A late comer to the party
I'm sorry if this issue has been beaten to death on this list. I just subscribed. I'm trying to get freeradius running under OS X 10.3.5 Server. I have downloaded 1.0.0. After these commands

% ./configure --prefix=/
% make

it always ends up with

Making static in rlm_sql_mysql...
gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -DOPENSSL_NO_KRB5 -Wall -D_GNU_SOURCE -DNDEBUG -I../.. -I../../../../include -I/usr/include/mysql -O3 -fno-omit-frame-pointer -arch i386 -arch ppc -pipe -c sql_mysql.c -o sql_mysql.o
gcc: cannot read specs file for arch `i386'
make[10]: *** [sql_mysql.o] Error 1
make[9]: *** [common] Error 1
make[8]: *** [static] Error 2
make[7]: *** [common] Error 1
make[6]: *** [static] Error 2
make[5]: *** [common] Error 1
make[4]: *** [all] Error 2
make[3]: *** [common] Error 1
make[2]: *** [all] Error 2
make[1]: *** [common] Error 1
make: *** [all] Error 2

I would imagine this line ought to say -arch ppc but I'm not smart enough to fix it.

Thanks for any help or suggestions,
Phil Ershler
Re: Expiration date question
On Sep 4, 2004, at 11:47 AM, Bartosz Jozwiak wrote:

> Hello all,
> I am planning to implement user account expiration. When I set expiration to, for example, 4 September 2004, will the account expire on 4 September 2004 at 23h59m? Or will it already be expired on 4 September 2004?
> Sorry if this question is a bit stupid. :)
> Bartek

A stupid answer, set up a junk account and see when you can no longer access the account.

Phil

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
LDAP2 Authentication
Hi, I am trying to get Radiator to authenticate against LDAP and Open Directory on an OS X server. Here's what my config file looks like at this point.

# opendirectory.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# OpenDirectory LDAP.
#
# Open Directory stores passwords in a proprietary encrypted format
# and therefore requires the new ServerChecksPassword parameter
#
# This example works with the example DemoCorp directory provided
# with OpenDirectory. You will need to edit the "Cosine User Id"
# and "User Password" for users in the DemoCorp directory whom
# you want to authenticate. The config will look for the user name
# matching "Cosine User Id", so use your DXplorer or similar to
# set "Cosine User Id" to be your dialup user name, and
# "User Password" to be the dialup password.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: opendirectory.cfg,v 1.1 2000/02/15 07:12:00 mikem Exp $

Foreground
LogStdout
LogDir .
DbDir .
AuthPort 1812
AcctPort
# You will probably want to change this to suit your site.
Secret mysecret
DupInterval 0

# Open Directory has proprietary encrypted passwords
# so we must get the server to check them.
ServerChecksPassword
Host aaa.bbb.ccc.ddd        (address obscured to protect the accused)
BaseDN cn=users,dc=cvrti,dc=utah,dc=edu
UsernameAttr uid
# Open Directory is happy with multiple requests
# on one connection
HoldServerConnection
# You can use CheckAttr, ReplyAttr and AuthAttrDef
# to specify check and reply attributes in the LDAP
# database. See the reference manual for more
# information

# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
    Framed-IP-Netmask = 255.255.255.255,\
    Framed-Routing = None,\
    Framed-MTU = 1500,\
    Framed-Compression = Van-Jacobson-TCP-IP

# You can enable debugging of the Net::LDAP
# module with this:
Debug 255

# Log accounting to the detail file in LogDir
AcctLogFileName ./detail

And here is the debug information that I am getting back. It looks to me like the LDAP system doesn't like the HASHed information it is getting. I'm not enough of a "perl head" to know how to fix this issue.

Thanks for any and all information,
Phil

Net::LDAP=HASH(0x9a3258) sending:

30 0C 02 01 01 60 07 02 01 02 04 00 80 00 __ __ 0`
    12: SEQUENCE {
0002  1:   INTEGER = 1
0005  7:   [APPLICATION 0] {
0007  1:     INTEGER = 2
000A  0:     STRING = ''
000C  0:     [CONTEXT 0]
000E   :   }
000E   : }

Net::LDAP=HASH(0x9a3258) received:

30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 02...a-..&re
71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C quested protocol
20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C version not all
6F 77 65 64 __ __ __ __ __ __ __ __ __ __ __ __ owed
    50: SEQUENCE {
0002  1:   INTEGER = 1
0005 45:   [APPLICATION 1] {
0007  1:     ENUM = 2
000A  0:     STRING = ''
000C 38:     STRING = 'requested protocol version not allowed'
0034   :   }
0034   : }

Thu Sep 30 09:57:43 2004: ERR: Could not bind connection with , , error: LDAP_PROTOCOL_ERROR (server aaa.bbb.ccc.ddd:389)
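The `HASH(0x9a3258)` in that dump is only Perl's stringified reference to the Net::LDAP object, not anything hashed on the wire; what the bytes actually say is in the BER underneath. The client sends a BindRequest ([APPLICATION 0]) whose version INTEGER is 2, and the server answers with a BindResponse ([APPLICATION 1]) carrying resultCode 2 (protocolError) and the diagnostic text "requested protocol version not allowed", i.e. it refuses LDAPv2 binds. The decoder below is an added example, not code from the post or from Radiator; it parses the two hex dumps exactly as printed above (with the `__` padding columns dropped) and labels the bind fields. The fix it points at is binding with protocol version 3 (Net::LDAP's `version => 3` constructor option; Radiator exposes this as a parameter of the AuthBy LDAP2 clause, assumed here to be named `Version`, so confirm the name against the reference manual).

```python
"""Decode the LDAP BindRequest / BindResponse captured in the Net::LDAP debug dump.

Added example (not from the post or Radiator): a minimal BER TLV walker plus the
two LDAP operations needed to read a simple bind exchange.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The two hex dumps exactly as Net::LDAP printed them in the post ('__' padding removed).
SENT_HEX = "30 0C 02 01 01 60 07 02 01 02 04 00 80 00"
RECV_HEX = (
    "30 32 02 01 01 61 2D 0A 01 02 04 00 04 26 72 65 "
    "71 75 65 73 74 65 64 20 70 72 6F 74 6F 63 6F 6C "
    "20 76 65 72 73 69 6F 6E 20 6E 6F 74 20 61 6C 6C "
    "6F 77 65 64"
)

# LDAP resultCode values from RFC 4511 (only the ones relevant to a bind).
RESULT_CODES = {0: "success", 2: "protocolError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 49: "invalidCredentials"}


@dataclass
class Tlv:
    """One BER element: class (0 universal, 1 application, 2 context), tag and contents."""
    cls: int
    constructed: bool
    tag: int
    value: bytes
    children: List["Tlv"] = field(default_factory=list)


def parse_tlvs(data: bytes) -> List[Tlv]:
    """Walk a BER byte string; constructed elements are parsed recursively."""
    out: List[Tlv] = []
    i = 0
    while i < len(data):
        ident = data[i]
        i += 1
        cls, constructed, tag = ident >> 6, bool(ident & 0x20), ident & 0x1F
        if tag == 0x1F:
            raise ValueError("multi-byte tag numbers are not used by LDAP")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated BER element")
        i += length
        node = Tlv(cls, constructed, tag, value)
        if constructed:
            node.children = parse_tlvs(value)
        out.append(node)
    return out


def decode_ldap_message(hexdump: str) -> Dict[str, object]:
    """Decode an LDAPMessage holding a BindRequest ([APPLICATION 0]) or BindResponse ([APPLICATION 1])."""
    msg = parse_tlvs(bytes.fromhex(hexdump.replace(" ", "")))[0]
    if msg.cls != 0 or msg.tag != 0x10:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    message_id = int.from_bytes(msg.children[0].value, "big", signed=True)
    op = msg.children[1]
    if op.cls != 1:
        raise ValueError("protocolOp must be APPLICATION-tagged")
    if op.tag == 0:  # BindRequest ::= { version INTEGER, name LDAPDN, authentication CHOICE }
        version, name, auth = op.children
        simple = auth.cls == 2 and auth.tag == 0  # [0] simple OCTET STRING (the password)
        return {"messageID": message_id, "op": "BindRequest",
                "version": int.from_bytes(version.value, "big", signed=True),
                "name": name.value.decode("utf-8"),
                "auth": "simple" if simple else f"[{auth.tag}]",
                "password_len": len(auth.value) if simple else None}
    if op.tag == 1:  # BindResponse ::= LDAPResult { resultCode ENUMERATED, matchedDN, diagnosticMessage }
        code, matched, diag = op.children[:3]
        rc = int.from_bytes(code.value, "big", signed=True)
        return {"messageID": message_id, "op": "BindResponse",
                "resultCode": rc, "resultName": RESULT_CODES.get(rc, "unknown"),
                "matchedDN": matched.value.decode("utf-8"),
                "diagnosticMessage": diag.value.decode("utf-8")}
    raise ValueError(f"unhandled protocolOp tag {op.tag}")


if __name__ == "__main__":
    for label, dump in (("sent", SENT_HEX), ("received", RECV_HEX)):
        print(label, decode_ldap_message(dump))
```

Run as-is it prints the sent bind with `version: 2` and an empty DN and password (an anonymous bind, so the server never even gets to look at a password), and the received result with `protocolError`; the same walker reads any other Net::LDAP or tcpdump hex you paste into it, which is usually faster than guessing from the Perl wrapper's error string.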
eap-ttls on OS X
Hello,

As per the suggestion made by Andreas Wolf, I picked up a set of prebuilt binaries based on freeradius-snapshot-20040607 and an (experimental) OpenDirectory module for OS X server. After following all of the instructions in "Setting up a simple WPA Enterprise Infrastructure with MacOS X, AirPort Extreme and freeRadius" I cannot seem to get the radius server to authenticate against OpenDirectory. Instead it seems to insist on trying to authenticate against eap_unix as evidenced (I think, please correct me if I'm wrong) in the debug listing below. Is there somewhere I've gone wrong or misconfigured?

Thanks,
Phil

Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: Request found, released from the list
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: EAP/ttls
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: processing type ttls
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_ttls: Authenticate
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_tls: processing TLS
Fri Oct 1 19:09:37 2004 : Info: rlm_eap_tls: Length Included
Fri Oct 1 19:09:37 2004 : Debug: eaptls_verify returned 11
Fri Oct 1 19:09:37 2004 : Debug: eaptls_process returned 7
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS tunnel data in : 00 00 00 01 00 00 00 0f 65 72 73 68 6c 65 72 00
TTLS tunnel data in 0010: 00 00 00 02 00 00 00 18 62 79 74 6d 69 6e 65 32
TTLS tunnel data in 0020: 00 00 00 00 00 00 00 00
TTLS: Got tunneled request
        User-Name = "ershler"
        User-Password = "myTestPassword"
        FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
        User-Name = "ershler"
        User-Password = "myTestPassword"
        FreeRADIUS-Proxied-To = 127.0.0.1
Fri Oct 1 19:09:37 2004 : Debug: Processing the authorize section of radiusd.conf
Fri Oct 1 19:09:37 2004 : Debug: modcall: entering group authorize for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_realm: No '@' in User-Name = "ershler", looking up realm NULL
Fri Oct 1 19:09:37 2004 : Debug: rlm_realm: No such realm "NULL"
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: rlm_eap: No EAP-Message, not doing EAP
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5
Fri Oct 1 19:09:37 2004 : Debug: users: Matched DEFAULT at 152
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authorize]: module "files" returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall: group authorize returns ok for request 5
Fri Oct 1 19:09:37 2004 : Debug: rad_check_password: Found Auth-Type System
Fri Oct 1 19:09:37 2004 : Debug: auth: type "System"
Fri Oct 1 19:09:37 2004 : Debug: Processing the authenticate section of radiusd.conf
Fri Oct 1 19:09:37 2004 : Debug: modcall: entering group authenticate for request 5
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 5
Fri Oct 1 19:09:37 2004 : Auth: rlm_unix: [ershler]: invalid shell []
Fri Oct 1 19:09:37 2004 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall[authenticate]: module "unix" returns reject for request 5
Fri Oct 1 19:09:37 2004 : Debug: modcall: g
Re: eap-ttls on OS X
On Oct 2, 2004, at 6:59 AM, Alan DeKok wrote:

> Philip Ershler <[EMAIL PROTECTED]> wrote:
> > I cannot seem to get the radius server to authenticate against OpenDirectory. Instead it seems to insist on trying to authenticate against eap_unix
>
> There is no "eap_unix" format. What's happening is that a normal username/password authentication is sent inside of the EAP-TTLS tunnel. The server processes this tunneled authentication in pretty much the same way as a normal username/password authentication request.
>
> You have something (the "users" file, probably) setting "Auth-Type = System", so that's getting picked up and used.
>
> The solution is twofold:
>
> 1) get normal username/password authentication working to eDirectory. Ignore EAP. Ignore wireless. Use "radtest" to send test packets.
> 2) once that works, try EAP-TTLS. Everything should work fine.

Alan,

I appreciate your response. First of all, I made a mistake when I said eap_unix, I meant to say rlm_unix. You are indeed correct, I have the "Auth-Type = System". The installation instructions say "Also, make sure /etc/raddb/users has the DEFAULT user set to authenticate against the 'System'. freeRadius will figure out from there which module to call." From the debug output it seems that rlm_unix is getting called rather than rlm_osxauth. I'm not smart enough to know how to fix this one.

Thanks,
Phil
Re: eap-ttls on OS X
On Oct 3, 2004, at 7:16 PM, Alan DeKok wrote:

> Philip Ershler <[EMAIL PROTECTED]> wrote:
> > it seems that rlm_unix is getting called rather than rlm_osxauth. I'm not smart enough to know how to fix this one.
>
> There is no osxauth included with the server. There is a patch, see bugs.freeradius.org, I forget which bug number.
>
> Alan DeKok.

OK, so here is where I'm confused. Andreas Wolf put together a binary distribution of freeradius with a module for osxauth.

[EMAIL PROTECTED]:rlm_osxauth> pwd
/usr/local/freeradius/sources/freeradius-snapshot-20040607/src/modules/rlm_osxauth
[EMAIL PROTECTED]:rlm_osxauth> ls
CVS  Makefile  README  eapolclient.log  out  rlm_osxauth.c
[EMAIL PROTECTED]:rlm_osxauth>

He made the statement that if one sets auth_type to system, the server would figure out which module to call. But here's the debug output from

sudo radtest ershler myTestPassword 127.0.0.1:1812 123 testing123

I've been staring at code all day long, but I'm not sharp enough to figure out what's going on. I even tried putting standard unix /etc/passwd and /etc/group files on the system and spec'ing them in the conf file, but it can't seem to authenticate against them either. I'd appreciate any further suggestions, and I certainly appreciate all the work you have put into the freeRadius project.
Thanks,
Phil

rad_recv: Access-Request packet from host 127.0.0.1:56784, id=216, length=59
        User-Name = "ershler"
        User-Password = "myTestPassword"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 123
Sun Oct 3 20:07:10 2004 : Debug: Processing the authorize section of radiusd.conf
Sun Oct 3 20:07:10 2004 : Debug: modcall: entering group authorize for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling preprocess (rlm_preprocess) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from preprocess (rlm_preprocess) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling chap (rlm_chap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from chap (rlm_chap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling mschap (rlm_mschap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from mschap (rlm_mschap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling suffix (rlm_realm) for request 1
Sun Oct 3 20:07:10 2004 : Debug: rlm_realm: No '@' in User-Name = "ershler", looking up realm NULL
Sun Oct 3 20:07:10 2004 : Debug: rlm_realm: No such realm "NULL"
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: rlm_eap: No EAP-Message, not doing EAP
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: calling files (rlm_files) for request 1
Sun Oct 3 20:07:10 2004 : Debug: users: Matched DEFAULT at 152
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "files" returns ok for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall: group authorize returns ok for request 1
Sun Oct 3 20:07:10 2004 : Debug: rad_check_password: Found Auth-Type System
Sun Oct 3 20:07:10 2004 : Debug: auth: type "System"
Sun Oct 3 20:07:10 2004 : Debug: Processing the authenticate section of radiusd.conf
Sun Oct 3 20:07:10 2004 : Debug: modcall: entering group authenticate for request 1
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authenticate]: calling unix (rlm_unix) for request 1
Sun Oct 3 20:07:10 2004 : Auth: rlm_unix: [ershler]: invalid shell [/usr/local/bin/bash]
Sun Oct 3 20:07:10 2004 : Debug: modsingle[authenticate]: returned from unix (rlm_unix) for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authenticate]: module "unix" returns reject for request 1
Sun Oct 3 20:07:10 2004 : D
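Alan's explanation earlier in the thread is that the tunnelled EAP-TTLS request is processed like any plain username/password request, so the two things to read out of a `radiusd -X` listing are which `users` entry set Auth-Type and which module that Auth-Type then dispatched to in the authenticate section. The script below is an added example, not code from this thread or from the FreeRADIUS project; it pulls exactly that out of the debug output and ties the reject message back to the module that produced it. The sample lines are copied from the radtest run just above; the regexes are written against the FreeRADIUS 1.x line formats visible on this page and are an assumption for any other version. It also handles the earlier EAP-TTLS listing, where the "TTLS: Got tunneled request" marker lets it flag the inner request as tunnelled.

```python
"""Summarise which FreeRADIUS 1.x modules decided a request, from "radiusd -X" debug output.

Added example (not from the thread or the FreeRADIUS project): it reads the debug
lines and ties the Auth-Type chosen in "authorize" to the module that then ran in
"authenticate", which is the chain described in Alan DeKok's reply.
"""
import re
from typing import Dict, Optional

# Constructed sample: the decisive lines from the radtest run in the post, copied verbatim.
SAMPLE_LOG = """\
Sun Oct 3 20:07:10 2004 : Debug: modcall: entering group authorize for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "preprocess" returns ok for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "chap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "mschap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "suffix" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: rlm_eap: No EAP-Message, not doing EAP
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "eap" returns noop for request 1
Sun Oct 3 20:07:10 2004 : Debug: users: Matched DEFAULT at 152
Sun Oct 3 20:07:10 2004 : Debug: modcall[authorize]: module "files" returns ok for request 1
Sun Oct 3 20:07:10 2004 : Debug: rad_check_password: Found Auth-Type System
Sun Oct 3 20:07:10 2004 : Debug: auth: type "System"
Sun Oct 3 20:07:10 2004 : Debug: modcall: entering group authenticate for request 1
Sun Oct 3 20:07:10 2004 : Auth: rlm_unix: [ershler]: invalid shell [/usr/local/bin/bash]
Sun Oct 3 20:07:10 2004 : Debug: modcall[authenticate]: module "unix" returns reject for request 1
"""

# Line shapes as printed by FreeRADIUS 1.x in this thread (assumption for other versions).
ENTER = re.compile(r'modcall: entering group (\w+) for request (\d+)')
MODULE_RC = re.compile(r'modcall\[(authorize|authenticate)\]: module "(\w+)" returns (\w+) for request (\d+)')
USERS_MATCH = re.compile(r'users: Matched (\S+) at (\d+)')
AUTH_TYPE = re.compile(r'rad_check_password: Found Auth-Type (\S+)')
AUTH_MSG = re.compile(r' : Auth: (rlm_\w+): (.*)$')
TUNNELED = re.compile(r'TTLS: Got tunneled request')


def _new_report() -> Dict[str, object]:
    return {"authorize": [], "authenticate": [], "auth_type": None,
            "auth_type_source": None, "module_messages": [], "tunneled": False, "final": None}


def summarise(log_text: str) -> Dict[str, Dict[str, object]]:
    """Return one report per request id.

    Lines that carry no request id (users:, rad_check_password:, Auth:) are attributed to
    the request whose group was entered most recently, which holds for single-threaded
    "radiusd -X" output.
    """
    reports: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    tunnel_pending = False
    for line in log_text.splitlines():
        if TUNNELED.search(line):
            tunnel_pending = True  # the next authorize pass belongs to the inner (tunnelled) request
            continue
        m = ENTER.search(line)
        if m:
            current = m.group(2)
            r = reports.setdefault(current, _new_report())
            if tunnel_pending and m.group(1) == "authorize":
                r["tunneled"], tunnel_pending = True, False
            continue
        m = MODULE_RC.search(line)
        if m:
            section, module, rc, req = m.groups()
            r = reports.setdefault(req, _new_report())
            r[section].append((module, rc))
            if section == "authenticate":
                r["final"] = rc  # last authenticate return code seen for this request
            continue
        if current is None:
            continue
        r = reports[current]
        m = USERS_MATCH.search(line)
        if m:
            r["auth_type_source"] = f"users entry {m.group(1)} at line {m.group(2)}"
            continue
        m = AUTH_TYPE.search(line)
        if m:
            r["auth_type"] = m.group(1)
            continue
        m = AUTH_MSG.search(line)
        if m:
            r["module_messages"].append((m.group(1), m.group(2)))
    return reports


def explain(req: str, r: Dict[str, object]) -> str:
    """One-line reading of a report: where Auth-Type came from and who rejected."""
    ran = ", ".join(f"{mod}={rc}" for mod, rc in r["authenticate"]) or "nothing"
    why = "; ".join(f"{mod}: {msg}" for mod, msg in r["module_messages"])
    tunnel = " (tunnelled)" if r["tunneled"] else ""
    return (f"request {req}{tunnel}: Auth-Type {r['auth_type']} set by {r['auth_type_source']}; "
            f"authenticate ran {ran}" + (f" ({why})" if why else ""))


if __name__ == "__main__":
    for req, report in summarise(SAMPLE_LOG).items():
        print(explain(req, report))
```

For the run in the post it reports that Auth-Type System was set by the DEFAULT entry at line 152 of `users` and that authenticate ran only `unix`, which rejected with the invalid-shell message; that is the rlm_unix path, and nothing in the listing ever reaches rlm_osxauth, which is what Alan's "get radtest working first" advice is meant to expose.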