A late comer to the party

2004-08-28 Thread Philip Ershler
I'm sorry if this issue has been beaten to death on this list. I just subscribed. I'm trying to get freeradius running under OS X 10.3.5 Server. I have downloaded 1.0.0.
After these commands

% ./configure --prefix=/
% make

it always ends up with

Making static in rlm_sql_mysql...
gcc  -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5   -Wall -D_GNU_SOURCE -DNDEBUG  -I../.. -I../../../../include -I/usr/include/mysql -O3 -fno-omit-frame-pointer -arch i386 -arch ppc -pipe  -c sql_mysql.c -o sql_mysql.o
gcc: cannot read specs file for arch `i386'
make[10]: *** [sql_mysql.o] Error 1
make[9]: *** [common] Error 1
make[8]: *** [static] Error 2
make[7]: *** [common] Error 1
make[6]: *** [static] Error 2
make[5]: *** [common] Error 1
make[4]: *** [all] Error 2
make[3]: *** [common] Error 1
make[2]: *** [all] Error 2
make[1]: *** [common] Error 1
make: *** [all] Error 2

I would imagine this line ought to say -arch ppc, but I'm not smart enough to fix it.

Thanks for any help or suggestions,

Phil Ershler

Re: Expiration date question

2004-09-04 Thread Philip Ershler
On Sep 4, 2004, at 11:47 AM, Bartosz Jozwiak wrote:
Hello all,
I am planning to implement user account expiration.
When I set the expiration to, for example, 4 September 2004,
will the account expire on 4 September 2004 at 23h59m?
Or will it already be expired on 4 September 2004?
Sorry if this question is a bit stupid. :)
Bartek
	A stupid answer: set up a junk account and see when you can no longer 
access the account.

Phil
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


LDAP2 Authentication

2004-09-30 Thread Philip Ershler
Hi,
	I am trying to get Radiator to authenticate against LDAP and Open 
Directory on an OS X server. Here's what my config file looks like at 
this point.

# opendirectory.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# OpenDirectory LDAP.
#
# Open Directory stores passwords in a proprietary encrypted format
# and therefore requires the new ServerChecksPassword parameter
#
# This example works with the example DemoCorp directory provided
# with OpenDirectory. You will need to edit the "Cosine User Id"
# and "User Password" for users in the DemoCorp directory whom
# you want to authenticate. The config will look for the user name
# matching "Cosine User Id", so use your DXplorer or similar to
# set "Cosine User Id" to be your dialup user name, and
# "User Password" to be the dialup password.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $
Foreground
LogStdout
LogDir  .
DbDir   .
AuthPort 1812
AcctPort
# You will probably want to change this to suit your site.
<Client DEFAULT>
	Secret  mysecret
	DupInterval 0
</Client>

<Realm DEFAULT>
	<AuthBy LDAP2>
		# Open Directory has proprietary encrypted passwords
		# so we must get the server to check them.
		ServerChecksPassword
		# address obscured to protect the accused
		Host    aaa.bbb.ccc.ddd
		BaseDN  cn=users,dc=cvrti,dc=utah,dc=edu
		UsernameAttr    uid

		# Open Directory is happy with multiple requests
		# on one connection
		HoldServerConnection
		# You can use CheckAttr, ReplyAttr and AuthAttrDef
		# to specify check and reply attributes in the LDAP
		# database. See the reference manual for more
		# information
		# These are the classic things to add to each user's
		# reply to allow a PPP dialup session. It may be
		# different for your NAS. This will add some
		# reply items to everyone's reply
		AddToReply Framed-Protocol = PPP,\
		Framed-IP-Netmask = 255.255.255.255,\
		Framed-Routing = None,\
		Framed-MTU = 1500,\
		Framed-Compression = Van-Jacobson-TCP-IP
		# You can enable debugging of the Net::LDAP
		# module with this:
		Debug 255
	</AuthBy>

	# Log accounting to the detail file in LogDir
	AcctLogFileName ./detail
</Realm>

And here is the debug information that I am getting back. It looks to 
me like the LDAP system doesn't like the HASHed information it is 
getting. I'm not enough of a "perl head" to know how to fix this issue.

Thanks for any and all information,
Phil
Net::LDAP=HASH(0x9a3258) sending:
30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0`
0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 0] {
0007    1:     INTEGER = 2
000A    0:     STRING = ''
000C    0:     [CONTEXT 0]
000E     :   }
000E     : }
Net::LDAP=HASH(0x9a3258) received:
30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-..&re
71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol
20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C  version not all
6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed
0000   50: SEQUENCE {
0002    1:   INTEGER = 1
0005   45:   [APPLICATION 1] {
0007    1:     ENUM = 2
000A    0:     STRING = ''
000C   38:     STRING = 'requested protocol version not allowed'
0034     :   }
0034     : }
Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , , 
error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
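The Net::LDAP dump above is not a password-hash problem; it is a protocol negotiation failure, and the bytes say so. The request is an anonymous LDAPv2 simple bind (version INTEGER = 2, empty DN, empty credential) and the server answers with resultCode 2, protocolError, and the text "requested protocol version not allowed", which is what an OpenLDAP-based directory returns when LDAPv2 binds are disabled. The following decoder is an added example, not code from the post or from Radiator: it implements just enough BER to walk the two PDUs printed in the post and reports the version the client asked for and the result the server gave, so a reader can check the version field before chasing credentials or password formats.

```python
"""Decode the LDAP bind exchange printed in the Net::LDAP debug output above.

Added example; this is not code from the original post or from Radiator.
It implements just enough BER (definite lengths only) to walk an
LDAPMessage carrying a BindRequest or BindResponse (RFC 4511) and pulls out
the fields that matter for diagnosing the failure: the protocol version the
client asked for and the result code the server sent back.
"""

# Hex copied from the post's "sending:" and "received:" dumps.
BIND_REQUEST_HEX = "30 0C 02 01 01 60 07 02 01 02 04 00 80 00"
BIND_RESPONSE_HEX = (
    "30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 "
    "71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C "
    "20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C "
    "6F 77 65 64"
)

# Subset of LDAP resultCode values (RFC 4511, Appendix A).
RESULT_CODES = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
                49: "invalidCredentials"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: 0x8N followed by N length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(hexdump):
    """Parse one LDAPMessage { messageID, protocolOp } into a dict."""
    buf = bytes.fromhex(hexdump)
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    tag, msgid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    msg = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:                                   # [APPLICATION 0] BindRequest
        _, version, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)              # [0] simple or [3] sasl
        msg.update(op="BindRequest",
                   version=int.from_bytes(version, "big"),
                   name=name.decode("utf-8"),
                   authentication="simple" if auth_tag == 0x80 else "sasl",
                   credential_length=len(cred))
    elif op_tag == 0x61:                                 # [APPLICATION 1] BindResponse
        _, code, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        rc = int.from_bytes(code, "big")
        msg.update(op="BindResponse", resultCode=rc,
                   resultName=RESULT_CODES.get(rc, "other(%d)" % rc),
                   matchedDN=matched.decode("utf-8"),
                   diagnosticMessage=diag.decode("utf-8"))
    else:
        raise ValueError("unhandled protocolOp tag 0x%02X" % op_tag)
    return msg


def diagnose_bind(request, response):
    """One-line explanation of a bind result, separating a protocol
    negotiation problem from a credential problem."""
    if response["messageID"] != request["messageID"]:
        return "response does not match request"
    if response["resultCode"] == 0:
        return "bind succeeded"
    if response["resultCode"] == 2 and request["version"] < 3:
        return "server rejected LDAPv%d bind; retry with version 3" % request["version"]
    return "bind failed: %s (%s)" % (response["resultName"], response["diagnosticMessage"])


if __name__ == "__main__":
    req = decode_ldap_message(BIND_REQUEST_HEX)
    resp = decode_ldap_message(BIND_RESPONSE_HEX)
    print(req)
    print(resp)
    print(diagnose_bind(req, resp))
```

Run stand-alone it prints the decoded request, the decoded response and "server rejected LDAPv2 bind; retry with version 3". Two things are worth noting for anyone reading a dump like this: the bind is anonymous (empty DN and empty credential), which is why Radiator's error line reads "Could not bind connection with , ,", and the failure happens before any credential is examined, so ServerChecksPassword and the password storage format play no part in it. Radiator's AuthBy LDAP2 clause accepts a Version parameter to select the LDAP protocol version; check the reference manual for the release you run.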


eap-ttls on OS X

2004-10-01 Thread Philip Ershler
Hello,
	As per the suggestion made by Andreas Wolf, I picked up a set of 
prebuilt binaries based on freeradius-snapshot-20040607 and an 
(experimental) OpenDirectory module for OS X server. After following 
all of the instructions in "Setting up a simple WPA Enterprise 
Infrastructure with MacOS X, AirPort Extreme and freeRadius" I cannot 
seem to get the radius server to authenticate against OpenDirectory. 
Instead it seems to insist on trying to authenticate against eap_unix 
as evidenced (I think, please correct me if I'm wrong) in the debug 
listing below. Is there somewhere I've gone wrong or misconfigured?

Thanks, Phil
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: calling 
eap (rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: Request found, released 
from the list
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: EAP/ttls
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: processing type ttls
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_ttls: Authenticate
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_tls: processing TLS
Fri Oct  1 19:09:37 2004 : Info: rlm_eap_tls:  Length Included
Fri Oct  1 19:09:37 2004 : Debug:   eaptls_verify returned 11
Fri Oct  1 19:09:37 2004 : Debug:   eaptls_process returned 7
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap_ttls: Session established.  
Proceeding to decode tunneled attributes.
  TTLS tunnel data in : 00 00 00 01 00 00 00 0f 65 72 73 68 6c 65 
72 00
  TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 62 79 74 6d 69 6e 
65 32
  TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00
  TTLS: Got tunneled request
User-Name = "ershler"
User-Password = "myTestPassword"
FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
User-Name = "ershler"
User-Password = "myTestPassword"
FreeRADIUS-Proxied-To = 127.0.0.1
Fri Oct  1 19:09:37 2004 : Debug:   Processing the authorize section of 
radiusd.conf
Fri Oct  1 19:09:37 2004 : Debug: modcall: entering group authorize for 
request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
preprocess (rlm_preprocess) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
preprocess (rlm_preprocess) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module 
"preprocess" returns ok for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling chap 
(rlm_chap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
chap (rlm_chap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module "chap" 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
mschap (rlm_mschap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
mschap (rlm_mschap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module "mschap" 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling 
suffix (rlm_realm) for request 5
Fri Oct  1 19:09:37 2004 : Debug: rlm_realm: No '@' in User-Name = 
"ershler", looking up realm NULL
Fri Oct  1 19:09:37 2004 : Debug: rlm_realm: No such realm "NULL"
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
suffix (rlm_realm) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module "suffix" 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling eap 
(rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rlm_eap: No EAP-Message, not doing 
EAP
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
eap (rlm_eap) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module "eap" 
returns noop for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: calling files 
(rlm_files) for request 5
Fri Oct  1 19:09:37 2004 : Debug: users: Matched DEFAULT at 152
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authorize]: returned from 
files (rlm_files) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authorize]: module "files" 
returns ok for request 5
Fri Oct  1 19:09:37 2004 : Debug: modcall: group authorize returns ok 
for request 5
Fri Oct  1 19:09:37 2004 : Debug:   rad_check_password:  Found 
Auth-Type System
Fri Oct  1 19:09:37 2004 : Debug: auth: type "System"
Fri Oct  1 19:09:37 2004 : Debug:   Processing the authenticate section 
of radiusd.conf
Fri Oct  1 19:09:37 2004 : Debug: modcall: entering group authenticate 
for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: calling 
unix (rlm_unix) for request 5
Fri Oct  1 19:09:37 2004 : Auth: rlm_unix: [ershler]: invalid shell []
Fri Oct  1 19:09:37 2004 : Debug:   modsingle[authenticate]: returned 
from unix (rlm_unix) for request 5
Fri Oct  1 19:09:37 2004 : Debug:   modcall[authenticate]: module 
"unix" returns reject for request 5
Fri Oct  1 19:09:37 2004 : Debug: modcall: g

Re: eap-ttls on OS X

2004-10-02 Thread Philip Ershler
On Oct 2, 2004, at 6:59 AM, Alan DeKok wrote:
Philip Ershler <[EMAIL PROTECTED]> wrote:
I cannot seem to get the radius server to authenticate against
OpenDirectory.  Instead it seems to insist on trying to authenticate
against eap_unix
  There is no "eap_unix" format.  What's happening is that a normal
username/password authentication is sent inside of the EAP-TTLS
tunnel.  The server processes this tunneled authentication in pretty
much the same way as a normal username/password authentication request.
  You have something (the "users" file, probably) setting "Auth-Type =
System", so that's getting picked up and used.
  The solution is twofold:
  1) get normal username/password authentication working to eDirectory
 ignore EAP.  Ignore wireless.  Use "radtest" to send test packets
  2) once that works, try EAP-TTLS.  Everything should work fine.
Alan,
	I appreciate your response. First of all, I made a mistake when I said 
eap_unix, I meant to say rlm_unix.
You are indeed correct, I have the "Auth-Type = System". The 
installation instructions say "Also, make sure /etc/raddb/users
has the DEFAULT user set to authenticate against the 'System'. 
freeRadius will figure out from there which module to call." From the 
debug output it seems that rlm_unix is getting called rather than 
rlm_osxauth. I'm not smart enough to know how to fix this one.

Thanks, Phil
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
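Alan's point, that the inner TTLS request is an ordinary username/password authentication that the server runs through its normal authorize/authenticate sections, is visible in the "TTLS tunnel data in" dump of the first eap-ttls post: Diameter-style AVPs (4-octet code, 1-octet flags, 3-octet length, data padded to a 4-octet boundary) carrying User-Name (code 1) and a PAP User-Password (code 2). The encoder/decoder below is an added example, not code from the post, from FreeRADIUS or from the OS X module under discussion. It reproduces that AVP layout and the PAP password padding rule, using the User-Name and User-Password the post shows in its decoded "Got tunneled request" as constructed sample values; the format is the EAP-TTLSv0 one later documented in RFC 5281 (sections 10 and 11.2.2).

```python
"""Encode and decode the attribute-value pairs carried inside an EAP-TTLS tunnel.

Added example; not code from the original post, from FreeRADIUS or from the
OS X module discussed.  It reproduces the layout of the "TTLS tunnel data in"
hex dump: Diameter-style AVPs (code, flags, 3-octet length, data, padding to
a 4-octet boundary) carrying a plain PAP username/password, the NUL-padding
applied to the password, and the decoding a server does before it runs the
inner request through its normal authorize/authenticate path.  The sample
values are the User-Name and User-Password from the post's decoded request.
"""
import struct

# RADIUS attribute numbers that appear in the post's tunneled request.
USER_NAME = 1
USER_PASSWORD = 2
ATTR_NAMES = {USER_NAME: "User-Name", USER_PASSWORD: "User-Password"}

FLAG_VENDOR = 0x80     # V: a 4-octet Vendor-ID follows the length
FLAG_MANDATORY = 0x40  # M: receiver must understand this AVP


def encode_avp(code, data, flags=0, vendor_id=None):
    """Build one AVP: Code(4) Flags(1) Length(3) [Vendor-ID(4)] Data + pad.
    The post's dump has flags 0x00, so that is the default here."""
    body = b""
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        body += struct.pack("!I", vendor_id)
    body += data
    length = 8 + len(body)                       # covers header and data, not padding
    avp = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + body
    return avp + b"\x00" * (-len(avp) % 4)


def pap_password(password):
    """PAP inside TTLS: NUL-pad the password to a multiple of 16 octets so the
    TLS record length does not reveal the exact password length."""
    raw = password.encode("utf-8")
    return raw + b"\x00" * (-len(raw) % 16)


def encode_pap_request(username, password):
    """The inner request a TTLS/PAP client sends once the TLS tunnel is up."""
    return (encode_avp(USER_NAME, username.encode("utf-8"))
            + encode_avp(USER_PASSWORD, pap_password(password)))


def decode_avps(buf):
    """Return [(code, vendor_id, flags, data), ...], refusing to read past a
    truncated header or a length that overruns the buffer."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header at offset %d" % pos)
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header = 12 if flags & FLAG_VENDOR else 8
        if length < header or pos + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, pos))
        vendor_id = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if header == 12 else None
        avps.append((code, vendor_id, flags, buf[pos + header:pos + length]))
        pos += length + (-length % 4)            # step over the padding too
    return avps


def tunneled_request(buf):
    """Map the AVPs to the attribute list a server logs as 'Got tunneled request'.
    Vendor-specific AVPs are skipped in this example."""
    attrs = {}
    for code, vendor_id, _, data in decode_avps(buf):
        if vendor_id is not None:
            continue
        if code == USER_PASSWORD:
            data = data.rstrip(b"\x00")          # remove the 16-octet padding
        attrs[ATTR_NAMES.get(code, "Attr-%d" % code)] = data.decode("utf-8")
    return attrs


def is_well_formed(buf):
    """True when every AVP in buf parses cleanly."""
    try:
        decode_avps(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = encode_pap_request("ershler", "myTestPassword")
    print(blob.hex(" "))
    print(tunneled_request(blob))
```

The first 16 octets it produces are exactly the first line of the post's dump (00 00 00 01 00 00 00 0f "ershler" 00), and the User-Password AVP has length 0x18 just as in the dump, because a 14-character password is padded to 16. The decoded dict is what the server then treats as an ordinary Access-Request, which is why the debug output after "Sending tunneled request" looks identical to the radtest trace in the later post and ends up at the same Auth-Type System / rlm_unix decision; fixing plain radtest authentication first, as Alan suggests, fixes the tunneled case too. Note also that the password is only protected by the outer TLS tunnel: the RADIUS server sees it in the clear, and a -X debug log of a TTLS/PAP session contains it, so such logs should be treated as sensitive.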


Re: eap-ttls on OS X

2004-10-03 Thread Philip Ershler
On Oct 3, 2004, at 7:16 PM, Alan DeKok wrote:
Philip Ershler <[EMAIL PROTECTED]> wrote:
it seems that rlm_unix is getting called rather than rlm_osxauth. I'm
not smart enough to know how to fix this one.
  There is no osxauth included with the server.
  There is a patch, see bugs.freeradius.org, I forget which bug number.
  Alan DeKok.
-
List info/subscribe/unsubscribe? See  
http://www.freeradius.org/list/users.html

OK, so here is where I'm confused. Andreas Wolf put together a binary  
distribution of freeradius with a module for osxauth.

[EMAIL PROTECTED]:rlm_osxauth> pwd
/usr/local/freeradius/sources/freeradius-snapshot-20040607/src/modules/ 
rlm_osxauth
[EMAIL PROTECTED]:rlm_osxauth> ls
CVS  Makefile  README  eapolclient.log  out  rlm_osxauth.c
[EMAIL PROTECTED]:rlm_osxauth>

He made the statement that if one sets auth_type to system, the server  
would figure out which module to call.

But here's the debug output from
 sudo radtest ershler myTestPassword 127.0.0.1:1812 123 testing123
I've been staring at code all day long, but I'm not sharp enough to  
figure out what's going on. I even tried putting  standard unix  
/etc/passwd and /etc/group files on the system and spec'ing them in the  
conf file, but it can't seem to authenticate against them either.

I'd appreciate any further suggestions, and I certainly appreciate all  
the work you have put into the freeRadius project.

Thanks, Phil
rad_recv: Access-Request packet from host 127.0.0.1:56784, id=216,  
length=59
User-Name = "ershler"
User-Password = "myTestPassword"
NAS-IP-Address = 255.255.255.255
NAS-Port = 123
Sun Oct  3 20:07:10 2004 : Debug:   Processing the authorize section of  
radiusd.conf
Sun Oct  3 20:07:10 2004 : Debug: modcall: entering group authorize for  
request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling  
preprocess (rlm_preprocess) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
preprocess (rlm_preprocess) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module  
"preprocess" returns ok for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling chap  
(rlm_chap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
chap (rlm_chap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module "chap"  
returns noop for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling  
mschap (rlm_mschap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
mschap (rlm_mschap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module "mschap"  
returns noop for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling  
suffix (rlm_realm) for request 1
Sun Oct  3 20:07:10 2004 : Debug: rlm_realm: No '@' in User-Name =  
"ershler", looking up realm NULL
Sun Oct  3 20:07:10 2004 : Debug: rlm_realm: No such realm "NULL"
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
suffix (rlm_realm) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module "suffix"  
returns noop for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling eap  
(rlm_eap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   rlm_eap: No EAP-Message, not doing  
EAP
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
eap (rlm_eap) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module "eap"  
returns noop for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: calling files  
(rlm_files) for request 1
Sun Oct  3 20:07:10 2004 : Debug: users: Matched DEFAULT at 152
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authorize]: returned from  
files (rlm_files) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authorize]: module "files"  
returns ok for request 1
Sun Oct  3 20:07:10 2004 : Debug: modcall: group authorize returns ok  
for request 1
Sun Oct  3 20:07:10 2004 : Debug:   rad_check_password:  Found  
Auth-Type System
Sun Oct  3 20:07:10 2004 : Debug: auth: type "System"
Sun Oct  3 20:07:10 2004 : Debug:   Processing the authenticate section  
of radiusd.conf
Sun Oct  3 20:07:10 2004 : Debug: modcall: entering group authenticate  
for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authenticate]: calling  
unix (rlm_unix) for request 1
Sun Oct  3 20:07:10 2004 : Auth: rlm_unix: [ershler]: invalid shell  
[/usr/local/bin/bash]
Sun Oct  3 20:07:10 2004 : Debug:   modsingle[authenticate]: returned  
from unix (rlm_unix) for request 1
Sun Oct  3 20:07:10 2004 : Debug:   modcall[authenticate]: module  
"unix" returns reject for request 1
Sun Oct  3 20:07:10 2004 : D