Re: Freeradius-mysql and freeradius 1.1.5
On 3/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, i have installed freeradius 1.1.5 on debian machine now how i can install freeradius-mysql package? freeradius-mysql Depends: freeradius(= 1.0.2-4sarge3) but 1.1.3 is to be installed E: Broken packages That is a distribution-specific problem of debian not a general freeradius one. So just as few hints: Current version in stable is 1.0.2-4sarge3. So wherever you got 1.1.5 from, would be the place to search for the pertinent freeradius-mysql (it would/should stem from the same source package). Under normal circumstances you cannot/should not mix interdependent packages from different sources. That leads to conflicting dependencies as you are told by apt-get. Those are there for a reason. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_eap: SSL error
Hi, please mark the difference between those two errors: Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A (other): SSL negotiation finished successfully rlm_eap: SSL error error::lib(0):func(0):reason(0) The first one, which looks a bit scarier, has already been explained. The second one happens later in time with respect to the ongoing conversation between freeradius and your supplicant, when freeradius has eventually recieved your client certificate. So you just get to see the error message meaning that no error occured. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: One question about Access-Request packet
Hi!
On 1/18/07, Rafał Kamiński [EMAIL PROTECTED] wrote:
Hi again,
I set EAP-TLS with cert. - i use that text
http://www.fredprod.com/affiche_howtos.php
Sorry, URL seems broken.
i set in radius.conf
authorize {
files
}
Put in at least eap. Better start with the shipped default file an
change (step by step) to meet your needs. Read the comment there above
the eap stanza.
and in users file
username-the same what in cert Auth-Type := EAP
Don't set it. As noted with hilarious regularity on this list. (If you
got that from the maybe then working URL you mentioned, forget it.)
Auth-Type gets perfectly well handled by the eap module in authorize.
http://deployingradius.com/documents/configuration/auth_type.html
And
How i must set authentication and authorize if i will use that in future
with ldap?
That's to general a question to give an useful answer. Keep in mind
that authenticating against ldap by binding the user's dn, will not
work for EAP(-PEAP)
Regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: rlm_eap: Failed to link EAP-Type/peap: rlm_eap_peap.so:
Hi, On 1/19/07, Rafa? Kamin'ski [EMAIL PROTECTED] wrote: apt-get source freeradius build package: http://channel.debian.de/faq/ch-dpkgundco.html debian/rules - --without-rlm_eap_tls... change to --with-rlm_eap_tls There is a _complete_ description of what to do/change in lines 21-28 of said rules file. apt-get install libssl-dev dpkg-buildpackage -us -us -rfakeroot -d dpkg -i Before ./configure set --with-rlm_eap_tls in makefile. i think As you don't call ./configure manually there is no business of that. Anyway you should not mess around in makefiles. Regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS certificate question
On 1/17/07, kemas [EMAIL PROTECTED] wrote: I still confuse about certificate, is all client certificate created under 1 root ca, can be authenticated against freeradius that started with different server certificate? is it possible to set things like this root ca / | \ / |\ / | \ server1 server2 server3 --- --- --- | | | | | | client1 client2 client3 I don't want client1 to be authenticated against server2 or server3. 1. client certificates that are under 1 root ca are are accepted with respect to the SSL/TLS side of things (other restrictions you implement/configure notwithstanding). The 1 root ca would be the one you tell the server to trust in CA_file. There might be even more as one, which should then reside in a place referenced in CA_path. 2. the servers' certficates are accepted by the supplicant if _they_ trust the pertinent root ca. 3. All those root cas being identical is in no way mandatory, while they might (often) be. 4. I'm not sure how to interpret your schema above. If construed to mean that client certifcates have to be in some way issued from the servers' certificates, that is wrong (as in don't need to be) and while perhaps technically possible, ill advised from the SSL/TLS point of view. Good starting points for further reading would be RFCs 2716 and 2246, maybe documentation of openssl. Regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mac OS X EAP-TLS with wrong usename kills freeradius when check_cert_cn is set
Hi, while trying to reproduce the segfault and eventually looking into the diagnostic patch Alan provided I came across something which might be contributing (also freeradius should not segfault nevertheless). When feeding a freeradius-1.1.3 (linux) an forged Acces-Request with bogus user name and ask it to check_cert_cn it detects the mismatch, etc. just like in your example and sends out a fatal tls alert. My test client wpa_supplicant (also linux) picks that up, recognizes the failure and essentially stops that run to authenticate and sends an tls alert ACK inside the next Access-Request. freeradius recognizes it and only then sends an Access-Reject without much further processing. After some timeout the supplicant tries anew. That would be the first Access-Request freeradius sees again from it. As its still wrongly configured the above repeats...no segfault (see attached debug log, a bit bloated as I use basically that setup for other tests too) Whereas I noticed in your debug log that immediately after the tls alert message from freeradius your client sends (keeping on with authentication?) an EAP-Message containing a CertificateVerify tls message (sort of manually decoding) EAP-Message = 0x0205002f0d80002515030100207a7bc8a6c68c3a5c5770c8b46fdd7b8848b6850dc4ea57d1d0e0434ae4c8 for reasons I do not understand. It's that message that leads to the segfault in cbtls_verify. As said above some strangely (wrongfully?) behaving client shouldn't be able to crash the authentication server but it looks curious. Perhaps someone might find that information helpful. regards K. Hoercher radius_debug.log Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: configuration problem in Freeradius.
Hi! Assuming you don't have a user/passwd johndoe/hello in your /etc/passwd (see comment in lines above the matching DEFAULT l. 157) your debug output shows a correctly working freeradius. Speculating further: if you like to have an Access-Accept on that test without creating a system user johndoe you should add something like: johndoe User-Password:=hello to the users file (preferably before l. 157, see man users and the comments in the file itself) Anything else would require your telling us so. (What do you want to achieve, by which means, what is the behaviour of the server?) regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: distinction between users on different AP (talking to the same radius server)
On 11/19/06, liran tal [EMAIL PROTECTED] wrote: I want to spread several access points in different locations (they all talk to a central radius) and then i want to distinct one location from another for example user foo can login from either location but id like to make the distinction from which ap he got connected from... whats the best way to do that? I won't assert something about the following being the best way, but I would normally think of some rules in hints and/or users file matching on pertinent combinations of User-Name, NAS-IP-Address, Called-Station-Id etc. depending on the setup you actually want to implement. I was thinking of one method which is to configure in each AP a different subnet mask for the DHCP allocations and then make the distinction based on that but I'm looking for a more elegant way. As a side note to that: while I don't have a clear understanding of what the meaning of different subnet masks in that context could possibly be, under sort of normal circumstances dhcp would happen after users' machines associate/authenticate on an ap. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: distinction between users on different AP (talking to the same radius server)
On 11/19/06, liran tal [EMAIL PROTECTED] wrote: I'll try to elaborate on this... There are two access points deployed in two different locations, they both speak to a central radius sever, it looks like this: AP1 - DHCP Address Pool 172.19.1.0/24 AP2 - DHCP Address Pool 172.19.2.0/24 ah ok. (nitpick: so the subnet mask /24 is not different, the subnets are *g*) Now, say user foo got connected to AP1, in the logs I will see he received FramedIPAddress 172.19.1.250 so I will know for a fact that the user is conneccting from AP1 rather than AP2. Which log? Again, as the issueing of dhcp leases would happen after the associating/authenticating of the user's machine I would not expect Framed-IP-Address to be tranmitted in an Access-Request from an ap to be acted on by freeradius. Actually the other way round would be more common, freeradius sending that attribute to the ap. Maybe it could be part of an accounting message sent by the ap, but that would also be to late to base authentication decisions on in any sane way. If you happen to have such setup nevertheless, could you show the freeradius debug output? So I'm asking if there's a better way to do this rather than by configuring different subnets on the dhcp server of the APs. A NASIPAddress is actually a good solution but I'm not going with that cause I can't be sure that it's a static one (some APs receive their wan interface address by DHCP which may vary all the time). Not freeradius related: Does every AP use/have its own dhcpd for the users? If so, they should ensure that no confliciting leases get out by means of relaying to a central server, coordinating between themselves, assigning different ranges of ips or just keeping the leases on different subnets (the last beeing not the best approach, I think, and would also not be needed for freeradius as I tried to explain already and will do, hopefully more completely, below). Ok, so the mentioned combinations would include NAS-IP-Address to be not part of them. I was talking in general about possible already existing choices you could watch out for. To do that even more: As to your wish to distinct, what are your needs related to that distinction: authentication/authorization/accounting? As long as your aps send anything as part of the radius protocol, which is specific to them (which is quite probable) and known a priori (which might rule out NAS-IP-Address, (but why not dhcping fixed addresses, or at least different ranges to them? etc. as completely dynamic ips for aps look a bit awkward to me, not only for the problem at hand)) in the different messages to freeradius, that entitiy can be used (where/how depends on the purpose) to decide between different alternatives. So any other ideas... Not really, I would still uphold my statement previously made. To perhaps clarify it a bit: Yes, of course you can configure freeradius to act differently on different inputs. Any more specific suggestions could only arise from you telling what the aps do (other than putting users on different subnets, which is possible too, but not desireable I think) ; more to the point: what (which attributes) do they send in which situations, and what reaction you want in those situations. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS problem at phase 1
Hi, as mentioned in various places in the documentation and countless times on this list: On 10/21/06, Rafiqul Ahsan [EMAIL PROTECTED] wrote: Here is my users file : testuser Auth-Type := EAP, User-Password := testuser DEFAULT Auth-Type := EAP Dont't set Auth-Type Here is the radius log (only shown the failed part) rlm_fastusers: checking defaults^M fastusers: Matched DEFAULT at 6^M modcall[authorize]: module fastusers returns updated for request 1^M modcall: leaving group authorize (returns updated) for request 1^M rad_check_password: Found Auth-Type EAP^M auth: type EAP^M Processing the authenticate section of radiusd.conf^M modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M rlm_eap: Failed in handler^M modcall[authenticate]: module eap returns invalid for request 1^M modcall: leaving group authenticate (returns invalid) for request 1^M Thats pretty much non-informative. In case, the above fix does not yet yield the desired results, provide the full debug output. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TTLS problem at phase 1
Hi, ok, i played around a bit and found EAP-TTLS working with no particular problems. On 10/21/06, Rafiqul Ahsan [EMAIL PROTECTED] wrote: testuser User-Password := testuser looks ok, but I'm not absolutely sure about the quotation marks for the username, they are not needed in any case. the error was about no matching anonymous_identity, and thats why I had to have a DEFAULT entry after this with Auth-Type :=EAP. As you didn't show that error one cannot check for it's real cause. Everything else correctly configured you don't need that setting (and it might be actually wrong depending on circumstances). Do you suggest any particular format of my users file ? Please note, the phase 1 user identity is anonymous_identity, and phase 2 user/passwd is testuser/testuser. I did take note. So, take an unaltered users file and just add your line as mentioned above. Something I found in your previous post led to an failure here. Use phase2=autheap=MSCHAPV2 instead of phase2=auth=MSCHAPV2 modcall: entering group authenticate for request 1^M rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request^M That does look strange (and might indicate your real problem), if it still persists with the suggested changes it might be useful to dig further into that. Perhaps you could add another -x to the freeradius invocation to get timestamps on the logfile. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
On 10/16/06, Mustafa Şenay [EMAIL PROTECTED] wrote: Same password works when binding to LDAP server from different client applications, sucha as GQ. So I'm pretty sure that password is correct. That doesn't mean it works for PEAP too (probably not). See below. I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place? It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
Hi, On 10/15/06, Mustafa Şenay [EMAIL PROTECTED] wrote: according to ldap_howto found in freeradius documentation. I managed to authorize users but authentication doesn't work. Here is the log of Hm, well, sort of, as you get: rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session. Probably wrong password. One cannot really be sure as you left out those earlier in this session parts of the _full_ debug output. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA authentication works but take very log time
Hi, On 10/13/06, Giuseppina Venezia [EMAIL PROTECTED] wrote: Hi all, I'm using freeradius 1.1.3 with PEAP and EAP-TTLS,the authentication using MacOS works but the time spent from when the client insert username and password until the moment when the user is authenticated Sorry, I don't understand ...when the client insert... fully. Do you mean the time the user actually enters those to some dialog? Maybe it would be helpful if you added another -x to the invocation of freeradius to obtain time stamps in the debug log. I attach the log of the first 6 request reveiced by radius server: As I told you in another thread, those first 6 requests are part of the ongoing EAP negotiation. To sort out any timing problems it would be helpful to show the log at least up to the point when the server sends either Access-Accept or Access-Reject. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: mysql and Auth-Type:=Reject Problem
Hi, On 10/12/06, Norbert Wegener [EMAIL PROTECTED] wrote: What do I have to change to make that work? Sorry, that's a bit too much at the moment. But for starters: setting Auth-Type (assuming that this is one of the cases it actually makes sense) as a reply item (i.e. by virtue of coming from radreply table) won't work. See doc/processing_users_file, doc/aaa.txt, man users etc. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: TLS handshaking problem
Hi, maybe a few helpful notes: On 10/12/06, Giuseppina Venezia [EMAIL PROTECTED] wrote: I've seen that in the firts request, TLS give an error ( TLS_accept:error in SSLv3 read client certificate A ) but in the third request (whit the same login) it works. What's wrong? TLS_accept:error isn't really an error here, just an error message not to worry about (see the list archives). The different reuqests/challenges are part of the ongoing EAP mechanism (normally consisting of approx. 5-15 in either direction). So after the third one: SSL Connection Established means just that, it's not a successful auth yet. If configured/working correctly, the next challenge sent by freeradius would be the requiring the client (meaning supplicant) to provide the users's credentials inside the now established SSL layer (inside EAP transmitted inside RADIUS protocol from the client (here meaning nas, i.e. apparently chillispot)). Apparently you cut the freeradius debug here, as the chillispot claims: Received access reject from radius server which doesn't show up in freeradius debug output as being sent. So, whatever (really) fails, is further down the line. You should check that. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple instances of the exec module
On 10/13/06, Les Brinkworth [EMAIL PROTECTED] wrote: I am lost as to where or maybe how this definition is done. If I duplicate the exec module in the actual section, RadiusD complains about 'wait' not being defined. Just a guess (as you didn't provide any output): The error (more of a warning) is something like ...Wait=yes but no output defined...? So check for the subsequent comment in the definition of an exec instance called echo. Which should also serve as an example how to define different instances, which would then be called in the actual section by their name. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Mobile Phones Radius Authentications
Hi, On 10/13/06, nsuralullec [EMAIL PROTECTED] wrote: Is there any similar cases thats being resolved? Probably. If you are interested in answers with a little more content you should provide more data than the equivalent of It doesn't work as mentioned in the FAQ, INSTALL (provided you even talk about freeradius) etc. and almost daily on this list. Even if someone would know anything more specific than me, I think (s)he would consider it too burdensome to reply to such a broad question. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Multiple instances of the exec module
On 10/13/06, Les Brinkworth [EMAIL PROTECTED] wrote:
How does one define two instances of exec with different names that can
be called from other sections?
Aaah, now it gets a bit more clear to me. You should take into account
the comments at the beginning of the modules{} section. That would
lead to something like:
Code snippet from Modules section of radiusd.conf...
exec doacctfoo {
wait = yes
program = handlebillingrequests.exe ACCR:%Z
input_pairs = request
output_pairs = reply
packet_type = Accounting-Request
}
...This executes for an accounting request
If I then add the same code to the authorize section...
ah no, that won't work. you just put it into the modules{} too with
analogous change:
exec dorequestfoo {
wait = yes
program = handlebillingrequests.exe AUTR:%Z
input_pairs = request
output_pairs = reply
packet_type = Access-Request
}
...it results in the following when I run debug
radiusd.conf[1527] Unknown module rcode 'wait'.
radiusd.conf[1513] Failed to parse authorize section.
Ok, that confuses freeradius way to much, as that is not the place to
define module instances (see above), especially when another one (the
unnamed one) already is present.
But you can now put the named defined ones in the appropriate section e.g.
authorize {
...
dorequestfoo
...
}
accounting {
...
doacctfoo
...
}
There might be other ways of doing it, (using the same module, but
changing the called program, so it can cope with both tasks
accordingly) but keeping it simple at first and following the
recommendations in the comments looks preferable, at least until you
get some working config.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: logs: invalid Message-Authenticator! (Shared secret is incorrect.)
Hi, On 10/13/06, YvesDM [EMAIL PROTECTED] wrote: Looks pretty obvious, though, I'm sure the shared secret is correct in my clients.conf and in the chillispot configuration. Any hints? Well, as you said yourself, it looks pretty obvious. But as it would be extremely unlikely for both statements to be true, I'd suggest (in no particular order): Check clients.conf for eventual more specific entries overriding those for subnets. Does some sql reading of nas's set another secret? Do the alleged correct config files get actually used by freeradius (been there, done that *g*). Something to those effects regarding chilli.conf. Some of that might have been ruled out/in already, had you provided the full debug output and pertinent snippets from your config. Sniff the radius traffic, and check validity manually. See src/lib/hmac.c hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows Vista doing PEAP
Hi On 10/10/06, King, Michael [EMAIL PROTECTED] wrote: I'm assuming it built it that way. Anways, here's what I got following those direcitons (Which is what leads me to think the symbols go stripped) If you look at or around line 188, there should be dh_strip, which normally does live up to its name, i.e. stripping binaries off what it considers unneeded symbols. For building a debugging package let DEB_BUILD_OPTIONS contain nostrip. Uh, on a side note the ifeq/endif construct around seems unneeded to me, as dh_strip should honor nostrip internally. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Decisionmaking in FreeRADIUS Check/Reply Items
On 10/11/06, Jan Mulders [EMAIL PROTECTED] wrote:
Hello list,
I am trying to use the 'files' module of Freeradius to do
decisionmaking, based on information pulled in from the sql module,
and the sqlcounter thing.
I'm not really knowing much about that. But a quick glance over the
provided bits leads to a few internal huh?s
You don't seem to actually use files anywhere. Where do you use
monthlybytecounter? And those references to the (allegedly)
Pool-Names in post-auth{} and accounting {} look strange too.
Putting that aside for the moment, (as it doesn't even get that far).
First off, is this the right way of doing this? I want to assign users
a different Pool-Name for each assigned speed, and send
Max-Download-Speed and Max-Upload-Speed vendor-specific variables to
the client on each request.
My actual problem relates to the following errors, pulled from radiusd -X:
But... but... the bottom 3 attributes *aren't* check attributes! I
want to *set* them! Or am I getting entirely the wrong end of the
stick here?
hm, well, they _are_! You might not want them to be so, but...
1. Pool-Name is in freeradius.internal dictionary, so you shouldn't
mess with that.
2. The other ones produce the same message from lines 195ff in
rlm_files.c. I don't find them in the provided dictionaries. Where\how
do you define them? Obviously they are encoded to a range reserved for
non-reply items and the exception for VSA doesn't kick in.
finally:
radiusd.conf: files modules aren't allowed in 'post-auth' sections
-- they have no such method.
radiusd.conf[327] Failed to parse post-auth section.
is quite clear.
Can somebody point out how these rules are meant to be arranged, and
perhaps how I could do this in sql? It's all quite confusing.
Uh, as much as I could infer, you should get rid of this Pool-Name.
Afaik it is unneeded for the purpose of sending back reply attributes
in general as it has to do with ippools.
Provide a sane dictionary for the other two attributes.
Please check man 5 users, the comments in radius.conf at the top of
sqlcounter stanza. Roughly put, you should append monthlybytecounter
and files to authenticate {}, get rid of files 512* etc and
probably sql in post-auth{} and minus sql in accounting{}. Make
small changes and check how they work by looking at debug output.
Then you could contemplate putting the logic in users file to sql tables.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Decisionmaking in FreeRADIUS Check/Reply Items
On 10/11/06, K. Hoercher [EMAIL PROTECTED] wrote:
and files to authenticate {}, get rid of files 512* etc and
to authorize{} of course.
Sorry for that.
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
Hi, On 9/22/06, Tilen [EMAIL PROTECTED] wrote: Hello, it's me again, did you miss me? :) Thing is, i tried to make 2nd freeradius server (eap-peap,mschapv2,openldap), with same setup and i configured it exact same way, but i get this when i try to connect: Welcome back to our regular program *g*, Well, while your supplicant keeps sending EAP Type Identity requests, radius keeps answering them with EAP (Type PEAP) START messages. Why they don't get answered properly (TLS Client Helo inside EAP) by your supplicant is not really a freeradius problem. You might check (again) the usual suspects: oid's in certs on supplicant, reception of Access-Request there, time, MS foo (they sound familiar somehow *g*) regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 9/22/06, K. Hoercher [EMAIL PROTECTED] wrote: the usual suspects: oid's in certs on supplicant, reception of ah, for peap, of course you only need a proper root ca cert there. Anyways it doesn't look like that gets even relevant. regards K .Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem configuration eap-tls
Hi, hm, the _full_ debugging output (-X as has been time and time again been mentioned here, faq, etc.) would show, where exactly freeradius wants to read that file. No such file or directory does point pretty strong into the direction of the problem one would think. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-Problem
Hi, hm digging around in the source I'm not able to really isolate a cause for that behaviour with certainity. Would you care to provide (in order of descending helpfulness): - full debug output (all ongoing requests and challenges) - including the EAP-Message contents - users file, eap.conf - debug log of supplicant - some beer (should be further up *g*) regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius stops with hostapd
Hi, uh not sure, but you seem to have mixed up the installation by using the .deb (most prominent change: uses /etc/freeradius as configuration place) and having some libraries lying around in main: libdir = /usr/local/lib probably from building and installing from the tarball. I'm not sure if that contributes to the problem, but it would be easier (at least for me) to spot something if you talk about/show logs from a clean and consistent environment. On 9/21/06, Michał Prochaczek [EMAIL PROTECTED] wrote: Ready to process requests. rad_recv: Accounting-Request packet from host 127.0.0.1:1036, id=1, length=79 Acct-Status-Type = Accounting-Off Acct-Authentic = RADIUS NAS-IP-Address = 127.0.0.1 NAS-Identifier = localhost Called-Station-Id = 00-04-47-50-1A-1F:test Acct-Terminate-Cause = NAS-Reboot Processing the preacct section of radiusd.conf modcall: entering group preacct for request 0 Which version of hostapd is that? Perhaps it might me useful to forego the accounting (comment out the lines auth_server_* in hostapd.conf) for the moment and check if the remaining parts work. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-Problem
On 9/20/06, Florian Prester [EMAIL PROTECTED] wrote: Also I have some questions about eap at all. How should it work correctly. because I see up to 10 Authentication-Requests until the client is authenticated correctly. For example the client wants to do EAP-PEAP (Windows-client), but the radius says EAP-NAK: rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module eap returns handled for request 231 modcall: leaving group authenticate (returns handled) for request 231 Sending Access-Challenge ... Finished request 231 What does it mean? Can I tune the process? My guess would be, that your default_eap_type in eap.conf is not set to peap. So your supplicant (XP) is sending the NAK (not the server, it just logs that it got the NAK) to get the server to use peap. Depending on your needs you could change it. That's a normal part of EAP. As is the sending back and forth of Access-Requests and Access-Challenges to negotiate the details inherent to EAP. Log: rad_recv: Access-Request packet from host 131.188.4.190:2, id=35, length=202 NAS-Port-Id = 2059/1 Calling-Station-Id = 00-15-00-01-C0-D1 Called-Station-Id = 00-0B-0E-15-3D-80:FAU-STAFF Service-Type = Framed-User User-Name = unrz06 State = 0x... EAP-Message = 0x... NAS-Port-Type = Wireless-802.11 NAS-Identifier = Trapeze NAS-IP-Address = 131.188.4.190 Message-Authenticator = 0x... The username looks like a machine name for .uni-erlangen.de. Do you intend to use machine authentication? If so, what does a succesful request look like? Note, that it seems to only find matching DEFAULT entries, so peap would be impossible, as no User-Password is known to freeradius. Otherwise, you should check your XP setup to use the intended username/password credentials combo. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: XT Radius to Free Radius
Hi, I just looked at it in 1.1.3. I found the same behaviour you noted, when the script had not the execute permission. If you put the equivalent into an exec stanza in the main config file, that does loudly complain about not being able to run the script and then denies access therefore. After fixing that, I retried with users file again and then it behaved as wanted, allowing on exit code 0, denying on other codes (ok, just tested -1). hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: WPA/RADIUS Problems
Hi, I won't comment on the relative merits of I don't know how, but it works for me in my little universe vs Lots of reading, complex, perhaps trial-and-error-prone configuration but immensly versatile styles different people obiously think differently about., On 9/6/06, Alexandros Gougousoudis [EMAIL PROTECTED] wrote: The server includes a debian directory, whixch is used to build debian packages. I tried that with source-install of the deb, but compilation fails on sarge and unstable, bug list is full on debian.org, so I'am not the only one who had this problem. I think at least the eap module relies on some lib which is not GPL and not included into Debian and they try to move around it. But FR without EAP is at least for me useless. I did not try the debian dir of the official tar of freeradius.org, I But that is going just too far, let me set the record straight: 1. Building packages with eap on pre-sarge and later on for released sarge used to be a bit awkward but doable and has improved much over time. 2. debian maintainers of freeradius imho do a great job in providing working and policy conformant packages. 3. debian source package builds on unstable without problem here. And it provides a minimal intrusive way of enabling ssl and postgres related stuff. 4. Although not the way intended by debian in general, the upstream tarball contains a debian dir (as noted), which, at least, leads to compiling, package building with the proper tools (just tested). Sorry, I didn't check functionality , but I suppose there won't be any problerms until shown otherwise. And you suggested compilation errors, which doesn't hold true. 5. http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=freeradius does only list 1 minor bug (which might be considered whishlist) and 4 wishlist bugs, ancient or left there for reference purposes. 6. Technically, the needed libssl-dev is part of debian, but because of alleged license problems (which this list and many other searchable places contain lots of information about) freeradius in debian is not linked against it. Ok, enough defend-debian-mode for now. :) regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems getting eap-mschapv2 working.
On 9/4/06, Ian Walker [EMAIL PROTECTED] wrote:
however, there is no default/sample config that tells me how mschapv2 should
hmhm. the very default eap.conf says inter alia:
#
# This takes no configuration.
#
[...]
mschapv2 {
}
Do you still encounter problems? If so, would you please follow the
various FAQ, hints in doc etc. and provide a debug output.
Oh, and btw a quick test with 1.1.3 shows that at least with that, the
statement about the (unconditional) need for configuration of the main
mschap module doesn't hold.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Everything lookslike it works, but PC is not authentified
On 9/4/06, Alexandros Gougousoudis [EMAIL PROTECTED] wrote: I read that again and again, but I already have these OID in the certs. Here a dump of my server-cert: No, you don't. from Alan's post: # 1.3.6.1.4.1.311.17.2 while TLS Web Server Authentication is 1.3.6.1.5.5.7.3.1 and TLS Web Client Authentication is 1.3.6.1.5.5.7.3.2 What else could be a problem? How do you guys handle the host/netbiosname problem? Could that brake the cert? Currently that doesn't even get considered, as according to your log you don't check for the CN. Afaik you might strip it by using the with_ntdomain_hack directive. Further changes changes depend on the eap type you want to use. I have already asked about that. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problems getting eap-mschapv2 working.
Hi, just to avoid confusion: On 9/4/06, K. Hoercher [EMAIL PROTECTED] wrote: Oh, and btw a quick test with 1.1.3 shows that at least with that, the statement about the (unconditional) need for configuration of the main mschap module doesn't hold. That's nonsense, I just messed up different test setups. It looked strange, but I was in a hurry and so didn't check carefully, sorry for that. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Everything lookslike it works, but PC is not authentified
Hi, On 9/1/06, Alexandros Gougousoudis [EMAIL PROTECTED] wrote: My users files contains that: testuserUser-Password == test2 host/vinfo-t1 Auth-Type:= EAP vinfo-t1 Auth-Type:= EAP # On no match, the user is denied access. DEFAULT Auth-Type := Reject Reply-Message = Bye 1. Don't set Auth-Type. See http://deployingradius.com/documents/configuration/auth_type.html 2. Further action depends on what you want (eap-tls or eap-peap/mschapv2), eventually the CN in your client's certificates and finally what the supplicant sends. What is host/vinfo-t1 supposed to be? regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS multi clients
Hi, Well, as I have already told you, you should look for information regarding ssl (so, openssl.org is a most prominent starting point), which isn't a freeradius issue and as such is off topic here. In any event, even if it were, to keep pounding this list, because nobody did serve immediately to your needs, is considered not very nice. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Difference between Auth-type=System and Auth type=Local
On 8/31/06, ys.hsia [EMAIL PROTECTED] wrote: Why ? any \one can help ? Had you followed the advice in the FAQ, http://wiki.freeradius.org/index.php/FAQ#It_still_doesn.27t_work.21 you and perhaps even the readers would perhaps have been able to answer the question. Furthermore the contents of users file do contain information as to those Auth-Types. And to forestall further problems, please keep in mind: http://deployingradius.com/documents/configuration/auth_type.html regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: certificate issue
On 8/31/06, Kartthik [EMAIL PROTECTED] wrote: I ran the CA.all script, before it issues the 2nd certificate i get this error message. Surely i know someone should have faced this issue, could [...] Using configuration from /usr/local/openssl/ssl/openssl.cnf [...] failed to update database TXT_DB error number 2 I suspect the index.txt for the generated CA being not writeable/not present. On rechecking the CA.all script I find it a bit fragile with respect to local environments. As ist would be nice (judging from numerous reports about problems users encounter due to certificate issues) to provide a known (almost always) working set of generation tools, I'm contemplating a few improvements just now. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: why radacctid is the primary key of radacct table instead of acctuniqueid ?
On 8/31/06, Santiago Balaguer García [EMAIL PROTECTED] wrote: why radacctid is the primary key of radacct table instead of acctuniqueid ? accuniqueid is a configurable item (as in might not be present). Furthermore depending on the configuration (see radiusd.conf) it tries to be unique but isn't guaranteed to be so (at least in default setup). regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRADIUS crashes after EAP/PEAP authentication
Well, the *full* output would have been helpful (including the startup messages). And a backtrace from the coredump. HTH K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/30/06, Tilen [EMAIL PROTECTED] wrote: Ok i really don't get it. I made all certificates myself using only openssl (no scripts) and entered path to them in TLS part of the eap.conf file. CA, server cert.., everything is there in the same directory (in my case - CERTS, with big letters) (how would i sign certificate if i wouldn't create CA first?). And i don't have CA.all file at all :\ Files i'm using: cacert.pem-- this is my CA cakey.pem newcert.pem -- and this is my server cert newcert.req Your supplicant is sending an TLS Alert Message, because _it_ cannot find a CA certificate. What you are talking about is the freeradius side of things which looks alright at first glance. And if you don't get it to work, please first check with demo certficates to be generated by the CA.all script. hth K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS multi clients
On 8/29/06, Lazzarini Matteo [EMAIL PROTECTED] wrote: I have used three scripts to generate certs root, server and client (with xpextension). They exist of the certs for multi clients to use for eap-tls? Hi, Which scripts? I'm not sure what your last sentence means. Afaik you should give out one (client) certificate per user. Whats the debugging output? Supposing it's the *same* problem as with your previous tests regarding eap-peap/mschapv2 did you check for the hint Alan gave? Furthermore the whole range suggested in [EMAIL PROTECTED] might be useful. (regarding #1, please see http://lists.shmoo.com/pipermail/hostap/2006-July/013673.html ). While perhaps being the most cumbersome, a full capture like suggested might be also most instructive. The nas log you showed in [EMAIL PROTECTED] sadly isn't very concise. But as it somehow mentiones an EAP-Response with your desired username, it would be good to know if/when/how it sends those out to freeradius, as they seem to get lost. So capturing the traffic between nas and freeradius would be a good idea also. If that doesn't give yourself any clues, I'd suggest providing url's where to download those informations. Please don't try to put some digested information into an line mangling mua or an eventually similar way of making it unnecessary hard to look into it for those trying to help. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/29/06, Tilen [EMAIL PROTECTED] wrote: So here comes something really weird: Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:3072, id=0, length=147 User-Name = test NAS-IP-Address = 192.168.1.1 Called-Station-Id = 00401013 Calling-Station-Id = 000e3557c74e NAS-Identifier = 00401013 NAS-Port = 30 Framed-MTU = 1400 State = 0x123b5c7e213692f7121dbe4052274024 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02020011198715030100020230 Message-Authenticator = 0xd65ea4a0e55f28c1e76a6b51f9ec9467 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 That's a tls1.0 Alert message the part 1503 Therefore the openssl lib bails out of further processing as specified in RFC2246. Thats (arguably somewhat hard to understand) also mentioned int the output: 3447:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 3447:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: So your client wasn't able to fiind a correct CA certificate for the cert freeradius had sent before. Please see to provide those. If in doubt, check with dummy ones to be created by CA.all script. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: sqlcounter
On 8/29/06, Fabiano Martins [EMAIL PROTECTED] wrote: I've benn searching with no sucess about this... It's frustrating... there is no documents about. Perhaps the looking into the very obscure doc/rlm_sqlcounter file helps, although it' not DOC for some strange reason. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/MSCHAPv2 authentication problems
Hi, Uh, hm, looks like this weird Either EAP-request timed out OR EAP-response to an unknown... isn't happening here. Even if it were, it would be much easier, if you provided the pcap capture file either as attachment or downloadable file somewhere else. If that doesn't reoccur, would you please check for the OID's in your certificates windows thinks are the proper ones. And something Alan mentioned about a ms knowledgebase hint concerning xp sp2 having problems with non-MS radius servers. (I'm looking for it myself atm) HTH K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP PEAP, unable to load certificate
On 8/25/06, Nick Larsen [EMAIL PROTECTED] wrote: tls: certificate_file = (null) You have to fill in this information. See the comment in eap.conf above the pertinent line. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: PEAP/MSCHAPv2 authentication problems
On 8/22/06, sheng [EMAIL PROTECTED] wrote: There's a strange problem: each time the client send a request, the server tries to read the client certificate on the supplicant. I think it's very strange considering that no client certificate is needed for peap/mschapv2. This event is recorded in the handshake phase on the radius logfile(I've listed it in the below). It seems the handshake phase fails because the server cann't read the client certificate. [...] TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error::lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED Hi, if you are referring to the quoted part, that' not a problem. Roughly put: openssl just mentiones that it wasn't able to check the client cert (which is possible, but unneeded for eap-peap). Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 19 with timestamp 44e9e42f Cleaning up request 3 ID 138 with timestamp 44e9e42f Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 172.24.26.144:1025, id=137, length=249 Acct-Session-Id = 67671438 NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Name = alcatel Calling-Station-Id = 00-0E-35-89-71-E0 Called-Station-Id = 00-03-52-01-84-7D EAP-Message = 0x02800050198000461603010041013d030144e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d7581600040005000a000900640062000300060013001200630100 State = 0x091ad12235d4b0c91ca834c803d04ee0 [...] modcall: entering group authenticate for request 4 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler Which of the two cases mentioned in the debug output to your further requests might be happening I'm not sure of. There seems to elapse quite some time, before they come in after the challenge was sent out. That looks curious. As your included data got truncated on the list you might consider resending it as attachment or use a pastebot and provide the link. Maybe you could provide some sniffing on the wireless part (via wireshark et al). That might be instructive in sorting out when who did send what. regards K. Hoercher (Hopefully gmail really could not send this out, as it keept telling me. Otherwise this must be the 5th reply, if so please excuse me.) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/22/06, Stuckzor [EMAIL PROTECTED] wrote: try to login from XP client via Linksys wireless router i get error reading client certificate messege from freeRadius. Since i don't need client Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is unneeded as you already noted). If so, it' s not an error with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/22/06, Stuckzor [EMAIL PROTECTED] wrote: try to login from XP client via Linksys wireless router i get error reading client certificate messege from freeRadius. Since i don't need client Hi, thats probably the linked in openssl complaining about not being able to read the client certificate (which is possible but unneeded as you already noted). If so, it' s not an error with respect to freeradius eap etc. As you didn't provide meaningful output one cannot be sure of course... regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Missing Attributes
On 8/7/06, Graham Beneke [EMAIL PROTECTED] wrote: See the users file. Correct me if I am wrong - but 'users' is not parsed when i'm using a MySQL backend? Pretty sure I disabled it in my setup. Well, yes. But you have to put the equivalent in the pertinent tables, wherefore you should contemplate the information contained in the default users file. Actually, Alan didn't say you have to use it. *g* HTH K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + OpenLDAP - user password problem
On 8/3/06, Stuckzor [EMAIL PROTECTED] wrote:
1.)I have ldap in authenticate section
2.)AUTH-TYPE set ot LDAP in users fileand
3.)MUST NOT have ldap under authorize section of radiusd.conf.
Only with this config i get access-accept with radtest (i tried all possible
combinations of those 3). I get this message otherwise:
rlm_ldap: no dialupAccess attribute - access denied by default
And with my working config i get already mentioned userPassword attribute
error. So, i'm afraid i don't even get so far, to have problems with
password encription.
Hi,
OK, I'll give it a try.
1. Going far back in this thread, you said something about using
EAP-PEAP/MSCHAP. Therefore you are _required_ to have the cleartext
password in LDAP or in the alternative an equivalent hash (nt/lm) if
you want to use that.
If so, configure your ldap instance in radius.conf accordingly AND
include it in authorize{}. This was pointed out often enough one might
think (and from people who really know, because they wrote the
software you are trying to use). Then there will be no need for
explicit setting of Auth-Type. It has been said.
2. Even if you tried something else (EAP-TTLS for example) you were
already told how to proceed and how that relates to the need for
cleartext passwords. Even then there is no need for setting Auth-Type
manually.
3. If you insist on setting Auth-Type nevertheless, you will break
other things you obviously don't know about. There is plenty of
(perhaps even a bit too overwhelming) documentation on freeradius.org,
in the tarball, in the example configuration, this very list, etctetc.
Believe its contents. If you think their is a fault and you are wiser
show that precisely (NOT by reasoning in generalities stemming from
false assumptions on your side).
4. Whatever you test with radtest does not relate to EAP-PEAP/MSCHAP.
Please restart your efforts with unchanged default configuration
files. Alter them step-by-step according to the information you were
already given. And, sorry, don't whip a dead horse, again, by setting
Auth-Type.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: help
Hi, you must be kidding or maybe you confounded the pertinent mailing lists or... Provided there really is a problem with freeradius, please enlighten us as to the debugging output of _it_ not just the nice but offtopic one from hostapd. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: issues with peap + tlv part 1
On 7/27/06, Damon McDougald [EMAIL PROTECTED] wrote: I have gotten this to work with ntradping and radtest...just not windows ce client. It is an issue with mschapv2 and ntlmv2. As radtest doesn't know anything about peap (and a quick glance at Novell's left me with the impression that ntradping doesn't so neither) you checked for something different, when that worked. If you wish to enable EAP/PEAP you should follow the advice Alan gave you (and as is documented). Otherwise try duplicating the setup for your tests to your environment (_not_ using EAP/PEAP) for whatever purpose that fits. But please stop throwing allegations about issues whith mschapv2 and ntlmv2 (whatever that might be, at least it's not part of freeradius). regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
There is no such thing as user remains connected into my radius server. It's the client's (here PPPoE Server?) responsibility to act accordingly. In particular it should eventually update the accounting if a client/user is MIA. That might be near to the problem you are refering to. Best regards K .Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Droping clients from radius (they are connected into radius but they are not connected in their houses)
On 7/21/06, Nataniel Klug [EMAIL PROTECTED] wrote: I could not understand what you mean with this MIA. I will look for more info into my PPPoE-Server. Hi, ok, sorry about that bit of levity. I meant missing in action in respect of your not connected users. As I said, freeradius doesn't keep some state of connected users, if they really aren't serviced anymore due to whatever circumstances, it doesn't know so unless told by something (looks like the mentioned PPPoE server here). As you didn't provide much detail I'm left to guessing around. So I talked about the accounting function of freeradius as something which might be seen as coming near to having a state by recording information it *gets*. So, if you cannot find suitable inforamtion in the documentation, please consider asking more specifically and provide as much information about your problem as possible. best regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Need help setting up PEAP authentication
On 7/19/06, Reynald Borer [EMAIL PROTECTED] wrote: Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Error: rlm_eap: SSL error error::lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge That's no problem, provided you really try PEAP. It's just openssl complaining that it can't verify the non-mandatory client's certificate. So does someone have a working freeradius configuration to share with me ? Or some tips to get it working ? Assuming you really listed all modified conf files, you should check http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html#confradius #5. (cited out of context) Here is what is displayed in the logs (without verbose mode): Anything else leads to much more if's and perhaps' an assuming's so you should provide the debug output as mentioned in various docs. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius-1.1.1 with CRL configuration
Hi, In an somewhat related issue I found that c_rehash indeed only generates the hash-named symlink to the first certificate/crl in a pem file containing more than one of them. So, yes, you need to do what you did, but it is not sufficient. You could split the certificates, crls etc in different files and rehash again or alternatively provide the necessary symlinks yourself, by script or whatever suits you. But this is not a freeradius an esp. no -devel problem, please check openssl docs. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and certs
The .pem .p12 and .der are just typical endings of filenames containing certs in different 'styles'. FR will use the .pem ones (default in openssl, I think). windows in general is more easily convinced to accept .der. Assuming you talk about some eap-* usage, FR alone, in most circumstances, will only need 1 root and 1 server certificate (might be helpfully named root* and cert-srv*), encoded in PEM format, thus *.pem. Whatever you run as supplicant on what OS determines what sort of client certificate (and eventually root certificate, perhaps in different encoding than the one above) you need. So depending on what you're actually trying to achieve, you only need a subset of the3x3-matrix you listed. regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: need help from FR gurus.
On 6/9/06, Abul Monsur Mannan [EMAIL PROTECTED] wrote: rlm_sql (sql): /usr/local/src/freeradius-1.1.1/src/modules/rlm_sql/drivers/rlm_sql_mysql is NOT an SQL driver! radiusd.conf[14]: sql: Module instantiation failed. radiusd.conf[1798] Unknown module sql. radiusd.conf[1727] Failed to parse authorize section. Is there any GURU to help me out of this problem. No guru needed up to now (not wanting to picture myself even remotely as one *g*) However it looks like you want some setup more closely related to a default one. No need and most probably place for /usr/local/src/freeradius-1.1.1/src/modules/rlm_sql/drivers/rlm_sql_mysql in your sql.conf. Your should keep it to the provided rlm_sql_mysql for now. Furthermore you seem to rely on the compiled source tree of freeradius as an installation. That doesn't provide a sane environment for meaningful debugging. Please use a package provided by your disrtrbution or do a make install in the alternative. After that being done, please post a debugging output (freeradius -X -A) and eventually relevant snippet of your configuration if problems still exist. That should be the minimum effort on your side before bothering the real guru(s) here. Regards, Klaus Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: NAS table fields
On 6/9/06, Cliff Hayes [EMAIL PROTECTED] wrote: For example, in the clients.conf file, the only required fields are SECRET and SHORTNAME. In the NAS table, SHORTNAME is optional (can be NULL), and NASNAME cannot be NULL. So, do I copy what I had in the clients.conf SHORTNAME into the NAS table NASNAME? If so, what is SHORTNAME FOR? nasname is equivalent to a client stanza's name in clients.conf as in Defines a RADIUS client. The format is 'client [hostname|ip-address]' Be sure that a hostname is resolvable at start time. shortname equals shortname insofar :) Sometimes it gets printed out (debug log, dialup admin) instead of the fq client name. Also, what is COMMUNITY for? Not sure, looks like being related to snmp stuff. If youd don't have something like that now you will not need it. Which fields are used by FreeRadius and which ones are just for reference? Not sure, just wanted to supply few hints off my head Regards, Klaus Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: revoking ca certificates
On 6/1/06, sumi thra [EMAIL PROTECTED] wrote:
Any body knows how to revoke the certificates? what changes needs to be
done in the freeradius eap.conf file.
No possible changes there will help you in that purpose. Having said
that, I'd like to provide some details I found while digging around
out of curiosity.
Unless mentioned otherwise I'm speaking of freeradius-1.1.1 (.deb
built using released debian subdir) and openssl 0.9.8b (debian/sid).
freeradius uses X509_V_FLAG_CRL_CHECK in
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c which will only
check a crl for the last entity in a certificate chain according to
http://www.mail-archive.com/openssl-users@openssl.org/msg42197.html .
I didn't find any spec/rfc/etc that commands this behaviour, but I
think of Dr Henson as being quite authoritative on that issue :)
So I tested an added (better: ORed) X509_V_FLAG_CRL_CHECK_ALL and got
the behaviour the OP wanted: checked crls for (all) CAs in a chain.
PEM ones worked.
While I'm not convinced that this makes sense for a (explicitly
trusted) root-CA (the revoked-to-be cert signs the revocation) I do
see a valid use case for honoring revoked intermediate CAs. Despite
RFC2716 6.1 speaking about revoked client certificates only, I think
it would be desirable to incorporate the rationale behind the whole
TLS stuff (RFC2246 D.3). Up to now I didn't look much further for
updated/contradicting related specifications. Any hints?
A quick look into 1.1.2 left me with the impression that nothing would
prevent the same modification there. But before eventually filing some
wishlist bug with a more detailed patch, I'd like to read some
comments on the whole issue, esp. concerning the following:
openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem revoke
cacert.pem -out crl.pem
Not sure what OP is exactly doing here.
Presuming X509_V_FLAG_CRL_CHECK_ALL shall be used, should it also
honor crls for root CAs (as it would do out of the box)? configurable
choice maybe?
Furthermore hash-linked crls for all possible CAs must be provided in
CA_path otherwise TLS will fail regardless of validity of offered
certs.
1. copied ca crl to ./ directory( my ca crl files are in current
directory )
2. c_rehash ./
tls {
...
CA_file = ./cacert.pem
CA_path = ./
check_crl = yes
}
I was too lazy to check if relative paths do work here. Checking with
absolute ones led to the following caveat: if you combine the needed
cr's in one file by concatenating c_rehash does only generate one
hashname link by virtue of 'openssl crl [...] -hash' providing only
(the first?) one. Adding the appropriately named missing ones manually
does work.
regards
K. Hoercher
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
