Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage

Hello,


I can't compile EAP-TLS and of course EAP-TTLS modules. I use
freeradius-snapshot-20040129.
I compiled openssl-0.9.7c because on my redhat Enterprise release 3 I've
openssl-0.9.7a-24.

I read the mailing-list archive and saw the recommendations of Arthur to
modify the makefile
but despite everything I always have the same error:

./configure --prefix=/usr/local/freeradius --with-openssl-includes=/usr/local/openssl/include/ --with-openssl-libraries=/usr/local/openssl/lib/
loading cache ./config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
configure: warning: silently not building rlm_eap_tls.
configure: warning: FAILURE: rlm_eap_tls requires:  (openssl/ssl.h) libssl.
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged


Can you help me ? Because that becomes urgent enough for my tests


Thanks


Lionel Gavage


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage
Hi Jean-Paul,

I've had the same thing. I've compiled openssl-0.9.7c in /usr/local/ but I
always have the problem whereas I specify the directory /usr/local/openssl.

openssl -> /usr/local/openssl-0.9.7c/
freeradius -> /usr/local/freeradius-snapshot-20040129/


Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jean-Paul Chapalain
Sent: Wednesday, 4 February 2004 8:36
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + EAP/TLS EAP/TTLS compilation problems


Hi lionel,

I've had a similar problem on RH 7.3. So I've compiled openssl-0.9.7c in
a specific directory (with configure --prefix) to be sure of its location.

Jean-Paul.

--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




RE: Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage

In my case:


locate ssl.h
/usr/share/doc/pyOpenSSL-0.5.1/html/openssl-ssl.html
/usr/share/doc/pyOpenSSL-0.5.1/html/openssl.html
/usr/include/openssl/kssl.h
/usr/include/openssl/ssl.h
/usr/local/openssl-0.9.7c/include/openssl/ssl.h
/usr/local/openssl-0.9.7c/include/openssl/kssl.h
/usr/src/openssl-0.9.7c/include/openssl/kssl.h
/usr/src/openssl-0.9.7c/include/openssl/ssl.h
/usr/src/openssl-0.9.7c/ssl/kssl.h
/usr/src/openssl-0.9.7c/ssl/ssl.h


/usr/include/openssl it's the installed rpm
/usr/local/openssl-0.9.7c/  it's the compiled sources


Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jean-Paul Chapalain
Sent: Wednesday, 4 February 2004 9:06
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + EAP/TLS EAP/TTLS compilation problems


Hi Lionel,

See below the result of command : "locate ssl.h"
/opt/openssl-0.9.7c/include/openssl/kssl.h
/opt/openssl-0.9.7c/include/openssl/ssl.h
/opt/openssl-0.9.7c/ssl/kssl.h
/opt/openssl-0.9.7c/ssl/ssl.h
/usr/local/openssl/include/openssl/ssl.h
/usr/local/openssl/include/openssl/kssl.h

/opt/openssl-0.9.7c is the directory where I've compiled openssl.

Files ssl.h are same !

Jean-Paul.



RE: Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage

Hi Jean-Paul,

Now I have:

./configure --prefix=/usr/local/freeradius
loading cache ./config.cache
checking for gcc... (cached) gcc
checking whether the C compiler (gcc  ) works... yes
checking whether the C compiler (gcc  ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for openssl/ssl.h... no
checking for DH_new in -lcrypto... yes
checking for SSL_new in -lssl... yes
checking how to run the C preprocessor... (cached) gcc -E
checking for openssl/err.h... (cached) yes
checking for openssl/engine.h... (cached) yes
configure: warning: silently not building rlm_eap_peap.
configure: warning: FAILURE: rlm_eap_peap requires:  (openssl/ssl.h).
creating ./config.status
creating Makefile
creating config.h
config.h is unchanged


The space thing is it finds openssl/err.h and openssl/engine.h but not
openssl/ssl.h whereas this file is at the same place!

Do you have an idea ?

Lionel.




RE: Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage

Hi,

ok i found the problem ;)

Thank you very much

Lionel




RE: Freeradius + EAP/TLS EAP/TTLS compilation problems

2004-02-04 Thread Lionel Gavage
Hi Lep,

So I modified the makefile for tls and ttls modules being inspired by PEAP
module makefile

Makefile before for tls module:


# Generated automatically from Makefile.in by configure.
TARGET  =
SRCS= rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS  = $(INCLTDL) -I./../.. -I./../../libeap  -DOPENSSL_NO_KRB5
HEADERS = rlm_eap_tls.h eap_tls.h ../../eap.h ../../rlm_eap.h
RLM_INSTALL =
RLM_LIBS+=

$(STATIC_OBJS): $(HEADERS)

$(DYNAMIC_OBJS): $(HEADERS)

RLM_DIR=../../
include ${RLM_DIR}../rules.mak

After:

# Generated automatically from Makefile.in by configure.
TARGET  = rlm_eap_tls
SRCS= rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS  = $(INCLTDL) -I./../.. -I./../../libeap  -DOPENSSL_NO_KRB5
HEADERS = rlm_eap_tls.h eap_tls.h ../../eap.h ../../rlm_eap.h
RLM_INSTALL =
RLM_LIBS+= -lcrypto -lssl

$(STATIC_OBJS): $(HEADERS)

$(DYNAMIC_OBJS): $(HEADERS)

RLM_DIR=../../
include ${RLM_DIR}../rules.mak



even thing for the ttls module makefile!

Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rok
Papez
Sent: Wednesday, 4 February 2004 17:41
To: [EMAIL PROTECTED]
Subject: Re: Freeradius + EAP/TLS EAP/TTLS compilation problems


Hello Lionel.

Lionel Gavage wrote:

> Hi,
>
> ok i found the problem ;)

The others with similar problems won't mind if you post a solution

--
Lep pozdrav,
Rok Papez.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
even with this option, the problem is always present!

an idea ?

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, 9 February 2004 16:45
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.

  Look again.  The tunneled authentication session doesn't have a username.

 You can set "copy_request_to_tunnel = yes" in the PEAP module.  That
should help.

  Alan DeKok.



RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

Activated the TTLS module:

ttls {
default_eap_type = md5
use_tunneled_reply = no
}

and it's all.


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of José
Luis Solano
Sent: Monday, 9 February 2004 17:03
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Hi Lionel!!


I would need your help because I use EAP-TLS, EAP-TTLS and PEAP. The first
one, TLS run OK, but TTLS and PEAP don't run OK. My first target now is run
TTLS and I will run PEAP after. So, can you help me please?. Currently, my
radiusd.conf is:


# Extensible Authentication Protocol
#
#  For all EAP related authentications
eap {
        # Invoke the default supported EAP type when
        # EAP-Identity response is received
        default_eap_type = tls

        # Default expiry time to clean the EAP list,
        # It is maintained to co-relate the
        # EAP-response for each EAP-request sent.
        timer_expire = 60

        # Supported EAP-types
        #md5 {
        #}

        ## EAP-TLS is highly experimental EAP-Type at the moment.
        #   Please give feedback on the mailing list.
        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   If Private key & Certificate are located in the
                #   same file, then private_key_file & certificate_file
                #   must contain the same file name.
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem

                #   Trusted Root CA list
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt

                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                #
                #   This can never exceed MAX_RADIUS_LEN (4096)
                #   preferably half the MAX_RADIUS_LEN, to
                #   accommodate other attributes in RADIUS packet.
                #   On most APs the MAX packet length is configured
                #   between 1500 - 1600. In these cases, fragment
                #   size should be <= 1024.
                #
                fragment_size = 600

                #   include_length is a flag which is by default set to yes
                #   If set to yes, Total Length of the message is included
                #   in EVERY packet we send.
                #   If set to no, Total Length of the message is included
                #   ONLY in the First packet of a fragment series.
                #
                include_length = yes
        }
}
--

What changes I need to use TTLS?



Thanks in advance Lionel!!!



José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Lionel Gavage" <[EMAIL PROTECTED]>
To: "freeradius-users" <[EMAIL PROTECTED]>
Sent: Monday, February 09, 2004 4:23 PM
Subject: Freeradius PEAP Problems


> Hi,
>
> I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
> I try to set up PEAP/MS-CHAPv2 but I've the error "rlm_mschap: We require a
> User-Name for MS-CHAPv2".
> However I sending well a login/pass. I use Aegis Client under Windows XP.
>
> Extract of the log:
>
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate for request 6
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
> modcall: entering group Auth-Type for request 6
> rlm_mschap: We require a User-Name for MS-CHAPv2
>   modcall[authenticate]: module "mschap" returns invalid for request 6
> modcall: group Auth-Type returns invalid for request 6
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 6
> modcall: group authenticate returns reject for request 6
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
> EAP-Message = 0x04080004
> Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE
>   modcall[authenticate]: module "eap" returns handled for request 6
> modcall: group authenticate returns handled for request 6
> Sending Access-Challenge of id 179 to 139.165.212.248:21648
> EAP-Message =
>
0x01090048190017030100

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

If you always have a problem don't hesitate ;)


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of José
Luis Solano
Sent: Monday, 9 February 2004 17:17
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems


Thanks Thanks Thanks Thanks a lot Lionel!!!

Good luck with your problem


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage

I specified: "default_eap_type = peap" in EAP module ...

Lionel Gavage





RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi José,

I use a freeradius snapshot because TTLS isn't in rpm package.
You must have the TLS module to use TTLS module.

The directive "default_eap_type" (in EAP module) must be fixed at "tls".
It's right
And the "default_eap_type" (in TTLS module) to "md5". It's right too.

I can send my config file to you if you want.

Lionel Gavage


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of José
Luis Solano
Sent: Monday, 9 February 2004 17:32
To: [EMAIL PROTECTED]
Subject: Re: Freeradius PEAP Problems



Sorry Lionel!!! Another question.

I have changed my radiusd.conf and I have activated the TTLS module. But
now, there are two modules activated, is it a problem?


eap {
        default_eap_type = tls !!
        timer_expire = 60

        #md5 {
        #}

        tls {
                private_key_password = izadisan
                private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
                certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
                CA_file = /usr/local/openssl/ssl/certs/ca/ca.crt
                dh_file = /usr/local/openssl/ssl/certs/dh
                random_file = /usr/local/openssl/ssl/certs/random
                fragment_size = 600
                include_length = yes
        }

        ttls {
                default_eap_type = md5 !
                use_tunneled_reply = no
        }
}

is it correct

My freeRADIUS is 0.8.1, TTLS runs with this version?
For "default_eap_type" is possible md5 value only?



Thanks again Lionel




José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060

RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Oki thks Alan i found thanks to you.

I added "copy_request_to_tunnel = yes" in the PEAP module and set
"default_eap_type = peap"  in EAP module to "default_eap_type = tls"

Thank you

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI




RE: Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Sorry it doesn't work :(


Lionel Gavage




Freeradius PEAP Problems

2004-02-09 Thread Lionel Gavage
Hi,

I use FreeRadius snapshot 20040129 with EAP/TLS EAP/TTLS and EAP/PEAP.
I try to set up PEAP/MS-CHAPv2 but I have the error "rlm_mschap: We require a
User-Name for MS-CHAPv2".
However, I am sending a login/pass correctly. I use Aegis Client under Windows XP.

Extract of the log:

  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
modcall: entering group Auth-Type for request 6
rlm_mschap: We require a User-Name for MS-CHAPv2
  modcall[authenticate]: module "mschap" returns invalid for request 6
modcall: group Auth-Type returns invalid for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Got tunneled reply RADIUS code 3
EAP-Message = 0x04080004
Message-Authenticator = 0x
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 179 to 139.165.212.248:21648
EAP-Message = 0x0109004819001703010018ac414f6ecefb1195938be450e38551daade29cc502427c8d17030100200deeb0441302502f9721238326439a05db8a1f2e0974378092c076a44c9297b4
Message-Authenticator = 0x
State = 0x13eb44c46fbe30f082eaf7522f3c315e
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 139.165.212.248:21648, id=180, length=168
User-Name = "lga"
Framed-MTU = 1400
Called-Station-Id = "000c.304f.75da"
Calling-Station-Id = "000c.3052.9812"
Message-Authenticator = 0x9f589078de1b5fe1cd17051ba032b42f
EAP-Message = 0x0209002b19001703010020cd5ff5c0835b2f6cf5ae3109a04b77c096854a1ed328bb820781ea790d6c1f6a
NAS-Port-Type = Wireless-802.11
NAS-Port = 314
State = 0x13eb44c46fbe30f082eaf7522f3c315e
Service-Type = Framed-User
NAS-IP-Address = 139.165.212.248
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "lga", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 9 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
users: Matched lga at 54
  modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 7
modcall: group authenticate returns invalid for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...


Hoping that you can help me ...


Lionel Gavage




Freeradius and PEAP

2004-02-10 Thread Lionel Gavage

Hi,

Did somebody already set up PEAP with freeradius? And if yes, how?

Thanks


Lionel Gavage



RE: TTLS and TLS (EAP-TYPES)

2004-02-16 Thread Lionel Gavage

Yes, at the level of the client configuration.

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 16 February 2004 13:14
To: [EMAIL PROTECTED]
Subject: TTLS and TLS (EAP-TYPES)





 Hi Lionel,

 I have your radiusd.conf file, (thanks!!).
 But I have a simple question: if I have TLS and TTLS in my radius.conf, which
 eap-type will freeradius use, TLS or TTLS?
 Is it the client who decides the eap-type?

 Thanks in advance!!!


 José Luis Solano
 SGI - Soluciones Globales Internet S.A.
 Delegación Regional Sur
 [EMAIL PROTECTED]
 (+34) 954.088.060





RE: PEAP/LDAP

2004-02-16 Thread Lionel Gavage
Hi,

It doesn't find the clear text password for rlm_chap but the user is correctly
validated by LDAP.


Extract of log:

rlm_ldap: - authorize
rlm_ldap: performing user authorization for u190336
radius_xlat:  '(uid=u190336)'
radius_xlat:  'dc=ulg,dc=ac,dc=be'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulg,dc=ac,dc=be, with filter (uid=u190336)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user u190336 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 6
modcall: group authorize returns ok for request 6
  rad_check_password:  Found Auth-Type CHAP
auth: type "CHAP"
modcall: entering group Auth-Type for request 6
  rlm_chap: login attempt by "u190336" with CHAP password
  rlm_chap: Could not find clear text password for user u190336
  modcall[authenticate]: module "chap" returns invalid for request 6
modcall: group Auth-Type returns invalid for request 6
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.


I don't see what I must do !

Thanks.


Lionel Gavage



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of
Jean-Paul Chapalain
Sent: Monday, 16 February 2004 12:12
To: [EMAIL PROTECTED]
Subject: Re: PEAP/LDAP


Hi Lionel,

I succeeded in getting a configuration to run, only for EAP/TTLS, with an LDAP
backend.

I use the freeradius-snapshot of 04/feb/2004 and the TTLS client of Alfa & Ariss
(SecureW2) on WinXP.

See below 'users' file :
# a0153 :  Define the user for 802.1x Authentication
#-
a0153

# By default use Ldap for authentication
#-
DEFAULT Auth-Type := LDAP

See below 'radiusd.conf' file :
modules {
    eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        md5 {
        }
        leap {
        }
        tls {
            private_key_password = 
            private_key_file = /etc/1x/server.gicm.net.pem
            certificate_file = /etc/1x/server.gicm.net.pem
            CA_file = /etc/1x/root.pem
            dh_file = /etc/1x/DH
            random_file = /etc/1x/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
        }
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }


    ldap {
        server = 
        port = 
        basedn = "dc=platine,dc=org"
        filter = "(cn=%u)"
        start_tls = no
        #access_attr = "dialupAccess"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
authorize {
    eap
    ldap
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
    eap
}

Regards,

Jean-Paul.
--
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




RE: TTLS and TLS (EAP-TYPES)

2004-02-16 Thread Lionel Gavage
Hi José,

No, the Windows XP client doesn't have a TTLS option. The Windows XP client
supports PEAP, on the other hand. You can use SecureW2 (http://www.alfa-ariss.com/)


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 16 February 2004 14:04
To: [EMAIL PROTECTED]
Subject: Re: TTLS and TLS (EAP-TYPES)



Do you know if the Windows XP client has TTLS authentication? Where is the
option?
If the Windows XP client does not have TTLS, then do you know another client?



Thanks a lot!!

José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


RE: TTLS and TLS (EAP-TYPES)

2004-02-16 Thread Lionel Gavage
No problem ;)

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 16 February 2004 16:13
To: [EMAIL PROTECTED]
Subject: Re: TTLS and TLS (EAP-TYPES)


Thanks a lot Lionel!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


RE: Problem with remote LDAP

2004-02-16 Thread Lionel Gavage



Hi,

Remove the "access_attr = "dialupAccess"" parameter in the LDAP config
(comment it out). And retest.


Lionel Gavage.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 16 February 2004 19:32
To: [EMAIL PROTECTED]
Subject: Problem with remote LDAP


Dear all !!

My old configuration was (2 different PC's):

IP Client: XXX.XXX.XXX.205
IP Freeradius and LDAP: XXX.XXX.XXX.222

With this configuration, my system runs ok!!

My current configuration is (3 different PC's):
IP Client: XXX.XXX.XXX.205
IP Freeradius: XXX.XXX.XXX.206
IP LDAP: XXX.XXX.XXX.222

When I change the freeradius I can't access my LDAP. (I have changed
the freeradius server IP in my access point too!!!)


freeradius logs
-
S-IP-Address = 192.168.49.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1B-E2"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110130303131323234343535
    Message-Authenticator = 0x3ff37aad8c3b000bbb078cef515b3a4a
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to XXX.XXX.XXX.222:389, authentication 0  <<<<<<<<<<<<<<<
rlm_ldap: bind as cn=Manager,dc=sgi,dc=es/izadisan to 192.168.49.222:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: no dialupAccess attribute - access denied by default <<<<<<<<<<<<<<<<<<<<<<<<==
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...


my radiusd.conf

ldap {
    server = XXX.XXX.XXX.222
    identity = "cn=Manager,dc=sgi,dc=es"
    password = izadisan
    basedn = "ou=Wireless,dc=sgi,dc=es"
    filter = "(uid=%u)"
    start_tls = no
    tls_mode = no
    access_attr = "dialupAccess"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


any idea??


Thanks in advance!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


RE: Problem with remote LDAP

2004-02-16 Thread Lionel Gavage



 
Does it work?


LG.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 16 February 2004 19:55
To: [EMAIL PROTECTED]
Subject: Re: Problem with remote LDAP

Thanks again Lionel ;) !!!


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
  


PEAP/LDAP

2004-02-16 Thread Lionel Gavage
Hi,

I have some problems with PEAP/LDAP (and TTLS/LDAP).
When I use LDAP only with a local authentication I don't have a problem.
Likewise with the PEAP module without LDAP.
But with these two modules the user is validated at the level of the LDAP server
but the 802.1x authentication failed!

I don't have a user entry in the users file.

Thanks.


Lionel Gavage


Extract of radius.conf:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }

    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap
    }

    unix
    eap
    Auth-Type LDAP {
        ldap
    }
}


Extract of log:

rad_recv: Access-Request packet from host 139.165.212.248:21645, id=234, length=172
User-Name = "u190336"
Framed-MTU = 1400
Called-Station-Id = "000c.304f.75da"
Calling-Station-Id = "000c.3052.9812"
Message-Authenticator = 0xc7f68224c50a922844d275cfcbdb5853
EAP-Message = 0x020b002b1900170301002098ab17170a67942473547a6c29b7c9fbca9c855e8117506214a192b989347f11
NAS-Port-Type = Wireless-802.11
NAS-Port = 322
State = 0xfc69a5223e55955e5e876a12c9561f84
Service-Type = Framed-User
NAS-IP-Address = 139.165.212.248
modcall: entering group authorize for request 11
  modcall[authorize]: module "preprocess" returns ok for request 11
  modcall[authorize]: module "chap" returns noop for request 11
  modcall[authorize]: module "mschap" returns noop for request 11
rlm_realm: No '@' in User-Name = "u190336", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 11
  rlm_eap: EAP packet type response id 11 length 43
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 11
users: Matched DEFAULT at 154
users: Matched DEFAULT at 173
  modcall[authorize]: module "files" returns ok for request 11
rlm_ldap: - authorize
rlm_ldap: performing user authorization for u190336
radius_xlat:  '(uid=u190336)'
radius_xlat:  'dc=ulg,dc=ac,dc=be'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulg,dc=ac,dc=be, with filter (uid=u190336)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user u190336 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 11
modcall: group authorize returns updated for request 11
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 11
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.

  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 11
modcall: group authenticate returns invalid for request 11
auth: Failed to validate the user.
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
Waking up in 5 seconds...


Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
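
One way to triage the debug logs posted in the threads above, as an added example (not FreeRADIUS code and not from any poster): it attributes each failure line to the request being processed and reports the first module that failed, which also shows that a "Had sent TLV failure" request only completes a rejection decided in the previous request. The log excerpts are trimmed from the messages above; the tags and function names are assumptions of this example.

```python
import re

# Failure lines that appear in the debug logs quoted in these threads, with the
# advice given on the list for each. The tag names are invented for this example.
SIGNATURES = [
    (re.compile(r"rlm_mschap: We require a User-Name for MS-CHAPv2"),
     "inner-request-has-no-user-name",
     'set "copy_request_to_tunnel = yes" in the peap section (Alan DeKok)'),
    (re.compile(r"rlm_chap: Could not find clear text password"),
     "no-clear-text-password",
     "have LDAP return the clear-text password instead of binding as the user (Alan DeKok)"),
    (re.compile(r"rlm_ldap: no \S+ attribute - access denied by default"),
     "ldap-access-attr-missing",
     "the entry lacks the access_attr attribute; the poster was told to comment access_attr out"),
    (re.compile(r"rlm_eap_peap:\s+Had sent TLV failure"),
     "peap-finishing-earlier-reject",
     "follow-on only: the inner authentication failed in the previous request"),
]

REQUEST_RE = re.compile(r"for request (\d+)")
MODULE_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
FAILURE_CODES = {"invalid", "reject", "fail", "userlock"}
UNKNOWN = -1  # cause line seen before any request number


def triage(log_text):
    """Return one report per request that failed or carried a known cause line."""
    reports = {}
    current = UNKNOWN

    def report(req):
        return reports.setdefault(
            req, {"request": req, "first_failure": None, "causes": []})

    for raw in log_text.splitlines():
        line = raw.strip()
        seen = REQUEST_RE.search(line)
        if seen:
            # Debug output is sequential, so un-numbered module lines belong
            # to the most recently named request.
            current = int(seen.group(1))
        for pattern, tag, hint in SIGNATURES:
            if pattern.search(line):
                report(current)["causes"].append((tag, hint))
        mod = MODULE_RE.search(line)
        if mod and mod.group(3) in FAILURE_CODES:
            entry = report(int(mod.group(4)))
            if entry["first_failure"] is None:
                entry["first_failure"] = (mod.group(1), mod.group(2), mod.group(3))
    return [reports[key] for key in sorted(reports)]


# Trimmed from the "Freeradius PEAP Problems" log (requests 6 and 7).
PEAP_RUN = '''
modcall: entering group Auth-Type for request 6
rlm_mschap: We require a User-Name for MS-CHAPv2
  modcall[authenticate]: module "mschap" returns invalid for request 6
modcall: group Auth-Type returns invalid for request 6
  modcall[authenticate]: module "eap" returns reject for request 6
  PEAP: Tunneled authentication was rejected.
modcall: entering group authenticate for request 7
  rlm_eap_peap:  Had sent TLV failure, rejecting.
  modcall[authenticate]: module "eap" returns invalid for request 7
'''

# Trimmed from the "Problem with remote LDAP" log (request 0).
LDAP_RUN = '''
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: no dialupAccess attribute - access denied by default
  modcall[authorize]: module "ldap" returns userlock for request 0
modcall: group authorize returns userlock for request 0
'''

if __name__ == "__main__":
    for run in (PEAP_RUN, LDAP_RUN):
        for item in triage(run):
            print(item["request"], item["first_failure"],
                  [tag for tag, _ in item["causes"]])
```
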


RE: Alfa&Ariss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-17 Thread Lionel Gavage



Hi José,

I have the same problem. Without LDAP it works.
However LDAP server returns OK for the validation of the user ...
I don't manage to correct this problem :(


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Tuesday, 17 February 2004 13:15
To: [EMAIL PROTECTED]
Subject: Alfa&Ariss Client Help!!!

Hi all!!!


I have installed freeradius-snapshot-20040216 with redhat 9.
I use Alfa&Ariss client under Windows XP, cisco pcmcia card on my laptop.

When the Alfa&Ariss client asks me for user, password and domain I write my
user and password, but I don't know exactly what my domain is.

I think there are two possible reasons for this error:
1.- Write the correct domain.
2.- My radiusd.conf is not correct.

help please!!!


My freeradius logs and radiusd.conf are:


My freeradius error is:
---
rad_recv: Access-Request packet from host XXX.XXX.XXX.252:1229, id=90, length=146
    User-Name = "001122334455"
    NAS-IP-Address = XXX.XXX.XXX.252
    NAS-Port = 0
    Called-Station-Id = "00-80-C8-01-01-55"
    Calling-Station-Id = "00-0B-46-26-1B-E2"
    NAS-Identifier = "DWL-1000AP+"
    Framed-MTU = 1380
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020100110130303131323234343535
    Message-Authenticator = 0xb2dfd83cf36fc223a2a5326d6b528259
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 001122334455
radius_xlat:  '(uid=001122334455)'
radius_xlat:  'ou=Wireless,dc=sgi,dc=es'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=001122334455)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusExpiration as Expiration, value 08 & op=21
rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 001122334455 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns ok for request 2
auth: Failed to validate the user. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<=

--


radiusd.conf
--
...
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    md5 {
    }
    leap {
    }
    tls {
        private_key_password = izadisan
        private_key_file = /usr/local/openssl/ssl/certs/server/server.pem
        certificate_file = /usr/local/openssl/ssl/certs/server/server.pem
        CA_file = /usr/local/openssl/ssl/certs/ca/ca.pem
        dh_file = /usr/local/openssl/ssl/certs/dh
        random_file = /usr/local/openssl/ssl/certs/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
    mschapv2 {
    }
}

...

ldap {
    server = 192.168.49.222
    identity = "cn=Manager,dc=sgi,dc=es"
    password = izadisan
    basedn = "ou=Wireless,dc=sgi,dc=es"
    filter = "(uid=%u)"
    start_tls = no
    tls_mode = no
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060


RE: Alfa&Ariss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-17 Thread Lionel Gavage
I know but the problem is with the LDAP module. Without the LDAP module all
works fine.
I use PAP with SecureW2 but if I use the LDAP module it doesn't work.

Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Rok
Papez
Sent: Tuesday, 17 February 2004 15:29
To: [EMAIL PROTECTED]
Subject: Re: Alfa&Ariss Client Help!!!


Hello Lionel.

Lionel Gavage wrote:

> I have the same problem. Without LDAP it works.
> However LDAP server returns OK for the validation of the user ...
> I don't manage to correct this problem :(
>
>
> Lionel Gavage
>
> -Original Message-

>  mschapv2 {
>  }

SecureW2 supports only PAP, not MS-CHAP.

--
best regards,
Rok Papez.

P.S.: It doesn't help to scream "help" in the subject. Just enter a sane
topic.



RE: Alfa&Ariss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-18 Thread Lionel Gavage
Me too ! ;p


Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of
Jean-Paul Chapalain
Sent: Wednesday, 18 February 2004 10:11
To: [EMAIL PROTECTED]
Subject: Re: Alfa&Ariss Client Help!!!


Hi Alan,

Alan DeKok wrote:
> Jean-Paul Chapalain <[EMAIL PROTECTED]> wrote:
> 
>>After many tests, for me the only "EAP methods" that run with Ldap is
>>EAP/TTLS (PAP) (SecureW2 client).
>>I suppose that all other methods use MS-CHAP(LEAP) or MS-CHAPV2(PEAP)
>>and freeradius can retrieve clear password for Ldap bind.
>
>
>   Then don't bind as the user to LDAP.  Use LDAP to retrieve the
> clear-text password.

Could you tell me how to retrieve the clear-text password from Ldap with
FreeRadius ?

>
>   There are other people using LDAP with PEAP.

With the same config, EAP/TTLS is working with Ldap while EAP/LEAP or
EAP/PEAP is working only with local User-Password !

I'm interested in a sample of an EAP/LEAP or EAP/PEAP config working with
an Ldap backend.
> 
>   Alan DeKok.
> 
> - 

Thanks,
Jean-Paul.
--  Jean-Paul Chapalain - GICM -  Resp. Reseaux et Infrastructure
--  32 rue Mirabeau - Le Relecq-Kerhuon - 29808 Brest Cedex 9, FRANCE
--  Tel +33298002873 - Fax +33298284005 - [EMAIL PROTECTED]
--  Key Fingerprint: 192C 1CFE F24A 050D F280 A086 AF15 8631 3ABB 4C7D




RE: Alfa&Ariss Client Heeeeeeeeeeeeelp!!!!!!!

2004-02-23 Thread Lionel Gavage
Hi José,

I can send you my radius.conf configuration, where EAP/TTLS with LDAP works
with the SecureW2 client.

Lionel.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of José
Luis Solano
Sent: Monday, 23 February 2004 10:11
To: [EMAIL PROTECTED]
Subject: Re: Alfa&Ariss Client Help!!!



Hi Jean-Paul,

As you know, I'm fighting with my freeradius to run EAP/TTLS.

I use Secure W2 client and LDAP, so could you (Jean-Paul) send me your
configuration, please?

I would need:
-do I need to change anything when I install freeradius?
-Modules eap, authorize, authenticate and ldap in radiusd.conf
-users file configuration
-have you changed anything in dictionary file?


Thanks in advance


José Luis Solano
SGI - Soluciones Globales Internet S.A.
Delegación Regional Sur
[EMAIL PROTECTED]
(+34) 954.088.060
- Original Message -
From: "Jean-Paul Chapalain" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 20, 2004 4:14 PM
Subject: Re: Alfa&Ariss Client Help!!!


> Hi Tom,
>
> Tom Rixom wrote:
> > Sorry about the previous email wasn't awake yet... here is a repost:
> >
> > Hello,
> >
> > If your LDAP back-end uses encrypted passwords certain authentication
> > methods cannot be used.
> >
> > PEAP-EAP-MSCHAPV2 for example requires either clear-text passwords or
> > Microsoft NT HASH passwords. I am not sure about LEAP.
> >
> > Because SecureW2 v1 sends over the password in the clear it can be used
> > on any kind of database encryption there is.
> >
> > Are you using encryption in your LDAP database?
>
> I'm using Active Directory, which encrypts the password.
> >
> > Tom Rixom
> > Alfa & Ariss
> >
>
> Today, I succeeded with a FreeRadius configuration for EAP/TTLS (PAP)
> (SecureW2 client on Windows) which runs with a user/password check on
> the Ldap back-end (AD).
>
> But for EAP/PEAP and EAP/LEAP the challenge uses MS-CHAP or MS-CHAPV2 for
> hashing. So FreeRadius can't retrieve the clear-text password from packets
> and can't perform the check on the Ldap back-end.
> Do you agree with this ?
>
> I'm searching for a solution to authenticate a LEAP client (Mac OSX) with
> FreeRadius and an Ldap back-end.
>
> Regards,
>
> Jean-Paul.
>



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


user groups in freeradius

2004-06-16 Thread Lionel Gavage

Hi,

Does freeradius server manage the user groups in its config file ?
Because it's not possible for me to use unix group (/etc/group) ! :(

So, I tested this:


# Allow certain logins
DEFAULT Auth-Type := LDAP, NAS-IP-Address == "xxx.xxx.xxx.xxx", User-Name =~ "id1|id2|id3|id4"
  Fall-Through = No

But the problem was the line is too long (about 50 usernames). And thus I
would like to create a group with all these usernames.

Thks

Lionel.


Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]




RE: user groups in freeradius

2004-06-16 Thread Lionel Gavage

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, June 16, 2004 16:46
To: [EMAIL PROTECTED]
Subject: Re: user groups in freeradius


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> does freeradius server manage the user groups in its config file ?

  No.

Is it on the roadmap ?;)



> Because it's not possible for me to use unix group (/etc/group) ! :(

  Read the "man" page for "rlm_passwd".


The different usernames are stored in LDAP and do not exist at the system
level.




Lionel.




freeradius 1.0.0-pre3 problem when it is launched with another port that by default

2004-09-17 Thread Lionel Gavage
Hi,

I use freeradius 1.0.0-pre3. I must use two radius servers on the same
computer.
But when I specify another listen port, this last is not used. The
freeradius server listens on the default port !

[EMAIL PROTECTED] freeradius-WDS]# ./sbin/radiusd -p 1645 -X
...
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.


In the radiusd.conf file :

bind_address = *
port = 1645
listen {
    ipaddr = xx.xx.xx.xx
    port = 1645
}


I tested various possibilities. Can you help me please ?


Thks in advance.


Lionel.


Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Bat. B26 SeGI




RE: freeradius 1.0.0-pre3 problem when it is launched with another port that by default

2004-09-17 Thread Lionel Gavage
Yes but even without it doesn't work. By using the directive "listen" in the
radiusd.conf file (as indicated in my preceding mail)

radiusd.conf:

bind_address = *
port = 1645

listen {
    #  IP address on which to listen.
    #  Allowed values are:
    #   dotted quad (1.2.3.4)
    #   hostname    (radius.example.com)
    #   wildcard    (*)
    ipaddr = xx.xx.xx.xx

    #  Port on which to listen.
    #  Allowed values are:
    #   integer port number (1812)
    #   0 means "use /etc/services for the proper port"
    port = 1645

    #  Type of packets to listen for.
    #  Allowed values are:
    #   auth    listen for authentication packets
    #   acct    listen for accounting packets
    #
    #type = auth
}


and the result:

[EMAIL PROTECTED] freeradius-WDS]# ./sbin/radiusd -X
There appears to be another RADIUS server running on the authentication port 1812

Indeed, I have another radius server on port 1812 but according to the
configuration file, I ask it to listen on port 1645.
Where is the problem ?


Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Friday, September 17, 2004 16:27
To: [EMAIL PROTECTED]
Subject: Re: freeradius 1.0.0-pre3 problem when it is launched with another port that by default


"Lionel Gavage" <[EMAIL PROTECTED]> wrote:
> I use freeradius 1.0.0-pre3. I must use two radius servers on the same
> computer.
> But when I specify another listen port, this last is not used. The
> freeradius server listens on the default port !
>
> [EMAIL PROTECTED] freeradius-WDS]# ./sbin/radiusd -p 1645 -X
> ...
> Listening on authentication *:1812

  If you read the rest of the output, you would see it say:

Ignoring deprecated command-line option -p


  "-p" isn't supported any more in 1.0.0.

  Alan DeKok.



RE: AP1230 + VLAN assignment

2004-09-29 Thread Lionel Gavage
Hi,

It's possible to switch VLAN when the user connects to a Cisco Aironet.
For 802.1x with VLAN switching, three radius attribute-value pairs are
defined.

In the user file for example:

xxx User-Password == "xxx"
  Tunnel-Type:1 = 13,
  Tunnel-Medium-Type:1 = 6,
  Tunnel-Private-Group-ID:1 = 17

So the integer values "13" and "6" represent the "VLAN" and "802" ASCII
strings respectively. The value "17" is the VLAN id to be used.


Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, September 29, 2004 20:21
To: [EMAIL PROTECTED]
Subject: Re: AP1230 + VLAN assignment


Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> I'm trying to assign wireless users connecting to Cisco Aironet 1230 to VLAN
> thanks to Freeradius.

  I'm not sure that's possible.  See the Cisco AP documentation for a
list of what attributes it can understand in an Access-Accept.

  Alan DeKok.
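
The three attributes from the users entry in the message above, encoded as RFC 2868 tagged attributes (the ":1" is the tag) and decoded again, useful for checking in a capture what the AP actually receives. This is an added example, not part of the original posts; the function names are illustrative and the sample bytes are constructed.

```python
# Added example: RFC 2868 tagged tunnel attributes carrying an RFC 3580 VLAN.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6   # the integer values used in the users entry


def encode_vlan(vlan_id, tag=1):
    """Return the three attributes as they appear in an Access-Accept."""
    if not 1 <= tag <= 0x1F or not 1 <= vlan_id <= 4094:
        raise ValueError("tag must be 1..31 and VLAN id 1..4094")
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # Type, Length (always 6), Tag, 24-bit big-endian value
        out += bytes([attr, 6, tag]) + value.to_bytes(3, "big")
    group = str(vlan_id).encode("ascii")      # the VLAN id travels as a string
    out += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    return out


def decode_vlans(attrs):
    """Walk the attribute TLVs and return {tag: vlan_id} for complete sets."""
    tunnels, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr, length = attrs[pos], attrs[pos + 1]
        # Every attribute carries at least one value octet.
        if length < 3 or pos + length > len(attrs):
            raise ValueError("bad attribute length at offset %d" % pos)
        body = attrs[pos + 2:pos + length]
        pos += length
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if length != 6:
                raise ValueError("attribute %d must have length 6" % attr)
            tunnels.setdefault(body[0], {})[attr] = int.from_bytes(body[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first octet above 0x1F is string data, not a tag (RFC 2868).
            tag, text = (body[0], body[1:]) if body[0] <= 0x1F else (0, body)
            tunnels.setdefault(tag, {})[attr] = text.decode("ascii", "replace")
    vlans = {}
    for tag, t in tunnels.items():
        group = t.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (t.get(TUNNEL_TYPE) == VLAN and t.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            vlans[tag] = int(group)
    return vlans


if __name__ == "__main__":
    wire = encode_vlan(17)                    # constructed sample, tag 1
    print(wire.hex(" "), decode_vlans(wire))
```

A tag whose Tunnel-Type or Tunnel-Medium-Type differs from 13 and 6, or whose group ID is not a VLAN number, is left out of the result, so an empty dictionary means the reply carries no usable VLAN assignment.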




RE: AP1230 + VLAN assignment

2004-09-29 Thread Lionel Gavage
Hi Jean-Marie,

It's preferable to use the integer values instead of ASCII strings.
So for the switching VLAN, I create a local VLAN on Cisco Aironet with a
specified SSID. The user configuration questions this SSID and according to
the user, this one is switched in the VLAN defined in the configuration file.
If I'm not "clear" enough, do not hesitate to say so ;)

Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Email: [EMAIL PROTECTED]
Tel: +32-4-3664845
Fax: +32-4-3662920
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Lionel Gavage
Sent: Thursday, September 30, 2004 7:47
To: [EMAIL PROTECTED]
Subject: RE: AP1230 + VLAN assignment


Hi,

It's possible to switch VLAN when the user connects to a Cisco Aironet.
For 802.1x with VLAN switching, three radius attribute-value pairs are
defined.

In the user file for example:

xxx User-Password == "xxx"
  Tunnel-Type:1 = 13,
  Tunnel-Medium-Type:1 = 6,
  Tunnel-Private-Group-ID:1 = 17

So the integer values "13" and "6" represent the "VLAN" and "802" ASCII
strings respectively. The value "17" is the VLAN id to be used.


Regards,

Lionel.

Lionel Gavage
Network Engineer (SeGI/ULg)
Bat. B26 SeGI

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Alan DeKok
Sent: Wednesday, September 29, 2004 20:21
To: [EMAIL PROTECTED]
Subject: Re: AP1230 + VLAN assignment


Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> I'm trying to assign wireless users connecting to Cisco Aironet 1230 to VLAN
> thanks to Freeradius.

  I'm not sure that's possible.  See the Cisco AP documentation for a
list of what attributes it can understand in an Access-Accept.

  Alan DeKok.

