Re[4]: Windows Vista doing PEAP - WORKING!!!

2006-11-29 Thread Pedro Ribeiro
Hello Alan,

I can confirm it's working now!!!
When I've seen the comment in the release notes of Radiator I thought
it was a conditional compiling (#ifdef) flag, thanks for the help!

Tuesday, November 28, 2006, 10:06:11 PM, you wrote:

> Pedro Ribeiro <[EMAIL PROTECTED]> wrote:
>> The "Radiator" people are talking about problems with SSL empty
>> fragments handling in Windows Vista ...
>> I've tried to compile FreeRADIUS with
>> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
>> clients can't connect!

>   i.e. the patch below MAY help.  There is still an issue in the
> FreeRADIUS state machine where it MAY send an empty ACK once the SSL
> tunnel is set up.  Most clients seem to be OK with this, but maybe
> Vista isn't.

>   A solution, I *think* would be to have FreeRADIUS send an EAP
> Identity request inside of the tunneled session for PEAP, as soon as
> the session is established.  This should work with third-party
> supplicants, and may allow Vista to work, too.

>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog



> Index: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
> ===
> RCS file:
> /source/radiusd/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c,v
> retrieving revision 1.21.4.11
> diff -u -r1.21.4.11 rlm_eap_tls.c
> --- src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c 26 Oct 2006 17:13:04 
> -  1.21.4.11
> +++ src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c   28 Nov 2006 
> 22:04:44 -
> @@ -368,7 +368,7 @@
>  *  time needed during negotiation, but it is not very
>  *  large.
>  */
> -   ctx_options |= SSL_OP_SINGLE_DH_USE;
> +   ctx_options |= SSL_OP_SINGLE_DH_USE |
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
> SSL_CTX_set_options(ctx, ctx_options);
>  
> /*
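Review bot: the hunk turns on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS unconditionally for every TLS context rlm_eap_tls creates, so the empty-fragment countermeasure OpenSSL adds (the security measure discussed in the tls-cbc.txt document linked in the earlier message of this thread) is disabled for all EAP-TLS, PEAP and TTLS supplicants, not only the Vista client that cannot handle it. Suggest making it a boolean in the tls configuration section that defaults to off, so that `ctx_options |= SSL_OP_SINGLE_DH_USE;` stays as is and the extra flag is OR-ed in only when the administrator enables the workaround, and extending the comment block above the changed line, which currently only describes the negotiation-time cost of the existing option, to say what the new option trades away.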



-- 
Best regards,

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pedro Ribeiro
IPLNet - Rede de dados e comunicações
Instituto Politécnico de Lisboa (IPL)
Mail: mailto:[EMAIL PROTECTED]
VoIP: sip:[EMAIL PROTECTED]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re[2]: Windows Vista doing PEAP

2006-11-28 Thread Pedro Ribeiro
Hello Alan,

The "Radiator" people are talking about problems with SSL empty
fragments handling in Windows Vista ...
I've tried to compile FreeRADIUS with
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS but the final result is the same,
clients can't connect!

in: http://www.open.com.au/radiator/history.html
> # Enabled SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in PEAP TLS, to work
> around a problem with Vista Beta 2 clients, where the extra empty
> fragment (sent as a security measure by OpenSSL) confuses the Vista
> PEAP supplicant. See http://www.openssl.org/~bodo/tls-cbc.txt for
> reasons behind the empty fragments. Reported by David Spindler.

Best Regards!

Wednesday, October 4, 2006, 4:14:25 PM, you wrote:

> "King, Michael" <[EMAIL PROTECTED]> wrote:
>> So we've been using FreeRADIUS talking to ActiveDirectory to
>> authenticate our WinXP clients (Over 2000) for over a year now.
>> Along comes Vista.  Of COURSE it doesn't work.  Microsoft changed
>> something, and it broke a working config.  Arrg.

>   Try: http://www.striker.ottawa.on.ca/~aland/vista.patch

>   You'll have to re-build & re-install the EAP module (you don't need
> to touch the rest of the server).  It won't help, but it will print
> out a little more information.  We'll probably have to do a few cycles
> before it's tracked down, though.

>> My (amateur) analysis (aka my gut) is that Vista is doing something in
>> TLS, not PEAP.  (I don't see my mschap module fire).

>   The TLS tunnel is set up, BUT vista is doing something slightly
> different that confuses FreeRADIUS, so FreeRADIUS doesn't continue the
> EAP conversation.

>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog







Long SQL queries in attributes

2005-11-29 Thread Pedro Ribeiro
Hello freeradius-users,

  I'm having trouble using long (>253 chars) SQL queries in the
  "users" file.

  It seems the limitations of attribute size are being applied to
  SQL queries even before expanding %{...} variables.

  Example:

>DEFAULT NAS-Port-Type == 'Wireless-802.11', Service-Type == 'Login-User', 
>Client-IP-Address != 127.0.0.1
>IPLNet-VLAN = `%{sql:SELECT DISTINCT VLAN FROM alunos.RadiusVLAN AS 
> v,alunos.Bindings AS b WHERE (Realm = '%{Realm}' OR Realm IS NULL) AND 
> (HuntgroupName = '%{HuntgroupName}' OR HuntgroupName IS NULL) AND (User = 
> SUBSTRING_INDEX('%{reply:User-Name}','@',1) AND Domain = '%{Realm}' AND 
> v.CodigoCurso = b.CodigoCurso OR v.CodigoCurso IS NULL) ORDER BY 
> v.CodigoCurso DESC,Realm DESC,HuntgroupName DESC LIMIT 1:-1003}`,
>Fall-Through = Yes

  Is there any way to overcome this limitation?

  TIA.

-- 
Best regards,
 Pedro  mailto:[EMAIL PROTECTED]



Re: freeradius 1.0.4 and Cisco WLSE

2005-08-22 Thread Pedro Ribeiro
Hello M.McNeil,

I've tried it also, but after upgrade of WLSE to a new version it
stopped working. Then I've configured the same AP (AP1231G) that I'm
using as WDS "master" with the local RADIUS server for LEAP
authentication and configured FreeRADIUS to proxy all the requests of
WDS/WLSE authentication to that AP ...

Friday, August 19, 2005, 6:42:16 PM, you wrote:

> Hello,

> I am having an issue getting Cisco's WLSE 2.11 to successfully 
> authenticate with FreeRadius 1.0.4.  I read where Alan DeKok stated that
> the "supplicant" is broken, and was wondering if this is something Cisco
> has to fix with the WLSE? or is there a way for me to fix the 
> supplicant?  Finally, I read where there were some freeradius patches
> that would remedy this problem.  Can someone provide me with a copy of
> those patches ?  The ones posted on this site have errors in them and
> the LEAP patch fails consistently at line 147 of  
> rlm_eap/types/rlm_leap/rlm_eap_leap.c  Any help would be greatly 
> appreciated.

> Best Regards,

> Mike McNeil
> Sr. Network Engineer
> University of California Berkeley






Accepting all users in PEAP

2005-08-05 Thread Pedro Ribeiro
Hello freeradius-users,

  I'm trying to make life easier for users that don't configure
  the access to our wireless network correctly or are using the wrong
  credentials.

  My idea was to always accept them, but force them to some special
  network (Vlan) that for every web access redirects them to a page
  explaining the problem (yes I know Reply-Message is meant to this,
  but unfortunately Windows doesn't show the message to users ...)

  I've made some tests to this without success ...

  Does anyone have a similar setup that could give-me some tips
  (example configuration) ?
  
  Thanks!

  Note: Our Wireless Network is based in Cisco AP1230G APs with
  FreeRADIUS doing the AAA and getting the users credentials from a
  MySQL Backend.
  Authentication EAP/PEAP/MSCHAPv2 or EAP/TTLS/PAP
  For curious people here goes the URL for some extra information:
  http://www.net.ipl.pt/index.php?id=19 ( in Portuguese )
  



Re: FreeRadius + FreeTDS + MSSQL70

2005-03-21 Thread Pedro Ribeiro
Pedro Ribeiro wrote:
Hi there
What version of FreeRADIUS you're using ?
Michael Lam wrote:
Dear All
How to setup the Freeradius to support FreeTDS and MSSQL70?
You must install unixODBC and freetds,
then configure FreeRADIUS to work with unixODBC (rlm_sql_unixodbc)
and use a DSN provided by freetds with the appropriate version...
Can provide more information and document?
I have a (badly) written document I made for myself as a guideline to this
very same situation. Mail me if you'd like a copy.
mssql.conf
driver = "rlm_sql_freetds"
server = "192.168.1.1"
login = "sa"
password = "radius"
radius_db = "radius"
See above, as you're not using rlm_sql_freetds you'll need to change
sql.conf and not mssql.conf :)
OOPS! my mistake: since you're not using rlm_sql_freetds, you'll write
in mssql.conf : driver="rlm_sql_unixodbc"
   ^^
Sorry once more for the mistake.
After I run "radiusd -X", I get the error "rlm_sql (sql): Could 
not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open 
shared object file: No such file or directory"

THANKS
Since rlm_sql_freetds is not part of the distribution, it can't be found :)
HTH
Pedro Ribeiro






Re: FreeRadius + FreeTDS + MSSQL70

2005-03-21 Thread Pedro Ribeiro
Hi there
What version of FreeRADIUS you're using ?
Michael Lam wrote:
Dear All
How to setup the Freeradius to support FreeTDS and MSSQL70?
You must install unixODBC and freetds,
then configure FreeRADIUS to work with unixODBC (rlm_sql_unixodbc)
and use a DSN provided by freetds with the appropriate version...
Can provide more information and document?
I have a (badly) written document I made for myself as a guideline to this
very same situation. Mail me if you'd like a copy.
mssql.conf
driver = "rlm_sql_freetds"
server = "192.168.1.1"
login = "sa"
password = "radius"
radius_db = "radius"
See above, as you're not using rlm_sql_freetds you'll need to change
sql.conf and not mssql.conf :)
After I run "radiusd -X", I get the error "rlm_sql (sql): Could 
not link driver rlm_sql_freetds: rlm_sql_freetds.so: cannot open shared 
object file: No such file or directory"

THANKS
Since rlm_sql_freetds is not part of the distribution, it can't be found :)
HTH
Pedro Ribeiro



Where to log ...

2005-02-09 Thread Pedro Ribeiro
I'm trying to log all the freeradius messages sent/received and so far
I've not found the right place/places to do it.

I've seen that the default log files aren't logging "Access-Challenge"
messages in EAP and also aren't logging reject messages produced by
explicit rejects in the users file.

Am I placing the logging modules correctly?
Where should I put them to get the desired effect, one file logging all
the radius packets received and another all the ones sent ...

Thanks in advance.

PS: Is there any effort to support EAP-FAST and "fast-reauthentication"
that I can join?


Relevant extracts of my config:

> detail {
> detailfile = ${logdir}/%{Client-IP-Address}-acct-%Y%m.log
> detailperm = 0600
> }
> detail auth_log {
> detailfile = ${logdir}/%{Client-IP-Address}-auth-%Y%m.log
> detailperm = 0600
> }
> detail reply_log {
> detailfile = ${logdir}/%{Client-IP-Address}-reply-%Y%m.log
> detailperm = 0600
> }
> detail pre_proxy_log {
> detailfile = ${logdir}/%{Client-IP-Address}-pre-proxy-%Y%m.log
> detailperm = 0600
> }
> detail post_proxy_log {
> detailfile = ${logdir}/%{Client-IP-Address}-post-proxy-%Y%m.log
> detailperm = 0600
> }
> authorize {
> preprocess
> auth_log
> chap
> mschap
> suffix
> eap
> files
> sql
> }
> accounting {
> detail
> sql
> }
> post-auth {
> reply_log
> sql
> Post-Auth-Type REJECT {
> reply_log
> }
> }
> pre-proxy {
> preproxy_users
> attr_filter
> pre_proxy_log
> }
> post-proxy {
> post_proxy_log
> attr_filter
> eap
> }


