Re: newbie install problem

2005-10-06 Thread Lefteris St
>I have RedHat ES4 and I downloaded FreeRadius-1.0.5.
>unzipped it and did
>./configure
>make
>make install
>
>It didn't seem to complain, but I can't run it. I can't find the radiusd
>file. And after server startup I don't see any radius daemon running.
>How do I run it?

The radiusd binary should be in the /usr/local/sbin
folder.
If not, something went wrong during
compile/installation. Check the output again. It may
help if you redirect it to a file (like make >
make_output.txt). You can also check configure.log.

Lefteris,



__ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Success Story (A tribute to the FreeRADIUS project)

2005-10-05 Thread Lefteris St
Hello everyone,

I am writing this -long overdue- letter to express my
gratitude to all FR developers and other people who
help through this mailing list.
I may not be an active poster, but this list's archive
has been a tremendous help during my involvement with
FreeRADIUS. Thanks to the intense support (and of
course great open source software), my project was a
success and I managed to learn a couple of things too
:-).

To whom it may concern, I have deployed the following
setup for my University wifi hotspot:

WiFi users connect to APs in the University premises.
Authentication follows two scenarios (depending on the
particular AP site):

Scenario A or NoCat Scenario (low security): 

-A NoCat captive gateway runs on a PC connected
directly to the AP (or the AP itself, for embedded
devices). This PC is also responsible for DHCP,
firewall rules etc...
-The user's web browser is redirected to the login
page hosted at the AAA server for this building. There
runs the NoCat Auth Server and (of course) a
FreeRADIUS server. The NCA server gives the user
credentials to FR, which in turn authorizes them
against the local Windows AD (where University users
reside) and a mysql database (for temporary wifi
accounts -can be duration-restricted).
-After the NoCat gateway lets the user in, it
periodically sends accounting information to the FR
server (to be stored in the mysql DB).

Scenario B or EAP scenario (high security):

-A FreeRADIUS proxy runs on a PC connected directly to
the AP (or the AP itself, for embedded devices). This
PC is also responsible for DHCP, firewall rules
etc...
-The AP has WPA-Enterprise enabled and connects to the
proxy FR for authentication.
-Users use IEEE 802.1X clients for EAP authentication (mainly
PEAP).
-The FR proxy forwards authentication packets to the
central FR server (the same one as scenario A), which
authenticates and authorizes against the Windows AD
and mysql DB.
-Accounting packets are sent either by the AP (through
the proxy) or a NoCat gateway (set in "Open" mode)
which runs on the same PC as the proxy.

Accounting information is monitored through the
dialup_admin front-end, which is also used for
temporary wifi accounts (that go in the mysql db).

(The above may imply a large scale deployment but
there are only two APs for now :-) [both running
scenario A].) 

That's about it in a nutshell. I named the whole
system the WAL (Wireless Aueb -my University- Lan).

As you can see, I have also made heavy use of the
NoCat project (thanks to everyone in that mailing
list/developer team too!!) but it saddens me to see
that it got stuck in version 0.82 :-(.

Anyway, thanks again and keep up the good work. I am
not done with FR just yet, so I'll be seeing you all
:-).

Stefanis Eleftherios
MSc Student in Computer Science
AUEB

PS: Sorry for the long post, I just thought it would
be nice for people to see what FR (combined with other
great open source software) can do in a complete WiFi
deployment.

PS2: The total software cost for the WAL was $0, and it
took one person (me) a total of about 2 months to
architect and set up.





Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-03-11 Thread Lefteris St

> "rlm_eap_tls: Received unexpected tunneled data
> after successful handshake."
> 

I had the same problem a while ago. It turned out the
error lay with the generated certificates.

I never pinpointed the exact problem (I fiddled with
the scripts a lot), so I can't give any detailed
solution, but I'd try to recreate them (the certs) if I
were you.

Hope I helped,
Lefteris



Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-28 Thread Lefteris St
>If you have a Cisco AP you should use AAA,
>For a Cisco client you don't need AAA.

Ok, I'll try using the commands found in the cisco
file in the docs. I'm not sure what you mean by Cisco
client though.

>The errors should have been different, at least...

That is correct, have a look at what I get from PEAP:

I noticed someone else having trouble with TLV; I am not
sure what that is, but I got a

rlm_eap_peap:  Had sent TLV failure, rejecting.

Any hints there?

Anyway the entire output is attached.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.251.248.176 IP address [195.251.248.176]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/home/gela/keys/cert-srv.pem"
 tls: certificate_file = "/home/gela/keys/cert-srv.pem"
 tls: CA_file = "/home/gela/keys/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/home/gela/keys/dh1024.pem"
 tls: random_file = "/home/gela/keys/random.pem"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "gela"
 sql: password = "lesgeo"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgrouprep

Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-27 Thread Lefteris St
Ok, here's some more info about my configuration on
the user-side:

I have installed the client and CA certificates
(cert-clt.p12, root.der) which I created using the
script described in Ken Roser's How-To
(doc/EAP/TLS.pdf). They seem to be working fine (the
TLS handshake doesn't complain about any of them).
In the authentication tab I selected "Use Smart Card
or Certificate".
When I try to connect I get a popup prompting me to
choose the (client) certificate I want to use.
Note that since I don't have WinXP, I use my card's
software to detect and connect to my AP. I have tried
two different cards so far with the same result (PCMCIA
AmbiCom and ZoomAir with PCI adapter).

I have also tried using PEAP and TTLS (SecureW2) but
(as was expected) to no avail.

As far as the client (Cisco) is concerned, there isn't
much more to be said. I didn't use the aaa commands in
the documentation, since it didn't seem necessary in
the How-To's (should I?).
I just added a radius server (providing IP address,
shared secret and selecting "EAP authentication") and
changed the authentication option for my SSID from
"Open Authentication" to "Open
authentication with EAP".

Tomorrow I am going to try and use HostAP as a client
for freeradius and I'll tell you if there is any
progress.

Thanks again for taking an interest.



Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Lefteris St
>What client are you using, and how have you
>configured it?

I am using a Cisco Aironet 1200.
I configured it to use "Open Authentication with EAP",
set the radius server IP and shared secret.
I did all these through the AP's html interface.

On the user side we're running Windows 2000 with SP4 and
the authentication patch.




EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Lefteris St
Hi all,

I've been having some problems with EAP/TLS (and
subsequently with TTLS and PEAP).
I've been working with the two How-to's from /doc (by
the way thanks guys).

I think I have configured everything properly (openssl
certs and stuff) but I still can't get freeradius to
authenticate EAP users properly.

I'm attaching the stuff I get from the
server (debugging mode).

Thanks in advance!

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.251.248.176 IP address [195.251.248.176]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/home/gela/keys/cert-srv.pem"
 tls: certificate_file = "/home/gela/keys/cert-srv.pem"
 tls: CA_file = "/home/gela/keys/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/home/gela/keys/dh1024.pem"
 tls: random_file = "/home/gela/keys/random.pem"
 tls: fragment_size = 4096
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "gela"
 sql: password = "lesgeo"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace =
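An added example (mine, not from the thread): the attached radiusd debug output above prints private_key_password and the SQL password in clear text, and shows 512-bit ephemeral key lengths with check_crl = no. This script parses output in that shape, redacts secrets before such a dump is shared, and flags the weak TLS settings; the key names come from the output above, the sample lines are constructed, and the 2048-bit threshold is a present-day assumption.

```python
import re

# Constructed sample in the shape of the radiusd debug output quoted in this
# thread (values are illustrative, not taken from the poster's real setup).
SAMPLE_DEBUG = """\
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: private_key_password = "whatever"
 tls: check_crl = no
 sql: login = "gela"
 sql: password = "lesgeo"
"""

# One 'module: key = value' line of the debug dump.
LINE_RE = re.compile(r'^(?P<indent>\s*)(?P<module>\w+):\s+(?P<key>\w+)\s*=\s*(?P<value>.*)$')
SECRET_KEYS = {"private_key_password", "password", "secret"}

def parse_debug(text):
    """Map (module, key) -> value (quotes stripped) for every setting line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[(m["module"], m["key"])] = m["value"].strip().strip('"')
    return settings

def redact(text):
    """Mask secret values so the dump can be shared without leaking them."""
    def mask(m):
        if m["key"] in SECRET_KEYS:
            return f'{m["indent"]}{m["module"]}: {m["key"]} = "<redacted>"'
        return m.group(0)
    return "\n".join(LINE_RE.sub(mask, line) for line in text.splitlines())

def audit(settings):
    """Flag weak EAP-TLS settings; returns a list of human-readable findings."""
    findings = []
    # Ephemeral key lengths only matter for the exchange that is actually enabled.
    for exchange, length in (("rsa_key_exchange", "rsa_key_length"),
                             ("dh_key_exchange", "dh_key_length")):
        if settings.get(("tls", exchange)) == "yes":
            bits = int(settings.get(("tls", length), "0"))
            if bits < 2048:
                findings.append(f"{length}={bits}: below 2048 bits")
    if settings.get(("tls", "check_crl")) == "no":
        findings.append("check_crl=no: revoked client certs are not rejected")
    return findings
```

Run `audit(parse_debug(text))` on a real dump and `redact(text)` before pasting it anywhere public.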