Re: Post Auth Configurations
On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok wrote:
> Navodit Bhardwaj wrote:
>> For each Access-Request received and authenticated successfully I want
>> to do following:
>>
>> 1. Verify if Access-Request contains a parameter i.e. IMEI of mobile
>> 2. If Not, send Access-Reject. Else,
>> 3. compare IMEI to value in database and assign a 32bit hex number in
>> Access-Accept
>
> You should be able to just write this in unlang. Write down which
> attributes you have, and what values you're looking for. Then, write
> the logic.

Navodit,

I just asked a similar question and this is the logic I added to my
default site, right after 'preprocess':

    if (CVPN3000-Tunnel-Group-Name == 'Bookstore') {
        if (SQL-Group == 'RADIUS:bookstore') {
            noop
        } else {
            reject
        }
    }

What the above logic "says" is: If the user is requesting to be in the
Bookstore VPN group then if they are part of the RADIUS:bookstore group,
continue (noop), else reject them.

You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore', and
remove the second 'if' statement.

>> Basically, I am doing a second authentication after initial
>> authentication (PAP, CHAP) is successful.
>
> Don't do that. Do it *before* PAP or CHAP. In the "authorize" section.

Alan,

I've got a similar question that dovetails into this discussion.

Suppose I wanted to reject certain users and wanted the Reply-Message to
be customized per user authenticating, but I want to ensure that I am not
leaking the customized message. Is there a way to test the user/pw combo
first and *then* perform unlang logic?

Thanks,

-mz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
something like huntgroups?
Greetings!

Our Cisco VPN concentrator is sending some RADIUS attributes in the
request packet and if certain values appear, then I'd like to only allow
a subset of users to login.

I've looked at:

http://wiki.freeradius.org/SQL-Huntgroup-HOWTO/dbeef165862fe9ba7ef6f7d011889d1f7212cf9b

the SQL Huntgroup howto and it seemed close, but the scenario that I am
looking at is slightly different and I am getting mixed up. I am hoping
for some help.

Here is my scenario:

We have a generic VPN profile that we'd like to allow *all* users to
login to - this works well.

When users login to the "secret" profile, then the following VPN
attribute is included in the request:

    Vendor-3076-Attr-146 = 0x554d44

The attribute and value are known and constant, thus I can make decisions
on them.

Users who are in the "secret" group should be able to login to *both* the
generic profile (which does not have the Vendor-3076-Attr-146 = 0x554d44
pair) and the "secret" profile, which does have the pair.

If a user is not in the secret group, then their login should fail if the
Vendor-3076-Attr-146 = 0x554d44 pair is in the request.

Thanks for any advice or design input!

Cheers,

-mz
Re: multiple entries per radius_check table
On Mon, Jul 1, 2013 at 3:30 PM, Arran Cudbard-Bell wrote:
>
> On 1 Jul 2013, at 17:59, Matt Zagrabelny wrote:
>
>> Greetings,
>>
>> I am using a Pg datastore to hold authentication data and using the Pg
>> module for FR to hook into it.
>>
>> I am using a basic view for the radius_check table:
>>
>> # SELECT * from radius_check_users where username = 'mzagrabe';
>>  id | username |   attribute    | op |    value
>> ----+----------+----------------+----+-------------
>>   1 | mzagrabe | Crypt-Password | := | $1$somehash
>>
>> I'd also like to have the option of denying users with something like:
>>
>> atlas-# SELECT * from radius_sanction where username = 'mzagrabe';
>>  id | username | attribute | op | value
>> ----+----------+-----------+----+--------
>>   1 | mzagrabe | Auth-Type | := | Reject
>> (1 row)
>>
>> I'd like to create a UNION of these two views so that both records
>> would be returned when FR queried for 'mzagrabe'. Is it enough to
>> ensure that the "Reject" record appears before the "Crypt-Password"
>> record in the resulting UNION for FR to reject the request?
>
> It can appear before or after, it doesn't matter.
>
> https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_pap/rlm_pap.c#L330

Great!

Thanks, Arran!

Sincerely,

-mz
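The UNION Matt asks about, written out as an added example (not code from this thread or from the FreeRADIUS project). It assumes PostgreSQL, the column layout shown in the two psql listings above, and that the resulting view is what `authcheck_table` in dialup.conf points at; the table definitions and sample rows are constructed here.

```sql
-- Added example, not from the thread. Base tables with the layout shown in
-- the psql output above (in the thread these are views; plain tables here so
-- the script runs on its own). Sample rows are constructed.
CREATE TABLE radius_check_users (
    id        SERIAL PRIMARY KEY,
    username  VARCHAR(64)  NOT NULL,
    attribute VARCHAR(64)  NOT NULL,
    op        CHAR(2)      NOT NULL,
    value     VARCHAR(253) NOT NULL
);
CREATE TABLE radius_sanction (LIKE radius_check_users INCLUDING ALL);

INSERT INTO radius_check_users (username, attribute, op, value)
VALUES ('mzagrabe', 'Crypt-Password', ':=', '$1$somehash');

-- A sanction row: Auth-Type := Reject makes the server refuse the request
-- without ever comparing a password.
INSERT INTO radius_sanction (username, attribute, op, value)
VALUES ('mzagrabe', 'Auth-Type', ':=', 'Reject');

-- The combined check list, as one view that rlm_sql reads as its
-- authcheck_table (view name assumed). UNION ALL is used because the two
-- sources never hold the same row, so the de-duplicating sort of a plain
-- UNION buys nothing. Both sources number ids from 1, so "ORDER BY id"
-- interleaves them; per Arran's reply above, where the Reject row sits
-- relative to the Crypt-Password row does not matter.
CREATE VIEW radius_check AS
    SELECT id, username, attribute, op, value FROM radius_sanction
    UNION ALL
    SELECT id, username, attribute, op, value FROM radius_check_users;

-- The shape of the default authorize_check_query, with SQL-User-Name
-- substituted by the constructed user. Both rows come back for 'mzagrabe';
-- a user with no sanction row gets only the Crypt-Password row.
SELECT id, username, attribute, value, op
  FROM radius_check
 WHERE username = 'mzagrabe'
 ORDER BY id;
```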
multiple entries per radius_check table
Greetings,

I am using a Pg datastore to hold authentication data and using the Pg
module for FR to hook into it.

I am using a basic view for the radius_check table:

    # SELECT * from radius_check_users where username = 'mzagrabe';
     id | username |   attribute    | op |    value
    ----+----------+----------------+----+-------------
      1 | mzagrabe | Crypt-Password | := | $1$somehash

I'd also like to have the option of denying users with something like:

    atlas-# SELECT * from radius_sanction where username = 'mzagrabe';
     id | username | attribute | op | value
    ----+----------+-----------+----+--------
      1 | mzagrabe | Auth-Type | := | Reject
    (1 row)

I'd like to create a UNION of these two views so that both records would
be returned when FR queried for 'mzagrabe'. Is it enough to ensure that
the "Reject" record appears before the "Crypt-Password" record in the
resulting UNION for FR to reject the request?

Any other advice or hints?

Thanks!

-mz
Re: inactive users can authenticate
On Wed, Jun 26, 2013 at 9:27 AM, Alan DeKok wrote:
> Mihajlo Joksimovic wrote:
>> i have an up-to-date Debian derivative with samba4.
>> The base_filter rule in the modules/ldap file is not accepted. There i
>> gave sambaacctflags but nothing happens. still all users get accepted.
>> in Base_filter I can write what I want, it always like skips this point.
>> So everyone can login, also the disabled accounts.
>
> If only there was a way to debug this. That was documented in the
> "man" page. Or the web pages. Or daily on this list.

That's funny. :)

Because Alan makes us smile, I'll add:

    radiusd -X

-mz
Re: Authenticate SSH users against Freeradius
On Mon, May 20, 2013 at 12:58 PM, Roberto Carna wrote:
> Dear, I have:
>
> (A) One Freeradius server on Debian 6: freeradius installation and
> client.conf configuration
> (B) Another Debian 6 box with sshd: libpam-radius-auth installation
> (C) Several Windows and Linux ssh clients
>
> In (A) freeradius server, can I define the ssh users in client.conf file
> only ???

clients.conf is for the FR clients - not the users.

computer1 running FR
computer2 running sshd

computer2 is the client and belongs in the clients.conf file.

> In (B) debian sshd box server, do I have to install a radius client in
> addition to libpam-radius-auth package ??? And do I have to define any ssh
> user here ??

FR is doing whatever you want it to do in the PAM stack. We only have it
perform the authentication, but you could also have it perform
authorization, IIRC.

You will (also) need to set up local users or a central user repository
(LDAP, SQL, etc.)

Check libnss-* packages for anything other than /etc/passwd:

    % apt-cache search libnss
    libnss-gw-name - nss module that names the current gateway's IP address
    libnss-cache - NSS module for using nsscache-generated files
    libnss-db - NSS module for using Berkeley Databases as a naming service
    libnss-extrausers - nss module to have an additional passwd, shadow and group file
    libnss-ldap - NSS module for using LDAP as a naming service
    libnss-lwres - NSS module for using bind9's lwres as a naming service
    libnss-myhostname - nss module providing fallback resolution for the current hostname
    libnss-mysql-bg - NSS module for using MySQL as a naming service
    libnss-pgsql2 - NSS module for using PostgreSQL as a naming service
    libpam-ccreds - Pam module to cache authentication credentials
    libpam-ldap - Pluggable Authentication Module for LDAP
    libnss3 - Network Security Service libraries
    libnss3-1d - Network Security Service libraries - transitional package
    libnss3-dbg - Debugging symbols for the Network Security Service libraries
    libnss3-dev - Development files for the Network Security Service libraries
    libnss3-tools - Network Security Service tools
    libnss-mdns - NSS module for Multicast DNS name resolution
    libnss-ldapd - NSS module for using LDAP as a naming service
    nslcd - Daemon for NSS and PAM lookups using LDAP
    nss-passwords - read passwords from a Mozilla keyring
    nss-updatedb - Cache name service directories in DB format
    nsscache - asynchronously synchronise local NSS databases with remote directory services
    libpathfinder-dev - Development files for pathfinder
    libpathfinder-nss-1 - Pathfinder integration Library for LibNSS
    libnss-rainbow2 - nss library for rainbow
    libnss-winbind - Samba nameservice integration plugins
    winbind - Samba nameservice integration server
    libnss-sss - Nss library for the System Security Services Daemon
    libnss-sshsock2 - NSS module using an ssh socket connection

> Please, I need a good howto because I'm lost.

You will need to read a lot to get up to speed.

-mz
Re: Basic question to authenticate switches and Linux boxes
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna wrote:
> Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
> authenticate Allied switches and Debian/Centos boxes.
>
> What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

    libpam-radius-auth

You can use apt-cache to search for things:

    % apt-cache search radius pam
    freeradius - high-performance and highly configurable RADIUS server
    libpam-radius-auth - The PAM RADIUS authentication module
    yardradius - YARD Radius Authorization and Accounting Server

And

> what authentication procedure do I have to use in order to let universal AAA
> ???

I don't understand this question.

-mz
Re: design question
On Tue, Mar 5, 2013 at 9:17 PM, Arran Cudbard-Bell wrote:
>
> On 5 Mar 2013, at 18:03, Matt Zagrabelny wrote:
>
>> On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
>> wrote:
>>
>>>
>>> You know SQL supports groups right? and that a group matching can be
>>> conditional on attributes in the request? and that you can add additional
>>> config items to client definitions to mark them as special devices?
>>
>> Hi Arran,
>>
>> Thanks for the reply. I've grepped the wiki and mailing list archives
>> and could not answer the following:
>>
>> What do I change in the nas table (in the database) to mark the
>> network boxes as "special devices"? I see the schema as:
>>
>> CREATE TABLE nas (
>>   id SERIAL PRIMARY KEY,
>>   nasname VARCHAR(128) NOT NULL,
>>   shortname VARCHAR(32) NOT NULL,
>>   type VARCHAR(30) NOT NULL DEFAULT 'other',
>>   ports int4,
>>   secret VARCHAR(60) NOT NULL,
>>   server VARCHAR(64),
>>   community VARCHAR(50),
>>   description VARCHAR(200)
>> );
>>
>> Is it the "server" field? If so, could you also briefly explain how to
>> apply that to group matching? (I have added users to groups using the
>> usergroup table, but haven't touched the radgroupcheck/reply yet.)
>
> So long as you're using static devices in clients.conf you can use the xlat
> expansion "%{client:}".

I am using static devices, but I am using a nas table in a PG database.
Does that affect the xlat expansion?

I already had a 'shortname' (but not a group field) in the table schema
and tried:

    authorize {
        update request {
            Client-Group := "%{client:shortname}"
        }
        sql
    }

Here is a snippet of the 'freeradius -X' output:

    ++[files] returns noop
        expand: %{client:shortname} ->
    ++[request] returns noop
    [sql]   expand: %{Stripped-User-Name} ->
    [sql]   ... expanding second conditional

You can see that the expand didn't work as expected.

Data in the table looks like:

    atlas=> SELECT * from radius_nas limit 1;
     id | nasname | shortname | type |   secret    | server
    ----+---------+-----------+------+-------------+--------
     72 | ups     | ups       |      | sUperS3cret |
    (1 row)

And also the configuration in dialup.conf:

    nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}"

Any ideas?

Thanks,

-mz
Re: design question
On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell wrote:
>
> You know SQL supports groups right? and that a group matching can be
> conditional on attributes in the request? and that you can add additional
> config items to client definitions to mark them as special devices?

Hi Arran,

Thanks for the reply. I've grepped the wiki and mailing list archives
and could not answer the following:

What do I change in the nas table (in the database) to mark the
network boxes as "special devices"? I see the schema as:

    CREATE TABLE nas (
      id SERIAL PRIMARY KEY,
      nasname VARCHAR(128) NOT NULL,
      shortname VARCHAR(32) NOT NULL,
      type VARCHAR(30) NOT NULL DEFAULT 'other',
      ports int4,
      secret VARCHAR(60) NOT NULL,
      server VARCHAR(64),
      community VARCHAR(50),
      description VARCHAR(200)
    );

Is it the "server" field? If so, could you also briefly explain how to
apply that to group matching? (I have added users to groups using the
usergroup table, but haven't touched the radgroupcheck/reply yet.)

Thanks for any help!

-mz
Re: design question
On Mon, Mar 4, 2013 at 3:27 PM, Olivier Beytrison wrote:
> On 04.03.2013 22:17, Olivier Beytrison wrote:
>>
>> On 04.03.2013 21:56, Matt Zagrabelny wrote:
>>>
>>> Greetings,
>>>
>>> I am configuring a general purpose RADIUS server that any number of
>>> clients can connect to for authn - it uses a PostgreSQL DB as the
>>> backend datastore. I would also like to setup a secondary RADIUS
>>> server listening on a different port (ie. 1814) and use the same Pg DB
>>> as a backend, but use a "restricted" view as the "users" table, then
>>> configure devices (certain network gear) that wish to only allow users
>>> in the "restricted" view to use that secondary RADIUS server and
>>> corresponding port.
>>
>>
>> You can use the same listen ports, but group clients (which mean NAS) in
>> two groups, and assign a specific virtual server for each group, with
>> different policy, database lookup and such.
>
>
> Just to add, I think you should define a virtual server with a default
> virtual_server in the listen {} section, then for your specific NAS that
> needs special policy/authn, simply specify a different virtual_server in the
> client {} section
>
> I also wanted to add that you'll find all the information you need here
> http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail client
> sent the mail instead of pasting the link) :)

Hi Olivier,

Thanks for the replies. I'll start digesting that wiki page soon*.

I'm not sure if Debian patched the 2.1.10 line to take care of any
grievous bugs, but if we start hitting them, we may need to upgrade.

FWIW, we were/are running 1.1.0 on Solaris, so we'll be excited to have
the new bugs to deal with. :)

Cheers,

-mz
design question
Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS server
listening on a different port (ie. 1814) and use the same Pg DB as a
backend, but use a "restricted" view as the "users" table, then
configure devices (certain network gear) that wish to only allow users
in the "restricted" view to use that secondary RADIUS server and
corresponding port.

I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.

My questions are these:

Has anyone here setup a second instance of FR running on the same system
as their primary instance, but with different configs? Do you have any
suggestions for layout or keeping configs/logs straight? Or said another
way, how much confusion will there be in /etc/freeradius (default Debian
config dir) due to the second instance?

Is it worth it, just to have a single system have all of your RADIUS
servers or should I just stand up another virtual server and use that
instead?

Thanks for any help or hints!

-matt zagrabelny
Re: pam.d ssh radius
On Tue, Feb 12, 2013 at 3:50 PM, T W wrote:
>
> All,
>
> I got this working at the end of last year, but now I'm having trouble.
> I'm setting up SSH access using RADIUS auth on a Ubuntu 12.10 system. I'm
> using the latest version of libpam-radius-auth (1.3.17-0ubuntu4) and have
> followed the readme along with many other explanations and can not get it
> working. I'm getting the same error even when I try on different VM's
> running different versions of Ubuntu. The error "PAM (sshd) illegal module
> type: auth" makes it sound like it does not support the auth method. Anyone
> else run into this?

Haven't run into what you've described, but we do use the RADIUS client
PAM module as you've noted. Our /etc/pam.d/sshd looks like:

    # PAM configuration for the Secure Shell service

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth       required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    auth       required     pam_env.so envfile=/etc/default/locale

    auth       sufficient   pam_radius_auth.so

    # Standard Un*x authentication.
    #@include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    # This includes a dynamically generated part from /run/motd.dynamic
    # and a static (admin-editable) part from /etc/motd.
    session    optional     pam_motd.so motd=/run/motd.dynamic noupdate
    session    optional     pam_motd.so # [1]

    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so

    # Set up SELinux capabilities (need modified pam)
    # session required pam_selinux.so multiple

    # Standard Un*x password updating.
    @include common-password

Hope that helps.

-mz
Re: Debian (Squeeze) FreeRadius package missing config files
On Wed, Nov 21, 2012 at 9:18 AM, David Gethings wrote:
> Hi All,
>
> It appears that the Debian package for freeradius 2.1.10 does not install
> the configuration files. At least that is what is happening on my system. As
> I try to resolve this is it possible to get a copy of the config files from
> some other location?

David,

Would you run:

    apt-cache policy freeradius

?

The config files do get placed in /etc/freeradius, so there was an error
somewhere along the line during your install.

    % dpkg-deb -c freeradius-common_2.1.10+dfsg-2+squeeze1_all.deb | grep etc
    drwxr-xr-x root/root         0 2012-09-11 12:07 ./etc/
    drwxr-xr-x root/root         0 2012-09-11 12:07 ./etc/freeradius/
    -rw-r--r-- root/root     27201 2012-09-11 12:07 ./etc/freeradius/radiusd.conf
    -rw-r--r-- root/root       877 2012-09-11 12:07 ./etc/freeradius/dictionary

    % dpkg-deb -c freeradius_2.1.10+dfsg-2+squeeze1_amd64.deb | grep etc
    drwxr-xr-x root/root         0 2012-09-11 12:07 ./etc/
    drwxr-xr-x root/root         0 2012-09-11 12:07 ./etc/freeradius/
    drwxr-xr-x root/root         0 2012-09-11 12:07 ./etc/freeradius/modules/
    -rw-r--r-- root/root      3357 2012-09-11 12:07 ./etc/freeradius/modules/otp
    -rw-r--r-- root/root      1255 2012-09-11 12:07 ./etc/freeradius/modules/attr_filter
    -rw-r--r-- root/root       269 2012-09-11 12:07 ./etc/freeradius/modules/dynamic_clients
    -rw-r--r-- root/root       509 2012-09-11 12:07 ./etc/freeradius/modules/cui
    -rw-r--r-- root/root      1232 2012-09-11 12:07 ./etc/freeradius/modules/smsotp
    -rw-r--r-- root/root       558 2012-09-11 12:07 ./etc/freeradius/modules/expr
    -rw-r--r-- root/root      5267 2012-09-11 12:07 ./etc/freeradius/modules/ldap
    -rw-r--r-- root/root       347 2012-09-11 12:07 ./etc/freeradius/modules/mac2vlan
    -rw-r--r-- root/root       571 2012-09-11 12:07 ./etc/freeradius/modules/pap
    -rw-r--r-- root/root      1968 2012-09-11 12:07 ./etc/freeradius/modules/passwd
    -rw-r--r-- root/root      1587 2012-09-11 12:07 ./etc/freeradius/modules/perl
    -rw-r--r-- root/root      3289 2012-09-11 12:07 ./etc/freeradius/modules/echo
    -rw-r--r-- root/root       601 2012-09-11 12:07 ./etc/freeradius/modules/sqlcounter_expire_on_login
    -rw-r--r-- root/root       139 2012-09-11 12:07 ./etc/freeradius/modules/chap
    -rw-r--r-- root/root      2104 2012-09-11 12:07 ./etc/freeradius/modules/mschap
    -rw-r--r-- root/root       379 2012-09-11 12:07 ./etc/freeradius/modules/ntlm_auth
    -rw-r--r-- root/root      1661 2012-09-11 12:07 ./etc/freeradius/modules/preprocess
    -rw-r--r-- root/root       680 2012-09-11 12:07 ./etc/freeradius/modules/mac2ip
    -rw-r--r-- root/root      2162 2012-09-11 12:07 ./etc/freeradius/modules/sql_log
    -rw-r--r-- root/root      4465 2012-09-11 12:07 ./etc/freeradius/modules/inner-eap
    -rw-r--r-- root/root      1510 2012-09-11 12:07 ./etc/freeradius/modules/radutmp
    -rw-r--r-- root/root       559 2012-09-11 12:07 ./etc/freeradius/modules/policy
    -rw-r--r-- root/root       642 2012-09-11 12:07 ./etc/freeradius/modules/pam
    -rw-r--r-- root/root      2903 2012-09-11 12:07 ./etc/freeradius/modules/counter
    -rw-r--r-- root/root      2502 2012-09-11 12:07 ./etc/freeradius/modules/linelog
    -rw-r--r-- root/root       543 2012-09-11 12:07 ./etc/freeradius/modules/unix
    -rw-r--r-- root/root       847 2012-09-11 12:07 ./etc/freeradius/modules/realm
    -rw-r--r-- root/root      1088 2012-09-11 12:07 ./etc/freeradius/modules/logintime
    -rw-r--r-- root/root      1336 2012-09-11 12:07 ./etc/freeradius/modules/attr_rewrite
    -rw-r--r-- root/root      2134 2012-09-11 12:07 ./etc/freeradius/modules/detail
    -rw-r--r-- root/root       273 2012-09-11 12:07 ./etc/freeradius/modules/digest
    -rw-r--r-- root/root      1724 2012-09-11 12:07 ./etc/freeradius/modules/detail.log
    -rw-r--r-- root/root       442 2012-09-11 12:07 ./etc/freeradius/modules/sradutmp
    -rw-r--r-- root/root      1522 2012-09-11 12:07 ./etc/freeradius/modules/files
    -rw-r--r-- root/root       816 2012-09-11 12:07 ./etc/freeradius/modules/etc_group
    -rw-r--r-- root/root       924 2012-09-11 12:07 ./etc/freeradius/modules/detail.example.com
    -rw-r--r-- root/root       354 2012-09-11 12:07 ./etc/freeradius/modules/smbpasswd
    -rw-r--r-- root/root       548 2012-09-11 12:07 ./etc/freeradius/modules/expiration
    -rw-r--r-- root/root      1376 2012-09-11 12:07 ./etc/freeradius/modules/checkval
    -rw-r--r-- root/root      3526 2012-09-11 12:07 ./etc/freeradius/modules/wimax
    -rw-r--r-- root/root      2200 2012-09-11 12:07 ./etc/freeradius/modules/ippool
    -rw-r--r-- root/root       420 2012-09-11 12:07 ./etc/freeradius/modules/always
    -rw-r--r-- root/root       766 2012-09-11 12:07 ./etc/freeradius/modules/exec
    -rw-r--r-- root/root       153 2012-09-11 12:07 ./etc/freeradius/modules/krb5
    -rw-r--r-- root/root       287 2012-09-11 12:07 ./etc/freeradius/modules/opendirectory
    -rw-r--r-- root/root       457 2012-09-11 12:07 ./etc/freeradius/modules/acct_unique
    -rw-r--r-- root/root      1604 2012-09-11 12:07 ./etc/freeradius/huntgroups
    -rw-r--r-- root/root      3042 2012-09-11 12:07 ./etc/free
Re: buffer overflow on mschap reject
On 06/13/12 13:04, alan buxey wrote:
> Hi,
>
>> I did have a retry_msg which was left as the default value of
>>
>> retry_msg = "Re-enter (or reset) the password"
>>
>> After I commented out this line the problem went away.
>>
>> Thanks for your help. I'm guessing this shouldn't crash with the example
>> config? maybe the mschap stuff bloats the reply too much?
>
> doesn't crash here - what code release are you using?

    # ntlm_auth -V
    Version 3.5.15

    # radiusd -X | head -1
    FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29

>
> alan
Re: buffer overflow on mschap reject
On 06/12/12 15:20, Alan DeKok wrote:
> Matt Richards wrote:
>> Hello,
>>
>> I have got radius setup to authenticate wireless clients using MS-CHAP
>> and everything works correctly if the entered user / pass is correct.
>>
>> If the password is wrong, however, I get a buffer overflow error and
>> radiusd dies.
>
> You probably set the "retry_msg" to a very long string.

I did have a retry_msg which was left as the default value of

    retry_msg = "Re-enter (or reset) the password"

After I commented out this line the problem went away.

Thanks for your help. I'm guessing this shouldn't crash with the example
config? maybe the mschap stuff bloats the reply too much?

>
>>> *** buffer overflow detected ***: radiusd terminated
>>> === Backtrace: =
>
> Reading doc/bugs would help here.
>
>> I can replicate this issue with radtest.
>
> Do you have a minimal config which could help?
>
>> Does anybody know why this might be happening? If you require any
>> additional info please let me know. One thing I was thinking about
>> trying is going back a few versions of ntlm_auth and trying again. It's
>> interesting how I don't seem to be able to find any information relating
>> to this on the Internet.
>
> The error path here is very small. i.e. ~15 lines of code.
>
> Running the server under "valgrind" would help, too. But first build
> it with debugging symbols.
>
> Alan DeKok.
buffer overflow on mschap reject
Hello,

I have got radius setup to authenticate wireless clients using MS-CHAP
and everything works correctly if the entered user / pass is correct.

If the password is wrong, however, I get a buffer overflow error and
radiusd dies.

I get the following on the console when this happens ...

> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: rer
> [mschap] Told to do MS-CHAPv2 for rer with NT-Password
> [mschap]   expand: --username=%{mschap:User-Name:-None} -> --username=rer
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]   expand: %{mschap:NT-Domain} ->
> [mschap]   ... expanding second conditional
> [mschap]   expand: --domain=%{%{mschap:NT-Domain}:-WC1} -> --domain=WC1
> [mschap] mschap2: 5f
> [mschap] Creating challenge hash with username: rer
> [mschap]   expand: --challenge=%{mschap:Challenge:-00} ->
> --challenge=a20a6c5d363dd4b6
> [mschap]   expand: --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=5182a275d21751ab7007e8de241d8d516215a95d3384ccf9
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> *** buffer overflow detected ***: radiusd terminated
> === Backtrace: =
> /lib/libc.so.6(__fortify_fail+0x37)[0x7fea6d97c427]
> /lib/libc.so.6(+0xe8150)[0x7fea6d97a150]
> /lib/libc.so.6(+0xe76eb)[0x7fea6d9796eb]
> /lib/libc.so.6(__snprintf_chk+0x7b)[0x7fea6d9795bb]
> /usr/lib64/freeradius/rlm_mschap-2.1.11.so(+0x31bb)[0x7fea6c24a1bb]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> /usr/lib64/freeradius/rlm_eap_mschapv2-2.1.11.so(+0x166a)[0x7fea696d366a]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(eappeap_process+0x976)[0x7fea698d8f26]
> /usr/lib64/freeradius/rlm_eap_peap-2.1.11.so(+0x1825)[0x7fea698d7825]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2f76)[0x7fea6bc39f76]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(eaptype_select+0x176)[0x7fea6bc3a926]
> /usr/lib64/freeradius/rlm_eap-2.1.11.so(+0x2739)[0x7fea6bc39739]
> radiusd(modcall+0xb4b)[0x41c4bb]
> radiusd(indexed_modcall+0xd3)[0x418b53]
> radiusd(rad_authenticate+0x985)[0x40a075]
> radiusd(radius_handle_request+0x52)[0x424d42]
> radiusd(thread_pool_addrequest+0x9)[0x425039]
> radiusd[0x4269e6]
> /usr/lib/libfreeradius-radius-2.1.11.so(fr_event_loop+0x33b)[0x7fea6e04860b]
> radiusd(main+0x55a)[0x41cd2a]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7fea6d8b0ba6]
> radiusd[0x408fe9]

The version of freeradius I'm running is ...

    FreeRADIUS Version 2.1.11, for host x86_64-pc-linux-gnu, built on Jun 11 2012 at 11:10:29

I can replicate this issue with radtest.

Does anybody know why this might be happening? If you require any
additional info please let me know. One thing I was thinking about trying
is going back a few versions of ntlm_auth and trying again. It's
interesting how I don't seem to be able to find any information relating
to this on the Internet.

Thanks,
Matt.
Re: cisco WAP/FreeRadius/OpenLDAP
> --
>
> Message: 4
> Date: Thu, 27 Oct 2011 21:00:00 +0200
> From: Alan DeKok
> Subject: Re: Failed to load module "jradius"
> To: FreeRadius users mailing list
> Message-ID: <4ea9aa30.3020...@deployingradius.com>
>
> Travis Dimmig wrote:
>> I don't seem to be able to get freeRadius to load the "jradius" module.
>> My steps are as follows:
>> ...
>> "radiusd -X" gives:
>>
>> /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module
>> "jradius".
>
> It should give more than that. Look at the *previous* lines to see
> the real cause of the problem.
>
> Alan DeKok.
>
>
> --
>
> Message: 5
> Date: Thu, 27 Oct 2011 18:59:33 +
> From: Travis Dimmig
> Subject: RE: Failed to load module "jradius"
> To: FreeRadius users mailing list
> Message-ID: <2ecc69012853fb42a8adaba5eb3b4b800c9d1...@dsm-mail01.dsm.net>
>
> Figured it out. The jradius.conf needs to be in
> /usr/local/etc/raddb/modules. I swear it used to be one directory up...
> Anyway, I don't know if it's the freeRadius team or the JRadius team that
> maintains this plugin, but the config file is not automatically copied into
> the "modules" directory even when freeRadius is compiled with jradius support.
>
>
> Travis
>
> From: freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org
> [mailto:freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org] On
> Behalf Of Travis Dimmig
> Sent: Thursday, October 27, 2011 2:29 PM
> To: FreeRadius users mailing list
> Subject: Failed to load module "jradius"
>
> I don't seem to be able to get freeRadius to load the "jradius" module. My
> steps are as follows:
>
>     wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.12.tar.gz
>     tar -xzvf freeradius-server-2.1.12.tar.gz
>     cd freeradius-server-2.1.12
>     echo "rlm_jradius" >> src/modules/stable
>     ./configure && make && make install
>     cp src/modules/rlm_jradius/jradius.conf /usr/local/etc/raddb
>
> I configure jradius.conf to point to my JRadius server, and add jradius to
> the accounting section of sites-enabled.
> "radiusd -X" gives:
>
>     /usr/local/etc/raddb/sites-enabled/default[443]: Failed to load module "jradius".
>     /usr/local/etc/raddb/sites-enabled/default[378]: Errors parsing accounting section.
>
> I have verified that the jradius libraries have been compiled and installed
> /usr/local/lib.
>
> I've managed to compile freeRadius with the jradius module before just
> fine. Not sure what the problem is now. Any help would be greatly
> appreciated.
>
> Travis Dimmig
> Software Development Specialist
> Impulse Point
> www.impulse.com
>
> --
>
> Message: 6
> Date: Thu, 27 Oct 2011 21:01:21 +0200
> From: Alan DeKok
> Subject: Re: cisco WAP/FreeRadius/OpenLDAP
> To: FreeRadius users mailing list
> Message-ID: <4ea9aa81.50...@deployingradius.com>
>
> Matt Arguin wrote:
>> having trouble setting up my RADIUS(FreeRADIUS Version 2.1.7) to
>> auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5.
>>
>> i am trying to configure EAP-TLS
>
> Then you don't need
cisco WAP/FreeRadius/OpenLDAP
Hi All,

having trouble setting up my RADIUS (FreeRADIUS Version 2.1.7) to auth to my openldap server (openldap-2.3.43-12.el5_6.7) on CentOS 5.5. I am trying to configure EAP-TLS and think I am pretty close. I am currently wondering if possibly I have an incorrect mapping in the ldap.attrs file (it is completely default right now). Running 'radiusd -X' I do see some errors such as:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed

but later down the path of the session it looks like things are going ok, seeing a bunch of EAP challenges and it expanding the username and stuff being put in to the inner-tunnel. However, in the end:

rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=marguin2)
[ldap] checking if remote access for marguin2 is allowed by uid
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?

my ldap attribute for password is userPassword and I have tried changing the values in the ldap.attrs to match this but that did not help. Here is the full output of the run of radiusd in debug mode. Any insight is appreciated:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=181, length=132
    User-Name = "anonymous"
    Framed-MTU = 1400
    Called-Station-Id = "64a0.e729.b890"
    Calling-Station-Id = "1c65.9d32.fb68"
    Service-Type = Login-User
    Message-Authenticator = 0x247be03937ef0698a7ad23d2f86aa54b
    EAP-Message = 0x0202000e01616e6f6e796d6f7573
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 799
    NAS-Port-Id = "799"
    NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for anonymous
[ldap]     expand: %{Stripped-User-Name} ->
[ldap]     expand: %{User-Name} -> anonymous
[ldap]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=anonymous)
[ldap]     expand: dc=currensee,dc=com -> dc=currensee,dc=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.local.currensee.com:389, authentication 0
rlm_ldap: bind as cn=radius,ou=Services,dc=currensee,dc=com/c17ad5805204465ab39d11e0381272c5 to ldap.local.currensee.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=currensee,dc=com, with filter (uid=anonymous)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
[eap] EAP packet type response id 2 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
Found Auth-Type = EAP
Warning: Found 2 auth-types on request for user 'anonymous'
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 181 to 192.168.10.31 port 1645
    EAP-Message = 0x010300061920
    Message-Authenticator = 0x
    State = 0x12d3382012d02152159f345e3e0c333a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.31 port 1645, id=182, length=228
    User-Name = "anonymous"
    Framed-MTU = 1400
    Called-Station-Id = "64a0.e729.b890"
    Calling-Station-Id = "1c65.9d32.fb68"
    Service-Type = Login-User
    Message-Authenticator = 0x07f8f2c72439114d5efd54762efa740b
    EAP-Message = 0x0203005c19001603010051014d03014ea9917e4e0fee76b71533a74710796e73ac02e494439b92a5338ee6d1f1bcd92600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 799
    NAS-Port-Id = "799"
    State = 0x12d3382012d02152159f345e3e0c333a
    NAS-IP-Address = 192.168.10.31
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "anonymous", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 92
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authentica
TTLS OSX Airport Connection Dropping
I have a setup with four Linksys E4200 wireless routers all sharing the same SSID. All are configured to authenticate against the same freeradius server via WPA2 Enterprise. I have freeradius (2.1.7) set up to authenticate against Active Directory using ntlm_auth via TTLS and mschap.

Android and iOS connect correctly with this setup. Windows connects correctly as well, but is using PEAP instead of TTLS.

The problem occurs with OSX (running latest build - 10.6.8). When connecting via Airport, it connects, then the text "Authenticated via TTLS" briefly appears, then it switches back to saying "Authenticating..." During this time the wireless will remain connected for 2-3 hours, until it disconnects. After that, Airport prompts for the wireless username / password again (even though these are supposed to be automatically remembered). Turning off / on Airport always resolves the issue and gives another 2-3 hours of connectivity. The error occurs in four MacBook Pros tested.

Thanks so much for any help! If someone could point me in some direction, that would be great. The log containing the conversation between an OSX machine and freeradius is available at: http://nofouls.com/images/radlog.txt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAP problem?
Hi list,

I'm pretty sure this issue is straightforward but I've searched the list and can't come up with an answer. I'm using freeradius 2.19 on CentOS 5.5. I'm trying to auth users from a NAC box (Bradford Campus Manager) against an AD domain using freeradius. All works fine when I point an AP at freeradius, but things fail when using our NAC to forward requests to FreeRadius. I suspect the problem is that the NAC is trying to use PAP, but I'm not sure how to really resolve the problem. Here are my logs:

Ready to process requests.
rad_recv: Access-Request packet from host 129.67.147.204 port 32960, id=174, length=78
    User-Name = "SAMBA_TEST"
    User-Password = "password"
    NAS-Identifier = "pmbcm01.pmb.ox.ac.uk"
    NAS-IP-Address = 129.67.147.204
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]     expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/129.67.147.204/auth-detail-20110303
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/129.67.147.204/auth-detail-20110303
[auth_log]     expand: %t -> Thu Mar 3 11:45:17 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "SAMBA_TEST", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for SAMBA_TEST
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]     expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=SAMBA_TEST))
[ldap]     expand: cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK -> cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 129.67.147.225:389, authentication 0
rlm_ldap: bind as cn=samba,cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK/password to 129.67.147.225:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in cn=Users,dc=PMB,dc=OX,dc=AC,dc=UK, with filter (&(sAMAccountName=SAMBA_TEST))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user SAMBA_TEST authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> SAMBA_TEST
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 174 to 129.67.147.204 port 32960
Waking up in 4.9 seconds.
Cleaning up request 0 ID 174 with timestamp +

Cheers,
Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Using an external CA certificate
Thanks Alex, that was spot on and fixed the issue, much appreciated.

-----Original Message-----
From: freeradius-users-bounces+matt.langthorpe=pmb.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+matt.langthorpe=pmb.ox.ac...@lists.freeradius.org] On Behalf Of Alexander Clouter
Sent: 01 March 2011 13:30
To: freeradius-users@lists.freeradius.org
Subject: Re: Using an external CA certificate

Matt Langthorpe wrote:
>
> Having a bit of trouble following the official freeradius wiki when it
> comes to certificates. Basically I have my own certificate which I
> want to use. I have a ***.crt file which was sent by my issuer, and a
> private.pem file which was created when I made my CSR request using
> openssl.
>
alex@chipmunk:~$ unzip 10133697.zip
Archive:  10133697.zip
 extracting: 10133697.ca-bundle
 extracting: 10133697.crt
alex@chipmunk:~$ cat 10133697.crt 10133697.ca-bundle > server.pem

The infernal folks at Comodo seem to have changed their process recently so that you get the bundle; the old style approach was:

$ cat 10133697.crt TERENASSLCA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt > server.pem

Now in your 'eap.conf' file use the following and you should be set:

private_key_password = secret
private_key_file = ${certdir}/server.key
certificate_file = ${certdir}/server.pem

FYI, if you have to do a similar thing with Apache, you want:

SSLEngine on
SSLCertificateFile /etc/apache2/certs/example/10133697.crt
SSLCertificateKeyFile /etc/apache2/certs/example/privkey.pem
SSLCertificateChainFile /etc/apache2/certs/example/10133697.ca-bundle

> I have uploaded the two files into my raddb/certs folder, but am
> unsure as to where to point to them in my eap.conf? I notice none of
> the cert files listed in eap.conf have a *.crt extension which is a
> bit confusing.
>
This is UNIX, file extensions are generally meaningless and should be ignored.

Cheers

--
Alexander Clouter
.sigmonster says: I think the world is run by C students.
                  -- Al McGuire

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Using an external CA certificate
Hi List, Having a bit of trouble following the official freeradius wiki when it comes to certificates. Basically I have my own certificate which I want to use. I have a ***.crt file which was sent by my issuer, and a private.pem file which was created when I made my CSR request using openssl. I have uploaded the two files into my raddb/certs folder, but am unsure as to where to point to them in my eap.conf? I notice none of the cert files listed in eap.conf have a *.crt extension which is a bit confusing. Thanks in advance, Matt - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rejecting EAP-TLS based on cert Subject field [RESOLVED]
On 1/28/2011 3:48 AM, Alan DeKok wrote:
> Put the "unlang" in the "authenticate" section, after "eap":
>
> Auth-Type eap {
>     eap
>     if (...) {
>         ...
>     }
> }

Thank you!! That did the trick. The entirety of my authenticate section is now:

authenticate {
    Auth-Type Kerberos {
        krb5
    }
    Auth-Type eap {
        eap
        if ( "%{TLS-Client-Cert-Subject}" =~ /\/OU=Evil\// ) {
            reject
        }
    }
}

And it works perfectly. Thank you!

As for Windows XP dealing with the rejection:
> You're sending a *radius* reject. It doesn't include an EAP-Message
> with an *EAP* reject. So you need to create a fake one:
>
> update reply {
>     EAP-Message := 0x
> }
>
> That can work sometimes...

Ah, thanks for the tip. I added this in the "Post-Auth-Type REJECT" section:

if ( "%{control:Auth-Type}" == "EAP" ) {
    update reply {
        EAP-Message := 0x04010004
    }
}

The code seems to work as expected, but Windows XP still doesn't seem to handle it sensibly. But I can live with that.

Thank you, Alan!

-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 3:03 PM, Phil Mayers wrote:
>> I've met this need (using 2.1.11 from git) with a simple bit of unlang
>> in post-auth{}:
>>
>> if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
>>     reject
>> }
>
> Just put this in the "authorize" section? If it's early in the EAP
> conversation, TLS-Client-* won't be set so won't match, meaning this
> will succeed as soon as you get that far.

I'm not sure I follow you here. Are you saying that there is a place in the authorize section where TLS-Client-* _would_ be accessible to unlang? I've tried it in a few places (before eap, after eap, at the top of the section, at the bottom of the section) and it seemed to have no effect. But it's entirely possible that I missed something during these tests.

> Correct. Unlang is only processed in authorize-like steps, not arbitrary
> bits of the config.

I can understand that. But given that the eap module has access to some client cert fields during authentication (e.g. check_cert_issuer and check_cert_cn), it would be nice to be able to access these and other client cert fields with unlang (or something similar) at that stage. But, admittedly, I'm way over my head here :-) so I'll make do with one of the methods described earlier in this thread.

Thanks,
-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 3:41 PM, Matt Garretson wrote:
> The XP client still tries three times (duh), but at least radius.log reflects
> a failure:
>
> Error: TLS_accept: error in SSLv3 read client certificate B
> Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
> Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

*sigh* I left out the first (and most useful) logging line in the above:

Auth: rlm_eap_tls: Certificate CN (eviluser) fails external verification!

So, again, it's better than what I'd had before, but not as elegant as I was hoping.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 1:24 PM, Matt Garretson wrote:
> Thanks. That's actually my goal. But unlang isn't allowed in
> authenticate{}, and my attempts to sneak it into the authentication
> phase via the tls{} section in eap.conf didn't seem to work.
> Any other ways to do it?

Replying to myself here... I got a bit closer to my goal by putting this in the verify{} subsection of tls{}:

tmpdir = /tmp/radiusd
client = "/usr/local/bin/checkcert %{TLS-Client-Cert-Filename}"

Where /usr/local/bin/checkcert contains:

#!/bin/sh
if /usr/bin/openssl x509 -in "$1" -noout -text | \
   /bin/grep -q " Subject:.* OU=Evil," ; then
    RC=1
else
    RC=0
fi
exit $RC

The XP client still tries three times (duh), but at least radius.log reflects a failure:

Error: TLS_accept: error in SSLv3 read client certificate B
Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Auth: Login incorrect (TLS Alert write:fatal:certificate unknown): [snip]

Still, it would be nice if I could use unlang (or something) to match against %{TLS-Client-Cert-Subject} during the authenticate stage somehow. Is there a way that I'm missing?

Thanks,
-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
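An added example, not the poster's checkcert script: a stricter verify{} hook for the same tls { verify { client = ... } } slot. The grep in the post only matches "OU=Evil" when a comma follows it in the -text "Subject:" line, so an OU that is the last RDN is never caught; this variant prints one RDN per line in RFC 2253 form and matches the OU value exactly. The denied OU value and the sample subject text in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the post's own checkcert. radiusd invokes it with the
# client certificate path (%{TLS-Client-Cert-Filename}) as $1; a non-zero
# exit fails the EAP-TLS handshake, as in the thread.

DENIED_OU="Evil"   # constructed value from the thread; a literal, not a regex

# subject_denied TEXT
#   TEXT is the output of
#     openssl x509 -noout -subject -nameopt RFC2253,sep_multiline
#   i.e. "subject=" followed by one indented "TYPE=value" line per RDN.
#   Returns 0 when some OU RDN equals $DENIED_OU exactly, 1 otherwise;
#   "OU=Evildoers" or "CN=OU=Evil" do not count as matches.
subject_denied() {
    printf '%s\n' "$1" | grep -qxE "[[:space:]]*OU=${DENIED_OU}"
}

# check_cert_file PATH
#   0 = accept, 1 = reject (denied OU present), 2 = certificate unreadable
#   (also a reject from radiusd's point of view, but distinguishable in logs).
check_cert_file() {
    subject=$(openssl x509 -in "$1" -noout -subject \
                  -nameopt RFC2253,sep_multiline 2>/dev/null) || return 2
    if subject_denied "$subject"; then
        echo "checkcert: rejecting certificate with OU=${DENIED_OU}: $1" >&2
        return 1
    fi
    return 0
}

# When invoked by radiusd with a certificate path, run the check and exit
# with its result; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then
    check_cert_file "$1"
    exit $?
fi
```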
Re: Rejecting EAP-TLS based on cert Subject field
On 1/27/2011 1:14 PM, Alan Buxey wrote:
> you are authenticating...and then rejecting in the post-auth
> stage. you really need to break the process in the authentication
> stage.

Thanks. That's actually my goal. But unlang isn't allowed in authenticate{}, and my attempts to sneak it into the authentication phase via the tls{} section in eap.conf didn't seem to work. Any other ways to do it? I'd thought of using rlm_perl, but couldn't see that the cert fields are passed to the module.

Thanks,
-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Rejecting EAP-TLS based on cert Subject field
For years, we've been doing simple EAP-TLS with various versions of FreeRADIUS. Now, a new requirement has come down to me such that radius will have to reject certain valid client certs based on a string in the Subject field of the client cert.

I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}:

if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) {
    reject
}

It works, but there are two non-ideal things about the way it works:

1) Windows XP doesn't seem to notice the rejection and keeps retrying for a minute or two, ultimately failing to show any failure/error message to the user.

2) The rejection is not logged in radiusd.log; rather, three "Auth: Login OK" lines are logged (the repetition is due to XP's retries).

Is there any way I can address these two issues? I did try putting the above unlang into eap.conf's tls{} section (where check_cert_issuer and check_cert_cn would be), in hopes that the rejection would occur during the auth rather than after it, but the code doesn't seem to have any effect there.

Thanks in advance for any clues...
-Matt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Check line and radgroupcheck evaluation question
As usual, thanks Alan. I appreciate the help.

-M

On Wed, Jun 16, 2010 at 7:55 AM, Alan DeKok wrote:
> Matt Hite wrote:
>> Are check lines in the "users" file short-circuit "AND" evaluated from
>> left to right?
>
> Yes.
>
>> Extrapolating this presumption out to radgroupcheck
>> when using a MySQL database, are the check items evaluated simply in
>> order of column id value (ie. the order they are returned from the
>> SELECT)?
>
> Yes.
>
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Check line and radgroupcheck evaluation question
Hello,

Are check lines in the "users" file short-circuit "AND" evaluated from left to right? Extrapolating this presumption out to radgroupcheck when using a MySQL database, are the check items evaluated simply in order of column id value (ie. the order they are returned from the SELECT)?

authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"

Just trying to wrap my head around how one might do something useful with radgroupcheck. I guess you are supposed to be able to match some condition on the row whose group matches with the lowest column ID and then subsequent rows that also have the same matching group (with higher column ID's) can be used to set attributes or look for further requisite conditions?

I am actually wanting to reject connections when groups of users come in on the wrong huntgroup. I've seen significant discussion and confusion in the mailing list archives in regards to this. Most of the time I see people say "use radcheck to reject." I did spot a gem from Ivan Kalik, though, which led me down this path.

>>However, the issue remains:
>>I do not want the user to be rejected per se. I only want the user to be
>>rejected if her own huntgroup as stored in radgroupcheck is different from
>>the huntgroup of the Called-Station-Id in the radhuntgroup table. The goal
>>is to prevent a user to login to a hotspot router, that does not belong to
>>the huntgroup the user belongs to.
>
>Hm, and what do you think:
>
>>> Huntgroup-Name != "Test", Auth-Type := Reject
>
>that does? As a joke, put them in radgroupcheck and see if it does
>*exactly* what you have described.

Thanks for your help,
-M
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap/mschapv2 + MySQL
>> I'd love to use inner-tunnel if I could get it to work.
>
> so..what's the error then - radiusd -X - it should be quite obvious

Alan: I believe I posted the errors I have been getting. I have posted the debug output in previous posts in this thread. If there is more information that you think I should be giving please let me know.

-- mattsig
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap/mschapv2 + MySQL
>> Ok, well like I said, mysql wasn't being queried by the inner-tunnel
>> server. Still not clear on why that was happening, but I worked around
>> it by commenting out inner-tunnel as the virtual server to use for
>> peap. So the default server is being used and working.
>
> er, it wasn't working when you proxy to inner-tunnel
> because SQL *WASN'T* configured in your inner-tunnel section...
>
> go have a look at your inner-tunnel config again and tell me where
> 'sql' appears in your authenticate section?
>
> now see how you have it configured in your 'default'

hmm.. well as far as I can tell, 'sql' isn't supposed to be in the authenticate section. In my default config it is in the authorize section just as it is in inner-tunnel. When I did try to add it to authenticate, I get an error on startup:

inner-tunnel[223]: "SQL" modules aren't allowed in 'authenticate' sections -- they have no such method.
inner-tunnel[223]: Failed to parse "sql" entry.

> if you use inner-tunnel then you have far more efficient
> config and server CPU usage etc.

I'd love to use inner-tunnel if I could get it to work.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap/mschapv2 + MySQL
> Now I've read a million posts on the web, including this list where
> people have reported the same problem. In most cases the problem was
> that the inner-tunnel server wasn't configured for sql. I definitely
> have sql on in the inner-tunnel file (which I will post in a sec). The
> mysql server IS being queried on the initial request, but not in
> inner-tunnel. Can someone please shed some light on this for me.

Ok, well like I said, mysql wasn't being queried by the inner-tunnel server. Still not clear on why that was happening, but I worked around it by commenting out inner-tunnel as the virtual server to use for peap. So the default server is being used and working.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
peap/eap/mschapv2 + MySQL
Hello list,

First of all: freeradius-2.1.8, Mysql 5.1.41 on Ubuntu 10.04 / Airport Extreme v7.5

I'm having trouble authenticating users with EAP/mschapv2 against a mysql database. Users authenticate fine if they are in the users file. Here's the main problem it seems from the debug output:

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for oogabooga with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Now I've read a million posts on the web, including this list where people have reported the same problem. In most cases the problem was that the inner-tunnel server wasn't configured for sql. I definitely have sql on in the inner-tunnel file (which I will post in a sec). The mysql server IS being queried on the initial request, but not in inner-tunnel. Can someone please shed some light on this for me. Here is my inner-tunnel file and debug output (long).

Thanks,
Matt

/etc/freeradius/sites-enabled/inner-tunnel :

server inner-tunnel {
    authorize {
        chap
        mschap
        unix
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        sql
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    session {
        radutmp
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
} # inner-tunnel server block

debug output:

rad_recv: Access-Request packet from host 10.20.20.254 port 65023, id=181, length=153
    User-Name = "oogabooga"
    NAS-IP-Address = 10.20.20.254
    NAS-Port = 0
    Called-Station-Id = "F8-1E-DF-FC-8C-82:xyz"
    Calling-Station-Id = "00-17-F2-45-F7-CF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x028d000e016f6f6761626f6f6761
    Message-Authenticator = 0x9388a95b4d72cd941931671109245b66
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oogabooga", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 141 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql]     expand: %{Stripped-User-Name} ->
[sql]     ... expanding second conditional
[sql]     expand: %{User-Name} -> oogabooga
[sql]     expand: %{%{User-Name}:-DEFAULT} -> oogabooga
[sql]     expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> oogabooga
[sql] sql_set_user escaped user --> 'oogabooga'
rlm_sql (sql): Reserving sql socket id: 3
[sql]     expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'oogabooga' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'oogabooga' ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'oogabooga' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'oogabooga' ORDER BY id
[sql]     expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'oogabooga' ORDER BY priority
rlm_sql_mysql: query: SELECT gr
Re: Log IP address (Calling-Station-Id?) of failed authentication attempts
Was a bit confused with this one. You can't actually use msg_goodpass and/or msg_badpass unless auth_goodpass and/or auth_badpass is set to "yes." Doing this DOES force logging of passwords. (Comments in radiusd.conf seem to confirm.)

Did a bit more digging (ie. checked out source code and looked at it). It appears the functionality to log client IP (Calling-Station-Id) is already there -- you only need "auth = yes" in radiusd.conf enabled. Enabling "auth_badpass = yes" and/or "auth_goodpass = yes" and msg_goodpass/msg_badpass to include %{Calling-Station-Id} is not necessary.

Specifically, there is a function in auth.c called auth_name() that is called during radlog_request(). This function will expand Calling-Station-Id for inclusion in the log message.

It appears the actual NAS equipment I am using (Force10) just doesn't send a Calling-Station-Id; hence FreeRADIUS doesn't log it. Works fine with Cisco kit though.

Mystery solved!

-M

On Sun, May 9, 2010 at 1:19 AM, Alan DeKok wrote:
> Matt Hite wrote:
>> It looks like I can possibly enable auth_badpass and auth_goodpass in
>> radiusd.conf and then set:
>>
>> msg_goodpass = "%{Calling-Station-Id}"
>> msg_badpass = "%{Calling-Station-Id}"
>
> Yes.
>
>> Is this going about it the right way?
>
> Yes.
>
>> Also, I really don't want the failed passwords to get logged. (I don't
>> want to see my colleagues plain-text passwords.) If I do use the
>> aforementioned technique, am I also going to see passwords? I'm
>> guessing yes.
>
> No. See "auth_badpass" and "auth_goodpass" configuration items. If
> they're set to "no", passwords are not logged.
>
> Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
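An added example, not from the post: an awk-based summary of the "Login incorrect" lines the thread discusses, counting failures per NAS client and per Calling-Station-Id, and listing the clients (like the Force10 kit above) whose lines carry no station id at all. The line shape follows the post; the " cli <Calling-Station-Id>" suffix that auth_name() appends when the NAS sends one, the "via TLS tunnel" suffix, and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: summarise failed logins from the
# radiusd auth log (radiusd.conf "auth = yes"). Assumed line shape:
#   radiusd[PID]: Login incorrect: [user] (from client NAME port N cli ID)
# where " cli ID" appears only when the NAS sent a Calling-Station-Id.

# Constructed sample log: one NAS that sends no Calling-Station-Id (as the
# Force10 kit in the post) and one that does, plus a tunnelled inner request.
SAMPLE_LOG='radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login OK: [plugh] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login incorrect: [root] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login incorrect: [bob] (from client AP-lab port 5 cli 00-17-F2-45-F7-CF)
radiusd[13877]: Login incorrect: [bob] (from client AP-lab port 5 cli 00-17-F2-45-F7-CF via TLS tunnel)'

# failed_logins_by_client < LOG
#   Prints "COUNT CLIENT CLI", one line per (NAS client, Calling-Station-Id),
#   most failures first; CLI is "-" when the NAS sent no Calling-Station-Id.
failed_logins_by_client() {
    awk '
        /Login incorrect: / {
            client = "?"; cli = "-"
            # "(from client " is 13 characters, " cli " is 5
            if (match($0, /\(from client [^ )]+/))
                client = substr($0, RSTART + 13, RLENGTH - 13)
            if (match($0, / cli [^ )]+/))
                cli = substr($0, RSTART + 5, RLENGTH - 5)
            count[client " " cli]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# failed_login_alerts THRESHOLD < LOG
#   Only the (client, station) pairs with at least THRESHOLD failures,
#   i.e. the rows worth turning into an alert.
failed_login_alerts() {
    failed_logins_by_client | awk -v n="$1" '$1 >= n'
}

# clients_without_cli < LOG
#   NAS clients whose failed-login lines carry no Calling-Station-Id, so the
#   per-station view above cannot be built for them from the log alone.
clients_without_cli() {
    failed_logins_by_client | awk '$3 == "-" { print $2 }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_login_alerts 2
```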
Log IP address (Calling-Station-Id?) of failed authentication attempts
Hello. I would like to log the client IP of failed & successful authentications to my RADIUS-enabled switches. Right now failed/success show up like this:

radiusd[13877]: Login incorrect: [xyzzy] (from client SW-2745-C1.sv4 port 0)
radiusd[13877]: Login OK: [plugh] (from client SW-2745-C1.sv4 port 0)

It looks like I can possibly enable auth_badpass and auth_goodpass in radiusd.conf and then set:

msg_goodpass = "%{Calling-Station-Id}"
msg_badpass = "%{Calling-Station-Id}"

Is this going about it the right way?

Also, I really don't want the failed passwords to get logged. (I don't want to see my colleagues' plain-text passwords.) If I do use the aforementioned technique, am I also going to see passwords? I'm guessing yes.

Thanks for your help and insight.
-M
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Log the 802.1x session
On Fri, Apr 9, 2010 at 12:11 PM, Garber, Neal wrote:
>> From what I've read, supplicants can send an EAPOL-Logoff message to
>
> If the requirement is to determine when the user disconnects, isn't this best
> handled by accounting data? That is, if the authenticator supports sending
> Accounting-Request packets to RADIUS, then when the user disconnects, it
> should send an Acct-Status-Type=stop request.

Absolutely. While I've not played with 802.1X + accounting personally, it looks like there is decent support in Cisco kit:

http://www-europe.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_ieee802_pba.html#wp1280467

-M
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Log the 802.1x session
On Fri, Apr 9, 2010 at 8:46 AM, Rosario Lumia wrote:
> Sorry for my (very) bad english. Only for clearness: I'd want to know if
> there is a way to log the end of a 802.1x session. I mean: a client turn off
> his wireless card and (I think) AP can (??) send a message to freeradius
> because the association between client and AP is lost.
> My question was: is it possible?
> Your answer was very clear. Answer: probably not.

From what I've read, supplicants can send an EAPOL-Logoff message to an authenticator (ie. an AP/switch). The authenticator could then disable the "port." I can't think of any good reason the authenticator would send this message to RADIUS. I've also read that Windows clients will send an EAPOL-Start message when a user logs off instead of an EAPOL-Logoff. Neither of these are really good methods for determining whether an association between a client and an AP is lost.

-M
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 8:40 PM, Bruno Kremel wrote:
> 2010/4/1 Matt Harlum :
>>
>> On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>>
>> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>>
>> Here's an example from my radcheck table in the SQL Database
>> | id | UserName    | Attribute     | op | Value       |
>> +----+-------------+---------------+----+-------------+
>> |  1 | exampleuser | User-Password | == | password123 |
>> This is how yours should be set up, otherwise you will get the "validating"
>> issue in Windows.
>>
>> I was wrong
>> it should be
>> Here's an example from my radcheck table in the SQL Database
>> | id | UserName    | Attribute          | op | Value       |
>> +----+-------------+--------------------+----+-------------+
>> |  1 | exampleuser | Cleartext-Password | := | password123 |
>> My configuration was wrong it'd seem, I hadn't noticed as I'm primarily
>> using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to
>> 2.x
>> Regards,
>> Matt Harlum
>>
>>
>> To me it seems that name/password was accepted so I have no clue where
>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives
>> me
>> Accept-Accept only on correct login and password so I think that it's not
>> that
>> SQL...
>>
>>
>> As Alan said, it was simply ignored because of the misconfiguration
>> Regards,
>> Matt Harlum
>>
>
> Thank you for answer.. You are right with that sql it is some mess in
> daloradius, but I tried to disable SQL and use /etc/freeradius/users
> file instead, but I am stuck on Attempting to authenticate now.. log
> says this:

Are you trying to use EAP-TTLS?

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.3.1 port 1320, id=0,
> length=137
> Cleaning up request 39 ID 0 with timestamp +589
>         User-Name = "pokus"
>         NAS-IP-Address = 192.168.3.1
>         Called-Station-Id = "00259c523046"
>         Calling-Station-Id = "001e650eb532"
>         NAS-Identifier = "00259c523046"
>         NAS-Port = 9
>         Framed-MTU = 1400
>         State = 0x53b1704550ba694fbe3359243d2a2638
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020b00061900
>         Message-Authenticator = 0x5fde19c57e8672a11c18b0b34d8c3acd
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>     rlm_realm: No '@' in User-Name = "pokus", looking up realm NULL
>     rlm_realm: No such realm "NULL"
> ++[suffix] returns noop
>   rlm_eap: EAP packet type response id 11 length 6
>   rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
>   rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   rlm_eap_peap: EAPTLS_HANDLED
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.3.1 port 1320
>         EAP-Message = 0x010c00061900
>         Message-Authenticator = 0x
>         State = 0x53b1704557bd694fbe3359243d2a2638
> Finished request 40.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 40 ID 0 with timestamp +589
> Ready to process requests.

Hard for me to tell what's going wrong here; radiusd -X should give more diagnostic information that would help. Also, what was the exact section of your users file like? With obfuscated login credentials of course.

> That Access-Challenge should authenticate my client if I am not wrong,
> but it still shows me validating identity and the attempting to
> authenticate...
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 1:44 PM, Matt Harlum wrote:
>
> On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
>
>> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
>> What should be there?
>> Because I don't know I am using Daloradius web interface for adding data to
>> database, so I just loaded default daloradius sql which was intended
>> (according to readme of daloradius) for 2.X Freeradius... and added accounts
>> in web interface...
>
> Here's an example from my radcheck table in the SQL Database
> | id | UserName    | Attribute     | op | Value       |
> +----+-------------+---------------+----+-------------+
> |  1 | exampleuser | User-Password | == | password123 |
>
> This is how yours should be set up, otherwise you will get the "validating"
> issue in Windows.
>

I was wrong, it should be

Here's an example from my radcheck table in the SQL Database

| id | UserName    | Attribute          | op | Value       |
+----+-------------+--------------------+----+-------------+
|  1 | exampleuser | Cleartext-Password | := | password123 |

My configuration was wrong it'd seem, I hadn't noticed as I'm primarily using EAP-TLS with EAP-TTLS as a fallback. Didn't test it when I upgraded to 2.x

Regards,
Matt Harlum

>
>>>
>>>> To me it seems that name/password was accepted so I have no clue where
>>>> is the problem..
>>>
>>> The password was NOT accepted. It was *ignored*.
>>>
>> And what is that Accept-Accept on the end of the log?... also radtest gives
>> me
>> Accept-Accept only on correct login and password so I think that it's not
>> that
>> SQL...
>>
>
> As Alan said, it was simply ignored because of the misconfiguration
>
> Regards,
> Matt Harlum
Re: Freeradius + PEAP.. stuck on validating identity..
On 01/04/2010, at 7:39 AM, Bruno Kremel wrote:
> On Wednesday 31 March 2010 21:28:48 Alan DeKok wrote:
> What should be there?
> Because I don't know I am using Daloradius web interface for adding data to
> database, so I just loaded default daloradius sql which was intended
> (according to readme of daloradius) for 2.X Freeradius... and added accounts
> in web interface...

Here's an example from my radcheck table in the SQL Database

| id | UserName    | Attribute     | op | Value       |
+----+-------------+---------------+----+-------------+
|  1 | exampleuser | User-Password | == | password123 |

This is how yours should be set up, otherwise you will get the "validating" issue in Windows.

>>
>>> To me it seems that name/password was accepted so I have no clue where
>>> is the problem..
>>
>> The password was NOT accepted. It was *ignored*.
>>
> And what is that Accept-Accept on the end of the log?... also radtest gives
> me
> Accept-Accept only on correct login and password so I think that it's not
> that
> SQL...
>

As Alan said, it was simply ignored because of the misconfiguration

Regards,
Matt Harlum
Re: problem with PEAP/MSCHAPv2
Hi,

What OS is the client machine running? It would seem like an issue with the client to me.

Regards,
Matt Harlum

On 31/03/2010, at 8:31 PM, Christian Pinedo Zamalloa wrote:
> wrong version number
Re: Memory Leak on version 2.1.3
Hi,

Even though you're running it in production I'd recommend updating every now and again. IMHO it's worth it, RADIUS is used for Authentication after all. I tend to keep a copy of my last build in case I need to revert anyway.

Regards,
Matt Harlum

On 25/03/2010, at 10:35 AM, Zhang, Ge (Gina) wrote:
> The server is in production and we won't upgrade for a while.
>
> Where to find the changelog?
>
> Thanks for your help!
>
> Regards,
> Gina
>
> -----Original Message-----
> From: freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org
> [mailto:freeradius-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org]
> On Behalf Of Gary Gatten
> Sent: Wednesday, March 24, 2010 6:31 PM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: Re: Memory Leak on version 2.1.3
>
> there are at least 3 newer versions. Have you tried the latest and/or read
> the changelog?
>
> ----- Original Message -----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
> To: FreeRadius users mailing list
> Sent: Wed Mar 24 18:24:54 2010
> Subject: Memory Leak on version 2.1.3
>
> Hi,
>
> I am using 2.1.3 freeradius server and found memory leak.
> I use ttls+mschapv2 for authentication. After each authentication, the memory
> usage increases.
> Is there a patch fix for this?
>
> Thanks,
> Gina Zhang
Re: Freeradius says it is listening on port 1812, but isn't
After my previous email I've successfully re-installed my custom config and am able to auth my clients again

Regards,
Matt Harlum

On 25/03/2010, at 12:11 AM, Gary Gatten wrote:
> If u really want 2 knw the issue, undo the changes one by one until it breaks
> again.
>
> ----- Original Message -----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
> To: FreeRadius users mailing list
> Sent: Wed Mar 24 04:56:19 2010
> Subject: Re: Freeradius says it is listening on port 1812, but isn't
>
> Hi,
>
> I believe the problem is now resolved
>
> The only things I changed was that my hosts file was wrong, the IP for the
> servers FQDN was incorrect but I'm not sure this is what it was
> I also turned off ip forwarding with sysctl -w net.inet.ip.forwarding=0
> Even though natd, and the firewall have been disabled. must be a weird OSX
> thing
>
> Sorry for wasting your time guys and thanks for the help
>
> Regards,
> Matt Harlum
>
> On 24/03/2010, at 8:27 PM, Matt Harlum wrote:
>
>> On 24/03/2010, at 8:21 PM, Fajar A. Nugraha wrote:
>>
>>> On Wed, Mar 24, 2010 at 3:51 PM, Matt Harlum wrote:
>>>> Hi,
>>>>
>>>> I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac
>>>>
>>>> Since March last year I've had 2.1.6 installed however it's been switched
>>>> off for the last few months.
>>>> Recently I powered it back on and have run system updates etc and got to
>>>> the point I am now
>>>>
>>>> When I launch FreeRadius it says it is listening on *:1812 for auth
>>>> however my AP is unable to connect,
>>>
>>> "unable to connect" is the result. Many things can cause it, from
>>> incorrect radius IP/secret settings on AP to firewalls blocking
>>> packets.
>>
>> Checked both which are correct, no firewalls enabled
>>
>>>
>>>> and trying telnet on port 1812 results in "Connection Refused"
>>>
>>> you can't test UDP with telnet. Try the included radtest and radclient
>>>
>>
>> Ahh ok, I'll give those a try
>>
>>>>
>>>> I've tried reverting the configuration to default but it hasn't worked.
>>>> running radiusd -x does not throw any errors
>>>
>>> does it print incoming packets and process it?
>>> does tcpdump (or whatever packet capture tools you have) shows incoming
>>> packets?
>>>
>>
>> It doesn't show anything when connection attempts are made, I'll let you
>> know how I go with netcat and the radtest tools
>> Thanks
>>
>>> --
>>> Fajar
Re: Multiple radius servers with the same CA
Hi,

John covered pretty much everything I was going to say. I'd recommend choosing a machine to generate your keys and certs on and sticking with that, otherwise you'll end up with SSL Certs with clashing serial numbers. Plus it'll allow you to revoke certificates later if need be.

Regards,
Matt Harlum

On 24/03/2010, at 11:30 PM, John Dennis wrote:
> On 03/24/2010 06:21 AM, sphaero wrote:
>>
>> Hi All,
>>
>> I've been searching the archives for a while on some guidance into setting
>> up multiple radius servers using the same CA for use with EAP/TTLS.
>>
>> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
>> I've got 2 radius servers for redundancy. All NAS devices have two radius
>> server configured.
>>
>> I'm using the scripts from freeradius 2.0 to generate the certificates
>> according to instructions in the README. I've setup the ca.cnf and
>> server.cnf (not using eap/tls so I skip clients.cf).
>>
>> On the primary radius server I generated the certificates by issuing:
>> make
>>
>> Now on the second radius server I just copy the following files:
>> /certs/ca.pem
>> /certs/ca.key
>> /certs/ca.der
>> /certs/*.cnf
>> /certs/Makefile
>> /certs/README
>> /certs/xpextensions
>>
>> and issue:
>> make server
>> make dh
>>
>> This seems to have worked. But is this really correct?
>> I'm renewing one radius server and did this procedure again but now I'm
>> receiving "chain could not be validated" errors in SecureW2. Radius log
>> seems fine however EAP communication is not finished which corresponds with
>> the client stopping communication since it can't validate the certificate.
>> I'm really getting lost in the SSL jungle? I would really like to understand
>> how this is done right, since it is about security.
>
> It would help to read the Makefile and understand it. Your goal is to produce
> multiple certificates, each with a unique subject (e.g. the host name of the
> radius server) and have it signed by the ca. There is no need to do this
> process on each machine, the creation of certs can be done on any machine.
>
> Find the part of the Makefile which says this:
>
> "Create a new server certificate, signed by the above CA."
>
> If you make the server.pem target (e.g. make server) it will cause the
> Makefile to execute a series of commands to produce the certificate starting
> with a CSR (Certificate Signing Request). Note, the server.csr target depends
> on server.cnf so make sure you edit this for each server whose certificate
> you want to generate (see the req(1) man page to understand how the
> certificate subject, e.g. DN, may be specified).
>
> But also note in the Makefile that server.crt is dependent on ca.key and
> ca.pem, which themselves are dependent on ca.cnf. If when you copy the files
> the ca.cnf file ends up with a newer timestamp than ca.key or ca.pem then a
> new ca will be created, you don't want that. You can either fix the
> timestamps using touch or just make all the certs on one machine so you don't
> have to worry about the ca being recreated.
>
>
> After you've created your certificates on the one machine (don't forget to
> rename the server.{crt,p12,pem} files) dump them out using
>
> openssl x509 -in XXX.pem -inform PEM -text
>
> and verify each has the certificate subject you expected.
>
> Then verify each cert with:
>
> openssl verify -CAfile ca.pem XXX.pem
>
> If that succeeds you'll know each is successfully signed by the same ca and
> you can distribute that ca to your clients. Then copy your server certs to
> your RADIUS hosts, don't forget to edit the config so certificate names match
> how you named your certs (it will no longer be server.{crt,p12,pem}).
> --
> John Dennis
Re: Multiple radius servers with the same CA
Hi,

Is it possible that make server generated a new CA etc? I'd recommend making a copy of the current CA cert on each machine and doing a diff

Regards,
Matt Harlum

On 24/03/2010, at 9:21 PM, sphaero wrote:
>
> Hi All,
>
> I've been searching the archives for a while on some guidance into setting
> up multiple radius servers using the same CA for use with EAP/TTLS.
>
> I've generated a CA which is distributed to all the clients (i.e. SecureW2).
> I've got 2 radius servers for redundancy. All NAS devices have two radius
> server configured.
>
> I'm using the scripts from freeradius 2.0 to generate the certificates
> according to instructions in the README. I've setup the ca.cnf and
> server.cnf (not using eap/tls so I skip clients.cf).
>
> On the primary radius server I generated the certificates by issuing:
> make
>
> Now on the second radius server I just copy the following files:
> /certs/ca.pem
> /certs/ca.key
> /certs/ca.der
> /certs/*.cnf
> /certs/Makefile
> /certs/README
> /certs/xpextensions
>
> and issue:
> make server
> make dh
>
> This seems to have worked. But is this really correct?
> I'm renewing one radius server and did this procedure again but now I'm
> receiving "chain could not be validated" errors in SecureW2. Radius log
> seems fine however EAP communication is not finished which corresponds with
> the client stopping communication since it can't validate the certificate.
> I'm really getting lost in the SSL jungle? I would really like to understand
> how this is done right, since it is about security.
>
> Rg,
>
> Arnaud
Re: Freeradius says it is listening on port 1812, but isn't
Hi,

I believe the problem is now resolved

The only things I changed was that my hosts file was wrong, the IP for the servers FQDN was incorrect but I'm not sure this is what it was
I also turned off ip forwarding with sysctl -w net.inet.ip.forwarding=0
Even though natd, and the firewall have been disabled. must be a weird OSX thing

Sorry for wasting your time guys and thanks for the help

Regards,
Matt Harlum

On 24/03/2010, at 8:27 PM, Matt Harlum wrote:
> On 24/03/2010, at 8:21 PM, Fajar A. Nugraha wrote:
>
>> On Wed, Mar 24, 2010 at 3:51 PM, Matt Harlum wrote:
>>> Hi,
>>>
>>> I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac
>>>
>>> Since March last year I've had 2.1.6 installed however it's been switched
>>> off for the last few months.
>>> Recently I powered it back on and have run system updates etc and got to
>>> the point I am now
>>>
>>> When I launch FreeRadius it says it is listening on *:1812 for auth however
>>> my AP is unable to connect,
>>
>> "unable to connect" is the result. Many things can cause it, from
>> incorrect radius IP/secret settings on AP to firewalls blocking
>> packets.
>
> Checked both which are correct, no firewalls enabled
>
>>
>>> and trying telnet on port 1812 results in "Connection Refused"
>>
>> you can't test UDP with telnet. Try the included radtest and radclient
>>
>
> Ahh ok, I'll give those a try
>
>>>
>>> I've tried reverting the configuration to default but it hasn't worked.
>>> running radiusd -x does not throw any errors
>>
>> does it print incoming packets and process it?
>> does tcpdump (or whatever packet capture tools you have) shows incoming
>> packets?
>>
>
> It doesn't show anything when connection attempts are made, I'll let you know
> how I go with netcat and the radtest tools
> Thanks
>
>> --
>> Fajar
Re: Freeradius says it is listening on port 1812, but isn't
On 24/03/2010, at 8:21 PM, Fajar A. Nugraha wrote:
> On Wed, Mar 24, 2010 at 3:51 PM, Matt Harlum wrote:
>> Hi,
>>
>> I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac
>>
>> Since March last year I've had 2.1.6 installed however it's been switched
>> off for the last few months.
>> Recently I powered it back on and have run system updates etc and got to the
>> point I am now
>>
>> When I launch FreeRadius it says it is listening on *:1812 for auth however
>> my AP is unable to connect,
>
> "unable to connect" is the result. Many things can cause it, from
> incorrect radius IP/secret settings on AP to firewalls blocking
> packets.

Checked both which are correct, no firewalls enabled

>
>> and trying telnet on port 1812 results in "Connection Refused"
>
> you can't test UDP with telnet. Try the included radtest and radclient
>

Ahh ok, I'll give those a try

>>
>> I've tried reverting the configuration to default but it hasn't worked.
>> running radiusd -x does not throw any errors
>
> does it print incoming packets and process it?
> does tcpdump (or whatever packet capture tools you have) shows incoming
> packets?
>

It doesn't show anything when connection attempts are made, I'll let you know how I go with netcat and the radtest tools

Thanks

> --
> Fajar
Freeradius says it is listening on port 1812, but isn't
Hi,

I'm running Freeradius 2.1.6 on MacOSX 10.5.7 on a Dual-G4 867Mhz PowerMac

Since March last year I've had 2.1.6 installed however it's been switched off for the last few months. Recently I powered it back on and have run system updates etc and got to the point I am now

When I launch FreeRadius it says it is listening on *:1812 for auth however my AP is unable to connect, and trying telnet on port 1812 results in "Connection Refused"

I've tried reverting the configuration to default but it hasn't worked. Running radiusd -x does not throw any errors

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.

Anyone have any ideas as to why this would be happening all of a sudden? Perhaps the system updates broke it?

Regards,
Matt Harlum
Re: Users Groups
Can you clarify this statement:

"but my user still got the privilege to connect to all the routers in the network"

Do you send a specific RADIUS attribute, like a VSA? Or are you making this statement based upon receiving an Access-Accept?

-M

On Thu, Mar 11, 2010 at 5:16 AM, Siryx XL wrote:
> Yes... I did it.
>
> When I run freeradius in debug mode (radiusd -X) I see that the nasipaddress
> make a match with radhuntgroup, but nothing happen after that, just the
> default process of authentication.
>
>> Date: Wed, 10 Mar 2010 14:58:08 -0800
>> Subject: Re: Users Groups
>> From: li...@beatmixed.com
>> To: freeradius-users@lists.freeradius.org
>>
>> Did you perform step #3 in the How-To?
>>
>> radiusd.conf:
>>
>> update request {
>>         Huntgroup-Name := "%{sql:select groupname from radhuntgroup where
>> nasipaddress=\"%{NAS-IP-Address}\"}"
>> }
>>
>> On Wed, Mar 10, 2010 at 12:53 PM, Siryx XL wrote:
>> > I tried the huntgroups but it didn't work.
>> >
>> > I use this guide http://wiki.freeradius.org/SQL_Huntgroup_HOWTO because
>> > I'm
>> > using MySQL to store all my users, huntgroups, etc.
>> >
>> > I create the huntgroup table, associate the nasipaddress to a group,
>> > create
>> > the radgroupcheck, and associate my user with the group; but my user
>> > still
>> > got the privilege to connect to all the routers in the network.
>> >
>> > Something is missing? Thanks for the help.
>> >
>> >
>> > Date: Sat, 6 Mar 2010 07:20:27 +1300
>> > Subject: Re: Users Groups
>> > From: plambrecht...@gmail.com
>> > To: freeradius-users@lists.freeradius.org
>> >
>> > On Sat, Mar 6, 2010 at 5:42 AM, John Dennis wrote:
>> >
>> > On 03/05/2010 11:31 AM, Siryx XL wrote:
>> >
>> > Hi everyone.
>> >
>> > I'm using FreeRADIUS Version 2.1.1, I use it to control the access to a
>> > routers networks.
>> >
>> > I want to permit certain users to get access to some routers and deny
>> > access to another routers. Like group the users per routers, I read some
>> > documentation, but I can't make it work.
>> >
>> > Have you tried using huntgroups?
>> >
>> > Me I always use huntgroups + ldap as that way the groups are managed in
>> > your
>> > LDAP directory.
>> >
>> >
>> > http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
Re: Users Groups
Did you perform step #3 in the How-To?

radiusd.conf:

update request {
        Huntgroup-Name := "%{sql:select groupname from radhuntgroup where nasipaddress=\"%{NAS-IP-Address}\"}"
}

On Wed, Mar 10, 2010 at 12:53 PM, Siryx XL wrote:
> I tried the huntgroups but it didn't work.
>
> I use this guide http://wiki.freeradius.org/SQL_Huntgroup_HOWTO because I'm
> using MySQL to store all my users, huntgroups, etc.
>
> I create the huntgroup table, associate the nasipaddress to a group, create
> the radgroupcheck, and associate my user with the group; but my user still
> got the privilege to connect to all the routers in the network.
>
> Something is missing? Thanks for the help.
>
>
> Date: Sat, 6 Mar 2010 07:20:27 +1300
> Subject: Re: Users Groups
> From: plambrecht...@gmail.com
> To: freeradius-users@lists.freeradius.org
>
> On Sat, Mar 6, 2010 at 5:42 AM, John Dennis wrote:
>
> On 03/05/2010 11:31 AM, Siryx XL wrote:
>
> Hi everyone.
>
> I'm using FreeRADIUS Version 2.1.1, I use it to control the access to a
> routers networks.
>
> I want to permit certain users to get access to some routers and deny
> access to another routers. Like group the users per routers, I read some
> documentation, but I can't make it work.
>
> Have you tried using huntgroups?
>
> Me I always use huntgroups + ldap as that way the groups are managed in your
> LDAP directory.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
Re: vlan and freeradius
On Wed, Mar 3, 2010 at 10:44 AM, Phil Mayers wrote:
>> but how to set the fail VLAN and guest VLAN to Y ???
>
> Setting the "Fail" and "Guest" VLAN by radius doesn't make any sense.
>
> The "Fail" vlan is what to use when the radius server is unavailable.
>
> The "Guest" vlan is what to do when the client doesn't do 802.1x i.e. no
> radius.
>
> So you can't set these over radius.

Look in the Cisco documentation for information on:

dot1x auth-fail vlan vlan-id

and

dot1x guest-vlan vlan-id

-M
Is it possible to make groups of called-station-id 's?
Hi All

We are using FR 2.1.5 for authenticating wireless users against our LDAP database. Recently, our student wireless vlan is getting too large, and we wish to subdivide it. Currently we place users in the appropriate vlan based on the user type returned via the groupmembership_attribute as defined in modules/ldap. So if that attribute =student, we put them in student vlan. Our users file entry looks like:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ ".*Wireless ", Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
        User-Name=`%{User-Name}`,
        Tunnel-Private-Group-Id=student,
        Tunnel-Type=VLAN,
        Fall-Through = no

To reduce the number of broadcast domains going out a wireless access point, we are thinking of placing all students in Building X into a student_vlanX. To do this, we need to identify all the APs in the building. For each AP in that building we'd have something like this in our users file (where 00-01-02-AA-BB-CC is the mac-address of an access point in building X):

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Called-Station-Id =~ "00-01-02-AA-BB-CC.*Wireless", Huntgroup-Name == WSS1, unbldap-Ldap-Group == student
        User-Name=`%{User-Name}`,
        Tunnel-Private-Group-Id=student_vlanX,
        Tunnel-Type=VLAN,
        Fall-Through = no

I'm quite certain this would work, however I was hoping there'd be some way similar to the huntgroups file (which I realize is for NAS's which our AP's are not acting as) that could group all our Access Point devices into a group so we wouldn't have to have a statement in the users file like the one above for every single wireless access point in our network.

Any advice is appreciated.

Thanks
Matt
Device specific Access-Accept attributes and granular user group control
Hello --

I am running freeradius2-2.1.7 with MySQL as the backend datastore. I've got a deployment up and running supporting the admin login to about 200 switches from a single vendor. I'm looking to expand my deployment and thus some new requirements have surfaced.

Requirements:

- Different brands of gear should get different VSAs and/or general attributes returned in Access-Accept messages. For example, if I log in from a Cisco device, I should get a different RADIUS attribute sent back than when logging in from an F5 or a NetScreen.
- Some users can log into certain groups of devices, others should not be able to

I'm fairly certain the #2 requirement will require the use of huntgroups. Does anyone have any idea how to accomplish requirement #1?

Thanks for your help in pointing me in the right direction.
Accounting SQL Entries
Hello list.

I have been testing FreeRADIUS for a project we are looking at running to authenticate users for Giganews. I have got the authentication part working well, and the authentication attempts get logged correctly into MySQL. Now, I am trying to log the session details, such as data to and from the host. I've tried various configs, FAQs and similar with little luck. I am slightly stumped as to where to look now. Can anyone offer any help or advice.

Thank you.

M

--
freeradius: FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
RE: showing NAS-IP of 127.0.01 instead of
I just figured that out via a sniff. Thanks for the note. I'll go after the requesting software now.

From: Garber, Neal [mailto:neal.gar...@energyeast.com]
Sent: November 25, 2009 2:27 PM
To: 'm...@unb.ca'; 'FreeRadius users mailing list'
Subject: RE: showing NAS-IP of 127.0.01 instead of

> The problem is that although the Access-Request packet is shown as coming from the correct host,
> that host's ip address is not showing up as the NAS-IP-Address for that request. Instead, it's showing
> as 127.0.0.1 as seen below:
> I'm wondering what could cause this? Any help is appreciated.

The NAS is sending that attribute within the request - ask the NAS vendor why they are sending 127.0.0.1. I've seen this issue with Lantronix console servers (not sure if that's the NAS you are using). They eventually updated their firmware to use the correct address. As a workaround, I did the following in the authorize section of the default server (before preprocess if you want huntgroup name lookup to work properly):

if (NAS-IP-Address == "127.0.0.1") {
        update request {
                NAS-IP-Address := "%{Client-IP-Address}"
        }
}
showing NAS-IP of 127.0.01 instead of
Hi,

I'm running FreeRADIUS Version 2.1.5. We are trying to do system authentication for some users. Doing this by creating huntgroups based on NAS-IP-Address, and then telling that huntgroup to use System for authentication. The problem is that although the Access-Request packet is shown as coming from the correct host, that host's ip address is not showing up as the NAS-IP-Address for that request. Instead, it's showing as 127.0.0.1 as seen below:

    rad_recv: Access-Request packet from host 192.168.27.7 port 53201, id=130, length=51
        User-Name = "xm7z1"
        User-Password = "abc.123"
        NAS-IP-Address = 127.0.0.1

I'm wondering what could cause this? Any help is appreciated.

Thanks
Matt
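An added example, not code from this thread or from FreeRADIUS, that parses radiusd -X output of the shape shown above, flags requests whose NAS-IP-Address is a loopback address, and computes what the unlang workaround in the reply (NAS-IP-Address := Client-IP-Address) would substitute. It generalises the workaround's exact "127.0.0.1" comparison to the whole 127/8 range; the sample log lines are constructed.

```python
"""Spot NASes that report 127.0.0.1 as NAS-IP-Address.

Added example built on the radiusd -X excerpt in the thread; it is not
code from the thread or from FreeRADIUS.  The sample log is constructed.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^rad_recv: Access-Request packet from host (?P<host>\S+) "
    r"port (?P<port>\d+), id=(?P<id>\d+)"
)
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+) = (?P<value>.*)$")

# Constructed sample: one NAS that claims loopback and one that does not.
SAMPLE_DEBUG_LOG = "\n".join([
    "rad_recv: Access-Request packet from host 192.168.27.7 port 53201, id=130, length=51",
    '\tUser-Name = "xm7z1"',
    "\tNAS-IP-Address = 127.0.0.1",
    "rad_recv: Access-Request packet from host 192.168.27.8 port 1645, id=7, length=60",
    '\tUser-Name = "someone"',
    "\tNAS-IP-Address = 192.168.27.8",
])


def parse_debug_log(text):
    """Group radiusd -X lines into one dict per Access-Request:
    {"host": source IP, "port": int, "id": int, "attrs": {name: value}}."""
    requests = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"host": m["host"], "port": int(m["port"]),
                       "id": int(m["id"]), "attrs": {}}
            requests.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            # Strip the quotes radiusd prints around string attributes.
            current["attrs"][m["name"]] = m["value"].strip('"')
    return requests


def claims_loopback(request):
    """True when the NAS put a 127/8 address in NAS-IP-Address.  This
    generalises the unlang test, which compares against "127.0.0.1" only."""
    nas_ip = request["attrs"].get("NAS-IP-Address")
    if nas_ip is None:
        return False
    try:
        return ipaddress.ip_address(nas_ip).is_loopback
    except ValueError:
        return False


def effective_nas_ip(request):
    """What the workaround leaves in NAS-IP-Address: the packet's source
    address when the NAS claimed loopback, otherwise the NAS's own value."""
    if claims_loopback(request):
        return request["host"]
    return request["attrs"].get("NAS-IP-Address", request["host"])


def find_loopback_nas(requests):
    """(id, source host) for each request whose NAS needs a firmware fix."""
    return [(r["id"], r["host"]) for r in requests if claims_loopback(r)]


if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_DEBUG_LOG)
    for r in parsed:
        print(r["id"], r["host"], "->", effective_nas_ip(r))
    print("loopback NASes:", find_loopback_nas(parsed))
```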
Re: Pre-release of 2.1.7
Builds okay on Fedora 7 and Fedora 10:

    ./configure --with-system-libtool --prefix=/opt/radius --localstatedir=/var

"make tests" also passes on both, FWIW. But I won't be able to actually install it for a week or two.

Alan, thanks for all of your hard work on FreeRADIUS!

-Matt
Re: Reloading CRL for EAP-TLS
>>> Are you planning to improve CRL support in version 2.0 in some near future?
>> What do you mean by better support?

Are you asking for a way to update CRLs without a bounce of freeradius?

--
Matt
Re: FreeRADIUS EAP-TLS and SSL certificate chains
Remember when you put your Root CA file (and perhaps the CRL for that CA) into your certificate directory, and ran 'c_rehash'? Well - it's just like that. You might have had RootCA.pem with the Verisign CA certificate. Personally - I like to have a separate file for each intermediate CA certificate in the chain. When you think you are done - you can test the validity of your new certificate like this:

    openssl verify -crl_check -CApath /path/to/certificate-file/server.pem.cert

Hope this helps. Give it a go and let us know if you have any problems.

--
Matt

On Fri, Feb 13, 2009 at 12:11 PM, Meyers, Dan wrote:
> I'm sure I must just be being thick with our FreeRADIUS config, but I've
> completely failed to find anything online or in the docs explaining
> *what* I'm doing wrong, so I'm posting here.
>
> We've had a FreeRADIUS server set up for some time now, with an SSL
> certificate directly signed by one of Verisign's root CAs, for the
> purposes of doing EAP-TLS domain auth. This worked fine on both
> FreeRADIUS 1.1.7 and 2.0.5. However our cert is due to expire in a
> month, and it would appear no one issues root signed certs any more,
> they're all cert chains. Obviously with things like apache this is fine,
> as you install the chain bundle file at the same time as your actual
> cert, and the chain gets passed to the client, who follows it to a root
> CA they do already trust. I'm having trouble working out how to do this
> with FreeRADIUS however. All the info I can find suggests that if I edit
> my certificate file so that it contains multiple certs, from least
> trusted at the top (my server cert) down the chain and file to the one
> which has been signed by a root CA the user's machine will already
> trust, then machines will follow the chain as expected and accept the
> certificate. However if I do this, and have a chain file of the same
> format as I use successfully on the web server (i.e. multiple BEGIN and
> END blocks with a single cert between each pair), then my client
> machines still fail to pick up the chain, and thus can't validate the
> certificate.
>
> Am I missing something blindingly obvious with regards to how to do
> certificate chains in FreeRADIUS? If so, please tell me what.
>
> Thanks
>
> --
> Dan Meyers
> Network Specialist, Lancaster University
> E-Mail: d.mey...@lancaster.ac.uk
Re: Certificate Provisioning for EAP-TLS Networks
> How do you get the certificates on the device in the first place?

Well - that's the problem. I would like for there to be a USB cable method of putting the key material on the device. Then we could build some nifty client script to automate the provisioning. But these devices in particular don't have that. As it is - we need to set up some ad-hoc or other non-routed WLAN with PSK or WEP security, put the device(s) on there and at that point the devices can pull the certs down via http or tftp.

So, here's how it goes in our test environment. We have the 'production' WLAN which must remain WPA2/EAP-TLS. For compliance there is no flexibility of the security of that WLAN. *sigh* OK no worries it makes it a cool problem to solve. :-)

So I've just got a laptop temporarily set up with a little ad-hoc network for provisioning the phones via tftp. These will be in a dozen remote locations so I need to build a solution enabling rapid provisioning of the devices with minimal local technical oversight.

--
Matt
Certificate Provisioning for EAP-TLS Networks
I am running FreeRadius at my company on a WLAN - using SSL key material issued by our internal certificate authority. All is well. However a pretty big limitation of this security architecture is of course getting the SSL key material onto the devices. In our case - the devices are SIP phones with no wired ethernet connection. I know there are other sites with similar issues.

I would like to hear some ideas on what folks are doing to manage SSL key material on devices. This would include initial key provisioning and re-keying when certs expire. Presently ours expire every 90 days.

Thoughts?

--
Matt
Re: FreeRADIUS + OpenLDAP + MSCHAPv2
On Nov 14 Tim Gustafson wrote:

> I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine.

The easiest way to install the latest FreeRADIUS on CentOS I know of is to visit <http://koji.fedoraproject.org/koji/packageinfo?packageID=298>, find the latest source RPM and rebuild it. It's a small amount of work, but will stop people saying "upgrade" a lot..

> I'm trying to figure out how to configure FreeRADIUS to authenticate
> against an OpenLDAP server using MSCHAPv2. I Googled a lot of different
> phrases, and came up with some things that were mildly helpful. Right
> now, I have FreeRADIUS authenticating against the LDAP server without
> using MSCHAPv2, but I'm not understanding how to now activate the
> MSCHAPv2 part.

I have it working. You need to check your ldap.attrmap (or whatever you've set dictionary_mapping to) points at the right LDAP field. I use the samba schema, so:

    checkItem NT-Password sambaNtPassword

Then your debug log should include entries like:

    rlm_ldap: sambaNtPassword -> NT-Password == 0x
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?

..but this is OK, since with "mschap" before "ldap" in your authorize{} block, FreeRADIUS will handle the challenge-response stuff correctly for MSCHAPv2 using the NT hash from OpenLDAP.

Make sure you bind to OpenLDAP with sufficient privilege to read the NT hash!

HTH

Matt
Re: [awful patch] "Multiple levels of TLS nesting is invalid."
At 14:19 +0200 Alan DeKok wrote:

>> I have run into another bug: if I instantiate rlm_ldap in my servers
>> "dcs-inner" and "maths-inner", it seems to use the base DN for
>> "maths-inner" (instantiated second) for queries from "dcs-inner".
>
> As always, debug mode.

By this point we've correctly walked from default -> dcs -> dcs-inner. But.. as dcs-inner invokes rlm_ldap, it's using the wrong ldap instance:

    server dcs-inner {
    +- entering group authorize {...}
    [dcs-inner-preprocess]  hints: Matched DEFAULT at 1
    ++[dcs-inner-preprocess] returns ok
    ++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
        expand: %{User-Name} -> mb
    ? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
    ++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
    ++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) {...}
        expand: %{1} -> mb
    +++[request] returns ok
    ++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns ok
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    [dcs-inner-eap] No EAP-Message, not doing EAP
    ++[dcs-inner-eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [dcs-inner-files]       expand: dc=maths,dc=qmul,dc=ac,dc=uk -> dc=maths,dc=qmul,dc=ac,dc=uk
    [dcs-inner-files]       expand: (uid=%{Stripped-User-Name}) -> (uid=mb)
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to ldapserver.maths.qmul.ac.uk:389, authentication 0
    rlm_ldap: setting TLS Require Cert to never
    rlm_ldap: starting TLS
    rlm_ldap: bind as cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk/ to ldapserver.maths.qmul.ac.uk:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=maths,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0

My radius.conf includes:

    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE ${confdir}/dcs/modules.conf
        $INCLUDE ${confdir}/maths/modules.conf
    }
    instantiate {
    }
    $INCLUDE ${confdir}/dcs/server
    $INCLUDE ${confdir}/maths/server

NB x/modules.conf includes x/inner/modules.conf and x/server includes x/inner/server for x in {dcs, maths}. The "server" files, modulo these includes, only contain server{} blocks.

If I transpose the $INCLUDE ${confdir}/x/server lines, then it uses the dcs LDAP instance, AFAICT:

    server dcs-inner {
    +- entering group authorize {...}
    [dcs-inner-preprocess]  hints: Matched DEFAULT at 1
    ++[dcs-inner-preprocess] returns ok
    ++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/)
        expand: %{User-Name} -> mb
    ? Evaluating ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
    ++? if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) -> TRUE
    ++- entering if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) {...}
        expand: %{1} -> mb
    +++[request] returns ok
    ++- if ("%{User-Name}" =~ /^([EMAIL PROTECTED])(@([-[:alnum:].]+))?$/) returns ok
    [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
    ++[mschap] returns ok
    [dcs-inner-eap] No EAP-Message, not doing EAP
    ++[dcs-inner-eap] returns noop
    rlm_ldap: Entering ldap_groupcmp()
    [dcs-inner-files]       expand: dc=dcs,dc=qmul,dc=ac,dc=uk -> dc=dcs,dc=qmul,dc=ac,dc=uk
    [dcs-inner-files]       expand: %{Stripped-User-Name} -> mb
    [dcs-inner-files]       expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=mb)
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to mortar.dcs.qmul.ac.uk:389, authentication 0
    rlm_ldap: setting TLS CACert File to /etc/raddb/dcs/certs/DCS_CA_cert.pem
    rlm_ldap: setting TLS Require Cert to demand
    rlm_ldap: starting TLS
    rlm_ldap: bind as cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk/xx to mortar.dcs.qmul.ac.uk:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=dcs,dc=qmul,dc=ac,dc=uk, with filter (uid=mb)
    rlm_ldap: ldap_release_conn: Release Id: 0

${confdir}/dcs/inner/server references ${confdir}/dcs/inner/ldap.common which contains

    identity = "cn=radiusd,ou=Infrastructure,dc=dcs,dc=qmul,dc=ac,dc=uk"
    basedn = "dc=dcs,dc=qmul,dc=ac,dc=uk"

etc. whereas ${confdir}/maths/inner/server references ${confdir}/maths/inner/ldap.common which contains

    identity = "cn=radiusd,dc=maths,dc=qmul,dc=ac,dc=uk"
    basedn = "dc=maths,dc=qmul,dc=ac,dc=uk"

and so on. I'm guessing that such parameters aren't scoped locally enough.

HTH

Matt
Re: [awful patch] "Multiple levels of TLS nesting is invalid."
At 14:19 +0200 Alan DeKok wrote:

> Matt Bernstein wrote:
>> We will have multiple server certificates; our departments are rather
>> independent here.
>
> Ugh. There's not really any good reason for this. If the departmental
> certs are signed by a university CA, then you can still get away with
> one server instance.

I'm not claiming there's no technical solution. On the other hand, our departments don't trust each other more in a political way. We don't really have a university PKI. For eduroam, it's arguable that you want your server cert as local to your user base as possible. Our Maths users have no reason to trust a server certificate issued by my department.

>>     update control {
>>         Virtual-Server = "%{Realm}"
>>     }
>>
>> What does this achieve?
>
> What I said in my previous message: If you have one server certificate
> for TTLS, you don't need this extra layer of nesting. The TTLS && PEAP
> modules will look for a *dynamic* definition of the virtual server for
> the inner-tunnel.

OK, thanks: sorry I didn't understand that before.

>> Does it avoid the first layer of proxying?
>
> It does what I said it does.

OK, so without a single CA it doesn't help us.

>> My set-up is working without it, AFAICT:
>
> Yes, I did read your message. I did see the point where you said your
> configuration worked. Maybe I was trying to describe how you could
> achieve your goal *without* source code patches.

OK. I think the only way to avoid carrying my filthy patch is to run multiple non-virtual servers.

>> Maybe the inner eap config can be the same for the "inner" virtual
>> servers, but the server{} blocks will necessarily be different.
>
> Well, yes. That's the point of virtual servers.

>> I have run into another bug: if I instantiate rlm_ldap in my servers
>> "dcs-inner" and "maths-inner", it seems to use the base DN for
>> "maths-inner" (instantiated second) for queries from "dcs-inner".
>
> As always, debug mode.

Sorry--I'll start a new reply on this point.

>> Am I just being too weird and hairy? Or should I use a separate radiusd
>> and raddb for each subrealm, as is the case with my production
>> FreeRADIUS 1.1 set-up?
>
> It's a little complicated. Unnecessarily so, IMHO.

I'm trying to allow different departments to use eduroam with whatever AAA backends they want without the bother of having to run a RADIUS server. My institution might be unusual in that there are multiple backends--even within our computing service--but the reasons behind this are not necessarily technical.

I hope this makes where I'm coming from a little clearer.

Matt
Re: [awful patch] "Multiple levels of TLS nesting is invalid."
On Oct 15 Alan DeKok wrote:

> Matt Bernstein wrote:
>> So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of
>> TLS nesting. I'm trying to use virtual servers so that a single radiusd
>> can terminate TTLS/PEAP for multiple subrealms, _and_ use the
>> inner-tunnel trick, keeping the configs completely independent for each
>> subrealm.
>
> If you have one server certificate for TTLS, you don't need this extra
> layer of nesting.

We will have multiple server certificates; our departments are rather independent here.

>> This allows me to hook up different departments with different AAA
>> infrastructures into one radius set-up for our eduroam service.
>>
>> My "default" server has a pair of listen{} blocks, and little else:
>>
>>     authorize {
>>         suffix
>
>         update control {
>             Virtual-Server = "%{Realm}"
>         }

What does this achieve? Does it avoid the first layer of proxying? My set-up is working without it, AFAICT:

    server default {
    +- entering group authorize {...}
    [suffix] Looking up realm "dcs.qmul.ac.uk" for User-Name = "[EMAIL PROTECTED]"
    [suffix] Found realm "dcs.qmul.ac.uk"
    [suffix] Adding Realm = "dcs.qmul.ac.uk"
    [suffix] Proxying request from user username to realm dcs.qmul.ac.uk
    [suffix] Preparing to proxy authentication request to realm "dcs.qmul.ac.uk"
    ++[suffix] returns updated
    } # server default
    Sending proxied request internally to virtual server.
    server dcs {
    +- entering group authorize {...}
    [dcs-eap] EAP packet type response id 3 length 149
    ..etc..

>> ..and "dcs" has its own EAP config, which references a virtual_server
>> "dcs-inner" for the PEAP/TTLS innards, which has _its_ own EAP config.
>
> That's... complicated.

A famous aphorism of Butler Lampson goes: All problems in computer science can be solved by another level of indirection... Kevlin Henney's corollary to this is, "...except for the problem of too many layers of indirection." (from <http://en.wikipedia.org/wiki/Abstraction_layer>)

Maybe the inner eap config can be the same for the "inner" virtual servers, but the server{} blocks will necessarily be different. I'm trying to normalise it, rather than complicate it.

>> My problem is that eap.c (line 219), as called by "dcs-inner", notices
>> the request has a grandparent, and assumes it's multiple layers of TLS
>> nesting. Interestingly, the comment omits the magic word "TLS". I think
>> perhaps that the virtual servers appear to count as layers. Anyway,
>> this braindead patch makes it work for me:
>
> Which pretty much removes the limits on nested queries. I understand

I agree; I put the great-grandparent check in there to catch runaway loops. I never said my fix was right.

> why you're doing this, but I'm not sure what the side effects are.

Sure. If you're not, I haven't a prayer. ;)

My guess is that the eap.c code predates the virtual servers, so when eap.c was written its assumption that the nesting must be TLS could well have been true, but today newer code-paths exist which weird hairy people expect to work..

I have run into another bug: if I instantiate rlm_ldap in my servers "dcs-inner" and "maths-inner", it seems to use the base DN for "maths-inner" (instantiated second) for queries from "dcs-inner".

Am I just being too weird and hairy? Or should I use a separate radiusd and raddb for each subrealm, as is the case with my production FreeRADIUS 1.1 set-up?

Cheers

Matt
[awful patch] "Multiple levels of TLS nesting is invalid."
So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of TLS nesting. I'm trying to use virtual servers so that a single radiusd can terminate TTLS/PEAP for multiple subrealms, _and_ use the inner-tunnel trick, keeping the configs completely independent for each subrealm. This allows me to hook up different departments with different AAA infrastructures into one radius set-up for our eduroam service.

My "default" server has a pair of listen{} blocks, and little else:

    authorize {
        suffix
    }
    authenticate {
    }

So, rlm_realm finds my virtual servers in proxy.conf, eg:

    realm dcs.qmul.ac.uk {
        nostrip
        virtual_server = dcs
    }

..and "dcs" has its own EAP config, which references a virtual_server "dcs-inner" for the PEAP/TTLS innards, which has _its_ own EAP config.

My problem is that eap.c (line 219), as called by "dcs-inner", notices the request has a grandparent, and assumes it's multiple layers of TLS nesting. Interestingly, the comment omits the magic word "TLS". I think perhaps that the virtual servers appear to count as layers. Anyway, this braindead patch makes it work for me:

--- freeradius-server-2.1.1/src/modules/rlm_eap/eap.c.orig 2008-09-25 09:41:26.0 +0100
+++ freeradius-server-2.1.1/src/modules/rlm_eap/eap.c 2008-10-14 15:19:53.800553926 +0100
@@ -216,10 +216,13 @@ /* * Multiple levels of nesting are invalid. */ - if (handler->request->parent && handler->request->parent->parent) { - RDEBUG2("Multiple levels of TLS nesting is invalid."); + if (handler->request->parent && handler->request->parent->parent && handler->request->parent->parent->parent ) { + RDEBUG2("Multiple levels of TLS nesting is really invalid."); return EAP_INVALID; } + if (handler->request->parent && handler->request->parent->parent) { + RDEBUG2("Multiple levels of nesting is thought invalid, continuing anyway."); + } /* * Figure out what to do. ..and my "radiusd -X" output now looks like this: Found Auth-Type = dcs-inner-eap +- entering group authenticate {...} [dcs-inner-eap] Request found, released from the list [dcs-inner-eap] Multiple levels of nesting is thought invalid, continuing anyway. [dcs-inner-eap] EAP/mschapv2 [dcs-inner-eap] processing type mschapv2 [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[dcs-inner-eap] returns handled So.. I hope this is useful. Do drop me a mail on- or off-list on , if you want any further information or if I'm not being clear enough. Matt - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
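Review bot: the rewritten check at the top of the hunk no longer distinguishes virtual-server indirection from a genuine TLS-in-TLS tunnel; the original `parent->parent` test rejected the latter, and after the change any request two levels deep passes with only an RDEBUG2 line, while the new `parent->parent->parent` test merely moves the runaway-loop stop one level further out. A check on what the parent request is (a virtual server hop versus a TLS tunnel) would express the intent better than a depth count; failing that, the comment "Multiple levels of nesting are invalid." above the first `if` now contradicts the code and should say why depth two is tolerated, and the message "Multiple levels of nesting is thought invalid, continuing anyway." would read less alarmingly to operators as something like "Nested virtual server, allowing". Minor: stray space before `)` in the new condition.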
RE: groupmembership and vlan assignment
Would it make more sense then to use a Perl program instead for the authorization and then have that program:

- verify credentials against ldap.
- do the regexp matching on the entitlement field?

Thanks,
Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2008 8:27 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> Hmmm...well I was hoping for another way to assign vlans based on ldap
> attributes, but I don't figure on rewriting rlm_ldap.

You don't have to rewrite the whole module. Just change 100 lines in one function.

Alan DeKok.
re: groupmembership and vlan assignment
Is there a way to regexp checking on the group_membership field instead?

Thanks

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
> unbldap-Ldap-Group =~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1

The LDAP Group checking does *equality* checking, not regular expression checking. Sorry.

Alan DeKok.
RE: groupmembership and vlan assignment
Hmmm...well I was hoping for another way to assign vlans based on ldap attributes, but I don't figure on rewriting rlm_ldap.

Thanks

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2008 3:49 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> That's what I was afraid of. Any suggestions to getting around this?

Edit the source code to rlm_ldap to implement regex checks.

Alan DeKok.
RE: groupmembership and vlan assignment
That's what I was afraid of. Any suggestions to getting around this?

Thanks

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment

Matt Ashfield wrote:
> DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS,
> unbldap-Ldap-Group =~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1

The LDAP Group checking does *equality* checking, not regular expression checking. Sorry.

Alan DeKok.
RE: groupmembership and vlan assignment
Nobody replied to my original post, and I got to thinking, would I be able to use wildcards in my users file to achieve this when looking for which Ldap-Group the user has been placed in? i.e.

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group =~ ".*staff1", Autz-Type := Ldap1, Auth-Type := Ldap1

Where unbldap-Ldap-Group gets set via

    groupmembership_attribute = eduPersonPrimaryAffiliation

and

    eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1

in LDAP.

Thanks

Matt Ashfield
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: Wednesday, July 23, 2008 10:29 AM
To: 'FreeRadius users mailing list'
Subject: groupmembership and vlan assignment

Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc..):

    groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation=staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

    eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this case "student1".

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt
[EMAIL PROTECTED]
groupmembership and vlan assignment
Hello

We have been using the groupmembership attribute in radius.conf to assign users to the appropriate vlans. Up until now we've done it based on the type of LDAP user they are (ie, staff, student, faculty, etc..):

    groupmembership_attribute = eduPersonPrimaryAffiliation

(where eduPersonPrimaryAffiliation=staff, student, faculty, etc..)

Unfortunately, our student vlans have grown significantly large and we want to take measures to make them smaller. We have looked into using LDAP entitlement fields. There are however a few issues here:

- The eduPersonEntitlement attribute is not unique. A user record can have multiple instances of this attribute for each different entitlement they have.
- The eduPersonEntitlement attribute has a value that is not simply the name of a vlan. It is typically something like:

    eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=student1

So I'd need to parse the value as well to pull out the vlan name, in this case "student1".

I'm unsure how to get around these two issues. Any suggestions are welcome.

Thanks

Matt
[EMAIL PROTECTED]
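An added example, not code from this thread or from FreeRADIUS, of the parsing that a separate authorization program (the Perl program proposed later in the thread; Python here for illustration) would need for the two issues raised above: eduPersonEntitlement is multi-valued, and the VLAN name sits inside a URN. It also shows why an unanchored `.*staff1` match on raw values is the wrong tool. The LDAP entries and the affiliation-to-VLAN table are constructed; only the URN form is from the post.

```python
"""Choose a wireless VLAN from a user's LDAP attributes.

Added example for the thread; not code from the thread or from FreeRADIUS.
Entries and the affiliation table below are constructed.
"""
import re

# Only this URN shape carries a wireless VLAN.  Anchoring the regex means
# the VLAN name is extracted as a whole token, not found as a substring
# of some unrelated entitlement.
WIRELESS_URN_RE = re.compile(
    r"^urn:mace:uni\.ca:wireless\?vlan=(?P<vlan>[A-Za-z0-9_-]+)$"
)

# Constructed fallback table, mirroring the older scheme in which
# eduPersonPrimaryAffiliation alone selected the VLAN.
AFFILIATION_VLANS = {"staff": "staff1", "faculty": "faculty1", "student": "student1"}

# Constructed LDAP entries: attribute -> list of values (multi-valued).
ENTRY_STAFF = {
    "eduPersonPrimaryAffiliation": ["staff"],
    "eduPersonEntitlement": [
        "urn:mace:dir:entitlement:common-lib-terms",
        "urn:mace:uni.ca:wireless?vlan=staff1",
    ],
}
ENTRY_STUDENT_NO_ENTITLEMENT = {
    "eduPersonPrimaryAffiliation": ["student"],
    "eduPersonEntitlement": [],
}
ENTRY_LOOKALIKE = {
    "eduPersonPrimaryAffiliation": ["student"],
    # Mentions staff1 but is not a wireless VLAN entitlement.
    "eduPersonEntitlement": ["urn:mace:uni.ca:printing?queue=staff1"],
}
ENTRY_AMBIGUOUS = {
    "eduPersonPrimaryAffiliation": ["student"],
    "eduPersonEntitlement": [
        "urn:mace:uni.ca:wireless?vlan=student1",
        "urn:mace:uni.ca:wireless?vlan=student2",
    ],
}


def loose_group_match(values, pattern):
    """The users-file style test from the thread (=~ ".*staff1") applied to
    raw values: unanchored, so it also matches lookalikes."""
    return any(re.search(pattern, v) for v in values)


def vlans_from_entitlements(values):
    """VLAN names carried by wireless entitlements, in LDAP order."""
    vlans = []
    for value in values:
        m = WIRELESS_URN_RE.match(value)
        if m:
            vlans.append(m["vlan"])
    return vlans


def choose_vlan(entry):
    """Return the VLAN to assign, or None when the record gives no
    unambiguous answer (the caller should then assign no VLAN)."""
    vlans = vlans_from_entitlements(entry.get("eduPersonEntitlement", []))
    if len(vlans) > 1:
        # Two wireless entitlements on one record: refuse to guess rather
        # than silently take whichever value LDAP returned first.
        return None
    if vlans:
        return vlans[0]
    affiliations = entry.get("eduPersonPrimaryAffiliation", [])
    return AFFILIATION_VLANS.get(affiliations[0]) if affiliations else None


def reply_attributes(vlan):
    """Reply attributes for a dynamic VLAN assignment (RFC 3580 style)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


if __name__ == "__main__":
    for name, entry in [("staff", ENTRY_STAFF),
                        ("student", ENTRY_STUDENT_NO_ENTITLEMENT),
                        ("lookalike", ENTRY_LOOKALIKE),
                        ("ambiguous", ENTRY_AMBIGUOUS)]:
        print(name, "->", choose_vlan(entry))
```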
Re: Keeping a set amount of detail logs
On Thu, Jul 17, 2008 at 7:49 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> > I've enabled "detail auth_log" and "detail reply_log" (it'd be great
> > if there was a way to tie auths and replies together from the
> > different log files somehow) and FreeRadius is creating new logs each
> > day. I'm assuming that I'll need to take care of removing old logs on
> > my own? Otherwise I'll be filling my disk up pretty quickly.
>
> Yes. See logrotate, or any one of many log rotation tools.

Right, I'm familiar with logrotate. The problem is that FreeRadius is rotating the logs already and I don't know of a way to get logrotate to just keep track of a set number of logfiles that it doesn't rotate itself. ie., "keep 10 logfiles only"
Re: POP3
Alan DeKok wrote:
> Slava wrote:
>> Could anyone tell me if there exists a solution to integrate FR with a
>> POP3 server
>
> Look for patches to let cucipop do RADIUS authentication. If there
> are none, maybe cucipop does PAM authentication. You could then use the
> PAM RADIUS module.

FWIW, Qpopper also can use PAM, although I haven't tried it myself:

http://www.eudora.com/products/unsupported/qpopper/faq.html#PAM
RE: xp sp3 and freeradius 2.0.5
I'm seeing the same problems with Vista devices:

    Sending Access-Accept of id 12 to 131.202.9.32 port 2048
        User-Name = "u3t98"
        Tunnel-Private-Group-Id:0 = "Academic"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 0xce1ea72659c68cceba45498192e03bbb73292f9cdc314bbdea6e5ede0302b86a
        MS-MPPE-Send-Key = 0xe2cafe2564df85dd04dddb4816c00c8afeea831cbbdb444b45789625771f6c9c
        EAP-Message = 0x03180004
        Message-Authenticator = 0x

Even though I have MPPE disabled in FR:

    mschap {
        #
        #  As of 0.9, the mschap module does NOT support
        #  reading from /etc/smbpasswd.
        #
        #  If you are using /etc/smbpasswd, see the 'passwd'
        #  module for an example of how to use /etc/smbpasswd

        # if use_mppe is not set to no mschap will
        # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
        # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
        #
        #use_mppe = no
        use_mppe = no

Thoughts?

Matt Ashfield
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SecureW2 (List)
Sent: Monday, July 07, 2008 10:58 AM
To: 'FreeRadius users mailing list'
Subject: RE: xp sp3 and freeradius 2.0.5

Dear Oxiel,

Are you using wired or wireless 802.1x? I have been seeing issues on Windows XP SP3 WIRED 802.1X configurations when the MPPE keys are being sent by the RADIUS server (which are not used in (most) wired 802.1X setups):

>Sending Access-Accept of id 8 to 192.168.100.245 port 5001
>User-Name = "host/caja02.cosmart.bo"
>MS-MPPE-Recv-Key = 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
>MS-MPPE-Send-Key = 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
>EAP-Message = 0x03090004
>Message-Authenticator = 0x

If you are using wired try disabling the MPPE keys in Freeradius.

Regards,

Tom

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Ivan Kalik
> Sent: Monday, 7 July 2008 15:32
> To: freeradius-users@lists.freeradius.org
> Subject: Re: xp sp3 and freeradius 2.0.5
>
> >Has anybody managed to authenticate xp sp3 with default 802.1x client to
> freeradius ?
>
> You!
>
> >Sending Access-Accept of id 8 to 192.168.100.245 port 5001
> >User-Name = "host/caja02.cosmart.bo"
> >MS-MPPE-Recv-Key =
> 0xbc92e431af5c7ffb4d5b7995391751603d37b0f0ff4b90fbfecd1785d2d987b9
> >MS-MPPE-Send-Key =
> 0x298436d731ecef7178d901f10b1654124cb4b52e1e1ed23fd33b1ec32476b480
> >EAP-Message = 0x03090004
> >Message-Authenticator = 0x
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Goodbye SNMP, hello statistics.
Exciting stuff!

On Fri, Jun 20, 2008 at 2:48 PM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> I've committed some code (~1K LoC) to CVS head that will go into 2.0.6.
> In short, there's no point in using SNMP any more. The good news is
> that the Status-Server packet is overloaded to get all sorts of
> statistics that weren't available in SNMP. For more information, see:
>
>     share/dictionary.freeradius
>
> Some comments:
>
> - the statistics can ONLY be queried from localhost. This will not be
> changed.
>
> - You can ask for ALL auth statistics (across all "listen" sockets)
>
> - Or, specify a socket IP/port, and it will return the stats for that
> socket.
>
> - You can do this for auth/acct sockets independently
>
> - you can query statistics for one client, and optionally specify
> the server IP/port (if the "listen" section has its own clients)
>
> - you can ask for total auth/acct packets that are proxied to home servers
>
> - you can ask for total auth/acct packets that are sent to individual
> home servers.
>
> - you can tell when a home server was marked dead / alive, and how many
> requests have been sent, but not responded to.
>
> - you can ask for stats on the internal queues in the server (e.g. if
> it's busy, there will be many packets waiting, and all of the child
> threads will be doing work)
>
> The end result is that it's simpler to implement than SNMP, has fewer
> issues, and returns more data than the SNMP statistics would return.
>
> Enjoy.
>
> Alan DeKok.
Re: FreeRadius/eDirectory/802.1X authentication issue
>See why I say I don't know a whole lot about how all this works?? :) So
>it sounds like I don't even need LDAP, but it's helpful for at least

I know it is possible to use EAP-TLS, and then use some attribute from the
certificate and query LDAP about it. If that's the case in your configuration,
you should be able to see that from the config files in your $raddb directory.
You can post the config if you have questions.

Matt

On Wed, Jun 11, 2008 at 6:44 PM, Newall, Bryce <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: Wednesday, June 11, 2008 10:30 AM
> > To: FreeRadius users mailing list
> > Subject: Re: FreeRadius/eDirectory/802.1X authentication issue
> >
> > > We need to have FreeRADIUS speak LDAP
> > > with Novell eDirectory, and be able to authenticate wireless clients
> > > using EAP-TLS (or even EAP-TTLS, but we're using TLS right now).
> >
> > Er... EAP-TLS means that it won't normally do user lookups in LDAP.
>
> See why I say I don't know a whole lot about how all this works?? :) So
> it sounds like I don't even need LDAP, but it's helpful for at least
> testing the RADIUS configuration with a program like NTRadPing to make
> sure it's working correctly before jumping into the EAP-TLS setup.
>
> > And you should upgrade to 2.0.5. It makes 1.1.0 look as bad as IAS.
>
> SLES 10 SP2 still ships with FreeRADIUS 1.1.0. Go figure. Any
> suggestions as to where to find some good HOWTO docs? I went through
> the FreeRADIUS Wiki, but it wasn't very complete.
>
> Thanks!
>
> Bryce Newall
> Systems Administrator
> Poway Unified School District
> (858) 679-2576
> [EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR and PEAP question
11 09:42:02 2008 : Debug: auth: type Local
Wed Jun 11 09:42:02 2008 : Debug: auth: No User-Password or CHAP-Password attribute in the request
Wed Jun 11 09:42:02 2008 : Debug: auth: Failed to validate the user.
Wed Jun 11 09:42:02 2008 : Auth: Login incorrect: [mda] (from client hh932 port 2 cli 00-11-25-81-1D-DA)
Wed Jun 11 09:42:02 2008 : Debug: Delaying reject of request 1 for 1 seconds
Wed Jun 11 09:42:02 2008 : Debug: Going to the next request
Wed Jun 11 09:42:02 2008 : Debug: Waking up in 0.9 seconds.
Wed Jun 11 09:42:03 2008 : Debug: Sending delayed reject for request 1
Sending Access-Reject of id 3 to 11.2.19.3 port 2048
Wed Jun 11 09:42:03 2008 : Debug: Waking up in 4.9 seconds.
Wed Jun 11 09:42:08 2008 : Debug: Cleaning up request 1 ID 3 with timestamp +355
Wed Jun 11 09:42:08 2008 : Debug: Ready to process requests.

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:21 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

eapol_test from wpa_supplicant
JRadius Simulator

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> wrote:

>I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
>howto? Clearly I'm down the wrong path here.
>
>Matt
>[EMAIL PROTECTED]
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>Sent: Tuesday, June 10, 2008 11:02 AM
>To: freeradius-users@lists.freeradius.org
>Subject: RE: FR and PEAP question
>
>FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
>can't test for it with pap requests (radtest).
>
>Ivan Kalik
>Kalik Informatika ISP
>
>On 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> wrote:
>
>>I thought it would get referenced because in my users file I have:
>>
>>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>>        User-Name=`%{User-Name}`,
>>        Tunnel-Private-Group-Id=staff,
>>        Tunnel-Type=VLAN,
>>        Fall-Through = no
>>
>>And in huntgroups I have this. Although I am unsure if this is correct.
>>UNBFWSS NAS-IP-Address == 127.0.0.1
>>
>>Matt
>>[EMAIL PROTECTED]
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>>Sent: Tuesday, June 10, 2008 10:36 AM
>>To: freeradius-users@lists.freeradius.org
>>Subject: RE: FR and PEAP question
>>
>>>The password that is being supplied by radtest is in plain-text, should I be
>>>supplying it in ntPassword-encrypted format?
>>
>>No.
>>
>>>It looks to me like I have something wrong with my authenticate section.
>>>
>>>My authorize section looks like:
>>>authorize {
>>>    preprocess
>>>    chap
>>>    mschap
>>>    suffix
>>>    eap
>>>    Autz-Type Ldap1 {
>>>        redundant-load-balance {
>>>            unbldap
>>>            unbldap2
>>>        }
>>>        mschap
>>>    }
>>>}
>>
>>Not really. You just haven't called that Autz-Type anywhere.
>>
>>Ivan Kalik
>>Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR and PEAP question
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
howto? Clearly I'm down the wrong path here.

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 11:02 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
can't test for it with pap requests (radtest).

Ivan Kalik
Kalik Informatika ISP

On 10/6/2008, "Matt Ashfield" <[EMAIL PROTECTED]> wrote:

>I thought it would get referenced because in my users file I have:
>
>DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
>        User-Name=`%{User-Name}`,
>        Tunnel-Private-Group-Id=staff,
>        Tunnel-Type=VLAN,
>        Fall-Through = no
>
>And in huntgroups I have this. Although I am unsure if this is correct.
>UNBFWSS NAS-IP-Address == 127.0.0.1
>
>Matt
>[EMAIL PROTECTED]
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
>Sent: Tuesday, June 10, 2008 10:36 AM
>To: freeradius-users@lists.freeradius.org
>Subject: RE: FR and PEAP question
>
>>The password that is being supplied by radtest is in plain-text, should I be
>>supplying it in ntPassword-encrypted format?
>
>No.
>
>>It looks to me like I have something wrong with my authenticate section.
>>
>>My authorize section looks like:
>>authorize {
>>    preprocess
>>    chap
>>    mschap
>>    suffix
>>    eap
>>    Autz-Type Ldap1 {
>>        redundant-load-balance {
>>            unbldap
>>            unbldap2
>>        }
>>        mschap
>>    }
>>}
>
>Not really. You just haven't called that Autz-Type anywhere.
>
>Ivan Kalik
>Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR and PEAP question
I thought it would get referenced because in my users file I have:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Huntgroup-Name == UNBFWSS, unbldap-Ldap-Group == staff, Autz-Type := Ldap1
        User-Name=`%{User-Name}`,
        Tunnel-Private-Group-Id=staff,
        Tunnel-Type=VLAN,
        Fall-Through = no

And in huntgroups I have this. Although I am unsure if this is correct.

UNBFWSS NAS-IP-Address == 127.0.0.1

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Kalik
Sent: Tuesday, June 10, 2008 10:36 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: FR and PEAP question

>The password that is being supplied by radtest is in plain-text, should I be
>supplying it in ntPassword-encrypted format?

No.

>It looks to me like I have something wrong with my authenticate section.
>
>My authorize section looks like:
>authorize {
>    preprocess
>    chap
>    mschap
>    suffix
>    eap
>    Autz-Type Ldap1 {
>        redundant-load-balance {
>            unbldap
>            unbldap2
>        }
>        mschap
>    }
>}

Not really. You just haven't called that Autz-Type anywhere.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: FR and PEAP question
Hi,

I'm now trying your suggestions for getting FR and PEAP working together.
Below is the result of a radtest that I did. The password that is being
supplied by radtest is in plain-text, should I be supplying it in
ntPassword-encrypted format?

It looks to me like I have something wrong with my authenticate section.

My authorize section looks like:

authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    Autz-Type Ldap1 {
        redundant-load-balance {
            unbldap
            unbldap2
        }
        mschap
    }
}

The radtest result is below:

rad_recv: Access-Request packet from host 127.0.0.1 port 32769, id=97, length=55
        User-Name = "mda"
        User-Password = "abc123"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
Tue Jun 10 10:07:34 2008 : Debug: +- entering group authorize
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[preprocess] returns ok
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[chap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[mschap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
Tue Jun 10 10:07:34 2008 : Debug: rlm_realm: No such realm "NULL"
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[suffix] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: rlm_eap: No EAP-Message, not doing EAP
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[eap] returns noop
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 0
Tue Jun 10 10:07:34 2008 : Debug: ++[files] returns noop
Tue Jun 10 10:07:34 2008 : Debug: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Tue Jun 10 10:07:34 2008 : Debug: auth: Failed to validate the user.
Tue Jun 10 10:07:34 2008 : Auth: Login incorrect: [mda] (from client localhost port 0)
Tue Jun 10 10:07:34 2008 : Debug: Delaying reject of request 0 for 1 seconds
Tue Jun 10 10:07:34 2008 : Debug: Going to the next request
Tue Jun 10 10:07:34 2008 : Debug: Waking up in 0.9 seconds.
Tue Jun 10 10:07:35 2008 : Debug: Sending delayed reject for request 0
Sending Access-Reject of id 97 to 127.0.0.1 port 32769
Tue Jun 10 10:07:35 2008 : Debug: Waking up in 4.9 seconds.
Tue Jun 10 10:07:40 2008 : Debug: Cleaning up request 0 ID 97 with timestamp +17
Tue Jun 10 10:07:40 2008 : Debug: Ready to process requests.

Any assistance is appreciated.

Thanks

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: Monday, May 26, 2008 11:00 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: FR and PEAP question

Matt Ashfield wrote:
>
> Hi,
>
> We're looking into using PEAP with MSChapV2, instead of PAP (don't
> want to use the SecureW2 client anymore) so are investigating ways to
> store the password in LDAP.
>
> According to
> http://deployingradius.com/documents/protocols/compatibility.html, the
> options are storing the password in Clear-Text or in an NT Hash
> (ntlm_auth).
>
> In talking with our LDAP people, I was told the following:
>
> SunOne does not support nt-hash passwords. Supported formats are
> CLEAR, CRYPT, DES, NS-MTA-MD5 (Netscape MD5), SHA, and SSHA.
>
> Fedora Directory Server 1.1.0 supports CLEAR, CRYPT, DES, MD5,
> NS-MTA-MD5, SHA, SHA256, SHA384, SHA512, SSHA, SSHA256, SSHA384, and
> SSHA512.
>

This means that your userPassword attribute must contain your password in the
previously mentioned hash forms. This userPassword attribute is used
internally by your LDAP directory in order to authenticate your access (bind)
to the LDAP server.

> It sounds to me like if we want to do PEAP/MSChapV2 we'd have to store
> the password i
Re: EAP TLS Authentication failing!!!! "Unknown CA"
I'm happy to be wrong about this, but in my experience, this parameter:

    -CApath ca.pem

Needs to be an actual path, not a PEM CA file, where you have performed these
steps:

    download certificate authority cert in PEM format
    run c_rehash . (openssl script)

On Thu, May 15, 2008 at 10:37 AM, Avinash Patil <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I am trying to authenticate one embedded WLAN device using
> freeRadius server 2.0.4
>
> I have radiusd.conf, client.conf files as per my configuration.
> I have created certificates using bootstrap script. Values in
> ca.cnf, client.cnf and server.cnf have been modified accordingly.
>
> I have copied ca.pem, client.pem to device filesystem. Private key has been
> extracted from client.pem.
>
> Since last week I am trying to authenticate freeradius server but I am
> getting error like "Unknown CA".
> Please see attached radius logs.
>
> When I verify client certificate using "openssl verify -CApath ca.pem
> client.pem"
> I see following error:
>
> Error 20 at depth 0 lookup : unable to get local issuer certificate.
>
> Device is already tested with Windows 2003 server's TLS (of course with
> different set of certificates :<) ) and it is working fine.
> What will be possible reason behind this and where am I going wrong?
>
> Appreciate your help.
>
> Thanks and Regards,
>
> Avinash.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS with different CA per user?
In our company, we do have certificates signed by multiple Certificate
Authorities... but there is a hierarchy. So, some users come in from Domain A
(root CA), some come in from Domain B (intermediate CA). So then it's easy...
just maintain the CA_path containing the root and any necessary intermediate
CAs.

On Sat, Jun 7, 2008 at 11:48 AM, SecureW2 (List) <[EMAIL PROTECTED]> wrote:
> Frank,
>
> It is not really a configuration issue, but more an Identity Management
> issue.
>
> It is not common to have a CA per user, but a CA per domain. And per domain
> you have users.
>
> So:
>
> User X from domain A has CA 1.
> User Y from domain B has CA 2.
>
> If this is what you are trying to achieve you can simply setup a
> configuration per domain/realm of these users.
>
> Regards,
>
> Tom
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:freeradius-users-bounces+list = [EMAIL PROTECTED]
> > On behalf of Frank Sweetser
> > Sent: Friday, 6 June 2008 20:07
> > To: freeradius-users@lists.freeradius.org
> > Subject: EAP-TLS with different CA per user?
> >
> > I have a configuration which I need, but haven't been able to figure out
> > how to make freeradius do it.
> >
> > I have two users, A and B, both authenticating over wireless using EAP-TLS.
> > User A has a certificate which has been signed by CA X, and B has one
> > signed by CA Y.
> >
> > What I need is to tell freeradius that certificates presented by user A
> > should only be checked against CA X, and similarly B only by Y. Putting
> > both X and Y in the same CA list won't work in this case due to what
> > appears to be a limitation in OpenSSL.
> >
> > I've been over all the existing docs I can find, and I haven't been able
> > any way to do this. Anyone have any suggestion what I might try?
> >
> > --
> > Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
> > WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
> > GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
deployingradius.com down?
I can't seem to get to the deployingradius.com website. Anyone know if this
is down?

Matt
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FR failing
We have two FR servers (running 1.1.15) on Red Hat machines. We are using it to
authenticate wireless users against an LDAP directory. Occasionally, one of the
FR servers (it happens to each, just not at the same time) stops working. The
service remains up, but it's like the conversation between radius and ldap
doesn't work for some reason, and radius stops trying altogether afterwards.

The log shows:

Thu May  1 14:33:02 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May  1 14:33:02 2008 : Auth: Login incorrect: [rsmall] (from client unbsj111 port 32401 cli 00-1E-C2-C0-8E-36)
Thu May  1 14:33:15 2008 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Thu May  1 14:33:15 2008 : Auth: Login incorrect: [anonymous] (from client hh2380 port 45380 cli 00-12-F0-D3-3C-03)
Thu May  1 14:34:02 2008 : Error: Discarding duplicate request from client hh2380:20001 - ID: 200 due to unfinished request 1428

Any help is greatly appreciated.

Thanks

Matt A
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Can't compile on Centos 5.1 x86_64
Sergio Belkin wrote:
> I can't compile freeradius-2.0.2 on Centos 5.1 x86_64. It outputs:
> /usr/lib/libltdl.so: could not read symbols: File in wrong format
> collect2: ld returned 1 exit status

You might try using your system's own libtool. Try these configure options:

    --with-system-libtool --disable-ltdl-install

It might not help, but it's probably worth a shot.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Administering with MySQL DB
The nas table definition can be found at the bottom of this page

http://wiki.freeradius.org/MySQL_DDL_script

make sure to set:

    readclients = yes

(probably at the bottom of sql.conf)

the column names in the nas table are pretty self-explanatory after you have
that set up. Just be sure to re-start radius after you make changes to that
table since it's read at startup.

On Jan 18, 2008 1:18 PM, Andy Smith <[EMAIL PROTECTED]> wrote:
> Hi,
>
> thanks, I've looked at this and it's a good guide to initial install but
> doesn't seem to provide any detailed info on how to administer the data in
> the tables. IE there is a sample of some data from a test system but this
> doesn't even mention the "NAS" table, how are other people administering
> their systems?
>
> thanks! Andy.
>
> > * FreeRadius Wiki is a good starting point. SQL Howto *

--
Dread Pirate Roberts: Truly, you have a dizzying intellect.
Vizzini: WAIT TILL I GET GOING! Where was I?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Version 2.0.0 has been released
Alan T DeKok wrote:
> January 10, 2007 - Version 2.0.0 has been released.

Congratulations, and thanks for all your hard work on FreeRADIUS!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Stopping LDAP searches during each part of EAP session?
I have a freeradius server configured to do both EAP-TLS and LDAP auth. It
works great so far. If I have a cert. configured, then I'm authenticated with
the cert. If I don't have a cert then I get prompted for my un/pw on my NAS's
Captive Portal page, which then passes my username/password on to the Radius
server which then checks my LDAP server if my un/pw are correct.

When I look through the debug logs, however, I see that the rlm_ldap module is
doing an LDAP search for my username during each stage of the EAP session. Is
there a way to configure freeradius so that it won't try LDAP auth in the
middle of an EAP session?

Here's my radiusd.conf:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radius
group = radius
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 8192
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = after
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 0
    status_server = yes
}

proxy_requests = no

$INCLUDE ${confdir}/clients.conf

snmp = no

thread pool {
    start_servers = 10
    max_servers = 128
    min_spare_servers = 3
    max_spare_servers = 20
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        shadow = /etc/shadow
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
    }
    ldap {
        server = "ldap.mycompany.com"
        basedn = "ou=people,dc=mycompany,dc=com"
        filter = "(&(accountInstance=wireless)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 25
        timeout = 10
        timelimit = 10
        net_timeout = 1
        access_attr_used_for_allow = yes
    }
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
Re: Server instability
What kind of error messages are you getting in your log when it blows up?

Quoting Phil Mayers <[EMAIL PROTECTED]>:

> On Mon, 2007-09-24 at 15:39 -0400, Nathan Hay wrote:
> > I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7)
> > on SUSE 10 SP1 (32-bit) to authenticate our wireless clients (PEAP
> > MSCHAPv2) to our eDirectory via LDAP. We average 800-900 simultaneous
> > wireless clients (need to support a potential 4K in the future).
> >
> > The setup works well and authenticates users very quickly, but every
> > couple days, the radiusd process will either blow up and start
> > consuming 99% of the CPU or die altogether. More often it blows up.
> > We had stability problems initially, even when the process was
> > running, so I took everything out of the config that we didn't need
> > and that seemed to help.
>
> First question; are you HUPing the daemon? If so, don't - it won't work
> well.
>
> Second question; if this happens reliably can you recompile from
> scratch:
>
> ./configure --enable-developer
> make
> make install
>
> ...and when it happens do this:
>
> gdb /usr/local/sbin/radiusd
> set pagination off
> set logging file /root/radiusd-wireless.txt
> set logging on
> attach $PID
> thread apply all bt full
>
> ...that'll give some details as to what the server is doing when it
> pegs the CPU. Other options are strace or (if your Linux system has it)
> SystemTap. The aim being to determine what it's doing when it goes wrong.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: randomly crashing
Saw this happen again last night. Last log entries I have are:

Thu Sep 20 19:06:24 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Thu Sep 20 19:06:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Thu Sep 20 19:06:25 2007 : Auth: Login OK: [n2i7w] (from client localhost port 16689 cli 00-16-6F-07-3F-71)
Thu Sep 20 19:06:37 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Thu Sep 20 19:06:49 2007 : Error: Discarding duplicate request from client hh2380:20006 - ID: 133 due to unfinished request 922

After the error it crashed. Not sure why I'm seeing this. Any thoughts are
welcome!?

thanks

Matt
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Ashfield
Sent: Tuesday, September 18, 2007 9:49 AM
To: [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Subject: RE: randomly crashing

>version of FR? modules or backend auth system used?

Using FR 1.1.5 and using mod_auth_ldap for auth

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: randomly crashing
>version of FR? modules or backend auth system used?

Using FR 1.1.5 and using mod_auth_ldap for auth

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: randomly crashing
Hi...

Matt Ashfield wrote:
> We're running FR to authenticate users on our wireless network. It appears
> that radius is randomly stopping/crashing. I have checked logs, but have
> been unable to locate the problem and am wondering if someone could point me

For what it's worth (probably not much!)... a month ago, I was having "random"
segfaults with a new installation of 1.1.7 on Fedora 7 x86_64. In most cases,
the crash seemed to correspond with this log entry you've mentioned:

> Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR
> EAP-response to an unknown EAP-request

My segfault would typically occur right after the above log entry. Analyzing
with gdb usually gave a serpentine backtrace into threading libraries and
SSL-related functions -- well beyond my ability to debug.

I was about to give up, when an openssl package update was issued by Fedora
(0.9.8b-14.fc7, around August 14). The changelog wasn't very descriptive, but
ever since updating the openssl RPMs, freeradius hasn't segfaulted at all.

Was it an SSL bugfix that fixed it? Beats me. Maybe it was simply the running
of ldconfig after the update. Maybe it was something else entirely. But the
point is, it might pay to make sure your libraries are in order. :)
(Previously I'd also had seeming 64-bit library issues with Kerberos which
were causing Freeradius crashes.)

-Matt

PS: I do still see the "Either EAP-request timed out OR EAP-response to an
unknown EAP-request" rlm_eap error maybe 5-10 times a day, but the Freeradius
daemon no longer crashes from them. And the client auth succeeds on the retry
~30 seconds later. Never saw this behavior with Freeradius 1.1.2, but I
wouldn't be surprised if it was happening back then, and that 1.1.7 simply has
more verbose logging of such occurrences now.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
randomly crashing
Hi,

We're running FR to authenticate users on our wireless network. It appears
that radius is randomly stopping/crashing. I have checked logs, but have been
unable to locate the problem and am wondering if someone could point me in a
good location to look for reasons for the failure.

I've checked the radius.log file for the past 2 failures, and all I see are:

For the 2nd to last failure:

Mon Sep 17 00:30:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 00:31:30 2007 : Auth: Login incorrect: [s3n14] (from client hh2380 port 18045 cli 00-1B-63-C1-7E-00)
Mon Sep 17 00:34:49 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Mon Sep 17 00:34:58 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Sep 17 00:34:58 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:36:03 2007 : Error: Discarding duplicate request from client hh2380:20008 - ID: 173 due to unfinished request 36

And for the latest failure:

Mon Sep 17 12:40:25 2007 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [s8r1z] (from client localhost port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:25 2007 : Auth: Login incorrect: [s8r1z] (from client hh2380 port 30831 cli 00-1A-73-82-59-7C)
Mon Sep 17 12:40:33 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 12:40:33 2007 : Auth: Login incorrect: [c264c] (from client hh2380 port 30784 cli 00-11-24-C6-90-7E)

In my /var/log/messages file there's nothing related to the failures.

We use the following to start FR:

/usr/local/sbin/radiusd -y

Any advice is appreciated.

Matt
[EMAIL PROTECTED]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
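This post and the earlier "FR failing" post show the same sequence in radius.log: rlm_eap errors, then "Discarding duplicate request ... due to unfinished request", then a daemon that no longer answers. The following is an added example, my own code and not from either post or from the FreeRADIUS project, that parses 1.x-style radius.log lines, counts events per category and per NAS client, and flags each duplicate discard that follows a burst of Error-level lines inside a time window, which is the "is the server stalled?" question the posters were trying to answer by eye. The sample lines are copied from the two threads; the category names, the ten-minute window and the output field names are my own choices.

```python
"""Triage FreeRADIUS 1.x radius.log lines for the stall pattern seen in this thread.

Added example; not from the posts or from FreeRADIUS. SAMPLE_LOG is copied
from the messages in this thread and the "FR failing" thread; the categories,
the window and the output field names are my own choices.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<mac>\S+))?\)")
DUP_RE = re.compile(r"Discarding duplicate request from client (?P<client>[^:]+):(?P<port>\d+)"
                    r" - ID: (?P<id>\d+) due to unfinished request (?P<req>\d+)")

# (substring of the message, category); first match wins, so the more specific
# "Bind as user failed" is listed before the generic "Login incorrect"
CATEGORIES = [
    ("Either EAP-request timed out", "eap_timeout"),
    ("Discarding duplicate request", "duplicate_discard"),
    ("TLS_accept:", "tls_handshake_error"),
    ("rlm_eap: SSL error", "ssl_error"),
    ("Bind as user failed", "ldap_bind_failed"),
    ("Login incorrect", "login_incorrect"),
    ("Login OK", "login_ok"),
]

# lines copied from the two threads (constructed sample, not a live log file)
SAMPLE_LOG = """\
Mon Sep 17 00:30:24 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:31:30 2007 : Error: rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
Mon Sep 17 00:31:30 2007 : Auth: Login incorrect: [s3n14] (from client hh2380 port 18045 cli 00-1B-63-C1-7E-00)
Mon Sep 17 00:34:49 2007 : Auth: Login OK: [nagios] (from client nagios port 0)
Mon Sep 17 00:34:58 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Sep 17 00:34:58 2007 : Error: rlm_eap: SSL error error::lib(0):func(0):reason(0)
Mon Sep 17 00:36:03 2007 : Error: Discarding duplicate request from client hh2380:20008 - ID: 173 due to unfinished request 36
Mon Sep 17 12:40:25 2007 : Auth: Login incorrect (rlm_ldap: Bind as user failed): [s8r1z] (from client localhost port 30831 cli 00-1A-73-82-59-7C)
Thu May  1 14:34:02 2008 : Error: Discarding duplicate request from client hh2380:20001 - ID: 200 due to unfinished request 1428
""".splitlines()


def parse_line(line):
    """Return an event dict for one log line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # collapse the padded day-of-month ("May  1") before parsing the timestamp
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    msg = m["msg"]
    event = {"ts": ts, "level": m["level"], "msg": msg, "client": None,
             "category": next((c for needle, c in CATEGORIES if needle in msg), "other")}
    cm = CLIENT_RE.search(msg)
    if cm:
        event["client"] = cm["client"]
    dm = DUP_RE.search(msg)
    if dm:
        event["client"] = dm["client"]
        event["packet_id"] = int(dm["id"])
        event["unfinished_request"] = int(dm["req"])
    return event


def summarize(lines, window=timedelta(minutes=10)):
    """Count events per category and per NAS client, and flag every duplicate
    discard preceded by Error-level lines inside `window` (the sequence the
    posters saw right before radiusd stopped answering)."""
    events = [e for e in map(parse_line, lines) if e]
    by_category = Counter(e["category"] for e in events)
    by_client = defaultdict(Counter)
    for e in events:
        if e["client"]:
            by_client[e["client"]][e["category"]] += 1
    alerts = []
    for e in events:
        if e["category"] != "duplicate_discard":
            continue
        prior = [p for p in events
                 if p["level"] == "Error" and e["ts"] - window <= p["ts"] < e["ts"]]
        alerts.append({"ts": e["ts"], "client": e["client"],
                       "unfinished_request": e["unfinished_request"],
                       "errors_before": len(prior)})
    return {"by_category": by_category, "by_client": by_client, "alerts": alerts}


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(lines)
    for cat, n in sorted(result["by_category"].items()):
        print("%-20s %d" % (cat, n))
    for a in result["alerts"]:
        print("stall? %s client=%s unfinished request %d, %d errors in the previous window"
              % (a["ts"], a["client"], a["unfinished_request"], a["errors_before"]))
```

Run it as `python3 radlog_triage.py /var/log/radius/radius.log`, or with no argument to see it on the sample. A duplicate discard with several errors in the preceding window is worth correlating with the process state (the gdb or strace advice elsewhere in this thread); one with none is usually just a NAS retransmitting faster than the server answers.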
Re: building RPM from source
Fred Zinsli wrote:
> I have got a copy of 1.1.7 source but my issue is that I don't know how
> to enable mysql in the spec file.

The spec file that comes in the Fedora source RPM I suggested shows you
exactly how to do it. In fact, it's done for you. :)

> Also, do I have to have mysql installed on the build machine to enable
> mysql suppport?

Yes, both the mysql and mysql-devel packages would be required. You don't
need mysql-server installed, unless of course you want to run the MySQL
server on that machine. (The spec file also requires some other packages,
which you can easily snip out if you don't actually need to build/use the
stuff which depends on them.)

> But /usr/include/mysql doesn't exist on the machine.

I'm guessing none of the MySQL packages are installed. Try:
"yum install mysql mysql-devel".

-Matt

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: building RPM from source
Fred Zinsli wrote:
> I am attempting to build an RPM from source on my FC5 box.

Try to get a more recent source RPM from a repository, and then tweak the spec file to fit your needs. The Fedora builds will support MySQL by default. It'd be easier than trying to write your own spec file from scratch.

The current version in Fedora 7 is 1.1.6, and 1.1.7 is available in the development repo. (I am running 1.1.7 built from the devel source RPM.)

-Matt
Re: Segfault with -X and rlm_krb5 under Fedora 7 x86_64
Alan DeKok wrote:
> That would seem to be the case, yes. But it's very weird. Doubly so
> since there's no code in rlm_krb5 that depends on debug_flag >= 2.
>
> So... the culprit is likely elsewhere. Exactly where it is located is
> difficult to say.

Thanks, Alan. Just a quick update... upon looking deeper, it looks like it might be an autoconf/libtool issue with x86_64 under Fedora 7. If I come up with any potentially useful info, I'll post it here.

Sorry for the noise.

-Matt
Segfault with -X and rlm_krb5 under Fedora 7 x86_64
This may be a Fedora/Kerberos issue rather than a Freeradius issue, but...

Has anyone experienced "radiusd -X" segfaulting when using rlm_krb5? This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1 built from source tarballs. (I am trying to migrate to this environment from a working freeradius-1.1.0 / Fedora Core 2 / i686 installation.)

The segfault is actually occurring in the Kerberos libraries, which means that Freeradius might not be the issue; however, the segfault occurs only when radiusd is given "-X" or "-sfxx" options. I.e. "radiusd -sfx" and "radiusd" work as expected, and do not segfault. (One thing off the top of my head: does this point to something possibly happening when debug_flag is >= 2?)

The killer request:

radtest testuser testpass localhost 1 testing123

Below are my users and radiusd.conf files. Full gdb output from a segfault case follows. So, this isn't a bug report... I'm just hoping for tips on how to proceed... thanks in advance for any clues.

-Matt

### begin complete users file ###
DEFAULT Auth-Type:=Kerberos
### end complete users file ###

### begin partial radiusd.conf ###
# stuff that was changed from the default 1.1.6 radiusd.conf :
prefix = /opt/radius
localstatedir = /var
user = radiusd
group = radiusd
log_auth = yes
proxy_requests = no
modules {
	krb5 {
		keytab = radius-krb5.keytab
		service_principal = radius
	}
}
authenticate {
	Auth-Type Kerberos {
		krb5
	}
}
### end partial radiusd.conf ###

### begin gdb output ###
[EMAIL PROTECTED] raddb]# gdb radiusd
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run -X
Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912517212928 (LWP 25560)]
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/radius/etc/raddb/clients.conf
Config: including file: /opt/radius/etc/raddb/snmp.conf
Config: including file: /opt/radius/etc/raddb/eap.conf
Config: including file: /opt/radius/etc/raddb/sql.conf
main: prefix = "/opt/radius"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/opt/radius/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/opt/radius/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
krb5: keytab = "radius-krb5.keytab"
krb5: service_principal = "radius"
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow
RE: MSCHAPv2 with 1.1.4
Same thing basically:

rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: Found NT-Password
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 0

My users file now looks like:

#cobb User-Password=="secret"
#cobb Cleartext-Password=="secret"
#cobb Cleartext-Password:="secret"
#cobb NT-Password == "0xB6FFB3200061D7B7928F0D932F095128"
#cobb NT-Password == "B6FFB3200061D7B7928F0D932F095128"
#cobb NT-Password := "0xB6FFB3200061D7B7928F0D932F095128"
cobb NT-Password := "B6FFB3200061D7B7928F0D932F095128"
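When rlm_mschap reports "MS-CHAP2-Response is incorrect" with an NT-Password it found, the first thing to rule out is that the stored hash is not actually the NT hash of the password the client is typing. The following is an added example (not from the list thread and not FreeRADIUS code) that recomputes the NT hash as MD4 over the UTF-16LE password and checks it against a users-file line; the user name, the operator check and the sample password "password" are constructed for illustration.

```python
import re
import struct

# Compact MD4 (RFC 1320). Written out here because hashlib's md4 is disabled on
# OpenSSL 3 builds; this is added example code, not part of FreeRADIUS.
def md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (mixing function, additive constant, X[] index order, shifts)
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
         (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF
                a, b, c, d = d, rotl(t, shifts[i % 4]), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)

def nt_password_hash(password: str) -> str:
    """NT-Password as rlm_mschap uses it: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

# Matches a users-file check item such as:  cobb NT-Password := "0x...32 hex..."
_USERS_RE = re.compile(r'^(\S+)\s+NT-Password\s*(:=|==)\s*"(?:0x)?([0-9A-Fa-f]{32})"')

def check_users_entry(line: str, cleartext: str):
    """Return (hash_matches_cleartext, operator) for one users-file line.

    The operator is reported because ':=' sets the control attribute rlm_mschap
    reads, while '==' only compares against the request (returns None, None
    for comments or lines that are not an NT-Password entry)."""
    m = _USERS_RE.match(line.strip())
    if not m:
        return None, None
    return m.group(3).upper() == nt_password_hash(cleartext), m.group(2)

if __name__ == "__main__":
    # Constructed sample: this is the NT hash of "password", not the poster's value.
    print(check_users_entry('cobb NT-Password := "0x8846F7EAEE8FB117AD06BDD830B7586C"',
                            "password"))   # (True, ':=')
```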