RE: is this possible ?
Yes, You can execute any program you want from FreeRADIUS, and that program can return add any RADIUS attribute to the reply.

Stealing someone else's thread... OK! I've looked through the docs and don't see how to do this. I can really use this capability. Very cool! Can you point me to a /doc or URL where this is explained?

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: proxy EAP/PAP ?
I haven't heard from anyone, so, I have been doing A LOT of experimentation... So far, I have it working, but, it's a bit goofy.

I have freeradius-1.0.5 running on RedHat Linux using a default ./configure and installation. I modified the radiusd.conf/users/proxy.conf files to support eap/pap from a Windows client, and proxying to my Tru64 box running Livingston radius.

I am using the SecureW2 3.1 supplicant for Windows XP. I had to monkey around with the outer settings. I discovered that if using the default anonymous outer identity that the realm in the user dialog box is sent with the anonymous outer identity. So, if I setup a NULL realm to proxy in freeradius, then anonymous would try to be proxied to my Tru64 box and would always fail. I setup a southplainscollege.edu realm to proxy and put in [EMAIL PROTECTED] in the user credentials in SecureW2, but then it would send [EMAIL PROTECTED] as the outer identity and it would be proxied and fail.

Finally, I removed the NULL realm from proxying, and in the outer identity I typed in anonymous, rather than using the default anonymous option. In the user credentials, I put in [EMAIL PROTECTED] With this setup, anonymous would be sent, no NULL realm would be found and it would be authenticated against freeradius properly as an EAP session. It would then strip southplainscollege.edu from my user credentials and proxy that to the Tru64 box and it would be authenticated.

So, after MUCH monkeying around, I have this working. Is the sending of the realm with the default anonymous outer identity the expected behavior? Should I ask the SecureW2 group about the behaviour I am seeing?

Hope this helps someone else. Thanks!

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: Tuesday, September 20, 2005 2:41 PM
To: freeradius-users@lists.freeradius.org
Subject: proxy EAP/PAP ?

Hello All -

As I can't seem to get freeradius working on my Tru64 box and my box seems to be broken I thought I'd try to install freeradius on a RHEL box and use the fr proxy feature to proxy back to my Tru64 box running the Livingston Radius server.

My question, I want to be able to authenticate against the Tru64 passwd user database from a Windows client connected to a wireless AP running WPA. When I had a working fr on the Tru64 box, I was able to use the SecureW2 supplicant on XP with EAP/PAP to authenticate against passwd and it worked great.

So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP authentication? I'm reading the proxy doc, but, I don't see anything about that, or if it's even applicable.

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
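The outer/inner identity routing this message works through, as an added example that is not part of the original post: a simplified model of suffix-realm matching (not FreeRADIUS source code). The realm `example.edu` and the user `alice` are constructed placeholders.

```python
# Simplified model (an assumption, not FreeRADIUS source) of how a suffix
# realm lookup routes the outer EAP identity and the inner tunnelled PAP
# identity when the home server cannot speak EAP.

def split_realm(user_name):
    """Split 'user@realm' on the last '@'; no '@' means the NULL realm."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, "NULL"


def route(user_name, proxied_realms, carries_eap, home_is_eap_aware=False):
    """Return (destination, user_name_sent, outcome) for one request."""
    user, realm = split_realm(user_name)
    if realm not in proxied_realms:
        # No matching realm configured for proxying: the local server keeps it.
        return ("local", user_name, "handled locally")
    if carries_eap and not home_is_eap_aware:
        # The EAP conversation is forwarded to a server that cannot answer it.
        return ("proxy", user, "fails: EAP sent to a non-EAP home server")
    # Realm is stripped before the request is forwarded.
    return ("proxy", user, "ok")


def authenticate(outer_identity, inner_identity, proxied_realms):
    """The outer identity travels as EAP. The inner PAP request only exists
    once the tunnel has been terminated on the local server."""
    outer = route(outer_identity, proxied_realms, carries_eap=True)
    if outer[0] != "local":
        return {"outer": outer, "inner": None, "reaches_home_server": False}
    inner = route(inner_identity, proxied_realms, carries_eap=False)
    reached = inner[0] == "proxy" and inner[2] == "ok"
    return {"outer": outer, "inner": inner, "reaches_home_server": reached}


# Constructed scenarios mirroring the three configurations in the message.
SCENARIOS = {
    # NULL realm proxied: a bare 'anonymous' outer identity is forwarded as EAP.
    "null_realm_proxied": authenticate(
        "anonymous", "alice@example.edu", {"NULL", "example.edu"}),
    # Supplicant appends the realm to the anonymous outer identity.
    "realm_on_outer_identity": authenticate(
        "anonymous@example.edu", "alice@example.edu", {"example.edu"}),
    # Outer identity typed as plain 'anonymous', NULL realm not proxied.
    "working_setup": authenticate(
        "anonymous", "alice@example.edu", {"example.edu"}),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(name, result)
```

Only the last scenario terminates the tunnel locally and forwards the inner request as plain PAP with the realm stripped.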
proxy EAP/PAP ?
Hello All -

As I can't seem to get freeradius working on my Tru64 box and my box seems to be broken I thought I'd try to install freeradius on a RHEL box and use the fr proxy feature to proxy back to my Tru64 box running the Livingston Radius server.

My question, I want to be able to authenticate against the Tru64 passwd user database from a Windows client connected to a wireless AP running WPA. When I had a working fr on the Tru64 box, I was able to use the SecureW2 supplicant on XP with EAP/PAP to authenticate against passwd and it worked great.

So, now, if I am running a non-EAP aware radius on the Tru64, and freeradius on a Linux box proxying to the Tru64 box, will I be able to do EAP/PAP authentication? I'm reading the proxy doc, but, I don't see anything about that, or if it's even applicable.

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: Tru64 again
responding to my own post.

I saw a message about looking at the core dump in another thread. So, I followed those instructions. Here is the output from gdb:

    This GDB was configured as alphaev67-dec-osf5.1...
    BFD: Unhandled OSF/1 core file section type 4464
    BFD: Unhandled OSF/1 core file section type 528
    BFD: Unhandled OSF/1 core file section type 0
    BFD: Unhandled OSF/1 core file section type 7
    BFD: Unhandled OSF/1 core file section type 16384
    BFD: Unhandled OSF/1 core file section type 8192
    BFD: Unhandled OSF/1 core file section type 0
    BFD: Unhandled OSF/1 core file section type 32768
    BFD: Unhandled OSF/1 core file section type 49152
    BFD: Unhandled OSF/1 core file section type 49152
    BFD: Unhandled OSF/1 core file section type 7
    BFD: Unhandled OSF/1 core file section type 57344
    BFD: Unhandled OSF/1 core file section type 49152
    warning: big endian file does not match little endian target.
    Core was generated by ` '.
    Program terminated with signal 1, Hangup.
    warning: Couldn't find general-purpose registers in core file.
    warning: Couldn't find general-purpose registers in core file.
    #0 0x in ?? ()

when I did bt in gdb I got the same #0 0x in ?? () response and nothing else. But, in reading the above, it seems a big endian v. little endian problem. Does this help in getting freeradius to work on Tru64?

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

-----Original Message-----
From: Tim Winders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 14, 2005 11:35 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: Tru64 again

I'm back at trying to get freeradius working under Tru64. This time using 1.0.5. I have an older cvs version working, but I can't remember what I did to make it work. :-( The working version I have is marked 1.1.0-pre0 built on Feb 17, 2005.

First, in src/main/radiusd.c I have commented out the OSFC2 define. I do this because I'm not running C2, but it is always found and enabled, which kills the make.

Then, I run configure with these options:

    CFLAGS="-I/usr/local/ssl/include -I/usr/local/include" \
    LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
    LIBS="-lssl -lcrypto -lsecurity" \
    ./configure \
        --disable-shared \
        --enable-ltdl-install=no \
        --with-openssl-includes=/usr/local/ssl/include \
        --with-openssl-libraries=/usr/local/ssl/lib \
        --without-mysql --disable-mysql

radiusd seems to compile, but with many warnings. However, when I run it, it immediately seg faults and dumps core.

Unfortunately, I am not a programmer, so I don't know how to begin troubleshooting this and try to help get freeradius working under Tru64. I remember being told that none of the development team uses Tru64. So, it's possible this will never work right. But, I'm willing to help out in whatever limited capacity I can, including CPU/shell account.

Any useful suggestions are welcome.

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Tru64 again
I'm back at trying to get freeradius working under Tru64. This time using 1.0.5. I have an older cvs version working, but I can't remember what I did to make it work. :-( The working version I have is marked 1.1.0-pre0 built on Feb 17, 2005.

First, in src/main/radiusd.c I have commented out the OSFC2 define. I do this because I'm not running C2, but it is always found and enabled, which kills the make.

Then, I run configure with these options:

    CFLAGS="-I/usr/local/ssl/include -I/usr/local/include" \
    LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
    LIBS="-lssl -lcrypto -lsecurity" \
    ./configure \
        --disable-shared \
        --enable-ltdl-install=no \
        --with-openssl-includes=/usr/local/ssl/include \
        --with-openssl-libraries=/usr/local/ssl/lib \
        --without-mysql --disable-mysql

radiusd seems to compile, but with many warnings. However, when I run it, it immediately seg faults and dumps core.

Unfortunately, I am not a programmer, so I don't know how to begin troubleshooting this and try to help get freeradius working under Tru64. I remember being told that none of the development team uses Tru64. So, it's possible this will never work right. But, I'm willing to help out in whatever limited capacity I can, including CPU/shell account.

Any useful suggestions are welcome.

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: trouble building 1.0.2 on Tru64 5.1B
Tim Winders [EMAIL PROTECTED] wrote:

I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error:

    ld: Unresolved: set_auth_parameters

Unfortunately, I don't know of anyone else running Tru64. My suggestion is to go to src/include/autoconf.h, and delete the line saying #define OSFC2. Re-build, and it should work.

I rebuilt and it seemed to work, but now when I start freeradius, I get:

    Starting FreeRADIUS:Thu Feb 17 13:02:07 2005 : Info: Starting - reading configuration files ...
    /usr/local/sbin/rc.radiusd: 407044 Memory fault - core dumped
    radiusd

I remember I had a heck of a time getting the snapshot-20041210 running, but I finally did. Unfortunately, I did not document it and never got around to sending it to the list when it was fresh on my mind. :-(

=== Tim
RE: trouble building 1.0.2 on Tru64 5.1B
Tim Winders [EMAIL PROTECTED] wrote:

I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error:

    ld: Unresolved: set_auth_parameters

Unfortunately, I don't know of anyone else running Tru64. My suggestion is to go to src/include/autoconf.h, and delete the line saying #define OSFC2. Re-build, and it should work.

I rebuilt and it seemed to work, but now when I start freeradius, I get:

    Starting FreeRADIUS:Thu Feb 17 13:02:07 2005 : Info: Starting - reading configuration files ...
    /usr/local/sbin/rc.radiusd: 407044 Memory fault - core dumped
    radiusd

I remember I had a heck of a time getting the snapshot-20041210 running, but I finally did. Unfortunately, I did not document it and never got around to sending it to the list when it was fresh on my mind. :-(

=== Tim

As a followup, I built snapshot-20050216 with the same options as 1.0.2 and it does run, although with some warnings on startup:

    Starting FreeRADIUS:Thu Feb 17 13:16:26 2005 : Info: Starting - reading configuration files ...
    Thu Feb 17 13:16:26 2005 : Info: Using deprecated naslist file. Support for this will go away soon.
    Thu Feb 17 13:16:26 2005 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    radiusd
trouble building 1.0.2 on Tru64 5.1B
I am having trouble building 1.0.2 on Tru64 5.1B. make dies with this error:

    ld: Unresolved:
    set_auth_parameters
    rm -f .libs/radiusdS.o
    gmake[3]: *** [radiusd] Error 1
    gmake[3]: Leaving directory `/src/freeradius-1.0.2/src/main'

This is the configure line I am using:

    CFLAGS="-I/usr/local/ssl/include -I/usr/local/include" \
    LDFLAGS="-L/usr/local/ssl/lib -L/usr/local/lib" \
    LIBS="-lssl -lcrypto" \
    ./configure \
        --disable-shared \
        --enable-ltdl-install=no \
        --with-openssl-includes=/usr/local/ssl/include \
        --with-openssl-libraries=/usr/local/ssl/lib \
        --disable-mysql \
        --disable-dbm

This configure line worked with snapshot-20041210 but not with 20050215 (I get the same error as in 1.0.2)

Any suggestions?

---
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Re: rlm_eap_tls not built because OpenSSL not found
On Sun, 12 Dec 2004, Alan DeKok wrote:

Tim Winders [EMAIL PROTECTED] wrote:

Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.

Can you post the error message? It might help

I suppose that would help. :-)

    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
    Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: rlm_eap_tls not built because OpenSSL not found
Thanks, Guy. I have contacted MS and have applied the hotfix. But, I still have a problem. Will post the debug to another message.

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:

Hi Tim,

I believe that MS made changes to the format of the EAP packets in XP SP2! This breaks PEAP with a number of (but apparently not all) non-MS RADIUS servers. They have a Hotfix for this. Checkout KB 885453. I'm not *sure* that this is your problem. However, it *may* be relevant.

Note that the reference to EAP/TLS in FreeRADIUS may be a slight misdirection. EAP/TLS code is referenced by several of the EAP modules. Specifically, both EAP/TTLS and PEAP use a one-way TLS outer tunnel to protect the inner authentication process. Hence, a reference to EAP/TLS is entirely consistent with using PEAP (remember, you had to configure the tls module to get peap working).

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 13:08
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

On Sun, 12 Dec 2004, Alan DeKok wrote:

Tim Winders [EMAIL PROTECTED] wrote:

Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.

Can you post the error message? It might help

I suppose that would help. :-)

    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
    Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: rlm_eap_tls not built because OpenSSL not found
G. It's always something.

Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP? When I enable TTLS, what default_eap_type do I specify? I would guess PAP.

I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot)

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:

Hi Tim,

You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.

If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.

Regards,
Guy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 15:55
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
    Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
    Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

No reason. I have changed the configuration to WPA/TKIP.

Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.

    --- Walking the entire request list ---
    Cleaning up request 22 ID 236 with timestamp 41bdb896
    Nothing to do. Sleeping until we see a request.
    rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
        User-Name = twinders
        Framed-MTU = 1400
        Called-Station-Id = 0012.7f75.d940
        Calling-Station-Id = 0090.4b65.34a5
        Service-Type = Login-User
        Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
        EAP-Message = 0x0201000d017477696e64657273
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 512
        NAS-IP-Address = 10.0.1.231
        NAS-Identifier = sub-ap1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 23
    modcall[authorize]: module preprocess returns ok for request 23
    modcall[authorize]: module chap returns noop for request 23
    modcall[authorize]: module mschap returns noop for request 23
    modcall[authorize]: module digest returns noop for request 23
    rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 23
    rlm_eap: EAP packet type response id 1 length 13
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module eap returns updated for request 23
    users: Matched entry DEFAULT at line 152
    modcall[authorize]: module files returns ok for request 23
    modcall: group authorize returns updated for request 23
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 23
    rlm_eap: EAP Identity
    rlm_eap: processing type tls
    rlm_eap_tls: Initiate
    rlm_eap_tls: Start returned 1
    modcall[authenticate]: module eap returns handled for request 23
    modcall: group authenticate returns handled for request 23
    Sending Access-Challenge of id 237 to 10.0.1.231:21646
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xe2c50ab039bff81ff87783b7c4dc1736
    Finished request 23
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 6 seconds...
    --- Walking the entire request list ---
    Cleaning up request 23 ID 237 with timestamp 41bdb8b7
    Nothing to do. Sleeping until we see a request.

I see where it matches the DEFAULT entry in the users file. This is simply:

    DEFAULT Auth-Type = System
        Fall-Through = 1

I
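The point quoted from Guy Davies in the message above, that PAP can be checked against a one-way password hash while CHAP-style methods need the clear text, as an added example that is not part of the original thread. It uses plain CHAP (RFC 1994) rather than MS-CHAPv2 and a PBKDF2 hash as a stand-in for the crypt entry in /etc/passwd; the password is constructed.

```python
import hashlib
import hmac
import os

# Assumption: a salted PBKDF2 hash stands in for the crypt(3) entry in
# /etc/passwd. Any one-way password hash behaves the same for this argument.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


SALT = b"constructed-salt"                 # constructed sample value
CLEARTEXT = "correct horse"                # constructed sample password
STORED_HASH = hash_password(CLEARTEXT, SALT)   # all the server keeps on disk


def pap_verify(received_password: str) -> bool:
    """PAP: the password itself arrives (inside the TTLS tunnel), so the
    server re-hashes it and compares with the stored one-way hash."""
    candidate = hash_password(received_password, SALT)
    return hmac.compare_digest(candidate, STORED_HASH)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, challenge: bytes, response: bytes,
                server_secret: bytes) -> bool:
    """The server recomputes the response, so it needs the same secret the
    client used: the clear-text password, not a hash of it."""
    expected = chap_response(ident, server_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    ident = 7
    challenge = os.urandom(16)
    # The client only ever knows the clear-text password.
    client_resp = chap_response(ident, CLEARTEXT.encode(), challenge)
    return {
        "pap_correct_password": pap_verify(CLEARTEXT),
        "pap_wrong_password": pap_verify("wrong guess"),
        # Server holding the clear text can verify the CHAP response.
        "chap_server_has_cleartext": chap_verify(
            ident, challenge, client_resp, CLEARTEXT.encode()),
        # Server holding only the one-way hash cannot.
        "chap_server_has_hash_only": chap_verify(
            ident, challenge, client_resp, STORED_HASH),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```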
Re: rlm_eap_tls not built because OpenSSL not found
On Mon, 13 Dec 2004, Alan DeKok wrote:

Tim Winders [EMAIL PROTECTED] wrote:

Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP?

http://www.alfa-ariss.com

YES!

When I enable TTLS, what default_eap_type do I specify? I would guess PAP.

No. Please re-read the comments describing that configuration item. PAP is not an EAP type. If you are using PAP inside of TTLS, then you do not need to set default_eap_type inside of the TTLS subsection.

OK. back to md5. YES!!! It works! Amazing!!!

I could not find a reference to this in the list archives. Of course, searching on SecureW2 comes up with plenty of hits. But, I didn't know what I was looking for. I also don't see anything about this in the FAQ. Any chance this might be added to the FAQ for easy reference?

This is great! Thank you!

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
RE: rlm_eap_tls not built because OpenSSL not found
Thank you Guy! The SecureW2 free plugin works perfectly!

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:

Hi Tim,

EAP-TTLS is not supported by default by the MS 802.1x supplicant. *However*, you can get a copy of SecureW2 at http://www.securew2.com/, which behaves as a plugin to the MS 802.1x supplicant to provide support for EAP-TTLS.

If you want to use a third party complete supplicant, I'd recommend Funk's Odyssey client. It's not free, but you can download a 30 day free trial from http://www.funk.com/.

Regards,
Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 18:32
To: [EMAIL PROTECTED]
Subject: RE: rlm_eap_tls not built because OpenSSL not found

G. It's always something.

Is there a way to configure a WinXP SP2 client to use EAP-TTLS/PAP?

When I enable TTLS, what default_eap_type do I specify? I would guess PAP. I have tried searching through the FAQ and the list archives, but am still confused. Much of what is there doesn't seem to be relevant anymore with current freeradius versions. (I am using the 20041210 snapshot)

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336

On Mon, 13 Dec 2004, Guy Davies wrote:

Hi Tim,

You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2. Any CHAP based authentication mechanism requires the server to have access to the *clear text* passwords. If you want to use PEAP/MS-CHAPv2, then you'll need to create definitions of your users either in a local (or other) database with clear text (or trivially reversible) passwords.

If you want to use /etc/passwd, you could switch to EAP-TTLS/PAP. Since PAP sends the password in clear text (don't worry, it's inside the outer TTLS tunnel so it's not visible in the air), your server doesn't need the clear text held locally. It simply applies the same crypt algorithm to the received password and checks the result against your /etc/passwd file.

Regards,
Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Winders
Sent: 13 December 2004 15:55
To: [EMAIL PROTECTED]
Subject: Re: rlm_eap_tls not built because OpenSSL not found

Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Length Included
Mon Dec 13 07:02:02 2004 : Error: TLS_accept:error in SSLv3 read client certificate A
Mon Dec 13 07:02:02 2004 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a show stopper. TLS is complaining about the client certificate you don't need for PEAP, but should process the request anyway. Examine the debug output to see if there is any other failure.

I am trying to connect to a Cisco AP1200 from a Windows XP SP2 client. The client has Network Authentication Open, Data Encryption WEP, EAP Type Protected EAP (PEAP), Authentication Method: Secured password (EAP-MSCHAP v2).

Why open and WEP? Why not WPA TKIP? The AP and supplicant should support this.

No reason. I have changed the configuration to WPA/TKIP.

Here is the debug output from radiusd after I have applied the MS hotfix as referenced in a previous message and have changed the AP and client configuration to WPA/TKIP.

--- Walking the entire request list ---
Cleaning up request 22 ID 236 with timestamp 41bdb896
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 10.0.1.231:21646, id=237, length=134
    User-Name = twinders
    Framed-MTU = 1400
    Called-Station-Id = 0012.7f75.d940
    Calling-Station-Id = 0090.4b65.34a5
    Service-Type = Login-User
    Message-Authenticator = 0xdc3d497356c2a583f2eaf7954c684d3a
    EAP-Message = 0x0201000d017477696e64657273
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 512
    NAS-IP-Address = 10.0.1.231
    NAS-Identifier = sub-ap1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 23
modcall[authorize]: module preprocess returns ok for request 23
modcall[authorize]: module chap returns noop for request 23
modcall[authorize]: module mschap returns noop for request 23
modcall[authorize]: module digest returns noop for request 23
rlm_realm: No '@' in User-Name = twinders, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 23
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 23
users: Matched entry DEFAULT at line 152
modcall[authorize]: module files returns ok for request 23
modcall: group authorize returns updated for request 23
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 23
rlm_eap: EAP
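The point in the quoted reply above, that a CHAP-family method needs the password itself on the server while PAP inside a tunnel can be checked against a one-way hash, as an added example that is not part of the original thread. It uses plain RFC 1994 CHAP rather than MS-CHAPv2, and PBKDF2 stands in for the system crypt algorithm; all names and sample values are constructed for the illustration.

```python
import hashlib
import hmac


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def hash_password(password, salt):
    """One-way stored form. PBKDF2 is a stand-in for crypt(3) (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def server_verify_pap(received_password, salt, stored_hash):
    """PAP: the server receives the password, rehashes it and compares."""
    candidate = hash_password(received_password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def server_verify_chap(ident, challenge, response, stored_secret):
    """CHAP: the server recomputes the response from what it has stored."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def demo():
    password = b"constructed-sample-password"   # constructed sample value
    salt = b"constructed-salt"                  # constructed sample value
    stored_hash = hash_password(password, salt)  # all a passwd-style file holds
    ident = 7
    challenge = bytes(range(16))  # fixed here so the run is repeatable
    client_response = chap_response(ident, password, challenge)
    return {
        # PAP works with only the one-way hash on the server.
        "pap_hash_only": server_verify_pap(password, salt, stored_hash),
        "pap_wrong_password": server_verify_pap(b"wrong", salt, stored_hash),
        # CHAP works only when the server stores the secret itself.
        "chap_cleartext": server_verify_chap(ident, challenge,
                                             client_response, password),
        "chap_hash_only": server_verify_chap(ident, challenge,
                                             client_response, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```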
Re: rlm_eap_tls not built because OpenSSL not found
On Fri, 10 Dec 2004 [EMAIL PROTECTED] wrote:

Tim Winders wrote:

I have tried LD_LIBRARY_PATH=/usr/local/ssl
I have tried --with-openssl-libraries=/usr/local/ssl/lib and --with-openssl-includes=/usr/local/ssl/include,
I have tried creating symlinks to the openssl files to the /usr/local/lib directory, all to no avail.

This is on a Tru64 5.1b system. What else can I try to make eap/tls build?

Probably something is trying to use the libs in wrong order (-lcrypto -lssl instead of -lssl -lcrypto).

LIBS="-lssl -lcrypto" ./configure ...

might help.

Yes, that seemed to help. Took lots of manual work to get it all together, but I now have a working radiusd with EAP support.

Unfortunately, I can't seem to get PEAP working. The server is complaining about a client certificate, like I was using EAP/TLS rather than EAP/PEAP.

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
rlm_eap_tls not built because OpenSSL not found
Hello -

I have done everything I can figure out and can't get this working. I have tried both 1.01 and cvs-20041209 with the same results.

I would like to be able to use eap/tls, but, in the configure, I keep getting a warning that eap/tls will silently not be built because it requires OpenSSL. I have openssl installed and it is found, but, -lssl for SSL_New doesn't seem to work.

I have tried LD_LIBRARY_PATH=/usr/local/ssl
I have tried --with-openssl-libraries=/usr/local/ssl/lib and --with-openssl-includes=/usr/local/ssl/include,
I have tried creating symlinks to the openssl files to the /usr/local/lib directory, all to no avail.

This is on a Tru64 5.1b system. What else can I try to make eap/tls build?

I know it's not working because if I try to enable it in the eap.conf file radiusd won't start and the log file has this message:

Error: rlm_eap: Failed to link EAP-Type/tls: The shared library loader cannot be activated for this process

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Re: rlm_eap_tls not built because OpenSSL not found
On Fri, 10 Dec 2004, Paul Hampson wrote:

On Fri, Dec 10, 2004 at 03:02:54AM -0600, Tim Winders wrote:

I have tried both 1.01 and cvs-20041209 with the same results. I would like to be able to use eap/tls, but, in the configure, I keep getting a warning that eap/tls will silently not be built because it requires OpenSSL. I have openssl installed and it is found, but, -lssl for SSL_New doesn't seem to work.

What version of OpenSSL? It needs to be 0.9.7... From memory, the symbol names changed between 0.9.6 and 0.9.7, too.

Sorry, should have included this with the original post: OpenSSL 0.9.7d

--
Tim Winders
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336