Re: users file auth failing
On Mon, 2008-10-27 at 18:41 -0600, Anthony Chavez wrote:
> Module: Instantiating ldap
>  ldap {
>         server = directory.somedomain
>         port = 389
>         password = secret
>         identity = cn=Manager,dc=somedomain

I don't know how much of this was from clean up, but if possible you really really shouldn't use cn=Manager,dc=somedomain for this. It is generally considered a no-go to let anything use the directory manager.

At our site I created a dedicated radiusd user who has exactly and only the rights needed by radius. I don't know if that is an option at your site, but if it is I strongly suggest it.

Pat

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
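As an illustration of the dedicated service account Pat recommends (added here by the editor; it is not configuration from any of the posts, and the OpenLDAP ACL layout, the DNs cn=radiusd,ou=services,dc=somedomain and ou=people,dc=somedomain, and the attribute name dialupAccess are assumptions), this is what the two halves look like: the slapd.conf access rules that give the account only read access to the subtree rlm_ldap searches, and the FreeRADIUS 2.x ldap stanza that binds as that account instead of the directory manager. Whether the account needs to read the password attribute depends on the inner method: PEAP/MSCHAPv2 needs the cleartext or NT hash server-side, while EAP-TTLS/PAP can let rlm_ldap bind as the user, in which case "auth" access is enough.

```conf
# --- slapd.conf (OpenLDAP, assumed layout) ---
# The RADIUS service account gets read on the password attribute only
# because the inner method here is MSCHAPv2.  For a pure PAP/bind-as-user
# setup change the first "read" to "auth"; anonymous keeps "auth" so the
# service account itself can bind, and so can users when rlm_ldap binds as them.
access to attrs=userPassword
        by dn.exact="cn=radiusd,ou=services,dc=somedomain" read
        by self write
        by anonymous auth
        by * none

# Everything else rlm_ldap looks up (uid, dialupAccess, group membership):
# read-only for the service account, nothing for anonymous binds.
access to dn.subtree="ou=people,dc=somedomain"
        by dn.exact="cn=radiusd,ou=services,dc=somedomain" read
        by self read
        by * none

# --- radiusd.conf / modules/ldap (FreeRADIUS 2.x) ---
# Bind as the dedicated account, never as cn=Manager.  "secret" is a
# placeholder; the file holding it should not be world-readable.
ldap {
        server = "directory.somedomain"
        port = 389
        identity = "cn=radiusd,ou=services,dc=somedomain"
        password = "secret"
        basedn = "ou=people,dc=somedomain"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Reject unless the attribute exists and is not FALSE; a missing
        # attribute rejects the user.
        access_attr = "dialupAccess"
        access_attr_used_for_allow = yes

        # STARTTLS on 389 so the service-account password and user
        # credentials do not cross the wire in the clear.
        tls {
                start_tls = yes
                cacertfile = /etc/freeradius/certs/cacert.pem
                require_cert = "demand"
        }

        dictionary_mapping = ${confdir}/ldap.attrmap
}
```

The check that the ACL is tight enough is the same one Pat implies: bind as cn=radiusd with ldapsearch, confirm it can read a user's entry under ou=people, and confirm it cannot modify anything or read entries outside that subtree.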
undefined symbol: eaptls_session_idx
I built my own version of freeradius from the ubuntu package for 8.10. The ubuntu version stamp on it is 2.1.0+dfsg-0ubuntu2 so I expect it is freeradius 2.1.0 (and the source confirms this). I modified the package scripts so that I can link the program to openssl and get the eap modules.

The program built without a hitch so I was a bit shocked to find that I get a linking error when I start the server. What can I do to fix this?

Ubuntu 8.04, x86

My guess is recompile, but without knowing what I did wrong I will just get a bad build again and again and again.

snip
Module: Linked to module rlm_eap
Module: Instantiating eap
 eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
 }
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
  gtc {
        challenge = Password:
        auth_type = PAP
  }
rlm_eap: Failed to link EAP-Type/tls: /usr/lib/freeradius/rlm_eap_tls.so: undefined symbol: eaptls_session_idx
/etc/freeradius/eap.conf[17]: Instantiation failed for module eap
/etc/freeradius/sites-enabled/inner-tunnel-ldap[223]: Failed to find module eap.
/etc/freeradius/sites-enabled/inner-tunnel-ldap[176]: Errors parsing authenticate section.
 }
}
Errors initializing modules
Authentication seems to work, only it doesn't actually (EAP-TTLS)
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

That being said I have taken one of my existing, working with FreeRadius 1.1.5, access points and pointed it at my test radius server. When I try and connect the agent sends dozens of requests that the debug log seems very happy with

Login OK: [prieheck] (from client

However, that seems to be the extent of it. The logins are approved, but it doesn't seem like anyone is getting informed.

A radeapclient test:

+++ About to send encoded packet:
        User-Name = prieheck
        Cleartext-Password = please
        NAS-IP-Address = 127.0.0.1
        EAP-Code = Response
        EAP-Id = 210
        EAP-Type-Identity = prieheck
        Message-Authenticator = 0x00
        NAS-Port = 0
+++ EAP decoded packet:
        EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
        Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
        State = 0x5d58d3605d8bd76df879afd5c99b16ef
        EAP-Id = 211
        EAP-Code = Request
        EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4
+++ About to send encoded packet:
        User-Name = prieheck
        Cleartext-Password = please
        NAS-IP-Address = 127.0.0.1
        EAP-Code = Response
        EAP-Id = 211
        Message-Authenticator = 0x
        NAS-Port = 0
        EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
        State = 0x5d58d3605d8bd76df879afd5c99b16ef
+++ EAP decoded packet:
        EAP-Message = 0x03d30004
        Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
        User-Name = prieheck
        EAP-Id = 211
        EAP-Code = Success
Total approved auths: 1
Total denied auths: 1

So it looks to me like the eap bit is all going good, but I am at a loss (especially concerning the denied auth there...).

EAP/PEAP is working just fine so I think it may be my eap.conf file related to ttls:

eap.conf
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_file = ${certdir}/radius.key
                certificate_file = ${certdir}/radius.crt
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = DEFAULT
                make_cert_command = ${certdir}/bootstrap
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = inner-tunnel
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = inner-tunnel
        }
        mschapv2 {
        }
        md5 {
        }
}

This is a bit of the debug output from FreeRadius

snip
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
TTLS: Got tunneled reply RADIUS code 2
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
        MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
        MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
        EAP-Message = 0x03060004
        Message-Authenticator = 0x
        User-Name = prieheck
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
        User-Name = prieheck
        Framed-MTU = 1400
        Called-Station-Id = 000f.f7d4.d460
        Calling-Station-Id = 0106.cfa9.d2eb
        Service-Type = Login-User
/snip

Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.

I would happily share any of my other config lines, but don't know what you would want to see and don't want to flood you with too much data

Pat
Re: Authentication seems to work, only it doesn't actually (EAP-TTLS)
On Thu, 2008-08-14 at 15:59 +0200, Alan DeKok wrote:
> Pat Riehecky wrote:
> > My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
>
> That should be easy enough.
>
> > That being said I have taken one of my existing, working with FreeRadius 1.1.5, access points and pointed it at my test radius server.
>
> Why? Why not just test everything from the command-line? See my web site for examples of testing EAP (http://deployingradius.com).

Found the tools needed (knowledge) to figure out my own errors there.

Thanks!

Pat
Ldap attribute config stuff
OK, to begin I am not a radius guru. In fact, the word novice applies very strongly here. That being said, on to my inquiry.

I have two radius systems on site. One of them is for our wireless system and the other for our old, trying-to-die dial-up. The wireless system is set up to authenticate to our LDAP repository and make sure that users have a particular attribute before letting them on. Our dial-up system is a big mess of flat files on a version of the software I won't admit to.

I would very much like to get the radius server doing the wireless work to also do our dial-up work. To do this I have loaded some attributes into our LDAP server for it to query, but then I run into a bit of a problem. How do I configure a required attribute of Wireless=yes for one set of clients and an attribute of DialUP=yes for the other? Can this be done? Did I miss the doc on this?

Solaris 9 SPARC, FreeRadius 1.1.6

Any help I can get on this would be very appreciated.

Pat
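No reply to this question appears on the page; the following is an illustration added by the editor of one way FreeRADIUS 1.1.x can do what Pat asks, using three mechanisms that version already has: the huntgroups file (read by the preprocess module) to classify requests by NAS, two instances of rlm_ldap against the same directory that differ only in access_attr, and an Autz-Type check item set from the users file to choose which instance runs. The host name, DNs, NAS addresses, secret and the attribute names Wireless and DialUP are placeholders, and the LDAP bind identity follows the dedicated-account advice from the "users file auth failing" post rather than cn=Manager.

```conf
# --- huntgroups (read by the "preprocess" module) ---
# Classify requests by the NAS that sent them.  Addresses are placeholders.
wireless   NAS-IP-Address == 10.4.6.7
wireless   NAS-IP-Address == 10.4.6.8
dialup     NAS-IP-Address == 10.4.9.1

# --- radiusd.conf, modules section ---
# Two rlm_ldap instances against the same directory.  With
# access_attr_used_for_allow = yes a user is rejected unless the named
# attribute is present and its value is not FALSE, so "Wireless: yes"
# and "DialUP: yes" in the entry are enough.
modules {
        ldap ldap_wireless {
                server = "directory.somedomain"
                identity = "cn=radiusd,ou=services,dc=somedomain"
                password = "secret"
                basedn = "ou=people,dc=somedomain"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                access_attr = "Wireless"
                access_attr_used_for_allow = yes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
        ldap ldap_dialup {
                server = "directory.somedomain"
                identity = "cn=radiusd,ou=services,dc=somedomain"
                password = "secret"
                basedn = "ou=people,dc=somedomain"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                access_attr = "DialUP"
                access_attr_used_for_allow = yes
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
}

# --- radiusd.conf, authorize section ---
# The main list runs first; if it has set an Autz-Type, the sub-section of
# that name runs afterwards, so only one of the two LDAP lookups happens.
authorize {
        preprocess
        files
        Autz-Type Wireless {
                ldap_wireless
        }
        Autz-Type Dialup {
                ldap_dialup
        }
}

# --- users ---
# Pick the Autz-Type from the huntgroup.  No Fall-Through, so the first
# matching entry wins; a NAS in neither huntgroup hits the last DEFAULT
# and is rejected instead of being silently authorised.
DEFAULT Huntgroup-Name == "wireless", Autz-Type := "Wireless"

DEFAULT Huntgroup-Name == "dialup", Autz-Type := "Dialup"

DEFAULT Auth-Type := Reject
```

The point of the final DEFAULT is the failure mode: without it, a request from a NAS that is in neither huntgroup would skip both LDAP checks, and whether it was accepted would depend on whatever else the authorize section sets, not on the attribute Pat wants to require.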