freeradius and syslog-ng

2010-08-25 Thread mack ragan
Hi,

I have freeradius v2.0.5.  I modified the log{} section of radiusd.conf to
send logs to syslog-ng.  In syslog-ng, I filter them out to a log
collector.  This seems to be working well.  Now, I would like to get detail
and auth to the log collector.  Anyone know if this is possible?

Thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

CA.all problem

2007-09-06 Thread Mack Ragan

Hi,

Using the provided script CA.all, trying to create self-signed certs 
on a new freeradius box and running into a missing serial file problem.  
Executing the commands in the script line-by-line shows that the command 
openssl ca  -policy policy_anything  -out newcert.pem -passin 
pass:whatever -key whatever -extensions xpserver_ext -extfile 
xpextensions -infiles newreq.pem is what is looking for the file 
./demoCA/serial which does not exist.  I think it is normally created 
during CA.pl -newca but this doesn't appear to happen with the 
script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl 
-newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?


Thanks!
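The missing ./demoCA/serial failure described in this post can be detected before the signing step runs. The following is an added example, not part of the original post and not taken from CA.all or CA.pl; it assumes the stock openssl.cnf [CA_default] layout under ./demoCA, the function names are hypothetical, and the demo CA is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not taken from CA.all or CA.pl. The layout is the stock
# openssl.cnf [CA_default] one (dir = ./demoCA); function names are hypothetical.

# Print the CA state `openssl ca` reads that is absent or malformed under $1.
ca_missing() {
    _ca=$1; _out=""
    [ -d "$_ca/newcerts" ] || _out="$_out newcerts/"
    [ -f "$_ca/index.txt" ] || _out="$_out index.txt"
    if [ ! -f "$_ca/serial" ]; then
        _out="$_out serial"
    elif ! grep -Eq '^([0-9A-Fa-f]{2})+$' "$_ca/serial"; then
        # The file holds the next serial as an even number of hex digits.
        _out="$_out serial(bad-format)"
    fi
    [ -f "$_ca/cacert.pem" ] || _out="$_out cacert.pem"
    [ -f "$_ca/private/cakey.pem" ] || _out="$_out private/cakey.pem"
    echo "${_out# }"
}

# Create only the bookkeeping files, never keys. An existing serial or index is
# left alone: resetting them on a live CA would hand out serial numbers twice.
ca_init_state() {
    _ca=$1
    mkdir -p "$_ca/newcerts" "$_ca/private" || return 1
    chmod 700 "$_ca/private" || return 1
    [ -f "$_ca/index.txt" ] || : > "$_ca/index.txt"
    [ -f "$_ca/serial" ] || echo 01 > "$_ca/serial"
}

# The signing step from the post, without the XP extension options.
# $1 = work directory holding ca.cnf and newreq.pem
ca_sign() {
    openssl ca -batch -config "$1/ca.cnf" -policy policy_anything \
        -out "$1/newcert.pem" -infiles "$1/newreq.pem" >/dev/null 2>&1
}

# Constructed demo: throwaway CA in a temp dir. Signing fails while the state
# files are missing and succeeds after ca_init_state.
demo_sign() {
    work=$(mktemp -d) || return 1
    ca="$work/demoCA"
    mkdir -p "$ca/private"
    cat > "$work/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_md = sha256
default_days = 30
[ policy_anything ]
commonName = supplied
EOF
    # Constructed CA key/certificate and server request (unencrypted test keys).
    openssl req -config "$work/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" -keyout "$ca/private/cakey.pem" \
        -out "$ca/cacert.pem" 2>/dev/null || { rm -rf "$work"; return 1; }
    openssl req -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" -keyout "$work/newkey.pem" \
        -out "$work/newreq.pem" 2>/dev/null || { rm -rf "$work"; return 1; }

    # Without index.txt, serial and newcerts/ the signing step must fail.
    if ca_sign "$work"; then rm -rf "$work"; return 1; fi
    before=$(ca_missing "$ca")

    # After initialising the state, signing works and the serial advances.
    ca_init_state "$ca" && ca_sign "$work" && [ -s "$work/newcert.pem" ] \
        && [ "$(cat "$ca/serial")" = 02 ]
    rc=$?
    echo "missing before init: $before; signing after init: rc=$rc"
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = demo ]; then demo_sign; fi
```

Run the script with the argument demo to see the failing and succeeding signing attempts; ca_missing ./demoCA on a real CA directory only reads, it changes nothing.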


Re: CA.all problem

2007-09-06 Thread Mack Ragan
Thanks Alan.  I have actually figured out some openssl commands that 
seem to have worked ok for me.  I'll post them a little later for what 
it's worth to anyone.


Alan DeKok wrote:

Mack Ragan wrote:
  

Using the provided script CA.all, trying to create self-signed certs
on a new freeradius box and running into a missing serial file problem. 
Executing the commands in the script line-by-line shows that the command

openssl ca  -policy policy_anything  -out newcert.pem -passin
pass:whatever -key whatever -extensions xpserver_ext -extfile
xpextensions -infiles newreq.pem is what is looking for the file
./demoCA/serial which does not exist.  I think it is normally created
during CA.pl -newca but this doesn't appear to happen with the
script's command of echo newreq.pem | /usr/local/ssl/misc/CA.pl
-newca.  I'm using OpenSSL version 0.9.8e.  Anyone have this experience?



  OpenSSL has changed the way their scripts run a number of times.  I've
pretty much given up trying to keep up.

  Instead, use the certificate generation tools in 2.0.0-pre2.  They're
simple and easy to use.

  Alan DeKok.


Re: eap_ttls and eap_peap linking problem SOLVED

2004-06-25 Thread Mack
SOLVED -- sort of

Using CVS snapshot 20040625, still had same problem.  Using
./configure --with-system-libtool did not work either...same results.

Using ./configure --disable-shared results in an error free make and make
install.  Now, radiusd runs fine.  Configured eap_ttls and it seems to work
fine so far, too.  Must have been a problem with my version of libtool
(1.5.2).  Any thoughts/comments as to advantages/disadvantages of
enabling/disabling shared libs?

Hope this helps someone --

mack


On 23 Jun 2004 at 16:04, Mack wrote:

 Hi,
 
 Problem linking eap_ttls and eap_peap on the following system:
 
 Gentoo Linux
 gcc-3.3.3
 glibc-2.3.3
 libtool-1.5.2
 openssl-0.9.7d
 kernel 2.6.7
 
 I am using the latest nightly CVS build (20040623).
 
 Here's some of the output of make:
 

Re: eap_ttls and eap_peap linking problem SOLVED

2004-06-25 Thread Mack
Alain,

Thanks for clearing it up for me.  Sounds like shared is the way to go.  I'll
look into using an older version of libtool that will work with freeradius so
I can use shared.

thanks,
mack

On 25 Jun 2004 at 14:14, Alain Perry wrote:

  thoughts/comments as to advantages/disadvantages of
  enabling/disabling shared libs?
 
 I'm probably not the best here to answer that, but my first guess
 would be with security issues. If openssl is updated by your package
 management system because of a security hole or anything, you will
 have to recompile freeradius against it to be safe. The second one
 would be the code size: if you have another piece of software using
 openssl, for example apache, openssl will be loaded twice into memory.
 That's the two main ones I can think of, but hey, if that's the only
 way to make freeradius work for you, it might be worth it :-)
 
 -- 
 Alain Perry
 
 
 
 -- 
 This message has been scanned for viruses and
 dangerous content by the CSU Email Gateway, and is
 believed to be clean.
 





Re: eap_ttls and eap_peap linking problem SOLVED

2004-06-25 Thread Mack
Alan,

Yep, that's what I figured.  What's the highest version of libtool that freeradius 
supports, and what version did you use in your tests?  Are there any plans for 
freeradius to support a more current version of libtool (I think latest stable is 
1.5.6)?

thanks,
mack

On 25 Jun 2004 at 10:04, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  Using ./configure --disable-shared results in an error free make
  and make install.  Now, radiusd runs fine.  Configured eap_ttls
  and it seems to work fine so far, too.  Must have been a problem with
  my version of libtool (1.5.2).
 
   libtool 1.5.2 is not supported by the server.

Yep, that's what I figured.  What's that latest version of libtool that freeradius 
supports?  Any plans to support libtool 1.5.2?


 
   In my tests, the eap_ttls & peap work fine with both dynamic &
 static linking.

Which version of libtool was used in these tests?  I'd rather enable shared, so I'm 
willing to revert to an 


 
   Alan DeKok.
 


eap_ttls and eap_peap linking problem

2004-06-23 Thread Mack
Hi,

Problem linking eap_ttls and eap_peap on the following system:

Gentoo Linux
gcc-3.3.3
glibc-2.3.3
libtool-1.5.2
openssl-0.9.7d
kernel 2.6.7

I am using the latest nightly CVS build (20040623).

Here's some of the output of make:

.

Making static dynamic in rlm_eap_peap...
gmake[9]: Entering directory `/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/types/rlm_eap_peap'
gmake[9]: Nothing to be done for `static'.
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=compile gcc  -g -
O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -
Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -
Wnested-externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   -
I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c rlm_eap_peap.c
mkdir .libs
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
rlm_eap_peap.c  -fPIC -DPIC -o .libs/rlm_eap_peap.o
rlm_eap_peap.c: In function `eappeap_authenticate':
rlm_eap_peap.c:190: warning: passing arg 2 of `record_plus' from incompatible 
pointer type
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
rlm_eap_peap.c -o rlm_eap_peap.o >/dev/null 2>&1
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=compile gcc  -g -
O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   
-Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -
Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -
Wnested-externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   -
I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c peap.c
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
peap.c  
-fPIC -DPIC -o .libs/peap.o
peap.c: In function `eappeap_process':
peap.c:578: warning: comparison between signed and unsigned
 gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -
DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -
Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -
Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -
I../../../../include -I../.. -I../rlm_eap_tls -DOPENSSL_NO_KRB5 -I./../../libeap -c 
peap.c 
-o peap.o >/dev/null 2>&1
/home/mack/sources/freeradius-snapshot-20040623/libtool --mode=link gcc -release 
1.1.0-pre0 \
-module -export-dynamic  -g -O2 -D_REENTRANT -
D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -
D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-
strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-
externs -W -Wredundant-decls -Wundef  -I../../../../include  -I../..   
-I../rlm_eap_tls -
DOPENSSL_NO_KRB5 -I./../../libeap  \
-o rlm_eap_peap.la -rpath /usr/local/lib rlm_eap_peap.lo peap.lo 
../../../../lib/libradius.la \
../rlm_eap_tls/rlm_eap_tls.la -L./../../libeap -leap  -lcrypto -lssl -lcrypto -lnsl 
-lresolv  -
lpthread -lcrypto 

*** Warning: Linking the shared library rlm_eap_peap.la against the loadable module
*** rlm_eap_tls.so is not portable!
gcc -shared  .libs/rlm_eap_peap.o .libs/peap.o  -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-20040623/src/lib/.libs -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/types/rlm_eap_tls/.libs -Wl,--rpath -
Wl,/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap/.libs ../../../../lib/.libs/libradius.so 
../rlm_eap_tls/.libs/rlm_eap_tls.so -L/home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap /home/mack/sources/freeradius-snapshot-
20040623/src/modules/rlm_eap/libeap/.libs/libeap.so -lssl -lnsl -lresolv -lpthread -
lcrypto  -Wl,-soname -Wl,rlm_eap_peap-1.1.0-pre0.so -o .libs/rlm_eap_peap-1.1.0-
pre0.so
(cd .libs && rm -f rlm_eap_peap.so && ln -s rlm_eap_peap-1.1.0-pre0.so 
rlm_eap_peap.so)
ar cru .libs/rlm_eap_peap.a  rlm_eap_peap.o peap.o
ranlib .libs/rlm_eap_peap.a
creating rlm_eap_peap.la
(cd .libs && rm -f rlm_eap_peap.la && ln -s ../rlm_eap_peap.la rlm_eap_peap.la)
gmake[9]: Leaving

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Alan,

At your request, I'll try to reformat this so that it is presented as a 
problem/challenge rather than a why doesn't my solution work post:

Problem:
My AP is a 3com 7250.  It requires that you enable 802.1x on itself, the client, and 
the radius server if you want to use the radius server as the authentication server.  
My understanding is that 802.1x requires EAP-something.  I chose EAP-TLS 
because my client is stock XP and my understanding is that EAP-TLS is my only 
option with that client.

My boss asked me if it was possible to authenticate our wireless users against 
Novell's eDirectory (LDAP).  He did not specifically require 802.1x/EAP-anything.  
The only reason I'm using 802.1x/EAP is because the AP requires it.

I have successfully implemented EAP-TLS authentication between the client, AP, 
and freeradius.  Now I am attempting to add LDAP authentication, but have not 
been successful.

I can provide any configs/logs if needed.

Solution:
None so far.  Anyone have any suggestions/comments?  What would ya'll do in my 
position?

thanks,
mack



On 21 Jun 2004 at 23:52, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  My AP requires that I enable 802.1x in order to use RADIUS
  authentication.  So, I figured I'd use EAP-TLS.
 
   Are you picking it at random, or are you looking at the features it
 offers, and using your requirements to decide on a solution?
 
   I'm just testing now...using an XP client, so I chose to use
  EAP-TLS.  I want to use LDAP because that's where our userbase is
  stored (Novell eDirectory).  The idea is to authenticate users via
  LDAP.
 
   I thought I had been pretty clear in my response: EAP-TLS and LDAP
 are mutually incompatible.  Stop trying to get them to work together.
 
   I'm only using EAP-TLS because the AP won't let me use RADIUS
  otherwise.  Of course, I'm such a newbie that I'm probably getting
  it all wrong.  That's where I was hoping the list would help.
 
   You should ask about how to solve a problem, rather than asking why
 the solution you chose didn't work.
 
  If you were given my task, how would you go about implementing this?
 
   I told you.  Go back and read my message.
 
   If you could describe a problem, I might be able to come up with an
 alternate solution.
 
   Alan DeKok.
 
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Gary & Alan,

Thanks guys.  Sorry for being so stupid about all of this, but thanks to ya'll and the 
reading that I've done in this short period of time, I have learned a great deal about 
how this stuff works.

When using TTLS or PEAP, it seems that I'll still need EAP-TLS...but just on the 
server-side, not the client (am I right?).  I think that TTLS will be a better fit as 
it seems to support more methods, and PEAP seems to be strictly a MS thing.  I 
actually got the PEAP working now, though, thanks to your direction.

I'll look into demoing third party clients.  Know of any free ones, though?

It looks like maybe the 0.9.3 version of freeradius does not support TTLS.  Is this 
correct?  If so, does the CVS version include support?  Sorry if this, too, is 
documented somewhere, but I just thought I'd ask while I was here.

Thanks for the help!

mack



On 22 Jun 2004 at 12:37, Gary McKinney wrote:

 Mack,
 
 Take a look at the following URL:
 
 http://3w.denobula.com:5/EAPTLS.pdf
 
 It may be a little dated but all of the info is still relevant... one
 thing to take notice of is there is NO user password exchanged as
 EAP/TLS does not use a user's password for authentication - that chore
 is handled by the fact the supplicant contains a VALID user
 certificate the server recognizes.
 
 I think the above is what Alan is trying to convey to you - you can
 not use EAP/TLS and LDAP together as there is NO user password
 exchanged between the supplicant and Freeradius (or any other radius
 server) in that mode.  If you are looking to use LDAP and a very
 secure method for the link between the client and the AP you will have
 to use a different method (PEAP or EAP/TTLS come to mind)...
 
 You may want to check out other supplicant software (if you are
 thinking of using the EAP/TTLS method you may want to check out the
 Odyssey Supplicant software from Funk Software (they are the ones who
 came up with TTLS and are working on a RFC to that effect).
 
 I may not have stated all of the above totally correctly but you
 should get the basic meaning [grin]...
 
 There are several RFC's that come with the freeradius package - I
 would strongly suggest reading them as they are the basis for all the
 different protocols and authentication methods Alan and company have
 based the Freeradius software against ( I think )
 
 I hope the above information is helpful and taken in the manner in
 which it was meant (to be informative and helpful)...
 
 gm...
 
 
 -- Original Message --
 From: Mack [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Date:  Tue, 22 Jun 2004 12:02:33 -0400
 
 Alan,
 
 At your request, I'll try to reformat this so that it is presented as
 a problem/challenge rather than a why doesn't my solution work
 post:
 
 Problem:
 My AP is a 3com 7250.  It requires that you enable 802.1x on itself,
 the client, and the radius server if you want to use the radius
 server as the authentication server.  My understanding is that
 802.1x requires EAP-something.  I chose EAP-TLS because my client is
 stock XP and my understanding is that EAP-TLS is my only option with
 that client.
 
 My boss asked me if it was possible to authenticate our wireless
 users against Novell's eDirectory (LDAP).  He did not specifically
 require 802.1x/EAP-anything.  The only reason I'm using 802.1x/EAP is
 because the AP requires it.
 
 I have successfully implemented EAP-TLS authentication between the
 client, AP, and freeradius.  Now I am attempting to add LDAP
 authentication, but have not been successful.
 
 I can provide any configs/logs if needed.
 
 Solution:
 None so far.  Anyone have any suggestions/comments?  What would ya'll
 do in my position?
 
 thanks,
 mack
 
 
 
 On 21 Jun 2004 at 23:52, Alan DeKok wrote:
 
  Mack [EMAIL PROTECTED] wrote:
   My AP requires that I enable 802.1x in order to use RADIUS
   authentication.  So, I figured I'd use EAP-TLS.
  
Are you picking it at random, or are you looking at the features it
  offers, and using your requirements to decide on a solution?
  
I'm just testing now...using an XP client, so I chose to use
   EAP-TLS.  I want to use LDAP because that's where our userbase is
   stored (Novell eDirectory).  The idea is to authenticate users
   via LDAP.
  
I thought I had been pretty clear in my response: EAP-TLS and LDAP
  are mutually incompatible.  Stop trying to get them to work
  together.
  
I'm only using EAP-TLS because the AP won't let me use RADIUS
   otherwise.  Of course, I'm such a newbie that I'm probably
   getting it all wrong.  That's where I was hoping the list would
   help.
  
You should ask about how to solve a problem, rather than asking why
  the solution you chose didn't work.
  
   If you were given my task, how would you go about implementing
   this?
  
I told you.  Go back and read my message.
  
If you could describe a problem, I might be able to come up

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

I am still making sure my configs are okay before starting up the CVS version.  
Will let you know how it goes.

I am using the drivers provided by 3COM for my wireless nic, which is a 
3CRPAG175a really nice a/b/g card with an xjack antenna.

My supplicant is whatever comes stock with XP, plus whatever Windows Update 
offers on top of that (service packs, recommended update related to wireless, etc.)  I 
did not see any, nor would I recommend using, drivers from the windows update site.

I don't think a supplicant/client was shipped with my card, but to be honest I did not 
look very hard.  I'm just playing with the XP supplicant right now, but will look at 
third-party next (like Odyssey (Funk), etc.) since they should support TTLS.  I think 
the Windows XP supplicant will work with PEAP, but not TTLS (someone correct me if 
I'm wrong).

This is my first attempt at anything wireless (as you may have noticed by my previous 
posts), so I haven't had much experience with the various supplicants out there.  I 
think you can get a fully working demo of Odyssey (double check that) from Funk 
Software...it's supposed to do TTLS, plus some other cool stuff with Novell Client 
signons.  We'll see.

I'll let you know how my TTLS efforts go with the CVS version.  BTW...are you also 
attempting Novell LDAP with TTLS?

later,
mack

On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS few hours ago in the goal to make
 TTLS+mschapv2 and it crashes when i launch radiusd, saying that it
 can't find the rlm_eap module . ..
 
 Anyway, just for my information (still trying to get my auth working
 ..) are you using a supplicant like aegis, or just the one provided
 with your wifi card ? In my case, i used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation. can't get the
 logs right now though ..
 
 -- 
 Arnauld Dravet
 
 
 
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-22 Thread Mack
Arnauld,

About your runtime error...

I'm getting this one:

Failed to link to module 'rlm_exec': rlm_exec.a:  cannot open shared object file:  No 
such file or directory

This happens straight out of the box, running radiusd -X...no configuration changes 
made yet (testing if it runs).  I'm running the latest cvs snapshot, 20040622, on a 
gentoo linux system.  Did a standard ./configure, make, make install, with no 
errors.  Strange...if I comment exec in the instantiate section of radiusd.conf, it 
then gives me the same error but this time with rlm_expr.a.

Anyone have any clues what's going on?

thanks


On 22 Jun 2004 at 22:14, Arnauld Dravet wrote:

  It looks like maybe the 0.9.3 version of freeradius does not support
  TTLS. Is this correct?  If so, does the CVS version include support?
   Sorry if this, too, is documented somewhere, but I just thought I'd
  ask while I was here.
 
 I grabbed & compiled the CVS few hours ago in the goal to make
 TTLS+mschapv2 and it crashes when i launch radiusd, saying that it
 can't find the rlm_eap module . ..
 
 Anyway, just for my information (still trying to get my auth working
 ..) are you using a supplicant like aegis, or just the one provided
 with your wifi card ? In my case, i used the dell drivers, freeradius
 0.9.3, and got strange things during ssl initialisation. can't get the
 logs right now though ..
 
 -- 
 Arnauld Dravet
 
 
 
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Alan,

I agree...I should read the docs and the lists more thoroughly.

My AP requires that I enable 802.1x in order to use RADIUS authentication.  So, I 
figured I'd use EAP-TLS.  I'm just testing now...using an XP client, so I chose to use 
EAP-TLS.  I want to use LDAP because that's where our userbase is stored (Novell 
eDirectory).  The idea is to authenticate users via LDAP.  I'm only using EAP-TLS 
because the AP won't let me use RADIUS otherwise.  Of course, I'm such a newbie 
that I'm probably getting it all wrong.  That's where I was hoping the list would help.

If you were given my task, how would you go about implementing this?

thanks,
mack



On 21 Jun 2004 at 11:07, Alan DeKok wrote:

 Mack [EMAIL PROTECTED] wrote:
  I had scanned them prior to posting, but there seem to be no
  solutions to all of the problems people have with this
  configuration.
 
   From what I can see, you're trying to use EAP-TLS, *and* some kind
 of LDAP authorization/authentication, but you're not putting the
 usernames used by EAP-TLS into LDAP.
 
   The solution is simple:
 
   a) put the usernames into LDAP
   b) or, get the clients to use usernames which are in ldap.
 
My impression is that most of the gurus on the list are assuming
  WAY too much of some of us newbies.  They keep coming back with the
  same replies, like read the faqs, readme, rfc, etc., etc.
 
   A significant number of questions on this list are answered in the
 FAQ, README, documentation, etc.  Those replies are meant to tell
 people to stop wasting their time asking questions on the list, when
 the answer is already in front of them.
 
   But, that begs the question: If that's going to be the reply each
  time, then why even bother with the list in the first place?
 
   If you would read the list, you would see that most of the questions
 involve things which are *not* in the FAQ or README.  Those questions
 are answered.
 
My requirement is to enable 802.1x authentication to the AP's
using EAP/TLS. Additionally, I need to be able to authenticate
the users to Novell via LDAP.
 
   You can't do this.  It's impossible.
 
   EAP-TLS is an authentication mechanism.  LDAP doesn't know about
 EAP-TLS, and therefore won't be able to authenticate any EAP-TLS
 request.
 
The logs keep passing the EAP username (common name from cert)
to ldap and of course ldap spits it out because the object does
not exist.
 
   Have you tried adding that object to LDAP?  I really don't see what
 the problem is here.
 
Maybe this isn't even possible, but here's what I had hoped to
come away with: the wireless user boots their laptop, then gets
authenticated via eap/tls.
 
   That will work.
 
  They then open a browser, and are asked for username and
password (via dialog box?), or either redirected to a login
page.
 
   By who?  The AP won't do this.  And since the AP won't do this,
 *nothing* will.
 
  The username and password are then passed to ldap for
authentication.  Successful authentication results in the client
being given internet access.  Is this possible?
 
   I doubt it.  I also don't understand why you want the user to log in
 twice.
 
   Alan DeKok.
 


Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Gary,

No, no, not you.  I didn't mean you...sorry.  You've been helpful...more
so, you've shown a willingness to help.  Thanks for that.

I followed your suggestion about looking deeper into the list archives,
and have progressed a bit further (I think).  I stumbled upon PEAP, and configured
my client to use mschapv2, thus answering the question of how to send LDAP username &
password to radius.  This is all with EAP-TLS working (as far as I can
tell).  However, there's one catch...

While running radiusd in debug mode, watching the output while the client
authenticates (sends username & password), it seems to get caught in a 
loop...same output over & over again, and the client never gets totally
authenticated.  The output appears to indicate that the ldap auth and eap
auth were both successful, but this is where it keeps looping...over and over again,
keeps saying both were successful.  Unless I'm just misinterpreting the output
(that's VERY likely).  I've attached some of the output to this email (hope that's
ok...seemed too big to include in the body of the message).

I am using a gentoo ebuild of freeradius now, but will look into the
1.0.0-pre1 version.  I did notice that many of the posts assumed the users were on a 
1.0.0-pre1 build.  If nothing else, I can at least read thru the different docs
included in that build, as you've suggested.

Ready for a really dumb question?  What does ymmv mean?  I've often seen
it on lists/boards, but have never seen a translation.

Thanks for the help,
mack

On 21 Jun 2004 at 6:10, Gary McKinney wrote:

 Mack,
 
 I was not trying to blow you off by making the statement of reading
 the archives... I am still, what I consider, a newbie as well...
 
 The statement about a lot of discussion on the subject you are
 requesting is true so I thought you would be better served checking
 over those discussions!
 
 As for documentation - have you read the rlm-eap and rlm-ldap
 documentation in the docs directory of the installation package (at
 least the version 1.0.0-pre1 and later source code) has information on
 what you are looking for in terms of using eap/tls and ldap together
 (in the rlm-eap docs).
 
 If you can use the pre-release code I would suggest doing so - while
 0.9.3 is stable I have found the pre-release code does more [ymmv]...
 
 gm..
 

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-21 Thread Mack
Gary,


I didn't recognize any services as being a wireless network card manager.  Didn't see 
anything in add/remove, either.  Where/how did you find yours?

Thanks for clueing me in on the meaning of ymmv!

I'll keep digging around for more information on my problem.  BTW...did you have a 
chance to look at the output I attached?  If so, what's your interpretation?

thanks,
mack

On 21 Jun 2004 at 20:47, Gary McKinney wrote:

 Hi Mack,
 
 As for the looping problem - one question - do you have a wireless
 network card manager running in the background on the laptop (I don't
 mean the nic driver) along with the supplicant???
 
 I have EAP/TTLS running at home and ran into a looping problem that
 sounds the same (authenticated but kept on re-authenticating)... I am
 running the Odyssey Supplicant on a Windows 2000 machine and there was
 a Linksys NIC Manager program running at the same time the supplicant
 was running.  The NIC manager was causing the supplicant to disconnect
 from the nic thereby causing the supplicant to re-authenticate
 continuously! (duh!).  Turning off the NIC manager software fixed
 the problem.
 
 As for YMMV it means Your Mileage May Vary  [grin]...
 
 gm...
 

Re: radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-20 Thread Mack
Gary,

I had scanned them prior to posting, but there seem to be no solutions to
all of the problems people have with this configuration.  My impression is
that most of the gurus on the list are assuming WAY too much of some of us
newbies.  They keep coming back with the same replies, like read the faqs,
readme, rfc, etc., etc.  But, that begs the question:  If that's going to
be the reply each time, then why even bother with the list in the first
place?  Oh, well.  I am definitely taking a more in-depth look at the
archives, though, as you've suggested.  If nothing else, maybe that will
help me form better questions.  Thanks for the help!

mack

On 19 Jun 2004 at 6:34, Gary McKinney wrote:

 Mack,
 
 Check the email archives over the last three months - there is a great
 deal of information on using EAP/TLS and how to use LDAP with
 freeradius (including example snippets).
 
 gm...


radius, 802.1x, eap/tls, and edirectory (ldap)

2004-06-18 Thread Mack
Hi,

I'm a newbie to all of this, so please bear with me.  This list is all I've got!

We are introducing a wireless infrastructure on our campus (a little late
in the game).  Right now we're in testing phase.  In this testing phase,
we are using several 3com 7250 AP's, some 3com cards capable of 802.1x,
and Novell eDirectory (LDAP).  My requirement is to enable 802.1x
authentication to the AP's using EAP/TLS.  Additionally, I need to be able
to authenticate the users to Novell via LDAP.  All via the FreeRADIUS
server.

I have configured freeradius version 0.9.3 to work successfully with only
ldap authentication against Novell eDirectory.  I have also verified that
802.1x authentication is working with the AP.  However, if I attempt to
somehow enable both authentication mechanisms, I fail.  The logs keep
passing the EAP username (common name from cert) to ldap and of course
ldap spits it out because the object does not exist.

Again, I'm new to this, and maybe I have made incorrect assumptions of
what the end result should be.  Maybe this isn't even possible, but here's
what I had hoped to come away with:  the wireless user boots their laptop,
then gets authenticated via eap/tls.  They then open a browser, and are
asked for username and password (via dialog box?), or either redirected to
a login page.  The username and password are then passed to ldap for
authentication.  Successful authentication results in the client being
given internet access.  Is this possible?  Or, am I totally
misunderstanding how this is all supposed to work (very likely)?

I must admit, I'm not very comfortable when working with the config files.  Not too 
sure what I'm doing in there.  I tackled this whole project somewhat blindly, with the 
help of various bits of info I gathered from google searches.  I do need to obtain a 
good book on this stuff...that's obvious...but I am hoping that someone on this list 
has experience with getting freeradius to work with eap/tls and novell ldap 
authentication and is willing to share that experience and wisdom.

(Embarrassed) Sorry again for the newbie-ness of this post, and thanks in advance 
for any help!

mack
