ~, apt files, etc. so their presence 
won't cause problems like they used to. Running rpm freeradius -qV 
before installing will verify the installed files and tell you any 
you've modified. If you install via make install nothing will be 
preserved.


Any other data stored in your backends (e.g. SQL, LDAP) shouldn't be 
affected and you're on your own to back that up anyway.


HTH,

John

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Re: Load Balancing Issue

2013-02-12 Thread John Dennis

On 02/12/2013 06:12 AM, Muhammad Nadeem wrote:

thanks alan
Actually I am using load balancing for rapid authentication of users.
let's suppose I have one proxy server that is proxying incoming requests
to these five servers. Theoretically the speed of authentication should
be fast. But in case of mine it is too slow.
I have changed 'max_requests' in radiusd.config. And also remove
unnecessary processing on radius server (that is proxying requests). Now
tell me what else can I do?? :(


For starters try reading Alan's response he so graciously provided to you.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Freeradius and EAP_TLS Problem:

2013-01-23 Thread John Dennis

On 01/23/2013 04:32 AM, Armin Maier wrote:

Hello!
I have been using Windows 7, Freeradius 2.1.10 from Debian Squeeze, HP
MSM710 WLAN controller and EAP_TLS Computer Certificate Authentication
for a log time and worked perfect. I used Certificates created on the
Debian server by openssl including the extensions for Client
Authentication and Server Authentication.
Now we want to activate port security on our physical switches and use
the same radius server, so we installed a Windows Enterprise Root CA for
autoenrollment of the Client and server certificates. I also created an
RAS IAS Certificate for the Radius Server and installed them, they are
loaded without any problems, but authentication of the Windows 7 client
do not work anymore.

I searched the internet for a comparable setup but I cannot find any
hints for using Microsoft Enterprise CA with freeradius server, maybe
everywhere else it works like a charm :) , but I cannot believe it!

So my first question, does someone use Microsoft Enterprise CA
Certificates with freeradius in a working environment, and do I have to
regard something special?

Running freeradius -X gives me the following errors:

...
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls]  TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls]  TLS 1.0 Handshake [length 08d7], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls]  TLS 1.0 Handshake [length 0062], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
...


I updated to Debian wheezy to get a newer freeradius version, but
nothing changed.


It's not likely related to FreeRADIUS, the FreeRADIUS server for the 
most part hands off the SSL processing to the openssl library.



The Radius Server Certificate include the following Attribute (output of
openssl x509 -text -in cert -noout):



It's not likely related to the server cert either, the debug shows the 
problem is occurring reading the client cert during the ssl handshake.



The Client Certificates include the following Attributes:

Key usage:Digital Signature, Key Encipherment (a0)
Enhanced Key Usage:Client Authentication (1.3.6.1.5.5.7.3.2)

The client attributes also include
- Authority Information Access
- CRL Distribution Points
- Certificate Template Information
which have very long values with special characters like _%/=:?, may this
be a problem?


Here is what I think is going on. First observe that openssl is 
complaining it needs to read more data from the client cert. That means 
it's confused about the contents of the client cert. It appears as if 
you had trouble dumping the contents of the client cert using the 
openssl x509 command as well. That suggests there are two possibilities. 
Recall that certs are binary encoded data (ASN.1 DER), that encoding 
includes information about the length of the data items in the binary 
data stream. The first possibility is that openssl is not decoding the 
cert correctly and is getting confused over length of items in the cert 
and what they represent. This is supported by the fact it was expecting 
more data and your attempt at dumping the cert seemed to produce 
garbage. The second possibility is that the cert itself is corrupt.


Did you upgrade your openssl library recently?

I would try using an alternate crypto implementation to dump the client 
cert and see if you get more reasonable output. The two other popular 
crypto implementations are NSS and GnuTLS. If those implementations 
correctly decode the cert then your problem is almost certainly your 
openssl version. If those other tools can not decode the cert then it's 
likely the cert is corrupt. Note also the problem seems to be decoding 
a cert extension and extension decoders get less testing so it wouldn't 
surprise me if there was a decoding bug.


I have the tools readily available if you don't and would like me try 
reading the cert if you send it to me privately (without the matching CA 
cert used to sign it it's of no value to me so as long as it's not a 
public CA it's a safe thing to do)



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
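The distinction John draws between a decoder bug and a corrupt certificate can be settled without any crypto library at all, because DER is just nested tag/length/value elements and every length has to fit inside its container. The following is an added example, not code from the message and not OpenSSL's, NSS's or GnuTLS's parser: a strict DER walker that checks exactly those length invariants (truncation, trailing bytes, BER-only encodings that an X.509 parser must reject) and that the outer shape is Certificate ::= SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }. Run it over the DER or PEM client cert; a clean result points at the decoder, a failure points at the file. The SAMPLE is a constructed, certificate-shaped byte string, not a real certificate.

```python
import base64
import sys


def read_tlv(data, pos, end):
    """Parse one DER tag/length header in data[pos:end].

    Returns (tag, header_len, value_len, constructed). Raises ValueError for
    truncation and for BER encodings (indefinite or non-minimal lengths) that a
    strict DER decoder, which a certificate parser must be, rejects.
    """
    if pos + 2 > end:
        raise ValueError("offset %d: truncated, no room for tag and length" % pos)
    tag, first = data[pos], data[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("offset %d: high-tag-number form, not used in X.509" % pos)
    if first < 0x80:
        hdr, length = 2, first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("offset %d: indefinite length (BER, not DER)" % pos)
        if n > 4 or pos + 2 + n > end:
            raise ValueError("offset %d: bad or truncated length-of-length %d" % (pos, n))
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or data[pos + 2] == 0:
            raise ValueError("offset %d: non-minimal length encoding (BER, not DER)" % pos)
        hdr = 2 + n
    if pos + hdr + length > end:
        raise ValueError("offset %d: element claims %d bytes but only %d remain in its container"
                         % (pos, length, end - pos - hdr))
    return tag, hdr, length, bool(tag & 0x20)


def walk(data, pos=0, end=None, depth=0, out=None):
    """Check every nested TLV; returns [(depth, offset, tag, value_len), ...]."""
    end = len(data) if end is None else end
    out = [] if out is None else out
    while pos < end:
        tag, hdr, length, constructed = read_tlv(data, pos, end)
        out.append((depth, pos, tag, length))
        if constructed:
            walk(data, pos + hdr, pos + hdr + length, depth + 1, out)
        pos += hdr + length
    return out


def check_certificate(der):
    """(ok, message): is der a structurally consistent DER Certificate?"""
    if not der or der[0] != 0x30:
        return False, "does not start with SEQUENCE; PEM input or not a certificate"
    try:
        _tag, hdr, length, _c = read_tlv(der, 0, len(der))
        if hdr + length != len(der):
            return False, ("outer SEQUENCE covers %d bytes but the file has %d: "
                           "truncated or trailing garbage" % (hdr + length, len(der)))
        elems = walk(der)
    except ValueError as e:
        return False, str(e)
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE,
    #                            signatureValue BIT STRING }   (RFC 5280 s4.1)
    top = [tag for depth, _off, tag, _len in elems if depth == 1]
    if top != [0x30, 0x30, 0x03]:
        return False, "top level is not SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }"
    return True, "%d elements, all lengths consistent" % len(elems)


def pem_to_der(text):
    """Strip PEM armour; returns the DER bytes."""
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def tlv(tag, value):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample with the shape of a Certificate (NOT a real certificate):
# a placeholder tbsCertificate holding a version INTEGER and a [3] extensions
# block with a 200-byte OCTET STRING so that long-form lengths are exercised,
# a signatureAlgorithm SEQUENCE with the sha256WithRSAEncryption OID, and a
# BIT STRING standing in for the signature value.
SAMPLE = tlv(0x30,
             tlv(0x30, tlv(0x02, b"\x02") + tlv(0xA3, tlv(0x30, tlv(0x04, b"A" * 200))))
             + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
             + tlv(0x03, b"\x00" + b"\xab" * 64))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
        der = pem_to_der(raw.decode("ascii")) if raw.startswith(b"-----") else raw
    else:
        der = SAMPLE
    print(check_certificate(der))
    print("same data with the last 10 bytes missing:", check_certificate(der[:-10]))
```

The walker deliberately stops at structure: it does not decode OIDs or extension contents, so a file it passes can still have a broken extension value (the Certificate Template Information extension mentioned above, for instance), which is exactly the case where dumping the cert with a second implementation, as John suggests, is the next step.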


Re: Freeradius and EAP_TLS Problem:

2013-01-23 Thread John Dennis

On 01/23/2013 12:24 PM, John Dennis wrote:

On 01/23/2013 04:32 AM, Armin Maier wrote:

Hello!
I have been using Windows 7, Freeradius 2.1.10 from Debian Squeeze, HP
MSM710 WLAN controller and EAP_TLS Computer Certificate Authentication
for a long time and it worked perfectly. I used Certificates created on the
Debian server by openssl including the extensions for Client
Authentication and Server Authentication.
Now we want to activate port security on our physical switches and use
the same radius server, so we installed a Windows Enterprise Root CA for
autoenrollment of the Client and server certificates. I also created an
RAS IAS Certificate for the Radius Server and installed them, they are
loaded without any problems, but authentication of the Windows 7 client
do not work anymore.

I searched the internet for a comparable setup but I cannot find any
hints for using Microsoft Enterprise CA with freeradius server, maybe
everywhere else it works like a charm :) , but I cannot believe it!

So my first question, does someone use Microsoft Enterprise CA
Certificates with freeradius in a working environment, and do I have to
regard something special?

Running freeradius -X gives me the following errors:

...
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
 TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls]  TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls]  TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls]  TLS 1.0 Handshake [length 08d7], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls]  TLS 1.0 Handshake [length 0062], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
...


I updated to Debian wheezy to get a newer freeradius version, but
nothing changed.


It's not likely related to FreeRADIUS, the FreeRADIUS server for the
most part hands off the SSL processing to the openssl library.


The Radius Server Certificate includes the following attributes (output of
openssl x509 -text -in cert -noout):



It's not likely related to the server cert either, the debug shows the
problem is occurring reading the client cert during the ssl handshake.


The Client Certificates include the following attributes:

Key Usage: Digital Signature, Key Encipherment (a0)
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)

The client attributes also include
- Authority Information Access
- CRL Distribution Points
- Certificate Template Information
which have very long values with special characters like _%/=:?; may this
be a problem?


Here is what I think is going on. First observe that openssl is
complaining it needs to read more data from the client cert. That means
it's confused about the contents of the client cert. It appears as if
you had trouble dumping the contents of the client cert using the
openssl x509 command as well. That suggests there are two possibilities.
Recall that certs are binary encoded data (ASN.1 DER), that encoding
includes information about the length of the data items in the binary
data stream. The first possibility is that openssl is not decoding the
cert correctly and is getting confused over the length of items in the cert
and what they represent. This is supported by the fact it was expecting
more data and your attempt at dumping the cert seemed to produce
garbage. The second possibility is that the cert itself is corrupt.

Did you upgrade your openssl library recently?

I would try using an alternate crypto implementation to dump the client
cert and see if you get more reasonable output. The two other popular
crypto implementations are NSS and GnuTLS. If those implementations
correctly decode the cert then your problem is almost certainly your
openssl version. If those other tools cannot decode the cert then it's
likely the cert is corrupt. Note also the problem seems to be decoding
a cert extension, and extension decoders get less testing, so it wouldn't
surprise me if there was a decoding bug.

I have the tools readily available if you don't and would like me to try
reading the cert if you send it to me privately (without the matching CA
cert used to sign it it's of no value to me, so as long as it's not a
public CA it's a safe thing to do).


Just to follow up, I received the cert privately and decoded it with 
NSS, it looks fine. It had two Microsoft extensions


Certificate template extension (v2

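The diagnosis above rests on how DER works: every element carries a length, and a decoder that hits the end of the data before a declared length is satisfied reports that it needs more bytes. The following added example (not code from the thread or from FreeRADIUS) walks the DER TLV structure of a certificate blob and reports the exact offset and tag at which a declared length runs past the available data, which is the cheapest way to separate a truncated or corrupt file from a decoder bug: if the structure is self-consistent, suspect the decoder; if it is not, suspect the file. Sample inputs are constructed inline; `pem_to_der` is a hypothetical helper for files in PEM form.

```python
import base64

def pem_to_der(text: str) -> bytes:
    """Strip the BEGIN/END armour of a PEM file and return the raw DER bytes."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def read_length(data: bytes, pos: int):
    """Decode the DER length field at data[pos]; return (length, offset of body)."""
    if pos >= len(data):
        raise ValueError(f"offset {pos}: length octet missing")
    first = data[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    n = first & 0x7F                       # long form: n more octets follow
    if n == 0 or pos + 1 + n > len(data):
        raise ValueError(f"offset {pos}: truncated long-form length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def walk(data: bytes, pos: int = 0, end: int = None, depth: int = 0, out=None):
    """Walk the TLVs in data[pos:end]; return a list of (depth, tag, length).
    Raises ValueError at the first element whose length exceeds the data."""
    end = len(data) if end is None else end
    out = [] if out is None else out
    while pos < end:
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError(f"offset {pos}: high tag numbers not supported")
        length, body = read_length(data, pos + 1)
        if body + length > end:
            raise ValueError(f"offset {pos}: tag 0x{tag:02x} declares {length} "
                             f"bytes but only {end - body} remain "
                             f"(need {body + length - end} more)")
        out.append((depth, tag, length))
        if tag & 0x20:                     # constructed type: recurse into children
            walk(data, body, body + length, depth + 1, out)
        pos = body + length
    return out

def check_der(data: bytes):
    """Return (True, summary) if the DER structure is self-consistent,
    otherwise (False, reason). A certificate must be exactly one top-level SEQUENCE."""
    try:
        elems = walk(data)
    except ValueError as e:
        return False, str(e)
    top = [e for e in elems if e[0] == 0]
    if len(top) != 1 or top[0][1] != 0x30:
        return False, f"expected one top-level SEQUENCE, found {len(top)} elements"
    return True, f"{len(elems)} elements, structure consistent"

# Constructed sample: SEQUENCE { INTEGER 5, UTF8String "ab" }
GOOD = bytes.fromhex("30070201050c026162")
TRUNCATED = GOOD[:-1]                      # one byte missing from the last string
```

Running `check_der` on `TRUNCATED` reports the outer SEQUENCE at offset 0 needing one more byte, the same symptom openssl reports when it says it must read more data.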
Re: suddenly problem with certificates / error in SSLv3 read client certificate B

2013-01-23 Thread John Dennis

On 01/23/2013 01:53 PM, Stephan Manske wrote:


IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial

makes ca.key dependent on the date of index.txt and serial.

Both files are updated every time a new client cert is built. IMHO.


Good catch! Yes, every time you generate a client cert both the database 
(index.txt) and the serial number file are updated. The database file 
keeps a record of every cert issued by the CA. The serial file is used 
so the CA knows the next serial number to use.


The cert generation only works once, the next client cert issue causes a 
new CA key/cert to be generated.


But there is another problem as well. The client.cnf file embeds the 
cert subject name. Apparently the openssl ca command will not update the 
database if there already is a cert with the same subject, which there 
will be unless you edit the client.cnf file. This causes the ca command 
to fail. It doesn't matter if the cert with the duplicate subject has a 
different serial number.


As for why in different circumstances you've seen openssl emit the error 
about incomplete data, my best guess is the client files might have been 
corrupted when the ca command failed. If it were only a CA key change 
issue you should have just gotten a bad signature verification failure.


HTH,

John


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD Authentication Permissions

2013-01-09 Thread John Dennis

On 01/09/2013 02:00 PM, Tyler Brady wrote:

Can someone give more details on setting up LDAP groups? So far I have 
attempted to modify the users file and the ldap module. I can't seem to get the 
ldap module configured properly, but I'm sure that's just one of many issues.

ldap {
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
server = ldap.your.domain
#identity = cn=admin,o=My Org,c=UA
#password = mypass
basedn = o=My Org,c=UA
filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
#base_filter = (objectclass=radiusprofile)

cn = username (is this correct)
o= domain (is this correct)
c= ?  (what does this field mean)


identity is the bind dn; it's an ldap concept, refer to ldap literature 
to learn what a bind dn is. The bind dn you should be using is specific 
to your deployment; ask whoever is managing your ldap server what to 
use. Remember this represents a server-to-server binding, not a 
user-to-server binding; in other words the radius server is binding to 
your ldap server to perform lookups related to users and groups, thus 
the identity you bind as will need permission to view that portion of 
the ldap tree.






Re: AD Authentication Permissions

2013-01-09 Thread John Dennis

On 01/09/2013 05:10 PM, Tyler Brady wrote:

I think my bind is working fine now, but my basedn = o=My Org,c=UA  field is 
still wrong. I'm still not sure of the syntax. Any suggestions?


I don't see a basedn of o=My Org,c=UA anywhere, however I do see a 
basedn of ou=Phoenix_Users,dc=company,dc=stc


Hint, rlm_ldap is simply doing what the ldapsearch command does. Try 
using ldapsearch giving it the parameters you expect to be correct, 
iterate until the search succeeds, then use those same parameters in 
your radius ldap config.


BTW, your ldap password Sup3rS3cret is no longer super secret ;-)



[ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to office.company.stc:389, authentication 0
   [ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret 
to office.company.stc:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter 
(uid=tbrady)
   [ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
   [ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for tbrady
[ldap]  expand: %{Stripped-User-Name} -
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - tbrady
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) - (uid=tbrady)
[ldap]  expand: ou=Phoenix_Users,dc=company,dc=stc - 
ou=Phoenix_Users,dc=company,dc=stc
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter 
(uid=tbrady)
   [ldap] object not found
[ldap] search failed
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound






Re: Failure with TLS authentication and Freeradius on Fedora-17

2013-01-08 Thread John Dennis

On 01/08/2013 05:10 AM, Ajay Garg wrote:

Could you please specify the order of scripts to be run, so that proper
certificates may be generated - both for the server, and the client? :P


You were given the answer. It's not just a matter of running the scripts; 
it also requires knowing what the scripts output and how to configure 
*both* the client and the server with the script output.


You've never explained what you're doing in any detail, especially with 
regard to where you're generating the client cert. In a previous email I 
explained what the server needs and what the client needs. Now you're 
going to have to put that information to use. You really do have to 
invest the energy into learning how the pieces fit together.




Re: Failure with TLS authentication and Freeradius on Fedora-17

2013-01-08 Thread John Dennis

On 01/08/2013 03:53 PM, Ajay Garg wrote:



On Tue, Jan 8, 2013 at 6:45 PM, John Dennis jden...@redhat.com
mailto:jden...@redhat.com wrote:

On 01/08/2013 05:10 AM, Ajay Garg wrote:

Could you please specify the order of scripts to be run, so that
proper
certificates may be generated - both for the server, and the
client? :P


You were given the answer. It's not just a matter of running the
scripts; it also requires knowing what the scripts output and how to
configure *both* the client and the server with the script output.

You've never explained what you're doing in any detail, especially
with regard to where you're generating the client cert. In a
previous email I explained what the server needs and what the client
needs. Now you're going to have to put that information to use. You
really do have to invest the energy into learning how the pieces fit
together.


Ok.. so here goes what I have been wanting to accomplish :P


ROUTER-SIDE ::
===

a)
Configure the router to do WPA/WPA2-Enterprise authentication.

b)
The authentication is to be done via a freeradius-server.

c)
I connect a wired-cable between the router and the
freeradius-server-machine, to have a physical medium via which the
router and the server may talk.


SERVER-SIDE ::
===

a)
Freeradius-server is running on Fedora-17 (freeradius-2.2.0-0.fc17.i686)

b)
After installing freeradius,  the certificates are generated via (on
Fedora-17 machine) ::

su -
rm /etc/raddb/modules/dhcp_sqlippool
cd /etc/raddb/certs
make destroycerts
make
make client
chmod 0644 client.p12
chmod 0644 ca.pem

c)
Now, the freeradius is started on the Fedora-17 machine as ::

sudo /usr/sbin/radiusd -X 

Server runs fine.



CLIENT-SIDE ::
===

a)
THE SAME FEDORA-17 MACHINE ACTS AS THE CLIENT TOO :)

b)
Now, from the gnome-panel applet, I try connecting to the WPA/WPA-2
Enterprise network, by setting the following settings ::

 Wireless Security
: WPA/WPA2-Enterprise
 Authentication
: TLS
 Identity
: Anonymous
 User Certificate
: /etc/raddb/certs/client.p12
 CA Certificate
:/etc/raddb/certs/ca.pem
 Private Key
: /etc/raddb/certs/client.p12
 Private Key Password
: whatever


c)
I click the Connect button.



and then the dreaded logs happen :(


Thank you, that is a much clearer explanation.

The first thing I notice is you're pointing the client to files in a 
directory owned by the server. Everything from /etc/raddb and below is 
readable only by root:radiusd for security reasons (you don't want to 
expose the configuration of an authentication server to the world).


I suspect the code which reads the client cert files is running under 
your uid and is not a process with root privileges thus it can't read 
the cert files. I would try copying the client cert files to an 
alternate location, reset their permissions and try again.





Re: Failure with TLS authentication and Freeradius on Fedora-17

2013-01-07 Thread John Dennis

On 01/07/2013 12:18 PM, Ajay Garg wrote:

Thanks Alan, and A.L.M.

I too thought the same looking at the decrypt failure messages.

As I told in my startup-mail on this thread, the procedure ::

   su -
   cd /etc/raddb/certs
   make clean
   make client.pem

makes TLS-authentication work perfectly fine for Fedora-14-freeradius,
but not for Fedora-17-freeradius (and I am talking of the vanilla
gnome-way of connecting, as is evident from the snapshot).


First of all there is no such version as Fedora-XX-freeradius; there is 
however the version of freeradius which happens to be installed. At 
different points in time Fedora releases will have had different 
versions of freeradius available. You can find out which version you 
have installed via either


rpm -q freeradius

or

yum info freeradius

It's a little hard to tell from your series of steps but I suspect 
you're not using a client cert signed by the CA you've configured.


Or the issuing signer (the CA) cert has expired. We deliberately set the 
validity period to a very short value (60 days) on the *temporary* certs 
which get created during the freeradius server install to force you to 
pay attention to the fact these are temporary certs created during 
install to play around with and are not appropriate for deployment (at 
least not without editing the configuration files to set the values to 
your organization).


Thus I would check the following:

1) Is the CA cert still valid?

2) Is the CA cert used to sign the client cert the same one in the CA 
cert bundle the server is using?


You could go back to square one if the above does not help you.

1) Clean all the certs in /etc/raddb/certs by cd'ing to that directory 
and running make destroycerts


2) Then run make client; that should recreate *both* the CA cert 
and the server cert first, then it will create the client cert signed by 
the new CA.


3) Restart the server and redeploy the client cert.


Do certs need to be generated differently in Fedora-17 freeradius?






Re: Failure with TLS authentication and Freeradius on Fedora-17

2013-01-07 Thread John Dennis

On 01/07/2013 02:41 PM, Ajay Garg wrote:

Upon restarting, it shows a missing server.pem error.
I reckon that we need to run make server too at some point of time (so
that server.pem gets generated after make destroycerts).


make destroycerts should have removed all the pem files and keys. After 
running make again it will generate all new files. client has a 
dependency on the ca and server files, so it should have created a new ca, 
a new server key and cert, and a new client cert. Did it?


Just to be clear, your client needs to trust the CA that signed your 
server cert and the server needs to trust the CA that signed your client 
cert. Typically those are located on two different machines. Make sure 
those line up or you're doomed. It's not clear to me which machines 
you're running these commands on and where you're copying the resulting 
files, but that's critical to get right. You can use the same CA to 
sign both the server cert and the client cert, but that's not a 
requirement; it just helps simplify the deployment a tad bit.



HOWEVER, I am now confused which ca.pem to consider, the one generated
via make server, or the one generated via make client?


Argh... you really need to be much more clear with what you're doing. If 
you're running the cert creation commands on different machines and 
leaving the results on that machine this will never work.


Make sure you understand the RELATIONSHIP BETWEEN A CERTIFICATE AND ITS 
SIGNER (issuing CA) and how that translates to the configuration 
parameters for each software component (see above).



