Re: 802.1x and LDAP

2005-08-19 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 19, 2005 at 10:54 -0800 wrote:
With each of these I still have the problem where the Access-Request  
packet doesn't contain a User-Password attribute. I am guessing that  
there is something very fundamental that I am not understanding..  
like there isn't supposed to be a User-Password attribute coming  
from the AP but if that's the case then I really don't understand  
how we authenticate against the LDAP directory without a password.

Hi there,

Do some research on configuring TTLS with FreeRadius -- there's a howto
around somewhere.  Once you get TTLS/PAP working (with the auth info in
the users file), you can easily make LDAP work.

An understanding of the tunnelling system used with most 802.1x auth
protocols would be helpful for you -- the trouble is that the password is
inside the tunnel, and your FreeRadius config isn't understanding your
tunnel.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General Question..

2005-08-18 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 17, 2005 at 15:47 -0800 wrote:
Can we use Radius/LDAP to do this.
What I was hoping we can do is as follows:
everyone will get one user-id/password, but for every service we will
create a boolean attribute. All services, dialup/wireless/vpn/etc., will
use one radius server for both Auth (authenticate/authorize).
The question is: can FreeRadius (or any radius) be configured to ask the
LDAP for the correct service attribute and grant access based on both the
user-id/password and the value of the service attribute?

Sort of.

The best bet is to use the LDAP posixgroup objectclass -- then you can
force certain radius clients to require a specific group membership.

Let me know when you get closer to implementation and I can help you with
some config files.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Debian 802.1x LDAP

2005-08-17 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 16, 2005 at 18:18 -0800 wrote:

Thanks Kris!

Everything appeared to compile, install and run without any errors.

If you have any tips or good links for up to date information on how  
to set freeradius up to talk to a Cisco WAP I could use the help. grin

No problem.

Sorry, I don't have any Cisco experience -- it's a bit beyond our budget
at this point.

Now, the D-Link and Linksys $50-special AP's, that's a different story!

:-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Debian 802.1x LDAP

2005-08-16 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 15, 2005 at 23:40 -0800 wrote:
rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open  
shared object file: No such file or directory

I have googled this and found some messages that suggest compiling  
from source and using the --shared-disabled flag at compile time but  
I've tried building from source and can't even get LDAP working..  
each time I un-comment the ldap line from the radiusd.conf file and  
try to start using radiusd -x I get a segfault.

Hi Cian,

Make sure you have done this:
apt-get install libssl-dev
apt-get install libldap2
apt-get install libldap2-dev
apt-get install libmysqlclient14
apt-get install libmysqlclient14-dev
apt-get install slapd
apt-get install ldap-utils
apt-get install db4.2-util

after those packages are all installed, try compiling again.  If that
doesn't work, let me know and I can help you further -- this is where I
solved my problem. :-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: concept question

2005-08-12 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 11, 2005 at 15:23 -0800 wrote:
what i am dreaming of (at least regarding radius ;-) ):
- wlan with wpa/802.1x using freeradius
- clients mostly windows xp, several mac os x, few linux (unimportant
right now)
- the normal users (known to the local unix network the accesspoint/switch
is connected to via nis or (some day) ldap) can access easily just with
their username and password, if possible without client certificates (to
keep things simple for the user)
- some special 'accounts' (for guests etc.) in the freeradius users files

can this be realized with freeradius?
as far as i understand the concepts behind this, all this means i have to
use peap, eap/ttls or eap/mschap-v2, am i right?

has anyone set up something like this and can help me with some ideas,
hints about trap-doors and other trouble ahead? or even some example
configuration files?

I've done something similar.

First off, if your passwords are stored using irreversible encryption
(e.g. Unix passwd file), you are only going to be able to use
EAP-TTLS/PAP.  Reason being that both PEAP and MSCHAPv2 require a
challenge-response type mechanism, where the server has the plaintext
password available to it (either by reversible encryption or plaintext).

For EAP-TTLS, WindowsXP supplicants will either be installed with the
wireless card (in the case of the newer Intel ones) or you'll have to pick
up SecureW2.  Both options work quite well.

You don't need client certs with EAP-TTLS.

The MacOS X.2 (or better) with latest patches will do TTLS builtin.

There is a supplicant available for Linux, too -- Xsupplicant, courtesy of
the Open1x project.

Let me know if you need any other tips or tricks.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: LEAP and PEAP protocols

2005-08-12 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 12, 2005 at 09:04 -0800 wrote:
LEAP is a proprietary protocol of Cisco's.   They have never published a
spec, but it has been reverse engineered. (use Google)
It is severely flawed.

What he said.

PEAP is in an Internet Draft (v2), but what Microsoft has implemented
(v0) and what Cisco supports(v1) are two different derivations of
previous versions.
You will have to do some archival spelunking to get specs that may agree
with the implementations.

PEAP and LEAP are different beasts.

If you want the auth features of LEAP (e.g. simple username/password),
your best bet is to look at EAP-TTLS/PAP.  If you want the hashing
functions (whereby CHAP of some sort is used), PEAP will work, given the
right subtype.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: EAP challenge gets ignored with some clients

2005-08-11 Thread Kris Benson
 SP2 has a stupid problem where it won't talk to non-MS RADIUS
servers.  There's a fix, though.

If anyone needs this hotfix, let me know.  MS sent it to me, but their
ongoing support is a PITA -- I told them thanks and to close the ticket,
but they kept e-mailing me so I finally told them what I really thought. :-)

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: FreeRadius EAP-TLS question

2005-08-10 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 9, 2005 at 19:03 -0800 wrote:
Kris,
Thanks for your help. 

Do you think that (1) and (2) in my previous message could be the 
reason that freeradius will not authenticate the client?

No, not now.  Judging from the message you sent OOB, it's an issue with
the OpenSSL libraries.  In fact, if gcc and openssl can't find them,
support for TLS (and any other public-key based method) is likely not even
compiled into your freeradius binary.

Fix the library problem, then generate your dh and random files.  If those
work, try radius... if it still doesn't work, make sure the rlm_eap_tls
module is compiled and installed.  If not, recompile freeradius and check
again.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-10 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 10, 2005 at 05:34 -0800 wrote:
Kris,

Aug 10 07:06:21 2005 : Debug: rlm_ldap: bind as
uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu/cortina to
info.marymount.edu:389
Wed Aug 10 07:06:21 2005 : Error: rlm_ldap:
uid=sbarnes,ou=people,o=marymount.edu.o=marymount.edu bind to
info.marymount.edu:389 failed: Can't contact LDAP server

Even tried authenticating to the backup LDAP server. Is there any way to
test the ldap module by hand, as it were?

I think I'm at the end of my abilities here, but will make a couple more
comments.

First off, I'm nowhere near being an LDAP pro, but what's up with the
o=marymount.edu.o=marymount.edu ?  There are two things that stick out
to me here -- first off, the '.' between the elements... I'm used to
seeing a comma.  Second, the duplication of the o=.  Do you *really* have
a child element named the same as its parent?

I'm sorry I can't be of more assistance... but if ldapsearch works with
the same binding credentials as FreeRadius (n.b. bind as the *user*
sbarnes *not* as admin), then the issue looks to be something with the
way FreeRadius & the Sun software interact.

Is there, by chance, a policy restricting number of connections per minute
on the Sun server?  FreeRadius likes to connect at least twice in the
authentication process -- once to search the directory, again to bind as
the user it found.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: FreeRadius EAP-TLS questions

2005-08-10 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 10, 2005 at 10:50 -0800 wrote:
When generating the random file, you can also do:
openssl rand -out /etc/raddb/certs/random 100

You could, but then it would be the same random numbers every time it's
loaded... with this you get different random numbers every time.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-10 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 10, 2005 at 11:17 -0800 wrote:

I think I'm at the end of my abilities here, but will make a couple more
comments.

First off, I'm nowhere near being an LDAP pro, but what's up with the
o=marymount.edu.o=marymount.edu ?  There are two things that stick out
to me here -- first off, the '.' between the elements... I'm used to
seeing a comma.  Second, the duplication of the o=.  Do you *really* have
a child element named the same as its parent?

We do indeed have a child with the same name as the parent and they both
have . in them. Fun Hey


For sure one other idea, then...

If your structure is this:
o=marymount.edu.
   |
- o=marymount.edu.

should this maybe be o=marymount.edu.,o=marymount.edu. ?
(note trailing periods, making an FQDN)

Or perhaps if your structure is this:
o=marymount.edu
   |
- o=marymount.edu

should this maybe be o=marymount.edu,o=marymount.edu ?

Just a thought... your original looks like a typo, based on the fact that
the two fields are not being joined by a comma.

HTH,

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: rlm_ldap: Attribute User-Password is required for authentication

2005-08-09 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 9, 2005 at 02:53 -0800 wrote:
Hi Vladimir,

Thanks for your help, I've managed to set up ldap with freeradius. One
last question: is it possible to have freeradius authenticate through
ldap and also the users file? The reason is that I need to create a guest
account for guests to log in to our wireless network. But the guests may
not allow me to install SecureW2 on their notebooks, so I am hoping I can
set up a common password for guests inside the users file. Or is there an
easier way to accomplish this? I'd appreciate it if you can help me again.
Thank you.

You've hit the nail on the head.

Your users file will just need an entry for the guest user... they may
need to install SecureW2 anyways, if you're using TTLS as the EAP
method... though PEAP should work as long as the password you put in the
users file is plaintext.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: FreeRadius EAP-TLS questions

2005-08-09 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 9, 2005 at 10:54 -0800 wrote:
Hello,
Two part question:
1. Is it critical to have certificates, dh and random files in the
etc/raddb/certs directory for eap-tls to work?
2. Is it ok to generate the random file as date > random

1. Yes, sort of.  You can put it in a different directory if you change
the eap.conf entries.

2. No. This is the correct way:

To generate the dh file you can use a function that comes with openssl

openssl dhparam -check -text -5 512 -out dh

This will generate a 512 Diffie-Hellman key named dh.
Move this file to /etc/mycerts/

mv dh /etc/mycerts/.

To generate a random file you will need a short C program using the openssl
libraries.  Paste this text into a file named 'random.c':
--8<-- cut ---
#include <stdio.h>
#include <openssl/rand.h>

int main(void)
{
    unsigned char buf[100];

    /* ask OpenSSL's CSPRNG for 100 bytes; fails if its pool is not seeded */
    if (!RAND_bytes(buf, sizeof buf)) {
        /* the usual md5(time+pid) fallback would go here */
        fprintf(stderr, "RAND_bytes failed\n");
        return 1;
    }
    /* write the raw bytes: printf("%s") would stop at the first zero byte
       and read past the (unterminated) buffer */
    fwrite(buf, 1, sizeof buf, stdout);
    return 0;
}
--8<-- cut ---

Compile it like this: gcc random.c -o random -lcrypto

It will generate a 32-bit LSB executable named random; try it with ./random.

Move this file to /etc/mycerts/:
mv random /etc/mycerts/.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Newbie: General Questions About Installation

2005-08-08 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 7, 2005 at 11:16 -0800 wrote:
On Sun, 7 Aug 2005 15:05:50 +0100
[EMAIL PROTECTED] wrote:

 Hi,
 
  I'm attempting to get my hands around installing FreeRadius-1.0.4 on a
  Debian Linux machine while also trying to learn Linux better.  I've been
  reading through all the various documentation, but had a few general
  questions that I was hoping someone would be so kind to reply on.

Install FreeBSD, go to /usr/ports/net/freeradius and simply type make
install clean.
Voila, all you need including dependencies will be automatically
installed on your system.
Or if you wanna go for a BSD wannabe in the Linux world, use Gentoo;
there you just type emerge freeradius and you get the same result as on
BSD.
Dealing with Debian you either get outdated applications or a pretty
unstable system, depending on the Debian branch you may want to use.
Please keep in mind this is my subjective opinion based on my long-time
experience.
And BTW, the version you are trying to install is also outdated and has
known security issues.

Dude!  He's trying to install the most recent version: 1.0.4... While I
would agree that FreeBSD is generally a better choice than any Linux
variant, YMMV.

You are right about outdated packages -- the Debian Freeradius package is
v1.0.2... and comes without EAP-TLS and anything that requires it.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-08 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 8, 2005 at 07:32 -0800 wrote:

I am now at a loss, if anyone has a working config that they wouldn't mind
sharing that would be much appreciated.

Here's mine:
 radiusd.conf section
ldap {
        server = localhost
        identity = "cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca"
        password = neveryoumind
        basedn = "dc=sd57,dc=bc,dc=ca"
        filter = "(mail=%{User-Name})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        #groupmembership_attribute = WirelessUsers
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
}

 users file
DEFAULT Ldap-Group == "NetworkAccessWireless", Auth-Type = LDAP
        Class = "%l",
        Reply-Message = "%u",
        Fall-Through = 1

 ldap LDIF (passwords removed to protect the innocent)
dn: dc=sd57,dc=bc,dc=ca
dc: sd57
objectClass: dcObject
objectClass: organizationalUnit
ou: Ess Dee Five Seven

dn: ou=roleaccounts,dc=sd57,dc=bc,dc=ca
ou: roleaccounts
objectClass: organizationalUnit

dn: cn=ldapadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca
objectClass: person
cn: ldapadmin
sn: AdminAcct
userPassword: {CRYPT}*

dn: cn=radiusadmin,ou=roleaccounts,dc=sd57,dc=bc,dc=ca
objectClass: person
cn: radiusadmin
sn: AdminAcct
userPassword: {CRYPT}*

dn: ou=techstaff,dc=sd57,dc=bc,dc=ca
ou: techstaff
objectClass: organizationalUnit

dn: cn=NetworkAccessWireless,dc=sd57,dc=bc,dc=ca
objectClass: top
objectClass: groupOfNames
member: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca
cn: NetworkAccessWireless

dn: uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca
sn: Benson
mail: [EMAIL PROTECTED]
cn: Kris Benson
gidNumber: 100
homeDirectory: /home/staff/kbenson
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 3
userPassword: {CRYPT}*
uid: kbenson



Let me know if there's anything else you would like to see...

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Newbie: General Questions About Installation

2005-08-06 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 6, 2005 at 00:25 -0800 wrote:
In console just type apt-get install freeradius, or use the synaptic
package manager (x windows / gnome) and do a search for Freeradius.  That
will install and create the user/group freerad and put all the files in
their appropriate place.

Once that's done your configuration files will be in /etc/freeradius;
edit radiusd.conf to your liking, clients.conf etc.

There's one major issue with the Debian freeradius package -- any module
that requires hooks to OpenSSL is not included due to some legal issue. 
This includes eap_tls, eap_ttls, eap_peap, etc.

The compile-from-source solution works well -- you just need to apt-get
install these:
libmysqlclient14-dev
libldap2-dev (if you want LDAP support)
libssl-dev

HTH,

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 08:12 -0800 wrote:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat:  '(&(objectClass=aRadiusAccount)(uid=testuser))'
radius_xlat:  'o=marymount.edu,o=marymount.edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 198.100.0.18:389, authentication 0
rlm_ldap: bind as cn=account mgr/* to 198.100.0.18:389
rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Here's the section of your debug where the problem lies.

note this line: 
rlm_ldap: cn=directory manager bind to 198.100.0.18:389 failed: Can't
contact LDAP server

Have you double checked the IP address?

I'm not sure on how descriptive the error messages are -- perhaps double
check that the admin user/password also works -- start by making it the
full dn of the admin user in the 'identity' field.

If this doesn't work, let me know and we can go from there...

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 09:58 -0800 wrote:

This is pretty clear that it cannot connect.  What does your ldapsearch
command look like?  Perhaps, you have the wrong port or ip in your
config?
What does telnet 198.100.0.18 389 show you?

Hi Dusty and Kris,

The ip address I am using for the ldap is correct, when using ldapsearch 

ldapsearch -h 198.100.0.18 -b "ou=people,o=marymount.edu,o=marymount.edu" -D "cn=directory manager" -W

I can connect and get prompted for the password, after which I get a
complete dump of the LDAP. 

What if you change the identity portion of the radiusd.conf to be the
full DN of the admin user?  I have a sneaking suspicion that the can't
connect may also include can't authenticate...

So, assuming that the directory manager user is in the people ou, try
this for the identity:
cn=directory manager,ou=people,o=marymount.edu,o=marymount.edu

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius - LDAP Authentication

2005-08-05 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 5, 2005 at 12:27 -0800 wrote:

I have tried various accounts, my own and test accounts, along with
variations of the DN and I get the same errors. I'm at a loss as
ldapsearch and telneting to the port all seem to work.

Well, having just looked at your config again, I'm wondering if it isn't
this filter:
 ldap: filter = "(&(objectClass=aRadiusAccount)(uid=%u))"

is that 'a' supposed to be there?

Also, have you custom defined the LDAP schema for this objectclass?  If
not, I don't believe the 'aRadiusAccount' is valid, at least not in the
standard OpenLDAP w/FreeRadius extensions schema that I have.

What if you start by removing that part of the filter and just searching
for the uid?

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
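The search-then-group-check that rlm_ldap performs with the config posted earlier in this thread can be tried by hand without a live directory. The following is an added example, not code from the list or from FreeRADIUS: it re-implements those two steps over a constructed in-memory copy of the LDIF above, parses the RFC 4515 filters (the radiusd.conf ones and the aRadiusAccount one questioned here) so that a stripped '&' or an unescaped wildcard in %{User-Name} is caught, and reports whether the user satisfies the Ldap-Group check. The DIRECTORY entries, e-mail addresses and function names are assumptions.

```python
import re

# Constructed in-memory directory modelled on the LDIF posted in this thread
# (passwords omitted, addresses are placeholders).
DIRECTORY = [
    {"dn": "cn=NetworkAccessWireless,dc=sd57,dc=bc,dc=ca",
     "objectClass": ["top", "groupOfNames"],
     "member": ["uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca"],
     "cn": ["NetworkAccessWireless"]},
    {"dn": "uid=kbenson,ou=techstaff,dc=sd57,dc=bc,dc=ca",
     "objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": ["kbenson"], "mail": ["kbenson@example.invalid"]},
    {"dn": "uid=guest,ou=techstaff,dc=sd57,dc=bc,dc=ca",
     "objectClass": ["inetOrgPerson"],
     "uid": ["guest"], "mail": ["guest@example.invalid"]},
]

# The filter and groupmembership_filter from the radiusd.conf ldap {} section.
USER_FILTER = "(mail=%{User-Name})"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def ldap_escape(value):
    """RFC 4515 value escaping, so a User-Name of '*' stays a literal '*'."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def xlat(template, attrs):
    """Expand %{Attr} references as rlm_ldap does, escaping each value."""
    return re.sub(r"%\{([A-Za-z0-9-]+)\}",
                  lambda m: ldap_escape(attrs.get(m.group(1), "")), template)


def parse_filter(text):
    """Parse an RFC 4515 filter into a tree; ValueError if it is malformed."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data at offset %d" % end)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":              # and / or: one or more children
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids:
            raise ValueError("empty '%s' at offset %d" % (op, i))
        node = (op, kids)
    elif i < len(s) and s[i] == "!":             # not: exactly one child
        kid, i = _parse(s, i + 1)
        node = ("!", [kid])
    else:                                        # attr=value, or attr=* (presence)
        m = re.match(r"([A-Za-z][A-Za-z0-9.;-]*)=([^()]*)", s[i:])
        if not m:
            raise ValueError("bad filter item at offset %d" % i)
        node = ("=", m.group(1), m.group(2))
        i += m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    attr, raw = node[1], node[2]
    # attribute types (and the values compared here) are case-insensitive in LDAP
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    if raw == "*":
        return bool(values)
    want = re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw).lower()
    return any(v.lower() == want for v in values)


def search(directory, filter_text):
    """Return the DNs of the entries that match filter_text."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if _matches(node, e)]


def authorize(directory, user_name, group_cn):
    """rlm_ldap's two steps: find the user's DN, then evaluate the group filter."""
    hits = search(directory, xlat(USER_FILTER, {"User-Name": user_name}))
    if len(hits) != 1:
        return None, False          # unknown (or ambiguous) user: reject
    user_dn = hits[0]
    groups = search(directory, xlat(GROUP_FILTER, {"Ldap-UserDn": user_dn}))
    # groupname_attribute = cn: this is the users-file check Ldap-Group == "<cn>"
    in_group = any(group_cn.lower() in [c.lower() for c in e.get("cn", [])]
                   for e in directory if e["dn"] in groups)
    return user_dn, in_group
```

Feeding the filter exactly as it appears above with the '&' characters stripped makes parse_filter() raise, which is the quickest check that a pasted radiusd.conf filter survived the mail client.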



Re: different eap/tls config for different interfaces

2005-08-05 Thread Kris Benson
[EMAIL PROTECTED] wrote:
 If so, is it possible to have 2 different tls sections that service
 the 2 different interfaces?

  No.  FreeRADIUS supports only 1 TLS module at a time.

What Alan forgot to mention is a solution.

If you run two copies of the Radius server, with one bound to either a
different set of ports, or one to each IP, you could have separate configs.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: dialadmin question

2005-08-03 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 2, 2005 at 16:42 -0800 wrote:
hi all,

can I use dialadmin to create users and authenticate them in a lan and
exit out the router??


LAN (many users) - router/fw --- internet
   |
   |
freeradius
server


Hi Damon,

I'm not familiar with dialadmin, but I think you would have some
difficulty coercing the LAN clients into authenticating like that. 
Currently the only commonly-supported authentication method I am aware of
for 802.3 ethernet networks is 802.1x.  This would require either using
HostAP (rumoured to work on wired NICs) or upgrading your LAN switches to
ones that support 802.1x.

Alternatively, you could use VLAN sectioning combined with a web server
that can provide an authentication interface to the client.  This is a bit
of a pain, however.

Hope that helps,

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Freeradius + TLS for Wifi networks

2005-08-03 Thread Kris Benson
[EMAIL PROTECTED] on August 3, 2005 at 03:51 -0800 wrote:
However, I noticed that we have had multiple dropped connections from
Windows XP Pro with the Planet WAP-4000 and 3Com Office Connect Wireless
Access Points every 30 to 45 minutes but the freeradius server logs does
not show any errors.

Remember: the logs only show what is sent to the radius server -- if the
WAP doesn't send an accounting packet or authentication packet, nothing
will be in your logs.

I don't think this is a freeradius issue but I need to verify with
someone that this is not a radius related problem. 

It doesn't sound like it is.

Is there any configuration parameters within freeradius that I can tweak
to debug and check that radius is not the one causing this problem?

Well, if you start radius like so: radiusd -X it will output debug info
to stdout.  It's rather complete information, but it only starts one
process and may cause more output than you really want.

Logically, I don't think it's a radius issue but I might be wrong.

The only way it's a radius issue is if the machine is trying to
reauthenticate, and radius is denying it the second time.  Of course, this
would show up in the radius logs if your AP was doing the right thing.

If there is anyone that would like to get a copy of our RADIUS + TLS
HOWTO documentation with to find out how we did this integration, please
send me a personal email and I will send the PDF copy over.

I'd love to see your documentation -- we're in the process of writing our
own now, and anything that might have some more gotchas is good.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: mod_radius, apache2 and the auth cookie.

2005-08-02 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
August 2, 2005 at 01:55 -0800 wrote:
Hi,

   As was pointed out, you'll get authentication dialogs for every gif
  & jpg on the page.  This is a BAD idea.

The gifs etc are located in an unprotected directory, surely this prevents
from having to re-authenticate for each?

In theory, yes.  However, this has been nixed by most browsers, in that
mixed content presents a security risk.  Your IE users will see a
message saying "This page contains both secure and non-secure items"...
at least on first connect; the FF users may not even get that -- I don't
recall what happens with mixed content in FF.

  If I get a failed login, then try to login again it just uses cached
  credentials and doesn't prompt for details, if I close and re-open the
  browser it does then allow me to enter details.
 
   Then your browser is broken.

Firefox and Opera are also broken in that case. :-(

A bit of a dig around reveals this from the Apache site, which implies
that all browsers cache the credentials.
http://httpd.apache.org/docs/howto/auth.html#basicfaq

It sounds to me like the server isn't sending the correct error code for
auth-failed, thus the browser thinks it's OK to use the old credentials.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: authenticate machine accounts with ntlm_auth

2005-07-31 Thread Kris Benson
 I'm very frustrated now after spending a couple of weeks trying to get
 free radius to authenticate my Win2k machine accounts against active
 directory. :-(

  Sorry, blame Microsoft.  It isn't possible, but they don't make it
obvious that it's not possible.

 Alan, do you know of any way to get this working.  I have been assured
 that Funk can do this, have you any idea how Funk are doing it.  Funk
 costs too much.  Maybe I'm not allowed to ask such questions.

  Funk does it by running the radius server on the AD server.  At that
point, they can use *internal* Windows API's or hacks to get at the
data.  Since FreeRADIUS is running externally, it can't use those
API's, and thus won't work.

  FreeRADIUS *will* run on XP.  If someone were to write the necessary
code, you could run the server on XP, and do what Funk does.

It sounds to me like you're saying this is a server-side issue.  Since AD
is available via LDAP, why couldn't this FreeRadius install just use
rlm_ldap to access the machine account info in AD?

The Microsoft side of things isn't my greatest strength, least of all the
AD/LDAP stuff, but it seems as though this *should* work.

:-)




-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



accounting 'detail' file and EAP

2005-07-31 Thread Kris Benson
Hi all,

So I have FreeRadius set up (and working) to authenticate off an LDAP
installation.  Everything is great.

I even have EAP-TTLS/PAP working, so I don't have to store the plaintext
passwords.

I just have one problem now: accounting data.  Since I'm using TTLS, the
User-Name field is not the authenticated one, and is simply whatever the
user chose to put in for the outside-the-tunnel username.

Has anyone come up with a way to either A) ensure the outside username
matches the inside one (guaranteeing the outside one isn't falsified) or
B) log the accounting details with the tunnel information?

Any help would be appreciated -- thanks in advance.




-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: EAP-TTLS and PAP inner tunnel authentication

2005-07-29 Thread Kris Benson
FreeRadius users mailing list freeradius-users@lists.freeradius.org on
July 29, 2005 at 01:40 -0800 wrote:
From a suggestion on the mailing list I plan on using EAP-TTLS and PAP
inner tunnel authentication.

The reason I'm going this route is because I want to authenticate against
linux user accounts and the password is encrypted in /etc/shadow, so the
ms-chap route is no good since it can't work with encrypted passwords.

How do I configure free radius to work with EAP-TTLS and PAP inner tunnel
authentication? I wasn't able to find much on the net. I'm quite a fast
learner however.

Hi Sura,

Just follow the config file comments for enabling TTLS and make it the
default EAP type.  

Just make sure you follow the instructions here:
http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html for making your
random and dh files -- I haven't seen this documented officially,
however I have seen other instructions that *broke* our certificate use.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: rlm_ldap: Attribute User-Password is required for authentication

2005-07-28 Thread Kris Benson
melvin [EMAIL PROTECTED] on July 24, 2005 at 02:47 -0800 wrote:
Hi Kris,
Thanks for your reply. I will be very grateful if you could post your
config entries to me. Many tks.

Hi Melvin,

Please see attached.

I have included the certs, passwords, etc. as they are currently testing
only ones -- and may help you get things going.

The user passwords are one of two: whatever or testing123 depending on
whether we needed to use a different one somewhere during our testing. :-)

Let me know if you have any other questions.

Cheers,

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Debian and 'module eap returns noop for request'

2005-07-22 Thread Kris Benson
Kris Benson [EMAIL PROTECTED] wrote:
 I have self-compiled the EAP module on Debian due to the binary
 distribution restrictions, and the error I'm getting is:
 
 module eap returns noop for request [number]

  And what does the *rest* of the debug output say?

Hi Alan,

I was thinking I'd save you the trouble of wading through all that... but
since you asked. :-)

here's the debug output:

[deletia]

Just did some further testing.  MacOS 10.4.2 won't connect either, giving
the same debug information as the Windows client already mentioned.  So
it's not the hotfix issue!

BTW: Microsoft has e-mailed me the hotfix -- if anybody needs it, please
let me know!

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: rlm_ldap: Attribute User-Password is required for authentication

2005-07-22 Thread Kris Benson
melvin [EMAIL PROTECTED] wrote:
 Sorry as I am not an expert in radius but if I do not set Auth-Type = LDAP
 how do I ensure that the authentication goes thru ldap.

  LDAP is an authentication server?  That's news to me.

 All the users have their passwords stored in ldap and therefore I
 hope to utilise the ldap to do the authentication.

  LDAP is a database.  Let FreeRADIUS read the passwords from LDAP,
and have FreeRADIUS do the authentication.

  FreeRADIUS is an authentication server.  LDAP is not.

Hi Alan, Melvin,

LDAP does provide some authentication -- through the 'BIND' statement. 
Incidentally, this is how the FreeRadius rlm_ldap module chooses to
authenticate against an LDAP entry... it attempts to 'bind' to it, passing
the username and password to LDAP.

I have successfully integrated FreeRadius & LDAP -- I can get you my
config entries if you would like.  It worked with OpenLDAP practically
out-of-the-box.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Debian and 'module eap returns noop for request'

2005-07-21 Thread Kris Benson

Hi all,

I'm currently in the process of trying to get a D-Link DWL-2100AP and a
DWL-7000AP to authenticate off FreeRadius, but FreeRadius doesn't seem to
be too keen on talking EAP to them.

I have self-compiled the EAP module on Debian due to the binary
distribution restrictions, and the error I'm getting is:

module eap returns noop for request [number]

for every time a Windows XP SP2 client tries to connect.

The Windows Hotfix is now only available by request, so I haven't been
able to try that to see if it solves the problem.  If someone has it,
please e-mail it to me! :-)

I'm not sure if this is a Windows issue or a FreeRadius issue at this
point -- the noop seems odd, but perhaps it's what is being sent that is
causing it.

If someone could offer some suggestions, it would be greatly appreciated.

Kindest regards,

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)



Re: Debian and 'module eap returns noop for request'

2005-07-21 Thread Kris Benson
Kris Benson [EMAIL PROTECTED] wrote:
 I have self-compiled the EAP module on Debian due to the binary
 distribution restrictions, and the error I'm getting is:
 
 module eap returns noop for request [number]

  And what does the *rest* of the debug output say?

Hi Alan,

I was thinking I'd save you the trouble of wading through all that... but
since you asked. :-)

here's the debug output:
###
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = before
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = leap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
 tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
 tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/freeradius/certs/dh
 tls: random_file = /etc/freeradius/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = yes
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = yes
 peap: use_tunneled_reply = yes
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup