Restricting access to NAS via http login authentication list
Hello,

I didn't really know what kind of title I should have given this one, but I will try to explain what I am aiming for. The switches I use support both http and https login to the switch to administrate it. The switch has support for using authentication towards a RADIUS server to check if the user wanting to log in to the switch is an existing user on the RADIUS server. The problem I have is that every user in the users file in Freeradius can access the switch when I'm using an authentication list which checks against the RADIUS server. Is there any way to restrict it so that only one specific user in the users file can get access to the NAS?

Best regards/ Peter Carlstedt

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Passwords in cert
Hello everyone, I was wondering if I can use different passwords when making the certs for ca.cnf, server.cnf and client.cnf. What I mean is: does it have to be the same password in output_password and input_password for all of the files?

Best regards/ Peter Carlstedt
eap.conf - tls{private_key_password = whatever}
Hello everyone, hope someone can answer me quite fast on this one =) I have tried googling it but couldn't find anything about it. Since I want to use PEAP I need to change the line private_key_password = whatever in the tls section to my own private key, which I set in the server.cnf file that is used for creating the certs. What I wonder is which of the passwords it asks for: the input_password or the output_password in the server.cnf file? I have only tested making certs once before, and at that time I didn't know which I should use, so I used the same password for both input and output. Now I need to know which one I should use, since I use different passwords for input and output =) Hope someone can help. Thanks!

/Peter Carlstedt
Possible to add a NAS in any MySQL table?
Hello everyone, I've been searching the net for answers but haven't been able to find any information about how to add a NAS in the MySQL tables instead of using the clients.conf file. Is it possible to use one of the tables that come with Freeradius? If it is possible, is there any HOWTO guide for it somewhere?

Best regards/ Peter Carlstedt
RE: Re: Problems when trying to start Freeradius with eap
: auth_type = PAP }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
  tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = /usr/local/etc/raddb/certs/server.pem
	certificate_file = /usr/local/etc/raddb/certs/server.pem
	CA_file = /usr/local/etc/raddb/certs/ca.pem
	private_key_password = kaffe
	dh_file = /usr/local/etc/raddb/certs/dh
	random_file = /usr/local/etc/raddb/certs/random
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = DEFAULT
	make_cert_command = /usr/local/etc/raddb/certs/bootstrap
   cache {
	enable = no
	lifetime = 24
	max_entries = 255
   }
  }
Generating a 2048 bit RSA private key
..+++
+++
unable to write 'random state'
writing new private key to 'server.key'
-
problems making Certificate Request
4098:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
make: *** [server.csr] Error 1
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+.+...+...+..+...+...+...+.++...+++*++*++*
unable to write 'random state'
Generating a 2048 bit RSA private key
...+++
...+++
unable to write 'random state'
writing new private key to 'server.key'
-
problems making Certificate Request
4101:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
Exec-Program output: openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Exec-Program-Wait: plaintext: openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Exec-Program: returned: 1
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module eap
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module eap.
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.

Best regards/ Peter Carlstedt
Problems with PEAP
Hello everyone, I know that it is something I have forgotten to configure, but I can't for my life remember what it is. What I want to do is to authenticate a user from a Windows machine using PEAP. The error I get in the output is:

rad_recv: Access-Request packet from host 192.168.118.10 port 35923, id=92, length=230
	Service-Type = Framed-User
	Framed-MTU = 1400
	User-Name = Jens
	State = 0x99a8723d9faf6be067d44ee908d21fb0
	NAS-Port-Id = wlan2
	Calling-Station-Id = 00-26-BB-14-50-CF
	Called-Station-Id = 02-0B-6B-33-62-35:3
	EAP-Message = 0x0207005b19001703010050ff6dcfaa2e20081def82599ed160a801cb8b3e047fe0408eca8f0ed5bf985a4594dbf7056245f7ff06e823be7ba31220fb494d61db652b3f05bf75b3767bbfcce4d3c8e706312e385afb35dd2fe6f8f9
	Message-Authenticator = 0x0ba6d2c1daab0232a5b4bd95fac8dc78
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
	EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc06883db97ed65677dadd8058359801947d67a7f575431297004a656e73
server {
  PEAP: Setting User-Name to Jens
Sending tunneled request
	EAP-Message = 0x0207003f1a0207003a31f7f5bfb93119478c28430861f7428ecc06883db97ed65677dadd8058359801947d67a7f575431297004a656e73
	FreeRADIUS-Proxied-To = 127.0.0.1
	User-Name = Jens
	State = 0xdb1b00f8db1c1ab8275dfb2a6c0e04ae
	Service-Type = Framed-User
	Framed-MTU = 1400
	NAS-Port-Id = wlan2
	Calling-Station-Id = 00-26-BB-14-50-CF
	Called-Station-Id = 02-0B-6B-33-62-35:3
	NAS-Identifier = MikroTik
	NAS-IP-Address = 192.168.118.10
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for Jens with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
	MS-CHAP-Error = \007E=691 R=1
	EAP-Message = 0x04070004
	Message-Authenticator = 0x
[peap] Got tunneled reply RADIUS code 3
	MS-CHAP-Error = \007E=691 R=1
	EAP-Message = 0x04070004
	Message-Authenticator = 0x
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.118.10 port 35923
	EAP-Message = 0x0108002b19001703010020e9867cd0d691777dff28957e278ff9ee7618f8d26722621a3472801821e637a5
	Message-Authenticator = 0x
	State = 0x99a8723d9ea06be067d44ee908d21fb0
Finished request 197.

Things I have configured in raddb and in raddb/modules are:

1. Added a user called Jens with Cleartext-Password := kaffe
2. Added two NAS in clients.conf
3. Set default_eap_type = peap, copy_request_to_tunnel = yes and, under the peap section, also default_eap_type = mschapv2 in eap.conf
4. Uncommented use_mppe = yes and set require_encryption = yes, require_strong = yes in mschap in the modules directory.

Is there anything else I need to do that I have forgotten, so I can use PEAP?

Best regards/ Peter Carlstedt
RE: Re: Problems with PEAP
Message: 6
Date: Mon, 7 Dec 2009 23:00:02 - (UTC)
From: t...@kalik.net
Subject: Re: Problems with PEAP
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 50214.87.194.16.13.1260226802.squir...@www.kalik.net
Content-Type: text/plain;charset=iso-8859-1

> > Hello everyone, I know that it is something I have forgotten to configure, but I can't for my life remember what it is. What I want to do is to authenticate a user from a Windows machine using PEAP.
> > Things I've configured in raddb and in raddb/modules are:
> > 1. Added a user called Jens with Cleartext-Password := kaffe
>
> No, you haven't:
>
> ++[files] returns noop
>
> There is no entry for that user in users file. At least not the one server is using. If you have multiple installations make sure that you are configuring files belonging to the instance you are running. Have a look at the debug of the server startup - it will tell you where users file is (when files module is instantiated).
>
> Ivan Kalik

Hi Ivan Kalik,

Yes, I do have an input for Jens with Cleartext-Password := kaffe in the users file. Also, I do not have several installations of Freeradius on the same installation of Ubuntu Desktop 9.04. This one was newly installed yesterday, so there is only one installation. Also, I could log in using a different user which was a row above the user Jens. My users file has two users:

peter Cleartext-Password := kaffe
jens Cleartext-Password := kaffe

After I logged in with the user peter I could log in using jens.

Best regards/ Peter Carlstedt
Problems when trying to start Freeradius with eap
Hello everyone. I'm trying to start my radius server and have some problems doing that. I think I have missed uncommenting eap somewhere or something like that, but I can't find where. I will give the output from the terminal; I've also tried to make my own certificate, but it says it has problems making them, I don't really understand why, and it is in the same output. Hope you can help me on this one, because I can't find what I'm doing wrong.

pe...@freeradius:~$ sudo radiusd -X
FreeRADIUS Version 2.1.7, for host i686-pc-linux-gnu, built on Dec 2 2009 at 16:29:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including dictionary file /usr/local/etc/raddb/dictionary
main {
	prefix = /usr/local
	localstatedir = /usr/local/var
	logdir = /usr/local/var/log/radius
	libdir = /usr/local/lib
	radacctdir = /usr/local/var/log/radius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /usr/local/var/run/radiusd/radiusd.pid
	checkrad = /usr/local/sbin/checkrad
	debug_level = 0
PEAP with MSCHAPv2
Hello everyone. I'm trying to understand how the certificates work in Freeradius. Last time I asked why I need to install a root certificate on all the Windows clients, I got the answer that it is because PEAP works that way. But when I read about it on other sites it says that EAP-TTLS and PEAP were created so that you won't need client-side certificates? Is there a difference between client-side certificates and the root certificate? The PEAP0 I want to use is EAP-MSCHAPv2, since that one should not require client-side certificates if I have understood it correctly.

Best Regards/ Peter Carlstedt
RE: Freeradius-Users Digest, Vol 56, Issue 18
Hi,

> > Hello everyone. I'm trying to understand how the certificates work in Freeradius. Last time I asked why I need to install a root certificate on all the Windows clients, I got the answer that it is because PEAP works that way. But when I read about it on other sites it says that EAP-TTLS and PEAP were created so that you won't need client-side certificates?
>
> client-side certificate means a specific cert for the client..not the root CA. you need a root CA installed because that's what the RADIUS server has been signed with. if you've used a CA to sign the RADIUS cert that is commonly in the client you won't need to install the CA...but e.g. a self-signed CA will need to be installed.
>
> > The PEAP0 I want to use is EAP-MSCHAPv2, since that one should not require client-side certificates if I have understood it correctly.
>
> RADIUS server signed by CA
> CA needs to be on the client if you want to really trust/verify the cert
>
> alan

Okay, so is there any way for me to get the root CA installed without having to do it manually on the clients?

Peter
Making certs for Windows users
Hello everyone. I got some questions regarding how to make a certificate that works towards Windows clients while running Freeradius with PEAP. Well, I have read on the wiki for Freeradius about making a standalone cert for Windows clients (root cert), but why do I need that installed on the Windows clients when I want to run PEAP? Isn't PEAP meant to work in a way that you shouldn't have to install standalone certs on the users' computers?

Anyway... I don't really understand what it is that I need to do to make real certificates. I've read the README file in raddb/certs but don't understand what it says. I have got ca.cnf and ca.pem etc. since I started the radius server the first time, when it said that it made some certs, which I guess are test certificates... The README file only says that I should remove the old ones, but when I try to get into the certs folder through the terminal it says I do not have permission to go into that folder.. I'm using Ubuntu Desktop and I don't know a way to get into the folder as root other than typing sudo cd certs, which does not work. :/ Can I ignore the part which says that I need to remove the certs created when I ran the server the first time and just make changes in the ca.cnf?

As a side note, I've never worked with certificates before; I know what they are meant to do, but more than that I don't know.

Best regards/ Peter Carlstedt
RE: Re: Making certs for Windows users
Message: 1
Date: Mon, 30 Nov 2009 09:43:07 +
From: Peter Carlstedt pc_...@hotmail.com
Subject: Making certs for Windows users
To: freeradius-users@lists.freeradius.org
Message-ID: snt120-w2c8f3e29e26de093d3f90b4...@phx.gbl
Content-Type: text/plain; charset=iso-8859-1

> Hello everyone. I got some questions regarding how to make a certificate that works towards Windows clients while running Freeradius with PEAP. Well, I have read on the wiki for Freeradius about making a standalone cert for Windows clients (root cert), but why do I need that installed on the Windows clients when I want to run PEAP? Isn't PEAP meant to work in a way that you shouldn't have to install standalone certs on the users' computers?
>
> Anyway... I don't really understand what it is that I need to do to make real certificates. I've read the README file in raddb/certs but don't understand what it says. I have got ca.cnf and ca.pem etc. since I started the radius server the first time, when it said that it made some certs, which I guess are test certificates... The README file only says that I should remove the old ones, but when I try to get into the certs folder through the terminal it says I do not have permission to go into that folder.. I'm using Ubuntu Desktop and I don't know a way to get into the folder as root other than typing sudo cd certs, which does not work. :/ Can I ignore the part which says that I need to remove the certs created when I ran the server the first time and just make changes in the ca.cnf?
>
> As a side note, I've never worked with certificates before; I know what they are meant to do, but more than that I don't know.
>
> Best regards/ Peter Carlstedt

--

Message: 5
Date: Mon, 30 Nov 2009 11:15:09 +0100
From: Alan DeKok al...@deployingradius.com
Subject: Re: Making certs for Windows users
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 4b139b2d.8000...@deployingradius.com
Content-Type: text/plain; charset=ISO-8859-1

> Peter Carlstedt wrote:
> > I got some questions regarding how to make a certificate that works towards Windows clients while running Freeradius with PEAP.
>
> The howto's are detailed, and should be relatively clear.
>
> > Well, I have read on the wiki for Freeradius about making a standalone cert for Windows clients (root cert), but why do I need that installed on the Windows clients when I want to run PEAP?
>
> Because that's how peap works.
>
> > Isn't PEAP meant to work in a way that you shouldn't have to install standalone certs on the users' computers?
>
> No.
>
> > Anyway... I don't really understand what it is that I need to do to make real certificates. I've read the README file in raddb/certs but don't understand what it says. I have got ca.cnf and ca.pem etc. since I started the radius server the first time, when it said that it made some certs, which I guess are test certificates... The README file only says that I should remove the old ones, but when I try to get into the certs folder through the terminal it says I do not have permission to go into that folder.. I'm using Ubuntu Desktop and I don't know a way to get into the folder as root other than typing sudo cd certs, which does not work. :/
>
> This is Unix 101. You need to be root to edit the files in that directory.

Yes, I understand that I need root permissions to edit files in that directory, BUT is there any way to get those permissions without having to log in with the root account? There are reasons why you should use sudo in the terminal as a normal user instead of logging in as the root user. So what I mean is whether there is some kind of command which gives me the same permissions as the root user in the terminal. I was thinking about that since you can use the command gksudo nautilus to browse through directories which have root permission only. Is there any command which can give me the same permissions in the terminal?

> > Can I ignore the part which says that I need to remove the certs created when I ran the server the first time and just make changes in the ca.cnf?
>
> Sure. And then it won't work.
>
> Alan DeKok.

So the only difference between the test cert and a real one is what is written in the ca.cnf? I don't need to add or remove anything or make an extra file or something like that? Sorry for all the (maybe stupid) questions, but I'm new to the thing of creating certs.

--

Best regards/ Peter Carlstedt
Error while trying to make root CA
Hello everyone, it took a while for me to understand how to get root privileges in the terminal. I finally decided to log in as root, though I know I should not do that, but I couldn't find a way around it, since I need to get into raddb/certs with the terminal so I can remove some files and stuff that the README says. Well, I tried to run the bootstrap command and got an error saying that it has problems making the Cert Request. Below is the output from the bootstrap command. How do I fix this? Have I done something that I shouldn't have done?

Best regards/ Peter Carlstedt

r...@peter-desktop:/usr/local/etc/raddb/certs# ./bootstrap
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
+++
..+++
writing new private key to 'server.key'
-
openssl req -new -x509 -keyout ca.key -out ca.pem \
	-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
...+++
+++
writing new private key to 'ca.key'
-
problems making Certificate Request
9578:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
make: *** [ca.key] Error 1
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..+.+..+++..+..+..+...++...+...+...+.+..++.++.+...+..+..++.+.+.++...+.+++.+.+.+..+...+..+...+..+++...++++++.+.+..++...+..+...+.++..+...++...+..++*++*++*
Generating a 2048 bit RSA private key
.+++
..+++
writing new private key to 'server.key'
-
Generating a 2048 bit RSA private key
..+++
...+++
writing new private key to 'ca.key'
-
problems making Certificate Request
9587:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
RE: Freeradius-Users Digest, Vol 55, Issue 113
Message: 2
Date: Tue, 24 Nov 2009 19:35:17 - (UTC)
From: t...@kalik.net
Subject: Re: The MySQL databases for Freeradius
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 64909.87.194.16.13.1259091317.squir...@www.kalik.net
Content-Type: text/plain;charset=iso-8859-1

> > I am sitting here trying to figure out how FreeRadius works towards MySQL. The database radcheck is for a single user if I have understood it correctly. What I want to do is to make a form through MS Access where I can add several attributes to the same row in the table. But since radcheck only seems to work with one attribute per row for one user, I don't really know how to do it.
>
> You *can* have multiple entries (rows) for each user. You don't have to cram everything into a single row.

Okay, but I don't think it makes any sense that you have multiple entries for the same user in a table? Say for example that you have 200 different users and every user has to have 3 different attributes. The table would get extremely large. What I want to do is to link a user to a specific group through MySQL and in that way start up the segmentation. So depending on what group you are a member of, you get into different VLANs etc. That's why I hoped that I could use radusergroup to link a user to a group and then in radgroupcheck add group-specific attributes like NAS-Port-Ids or Called-Station-Ids, and in that way be able to do segmentation on SSID or WLAN.

> > What I mean is that if I have a user called test-user and want to have two attributes for that user, in this case Cleartext-Password and NAS-Port-Id, I need to have two rows for that user.
>
> Yes, you do.
>
> > radcheck:
> > ------------------------------------------------
> > |id|username  |attribute         |op |value     |
> > |1 |user-test |Cleartext-Password|== |test-pass |
>
> That should be :=.
>
> > |2 |user-test |NAS-Port-Id       |== |raket     |
> > ------------------------------------------------
> >
> > The reason I want to make a form is because I want others than me to be able to add new users and have them connected to the correct group, which then will have a separate VLAN and SSID.
>
> The form you generate with MS Access will put data into - MS Access backend. You can't connect that form to MySQL. If you are a fan of Windows use Windows (ASP.NET) forms or webforms which can place data into MySQL.

I have actually been able to make changes to the MySQL table by using MS Access and ODBC. But I have had some problems making a form that works towards radcheck, though. I'm not really a Windows fan, but I need a backend that restricts the admins from messing up the Freeradius server. What I need is a GUI where you can search for a specific group and add a new user or edit a user in that group. I really don't want to see a list of all the users there are and then have to search through 200 users to find the one I wish to edit. So is it possible with dialupadmin to add a user and link that user to a group, so you can only list that group's users? Also, is it possible in any way to make group-specific attributes, so I won't have to add SSID restrictions on user level? I have seen in the source of Freeradius that dialup admin comes with it. I've started to think about testing it. So do I need to build dialupadmin in the same way I did with OpenSSL and FreeRadius, or did it get installed at the same time as I installed Freeradius? Also, is there anywhere I can read about how to link dialup admin to MySQL etc.?

> Freeradius comes with its own admin GUI - dialup admin. There are also outside projects like daloRadius. Or you can make your own using things like PHP.
>
> > So then I thought that if I use the table called radusergroup and link the user to a specific group, it should work in a way that all members of this group may only connect to the network if they try to connect to the correct SSID. It seems that did not work either.
>
> No, it will not work.
> Groups in sql emulate DEFAULT entries in users file - if check doesn't match, replies are ignored - user is not rejected.
>
> > I am at a loss here and don't really know what I should do.
>
> If you want user to get rejected if SSID doesn't match, you will need to make it an entry in radcheck table. As long as the password is there too user will be rejected.
>
> Ivan Kalik

Thank you for your time.

Best regards/ Peter Carlstedt
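To make the radcheck versus radgroupcheck distinction in Ivan's reply concrete, here is an added Python model of that behaviour. It is a constructed teaching example, not FreeRADIUS code or anything from the thread; the user names, group name, SSID strings and VLAN id are made up, and it also shows why a Cleartext-Password row with == never matches.

```python
# Simplified model of how FreeRADIUS rlm_sql treats radcheck versus
# radgroupcheck rows, as described in the reply above. Constructed example,
# not FreeRADIUS code; all table contents below are made up.
#
# Modelled rules:
#  - radcheck rows for a user are all-or-nothing: every '==' row must match the
#    request, and only then are the ':=' rows copied into the control items.
#    A failed comparison means no Cleartext-Password is loaded, so the password
#    check rejects the user (Ivan's "as long as the password is there too").
#  - radgroupcheck rows only gate that group's radgroupreply rows: a mismatch
#    drops the group's replies but does not reject the user.
#  - 'Cleartext-Password == x' compares against the request, which carries
#    User-Password rather than Cleartext-Password, so it never matches.

# Constructed rows in the (name, attribute, op, value) layout of the SQL tables.
RADCHECK = [
    ("user-test", "Cleartext-Password", ":=", "test-pass"),
    ("user-test", "Called-Station-Id", "==", "02-0B-6B-33-62-35:staff"),
    ("user-grp", "Cleartext-Password", ":=", "test-pass"),
    ("user-eq", "Cleartext-Password", "==", "test-pass"),
]
RADUSERGROUP = [("user-test", "staff"), ("user-grp", "staff")]
RADGROUPCHECK = [("staff", "Called-Station-Id", "==", "02-0B-6B-33-62-35:staff")]
RADGROUPREPLY = [("staff", "Tunnel-Private-Group-Id", ":=", "20")]

STAFF_SSID = "02-0B-6B-33-62-35:staff"   # constructed MAC:SSID values
GUEST_SSID = "02-0B-6B-33-62-35:guest"


def apply_check_rows(rows, request, control):
    """Evaluate one set of check rows against the request attributes.

    Returns True when every '==' row matches; the ':=' rows are merged into
    `control` only in that case, mirroring the all-or-nothing behaviour.
    """
    pending = {}
    for _name, attribute, op, value in rows:
        if op == "==":
            if request.get(attribute) != value:
                return False
        elif op == ":=":
            pending[attribute] = value
        else:
            raise ValueError("unsupported operator: " + op)
    control.update(pending)
    return True


def authorize(username, request):
    """Run the radcheck and group lookups, then a PAP-style password check.

    Returns (outcome, reply_items, reason); outcome is 'accept' or 'reject'.
    """
    control, reply = {}, {}

    user_rows = [r for r in RADCHECK if r[0] == username]
    user_ok = apply_check_rows(user_rows, request, control) if user_rows else False

    for member, group in RADUSERGROUP:
        if member != username:
            continue
        group_rows = [r for r in RADGROUPCHECK if r[0] == group]
        if apply_check_rows(group_rows, request, control):
            for name, attribute, _op, value in RADGROUPREPLY:
                if name == group:
                    reply[attribute] = value
        # A failed group check is silently ignored: no rejection here.

    password = control.get("Cleartext-Password")
    if password is None:
        why = "radcheck rows did not match" if user_rows and not user_ok else "no password known"
        return ("reject", {}, why)
    if request.get("User-Password") != password:
        return ("reject", {}, "wrong password")
    return ("accept", reply, "ok")


if __name__ == "__main__":
    good = {"User-Password": "test-pass", "Called-Station-Id": STAFF_SSID}
    wrong_ssid = {"User-Password": "test-pass", "Called-Station-Id": GUEST_SSID}
    print(authorize("user-test", good))        # accept, VLAN 20 from the group
    print(authorize("user-test", wrong_ssid))  # reject: SSID row is in radcheck
    print(authorize("user-grp", wrong_ssid))   # accept, no VLAN: group check only
    print(authorize("user-eq", good))          # reject: '==' on Cleartext-Password
```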
The MySQL databases for Freeradius
Hello everyone!

I am sitting here trying to figure out how FreeRadius works towards MySQL. It is quite hard for me to try to explain what I want to do since I'm not good with MySQL, but I will try anyway and hope someone will understand what I mean. =)

The database radcheck is for a single user if I have understood it correctly. What I want to do is, through MS Access, make a form where I can add several attributes to the same row in the table. But since radcheck only seems to work with one attribute per row for one user I don't really know how to do it. What I mean is that if I have a user called test-user and want to have two attributes for that user, in this case Cleartext-Password and NAS-Port-Id, I need to have two rows for that user. The table looks like this in Access (when I want to use two or more attributes):

radcheck:
---
|id|username  |attribute         |op |value     |
|1 |user-test |Cleartext-Password|== |test-pass |
|2 |user-test |NAS-Port-Id       |== |raket     |
---

The reason I want to make a form is because I want others than me being able to add new users and have them connected to the correct group which then will have a separate VLAN and SSID. So then I thought that if I use the table called radusergroup and link the user to a specific group it should work in a way that all members of this group may only connect to the network if they try to connect to the correct SSID. It seems that did not work either. I am at a loss here and don't really know what I should do. Sorry if my explanation is bad, but it is quite hard for me to explain.

Best regards/ Peter Carlstedt
No NAS-PORT seen
Hello everyone!

After some work now I have successfully got MySQL to work towards the Freeradius server, or at least I think it does. But hurm.. I've added a user by adding a user in radcheck; I've written

insert into radcheck (id, username, attribute, op, value) VALUES (null, 'test-user', 'Cleartext-Password', ':=', 'test-pass');

and then I've written

select * from radcheck;

which shows the new user. Well, all of that works, but from that point and forward it doesn't: I can't get my new user to authenticate towards the radius server, and I get from attr_filter that the request matched entry DEFAULT at line 11, which sends a reject message if I have understood it correctly. Also I've commented out that the radius server should use the users file to do checks against when someone tries to authenticate; well, that doesn't seem to work, because when I try to authenticate towards the radius server with a user in the users file I succeed, while I do not succeed when I try to authenticate by using the user that I created in the MySQL database. Have I missed something?

But something I also noticed is that when I authenticate as the user who is in the users file, and have commented out that it should use the users file, it gets a message from rlm_radutmp saying "No NAS-Port seen. Cannot do anything." Have I done something terribly wrong?

I've installed and made my own build of Freeradius 2.1.7 after I installed the mysql client and all those libraries and the mysql server. Also I installed OpenSSL 0.9.8l before installation of the Freeradius server.

Since the log is so big from radiusd -X, is there any possibility to save it into a file? And how do I do that?

Best regards/ Peter Carlstedt
Update of No NAS-PORT seen
Hello again!

I have an update of the problem. I also got an error which I've had before; then Ivan Kalik, I think, told me that I need to enable copy_request_to_tunnel = yes. Well, I have that enabled so I can authenticate by PEAP. But now I get the same error when I try to authenticate the user which has been created in the MySQL database. The error I get is (only mentioning the mschapv2/mschap response from the output):

[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for test-user with NT-Password
[mschap] FAILED: No NT/LM-Password. Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Also as a side note, the user in the database has a Cleartext-Password := test-pass. I read on the wiki that I should use := and not == to do the check of the password. Also I have not set an Auth-Type; I let the server figure it out on its own.

Best regards/ Peter
Re: No NAS-PORT seen
Message: 2
Date: Mon, 23 Nov 2009 15:25:32 +0100
From: Alan DeKok al...@deployingradius.com
Subject: Re: No NAS-PORT seen
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Peter Carlstedt wrote:
>> Well, all of that works, but from that point and forward it doesn't: I can't get my new user to authenticate towards the radius server, and I get from attr_filter that the request matched entry DEFAULT at line 11, which sends a reject message if I have understood it correctly. Also I've commented out that the radius server should use the users file to do checks against when someone tries to authenticate; well, that doesn't seem to work, because when I try to authenticate towards the radius server with a user in the users file I succeed, while I do not succeed when I try to authenticate by using the user that I created in the mysql database. Have I missed something?

> It shouldn't be that hard. If you change the configuration, re-start the server.

I re-start the server all the time when I change the configuration... so that is not the case. I've checked if it works with radtest and it does. So in my mind it feels like I've missed something in the PEAP configuration?

> And READ the debug output. There's a lot of text in it, but it describes which modules it's using, and what it's doing. The ONLY answer to configuration problems is in the debug output.

>> But something I also noticed is that when I authenticate as the user who is in the users file, and have commented out that it should use the users file, it gets a message from rlm_radutmp saying No NAS-Port seen. Cannot do anything.

> That only comes from accounting traffic, not from authentication traffic. Please do NOT confuse the two.

>> I've installed and made my own build of Freeradius 2.1.7 after I installed the mysql client and all those libraries and the mysql server. Also I installed OpenSSL 0.9.8l before installation of the Freeradius server. Since the log is so big from radiusd -X, is there any possibility to save it into a file? And how do I do that?

> $ script radius.log
> $ radiusd -X
> (run)
> $ exit
>
> And then look at the file radius.log
>
> Alan DeKok.

Ok thanks! I'll do that.

Peter Carlstedt
MySql on Freeradius
Hello everyone!

I have succeeded in most of what I want to accomplish, but stupid me forgot that I would also want to be able to administrate the users through a GUI instead of jumping into the users.conf file every time I need to add a new user. Since I want OpenSSL support I need to make my own build, which Ubuntu's own Freeradius release in Synaptic does not seem to have support for. I have tried to find information on the net about how to make a build of Freeradius that works together with MySQL. The guides I have read are all about installing with the help of the Synaptic package manager in Ubuntu 9.04 and installing freeradius-mysql. A question I have is if that module comes with the build I make when I'm downloading from the Freeradius site? If not, do I need it to be able to get MySQL to work together with Freeradius, and if I do need it, how can I do a separate installation of it? Or can I use the one I find in Ubuntu's Synaptic Package Manager?

Lots of questions I know, hope you can find the time to answer them.

Best regards/ Peter
RE: Freeradius-Users Digest, Vol 55, Issue 73
By the way I forgot to ask, is there anywhere I can read about this kind of thing? I want to get a good understanding of how outer and inner tunnels work and what they do. Don't think I've seen anything about it on the Freeradius wiki... or may I be blind? :)

Best regards/ Peter
SSID based authentication
Hello everyone.

As you know by now I am the one asking a lot of questions, but if you don't ask you don't learn ;) Well, I have been searching the net for an answer but have not found any. I described in my latest question how to get SSID authentication to work, but I missed one important thing. If I want an end user to be able to connect to the same SSID on multiple APs then I cannot use Called-Station-Id, since it also includes information about the MAC address for a specific AP. So how do I do it to be able to authenticate by just using the SSID and not the MAC address for a specific AP? I'm using MikroTik and it does not have dynamic VLAN, so I will have to bind a VLAN per SSID.

Best regards/ Peter Carlstedt
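The question above is exactly the difference between an exact check on the whole Called-Station-Id (which pins one AP) and a check on its SSID suffix only. As an added example that is not code from this thread or from FreeRADIUS, the Python below parses the attributes of the Access-Request posted later in this thread, splits Called-Station-Id into AP MAC and SSID (MikroTik sends them as MAC:SSID, as the log shows), and contrasts the exact `==` check from the users file with a regular-expression check on the SSID suffix; the second-AP request and all helper names are constructed for illustration.

```python
"""Hypothetical model of a users-file check item on Called-Station-Id.
Not FreeRADIUS code: it reproduces only the comparison semantics needed to
show why '==' on MAC:SSID fails on a second AP while a suffix check passes.
"""
import re

# Constructed sample: the Access-Request attributes from the posted
# radiusd -X output (values quoted the way the server prints strings).
REQUEST_JENS_AP1 = """\
rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "Jens"
        Calling-Station-Id = "00-26-BB-14-50-CF"
        Called-Station-Id = "02-0B-6B-33-62-35:3"
        NAS-Identifier = "MikroTik"
        NAS-IP-Address = 192.168.118.10
"""

# Constructed: the same user on the same SSID "3", but through another AP.
REQUEST_JENS_AP2 = REQUEST_JENS_AP1.replace("02-0B-6B-33-62-35:3",
                                            "04-0B-6B-33-62-35:3")

ATTR_LINE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")
# AP MAC (dash or colon separated) optionally followed by ":SSID".
CALLED_STATION = re.compile(
    r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})(?::(.*))?$")


def parse_request(debug_text: str) -> dict:
    """Collect the indented 'Attribute = value' lines of one rad_recv block.

    Module-trace lines and the rad_recv header carry no attribute and are
    skipped; surrounding double quotes are stripped from string values.
    """
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def split_called_station_id(value: str):
    """Return (ap_mac, ssid); ssid is None when the NAS sent only its MAC."""
    m = CALLED_STATION.match(value)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group(1).upper(), m.group(2)


def ssid_regex(ssid: str) -> str:
    """Regex that matches the SSID part regardless of which AP sent it."""
    return ":" + re.escape(ssid) + "$"


def check_item_matches(attrs: dict, attribute: str, op: str, value: str) -> bool:
    """Evaluate one check item of the form used in the users file.

    Only the comparison operators relevant here are modelled: '==' is an
    exact match on the whole attribute value and '=~' a regular-expression
    match. An attribute absent from the request never matches.
    """
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "=~":
        return re.search(value, actual) is not None
    raise ValueError(f"operator {op!r} is not a comparison in this model")


def ssid_policy_allows(attrs: dict, allowed_ssid: str) -> bool:
    """Direct form of the same policy: accept when the SSID part matches."""
    _, ssid = split_called_station_id(attrs["Called-Station-Id"])
    return ssid == allowed_ssid
```

In the users file the suffix form is written with the `=~` operator on the check line, for example Called-Station-Id =~ ":raket$" instead of the exact `==` value.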
Problems to do an SSID based authentication
Hello everyone!

I am trying to do an SSID based authentication per user. What I mean is that I try in the users.conf file to check which SSID the user is trying to use to log in, and if it is wrong it shall do a reject for that user. The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know. My users.conf file looks like this:

#lameuser       Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve  Cleartext-Password := "testing"
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 172.16.3.33,
#       Framed-IP-Netmask = 255.255.255.0,
#       Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
#       Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

Peter   Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
#       Tunnel-Type = VLAN,
#       Tunnel-Medium-Type = IEEE-802,
#       Tunnel-Private-Group-Id = 2

Jens    Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3
#       Tunnel-Type = VLAN,
#       Tunnel-Medium-Type = IEEE-802,
#       Tunnel-Private-Group-Id = 3
#       NAS-Port-Id == wlan1

Mattias user-password := kaffe
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 1

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"     Cleartext-Password := "hello"
#               Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Cleartext-Password := "ge55ged"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = 0.0.0.0,
#       Callback-Number = "9,5551212",
#       Login-Service = Telnet,
#       Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk Cleartext-Password := "callme"
#       Service-Type = Callback-Login-User,
#       Login-IP-Host = timeshare1,
#       Login-Service = PortMaster,
#       Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#               Framed-IP-Address = 192.168.1.65,
#               Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT        Suffix == ".shell"
#               Service-Type = Login-User,
#               Login-Service = Telnet,
#               Login-IP-Host = your.shell.machine

#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "alphen"
#               Framed-IP-Address = 192.168.1.32+,
#               Fall-Through = Yes

#DEFAULT        Service-Type == Framed-User, Huntgroup-Name == "delft"
#               Framed-IP-Address = 192.168.2.32+,
#               Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT        Service-Type == Framed-User
#       Framed-IP-Address = 255.255.255.254,
#       Framed-MTU = 576,
#       Service-Type = Framed-User,
#       Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#       by the terminal server in which case there may not be a "P" suffix.
#       The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

#
# Last default: rlogin to our main
RE: RE: Problems to do an SSID based authentication
Message: 3
Date: Mon, 16 Nov 2009 10:03:22 +0000
From: Alan Buxey a.l.m.bu...@lboro.ac.uk
Subject: Re: Problems to do an SSID based authentication
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

> Hi,
>
>> I am trying to do an SSID based authentication per user. What I mean is that I try in the users.conf file to check which SSID the user is trying to use to log in, and if it is wrong it shall do a reject for that user. The problem is that I don't succeed with this, so I thought it does not hurt to ask the ones who know. My users.conf file looks like this:
>>
>> Peter   Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
>> Jens    Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3
>
> so Peter can only connect from 04-0B-6B-33-62-35:raket and Jens can only get on from 02-0B-6B-33-62-35:3 ?
>
> okay - where is your log from 'radiusd -X' ?
>
> alan

Hi Alan!

The logs from my radiusd -X are the following:

rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = Jens
        Acct-Session-Id = 82200128
        Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
        Calling-Station-Id = 00-26-BB-14-50-CF
        Called-Station-Id = 02-0B-6B-33-62-35:3
        EAP-Message = 0x02020009014a656e73
        Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
        NAS-Identifier = MikroTik
        NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry Jens at line 92
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 97 to 192.168.118.10 port 42531
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x
        State = 0xb5e02fd1b5e336db4711a92c3e7dc829
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.118.10 port 46429, id=98, length=316
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = Jens
        State = 0xb5e02fd1b5e336db4711a92c3e7dc829
        Acct-Session-Id = 82200128
        Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
        Calling-Station-Id = 00-26-BB-14-50-CF
        Called-Station-Id = 02-0B-6B-33-62-35:3
        EAP-Message = 0x02030071198000671603010062015e03014b01325d9b7522753ffde3bdcb960b88f167535ca9ec96ffa88e3f5577fc7b4c18002f00350005000ac013c014c009c00a0032003800130004011d00090007046a656e73000a0006000400170018000b00020100
        Message-Authenticator = 0xbb5e04e25bd1a69911623d1fa6fc555e
        NAS-Identifier = MikroTik
        NAS-IP-Address = 192.168.118.10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = Jens, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 3 length 113
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 103
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] TLS 1.0 Handshake [length 0062], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 98 to 192.168.118.10 port 46429
        EAP-Message =
RE: RE: Problems to do an SSID based authentication(t...@kalik.net)
Hi Ivan!

It worked! Woho! ^^ Thank you very much for your help =), of course Alan too =) Now I will probably get a ton more problems in my walk towards a good setup. =)

Best regards/ Peter Carlstedt

> Message: 3
> Date: Tue, 17 Nov 2009 00:01:08 -0000 (UTC)
> From: t...@kalik.net
> Subject: RE: RE: Problems to do an SSID based authentication
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
>
>> My users.conf file looks like this:
>>
>> Peter   Cleartext-Password := kaffe, Called-Station-Id == 04-0B-6B-33-62-35:raket
>> Jens    Cleartext-Password := kaffe, Called-Station-Id == 02-0B-6B-33-62-35:3
>>
>> The logs from my radiusd -X are the following:
>>
>> rad_recv: Access-Request packet from host 192.168.118.10 port 42531, id=97, length=194
>>         Service-Type = Framed-User
>>         Framed-MTU = 1400
>>         User-Name = Jens
>>         Acct-Session-Id = 82200128
>>         Acct-Multi-Session-Id = 02-0B-6B-33-62-35-00-26-BB-14-50-CF-82-20-00-00-00-00-01-10
>>         Calling-Station-Id = 00-26-BB-14-50-CF
>>         Called-Station-Id = 02-0B-6B-33-62-35:3
>>         EAP-Message = 0x02020009014a656e73
>>         Message-Authenticator = 0x12ec684d2cb511be9cf431ceeae1a5c8
>>         NAS-Identifier = MikroTik
>>         NAS-IP-Address = 192.168.118.10
>> +- entering group authorize {...}
>> ...
>> Sending tunneled request
>>         EAP-Message = 0x02080009014a656e73
>>         FreeRADIUS-Proxied-To = 127.0.0.1
>>         User-Name = Jens
>> server inner-tunnel {
>> ...
>
> You haven't got ssid in inner-tunnel request. Enable copy_request_to_tunnel in peap section of eap.conf.
>
> Ivan Kalik
> Kalik Informatika ISP
clients.conf
Hello everyone again! Well, as you may understand from the Subject, I have a question about how clients.conf works. I've read the documentation in the file about how to add a client, but when I tried to add another client it stopped working. I will try to explain how I have set up the network. I have one radius server connected to a Netgear wired switch, and from that switch I have an AP (Mikrotik) connected. What I am trying to do is to add the Mikrotik into the clients.conf file, but when I do I get an error at startup (don't remember the error message). Right now I'm instead using

    client 192.168.118.0/24 {
    }

which accepts all NASes in the subnet. What I wrote in clients.conf before I changed to include a whole subnet is:

    client Netgear {
        ipaddr = x.x.x.x
        netmask = 24
        secret = xx
        require_message_authentication = no
    }

    client Mikrotik {
        ipaddr = x.x.x.x
        netmask = 24
        secret = xxx
        require_message_authentication = no
    }

What I am wondering about is if I have done a correct setup when trying to add several stand-alone clients?

Best regards/ Peter

From: freeradius-users-requ...@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 55, Issue 52
To: freeradius-users@lists.freeradius.org
Date: Thu, 12 Nov 2009 08:43:56 +0100

Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org. To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-requ...@lists.freeradius.org. You can reach the person managing the list at freeradius-users-ow...@lists.freeradius.org. When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest...".

Today's Topics:
1. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]] (Ivan Kalik)
2. Re: I need some help with freeradius 2.0.4 (Wagner Pereira)
3. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]] (Wagner Pereira)
4. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]] (t...@kalik.net)
5. SSL renegotiation ? (John)
6. Re: FreeRadius with 3COM (Guk Victor)
7. Microsoft: SmardCard or Certificate Auth (swatzy)

Message: 1
Date: Wed, 11 Nov 2009 19:30:35 +
From: Ivan Kalik t...@kalik.net
Subject: Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 4afb10db.7040...@kalik.net
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Wagner Pereira wrote:
> Dear colleagues, I am introducing now a new piece of information. Below is what is declared in my IOS - Cisco 6500. Is this correct?

Why don't you just read the cisco wiki page.

Ivan Kalik
Kalik Informatika ISP

Message: 2
Date: Wed, 11 Nov 2009 17:42:15 -0200
From: Wagner Pereira wpere...@pop-sp.rnp.br
Subject: Re: I need some help with freeradius 2.0.4
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 4afb1397.9000...@pop-sp.rnp.br
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ok, Ivan. I guess I removed that HTML crap now :) Below is my new radgroupreply:

    mysql> select * from radgroupreply;
    +----+-----------+---------------+----+-----------------------+------+
    | id | groupname | attribute     | op | value                 | Prio |
    +----+-----------+---------------+----+-----------------------+------+
    |  3 | pop-sp    | Service-Type  | := | NAS-Prompt-User       |      |
    |  5 | reject    | reply-message | := | Autenticação recusada | NULL |
    +----+-----------+---------------+----+-----------------------+------+
    2 rows in set (0.00 sec)

Hugs,
--
Wagner Pereira
PoP-SP/RNP - Ponto de Presença da RNP em São Paulo
CCE/USP - Centro de Computação Eletrônica da Universidade de São Paulo
http://www.pop-sp.rnp.br
(11) 3091-8902

t...@kalik.net wrote:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

Enough with that HTML. It produces an extraordinary amount of crap, as you can see:

> I did what you recommended (I guess). See below:

No, you didn't. But getting closer.

> | 1 | pop-sp | Framed-Compression | := | Van-Jacobson-TCP-IP |

Remove *all* Framed attributes.

> | 3 | pop-sp | Service-Type | := | NAS-Prompt | |

That should be NAS-Prompt-User.

Ivan Kalik
Kalik Informatika ISP
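The question above is about two stand-alone NAS entries that each carry netmask = 24 while sharing one /24. The following is an added example, not code from the post or from the FreeRADIUS project: it parses the posted clients.conf shape (placeholder addresses 192.168.118.10 and .20 stand in for the redacted x.x.x.x), masks each ipaddr the way the netmask setting implies, and reports entries whose networks collide, which is the assumed reason a second client definition with the same /24 is refused at startup. It also shows the same two NASes written as single-host entries (netmask = 32, which is assumed here to be the default when netmask is omitted) and a lookup that shows why a subnet-wide client accepts every host in the range with one shared secret.

```python
import ipaddress
import re

# Constructed sample: the two definitions from the post, with placeholder
# addresses substituted for the x.x.x.x the poster redacted.
CLIENTS_CONF_AS_POSTED = """
client Netgear {
    ipaddr = 192.168.118.10
    netmask = 24
    secret = xx
    require_message_authentication = no
}
client Mikrotik {
    ipaddr = 192.168.118.20
    netmask = 24
    secret = xxx
    require_message_authentication = no
}
"""

# Same two NASes as single-host entries: one omits netmask (assumed to
# default to 32), the other states it explicitly. Each NAS keeps its own secret.
CLIENTS_CONF_FIXED = """
client Netgear {
    ipaddr = 192.168.118.10
    secret = xx
    require_message_authentication = no
}
client Mikrotik {
    ipaddr = 192.168.118.20
    netmask = 32
    secret = xxx
    require_message_authentication = no
}
"""

# The subnet-wide catch-all the poster fell back to.
CLIENTS_CONF_SUBNET = "client 192.168.118.0/24 {\n}\n"

_BLOCK = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients(text):
    """Return a list of (name, ip_network) for every client block in text."""
    clients = []
    for m in _BLOCK.finditer(text):
        name, body = m.group(1), m.group(2)
        kv = dict(_KV.findall(body))
        if "ipaddr" not in kv:
            # `client 192.168.118.0/24 { }` names the network in the header.
            net = ipaddress.ip_network(name, strict=False)
        else:
            # netmask masks ipaddr: 192.168.118.10/24 becomes 192.168.118.0/24.
            mask = kv.get("netmask", "32")
            net = ipaddress.ip_network(f"{kv['ipaddr']}/{mask}", strict=False)
        clients.append((name, net))
    return clients


def find_overlaps(clients):
    """Return (name_a, name_b) pairs whose networks overlap or coincide."""
    found = []
    for i, (name_a, net_a) in enumerate(clients):
        for name_b, net_b in clients[i + 1:]:
            if net_a.overlaps(net_b):
                found.append((name_a, name_b))
    return found


def match_client(clients, src_ip):
    """Most specific client whose network contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for name, net in clients:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


if __name__ == "__main__":
    print("as posted:", find_overlaps(parse_clients(CLIENTS_CONF_AS_POSTED)))
    print("fixed:    ", find_overlaps(parse_clients(CLIENTS_CONF_FIXED)))
    subnet = parse_clients(CLIENTS_CONF_SUBNET)
    print("catch-all accepts .99:", match_client(subnet, "192.168.118.99"))
```

Run as a script it lists the Netgear/Mikrotik collision for the posted shape and no collision for the single-host form; the catch-all check shows that any address in the /24, not just the two real NASes, is matched and therefore shares the one secret.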
OpenSSL + Freeradius
Hello everyone. I just wanted to thank you so much for your time. I found a solution without having to modify the control and rules files in the debian folder. So I got freeradius functioning with OpenSSL and PEAP now. Now I only need to find a know-how for configuring Freeradius so it will accept authentication from Mac and Windows machines. Can anyone of you recommend a good site? :)

Best regards/ Peter
RE: Freeradius-Users Digest, Vol 55, Issue 38
From: freeradius-users-requ...@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 55, Issue 38
To: freeradius-users@lists.freeradius.org
Date: Tue, 10 Nov 2009 11:35:54 +0100

Today's Topics:
1. Re: Freeradius-Users Digest, Vol 55, Issue 32 (Ana Gallardo)
2. Re: Problem with server atribute in NAS table with mysql (Ana Gallardo)
3. Cannot upgade to 2.1.7 (kachin Agarwal)
4. FreeRadius crashed on accounting load tests with 1000 concurrent clients (Dinh Pham Cong)
5. Re: FreeRadius crashed on accounting load tests with 1000 concurrent clients (Alan DeKok)

Message: 1
Date: Tue, 10 Nov 2009 08:40:17 +0100
From: Ana Gallardo ana.gallardo...@gmail.com
Subject: Re: Freeradius-Users Digest, Vol 55, Issue 32
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: 74556fcf0911092340p498089f7ud0f98614a6d91...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

> I have a problem which I and a friend here have been trying to solve for some days now.

¿what is your problem?

> After we have run in terminal ./configure ; make and sudo make install, and afterwards try to run radius with radiusd -X (same as freeradius -X if you're using freeradius installed through Synaptic Package Manager).

and when you run in debug mode??

You can try this howto that works fine: http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html

We've tried following it and it does not work following that guide. I can add how our control and rules look in the parts which have to be changed in that guide.

Changes in control:

    Build-Depends: debhelper (>= 5), dpatch (>= 2), dpkg-dev (>= 1.13.19), autotools-dev, libtool (>= 1.5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, libperl-dev, libpcap-dev, python-dev, snmp, libsnmp9-dev | libsnmp-dev, libpq-dev, libssl-dev

Changes in rules (in section Autoconf):

    ifeq ($(openssl), no)
        confflags += --with-openssl --with-rlm_eap_peap --with-rlm_eap_tls --with-rlm_eap_ttls --without-rlm_otp
    endif

(In section Binary Arch) I chose not to delete it entirely since I'm not sure if it is this section that I should delete; if you check the code here against the part in http://www.linuxinsight.com/building-debian-freeradius-package-with-eap-tls-ttls-peap-support.html it is different, so I just commented it out.

    ifeq ($(openssl), no)
    #    for pkg in $(shell grep ^Package debian/control | awk '{print $$2}') ; do \
    #        if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
    #            echo "$$pkg links to openssl" ; \
    #            exit 1 ; \
    #        fi ; \
    #    done
    endif

The problem comes when we try to run make, it seems that way anyhow. After we have run the make command in the terminal we get this output (not all of the output, the parts which I think are about the error):

    /home/peter/Desktop/freeradius-server-2.1.7/src/lib/libfreeradius-radius.la -lnsl -lresolv -lpthread \
      -lcrypt -lltdl -lcrypto -lssl -lcrypto
    rm -f .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    creating .libs/radiusdS.c
    (cd .libs && gcc -g -O2 -c -fno-builtin radiusdS.c)
    rm -f .libs/radiusdS.c .libs/radiusd.nm .libs/radiusd.nmS .libs/radiusd.nmT
    gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/files.o .libs/listen.o .libs/log.o .libs/mainconfig.o .libs/modules.o .libs/modcall.o .libs/radiusd.o .libs/stats.o .libs/session.o .libs/threads.o .libs/util.o .libs/valuepair.o .libs/version.o .libs/xlat.o .libs/event.o .libs/realms.o .libs/evaluate.o .libs/vmps.o .libs/detail.o -Wl,--export-dynamic /home/peter/Desktop/freeradius-server-2.1.7/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lcrypt /usr/lib/libltdl.so -lssl -lcrypto -ldl
    .libs/modules.o: In function `setup_modules':
    /home/peter/Desktop/freeradius-server-2.1.7/src/main/modules.c:1333: undefined reference to `lt__PROGRAM__LTX_preloaded_symbols'
    collect2: ld returned 1 exit status
    make[4]: *** [radiusd] Error 1
    make[4]: Leaving directory `/home/peter/Desktop/freeradius-server-2.1.7/src/main'
    make[3]: *** [common] Error 2
    make[3]: Leaving
RE: Freeradius-Users Digest, Vol 55, Issue 32
Hello all again! I have a problem which I and a friend here have been trying to solve for some days now. It happens in both version 2.1.0 and 2.1.7 and has something to do with OpenSSL. We have downloaded the source for both versions and installed OpenSSL, libssl-dev and libpq-dev, which everyone on the google-net talks about. We have modified rules and control in ~/FreeRadius-Server/debian/ so it should have support for OpenSSL; I will include the changes here:

Rules (instead of having "without" we changed to "with" for openssl, peap, tls, ttls):

    ifeq ($(openssl), no)
        confflags += --with-openssl --with-rlm_eap_peap --with-rlm_eap_tls --with-rlm_eap_ttls --without-rlm_otp

Control (did not have to change or add anything, but I want to add these lines so you can see if there are any faulty lines here):

    Build-Depends: debhelper (>= 5), dpatch (>= 2), dpkg-dev (>= 1.13.19), autotools-dev, libtool (>= 1.5), libltdl3-dev, libpam0g-dev, libmysqlclient15-dev | libmysqlclient-dev, libgdbm-dev, libldap2-dev, libsasl2-dev, libiodbc2-dev, libkrb5-dev, libperl-dev, libpcap-dev, python-dev, snmp, libsnmp9-dev | libsnmp-dev, libpq-dev, libssl-dev

After we have run in terminal

    ./configure ; make
    sudo make install

and afterwards try to run radius with radiusd -X (same as freeradius -X if you're using freeradius installed through Synaptic Package Manager). So is there anything we have missed? We have been reading that Freeradius does not include support for OpenSSL because of the problem with the license, but we have also read that if you want to get OpenSSL support anyway you should do as we have done. Is there any way to get around this problem, or is everyone facing the same problem as we do with these versions of FreeRadius? We have also read about another one using version 2.1.6 with the same problem, so I guess it is common for all versions from at least 2.1.0 and upwards?

Best Regards/ Peter Carlstedt

From: freeradius-users-requ...@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 55, Issue 32
To: freeradius-users@lists.freeradius.org
Date: Mon, 9 Nov 2009 15:30:11 +0100

Today's Topics:
1. Re: WLAN - Freeradius - OpenLDAP - VLANs (José Johnny RANDRIAMAMPIONONA)
2. Cannot upgade to 2.1.7 (kachin Agarwal)
3. Re: Cannot upgade to 2.1.7 (Alan Buxey)
4. Re: WLAN - Freeradius - OpenLDAP - VLANs (nf-vale)
5. Problem with server atribute in NAS table with mysql (Ana Gallardo)
6. Re: Problem with server atribute in NAS table with mysql (Alan Buxey)
7. Re: WLAN - Freeradius - OpenLDAP - VLANs (_Stefan_H)

Message: 1
Date: Mon, 9 Nov 2009 12:25:13 +
From: José Johnny RANDRIAMAMPIONONA vasian...@gmail.com
Subject: Re: WLAN - Freeradius - OpenLDAP - VLANs
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: d379502d0911090425p7e48137brc0d7a21e4aa3a...@mail.gmail.com
Content-Type: text/plain; charset=iso-8859-1

Freeradius works well with openldap, but only with cleartext password (PAP).

Best regards!

2009/11/9 _Stefan_H stefanh...@networld.at
> First, I know my English is not the best, but I hope you will understand it. In the course of a project I have to make an authentication against a freeradius server for the WLAN users. On the server (OpenSUSE 11.1) is an LDAP directory, and I want the WLAN users to authenticate with their accounts. After the successful authentication they will be put into another VLAN, so that they can use their home directories. I would like to know how I should do it, because I informed myself about the authentication types (EAP-TLS, TTLS, PEAP) and now I am totally confused which I have to configure at the freeradius server. I think that PEAP would be the easiest, but I really don't know which can be used with a dynamic VLAN.
>
> http://old.nabble.com/file/p26230857/1.jpeg
>
> The AP is a Linksys WRT-54-GS and the switch is a CISCO 2950.
> --
> View this message in context: http://old.nabble.com/WLANFreeradiusOpenLDAPVLANs-tp26230857p26230857.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.

--
JJohnny RANDRIAMAMPIONONA
Phone: +212663682554, +212533158575
National