Re: VMPS fallback vlan

2012-02-10 Thread Walter Gould

On 02/09/2012 11:40 AM, Phil Mayers wrote:

On 09/02/12 15:49, Walter Gould wrote:

All,

I have FR vmps configured to query postgresql for a mac address and
return the vlan that is assigned to it. That is working well. However, I
would like to configure vmps to return a "fallback" or guest vlan for
cases when a mac address is not in the database.

Can anyone give me some suggestions or config examples?


This depends entirely on how you are setting the VLAN for "known" 
users. If you can show the config you are using, I can be more 
specific, but basically you check for the "not found" state, or check 
for the "reply vlan not set" state.


For example:

vmps {
  ...
  sql
  if (notfound) {
    update reply {
      VMPS-... = ...
    }
  }
  ...
}

Possibly the most general thing is:

vmps {
  ...
  sql
  ...
  if (!reply:VMPS-VLAN-Name) {
    update reply {
      VMPS-VLAN-Name = GUEST
    }
  }
}
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


Phil,

Thanks for your reply.   I tried what you mentioned above, but cannot 
seem to get it to work.  Below is my vmps file and debug output.  Any 
suggestions will be appreciated.


Thanks,
Walter


server vmps {
    vmps {
        #
        #  Some requests may not have a MAC address.  Try to
        #  create one using other attributes.
        #
        if (!VMPS-Mac) {
            if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
                update request {
                    VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
                }
            }
            else {
                update request {
                    VMPS-Mac = "%{VMPS-Cookie}"
                }
            }
        }

        #  Do a simple mapping of MAC to VLAN.
        #
        #  See radiusd.conf for the definition of the "mac2vlan"
        #  module.
        #
        mac2vlan

        # required VMPS reply attributes
        update reply {
            VMPS-Packet-Type = VMPS-Join-Response
            VMPS-Cookie = "%{VMPS-Mac}"

            #
            #  If you have VLAN's in a database, you can select
            #  the VLAN name based on the MAC address.
            #
            VMPS-VLAN-Name = "%{sql:select vlan from users where mac='%{VMPS-Mac}'}"
        }

        if (!reply:VMPS-VLAN-Name) {
            update reply {
                VMPS-VLAN-Name = "Guests"
            }
        }

        # correct reply packet type for reconfirmation requests
        #
        if (VMPS-Packet-Type == VMPS-Reconfirm-Request) {
            update reply {
                VMPS-Packet-Type := VMPS-Reconfirm-Response
            }
        }

        linelog
    }

    # Proxying of VMPS requests is NOT supported.
}



Here's the debug:


VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 2449
VMPS-Client-IP-Address = switch_ip
VMPS-Port-Name = "Gi1/0/12"
VMPS-VLAN-Name = "--NONE--"
VMPS-Domain-Name = "gangsta"
VMPS-Unknown = 0x00
VMPS-MAC = d4:be:d9:12:20:6c
server vmps {
Doing VMPS
+- entering group vmps {...}
++? if (!VMPS-Mac)
? Evaluating !(VMPS-Mac) -> FALSE
++? if (!VMPS-Mac) -> FALSE
++[mac2vlan] returns notfound
expand: %{VMPS-Mac} -> d4:be:d9:12:20:6c
sql_xlat
expand: %{User-Name} ->
sql_set_user escaped user --> ''
expand: select vlan from users where mac='%{VMPS-Mac}' -> select vlan from users where mac='d4:be:d9:12:20:6c'

rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 4
expand: %{sql:select vlan from users where mac='%{VMPS-Mac}'} ->
++[reply] returns notfound
++? if (!reply:VMPS-VLAN-Name)
? Evaluating !(reply:VMPS-VLAN-Name) -> FALSE
++? if (!reply:VMPS-VLAN-Name) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
? Evaluating (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
[linelog]   expand: %S %{VMPS-Mac} %{reply:VMPS-VLAN-Name} %{VMPS-Client-IP-Address} %{VMPS-Port-Name} -> 2012-02-10 14:41:01 d4:be:d9:12:20:6c  switch_ip Gi1/0/1
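
The debug output above shows why the existence test does not fire: the `update reply` block expands `%{sql:...}` to an empty string when the query returns no rows, and the reply still ends up with a VMPS-VLAN-Name attribute (the FALSE result of `!reply:VMPS-VLAN-Name` shows the attribute is present; that it was created by the empty expansion is an inference from the trace). The following rewrite of that part of the vmps section is an added example, not Phil's or Walter's configuration. It assumes FreeRADIUS 2.x unlang, the `users` table and the `sql` module instance from the post, and a VLAN named Guests on the switches. It tests the looked-up value rather than the attribute's existence, and only forwards a VLAN name that matches a strict pattern, so an unexpected value from the database is never pushed to the switch:

```unlang
server vmps {
    vmps {
        #  The MAC reconstruction block from the post goes here, unchanged.

        update reply {
            VMPS-Packet-Type = VMPS-Join-Response
            VMPS-Cookie = "%{VMPS-Mac}"
        }

        #  Run the lookup inside the condition instead of inside an
        #  "update" block.  The xlat is expanded to a string and matched
        #  against a strict VLAN-name pattern, so an empty result (no row)
        #  fails the match and never creates an empty reply attribute.
        #  Only a value that matches the pattern is copied to the switch,
        #  via the %{1} capture, so the query runs exactly once.
        if ("%{sql:select vlan from users where mac='%{VMPS-Mac}'}" =~ /^([A-Za-z0-9_-]+)$/) {
            update reply {
                VMPS-VLAN-Name := "%{1}"
            }
        }
        else {
            #  Unknown MAC, or a VLAN name we refuse to forward: guest VLAN.
            #  "Guests" is an assumed name; it must exist on the switches.
            update reply {
                VMPS-VLAN-Name := "Guests"
            }
        }

        # correct reply packet type for reconfirmation requests
        if (VMPS-Packet-Type == VMPS-Reconfirm-Request) {
            update reply {
                VMPS-Packet-Type := VMPS-Reconfirm-Response
            }
        }

        linelog
    }
}
```

Check it with `radiusd -X`: for a MAC that is in the table the condition should evaluate TRUE and the reply carry the table's VLAN; for one that is not, the `else` branch runs and the linelog line should show Guests where the trace above shows a blank. Bear in mind that VMPS assigns VLANs on the MAC address alone, which any host can set, so the guest VLAN is a convenience for unknown devices, not an access control.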

VMPS fallback vlan

2012-02-09 Thread Walter Gould

All,

I have FR vmps configured to query postgresql for a mac address and 
return the vlan that is assigned to it.  That is working well.  However, 
I would like to configure vmps to return a "fallback" or guest vlan for 
cases when a mac address is not in the database.


Can anyone give me some suggestions or config examples?

Thanks,
Walter


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: ldap group lookup help

2010-09-08 Thread Walter Gould
I never saw a reply to my below e-mail.  Would anybody have any thoughts 
or ideas on why our ldap group lookups fail after some period of 
time...?  If it would help to send debug output, I can...  Just for my 
information, are many folks out there using ldap/AD group lookups on 
large FR installs?


Thanks in advance,
Walter



 Original Message 
Subject:ldap group lookup help
Date:   Thu, 02 Sep 2010 09:49:02 -0500
From:   Walter Gould 
To: FreeRadius users mailing list 



Group,

We are having problems with ldap group lookups...  Here's our
environment.  Using Freeradius 2.1.8 to authenticate wireless users
against our AD servers and perform ldap group membership lookups.  Using
WPA2-AES-PEAP-MSCHAPv2.  When radiusd is started, initially the lookups
work fine and we see successful auth's in our radius logs.  But, after
some period of time, we eventually begin to see bunches of "Invalid
user:" radius logs.  The only thing that seems to fix this is to remove
the ldap group lookups from the freeradius config.

In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we
have multiple user ou's).  Not sure if that might be causing an issue or
not..?

One thing I have noticed is there are 3 ldap group lookups that each say
"rlm_ldap::ldap_groupcmp: User found in group ".  I have read posts
about configuring the ldap module to use the inner-tunnel - which I have
done.  Is there any way to reduce the number of group lookups to only
one?   Not sure if the extra lookups are causing unneeded traffic which
may be causing issues?

Also, I see 10 Access-Request packets and about the same number of
Access-Challenge packets..  Is this normal?  Just wondering if excessive
unneeded traffic is what is overloading the AD/ldap servers?

Any help or suggestions will be appreciated.

Thanks,

Walter Gould
Auburn University

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ldap group lookup help

2010-09-02 Thread Walter Gould

Group,

We are having problems with ldap group lookups...  Here's our 
environment.  Using Freeradius 2.1.8 to authenticate wireless users 
against our AD servers and perform ldap group membership lookups.  Using 
WPA2-AES-PEAP-MSCHAPv2.  When radiusd is started, initially the lookups 
work fine and we see successful auth's in our radius logs.  But, after 
some period of time, we eventually begin to see bunches of "Invalid 
user:" radius logs.  The only thing that seems to fix this is to remove 
the ldap group lookups from the freeradius config.


In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we 
have multiple user ou's).  Not sure if that might be causing an issue or 
not..?


One thing I have noticed is there are 3 ldap group lookups that each say 
"rlm_ldap::ldap_groupcmp: User found in group ".  I have read posts 
about configuring the ldap module to use the inner-tunnel - which I have 
done.  Is there any way to reduce the number of group lookups to only 
one?   Not sure if the extra lookups are causing unneeded traffic which 
may be causing issues?


Also, I see 10 Access-Request packets and about the same number of 
Access-Challenge packets..  Is this normal?  Just wondering if excessive 
unneeded traffic is what is overloading the AD/ldap servers?


Any help or suggestions will be appreciated.

Thanks,

Walter Gould
Auburn University
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ntlm_auth and Server 2008 R2 issues

2010-02-26 Thread Walter Gould

Alan Buxey wrote:

Hi,

  Samba 4 will be a full member of an AD domain.  It will have access to
 the NT hashed passwords.  It will (presumably) be able to export them
via LDAP, like a real LDAP server.



oooh! yippee!


So help me out here - what exactly does that mean?  And, how will it 
help us?



anyway, regarding initial issue samba 3.4.3 might fix the issue
but it must also be noted that microsoft implemented a new security
thing for NTLM Authentication in Win 7 and server 2008 R2 - perhaps
the initial poster is becoming unstuck because of a policy
on the server ? 


eg http://technet.microsoft.com/en-us/library/dd560653%28WS.10%29.aspx

(why do i feel dirty for posting a technet URL? ;-))
Thanks for posting this Alan..  I will run this by our AD admin.  Maybe 
(hopefully), it is a server policy that is screwing us.


Walter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ntlm_auth and Server 2008 R2 issues

2010-02-26 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:
We are having the same issue as noted here: 
http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg00664.html



  See also https://bugzilla.samba.org/show_bug.cgi?id=6563


Yes, I saw that one...


 I
have read other posts on the list that have said it won't work (which
kind of makes sense to me).  However, it sure would be nice to side step
Samba on this issue.



  It's impossible.  (for now)


for now...?  Can you expand?


We are not doing group checking at this point, just authentication. 
Currently running FreeRADIUS 2.0.3.  Any suggestions/comments will be

appreciated.  I guess my next e-mail will be to the Samba mailing list



  Install FreeRADIUS 2.1.8, and possibly Samba 3.4.3


Are there thoughts that these two may work?


Thanks for the help,
Walter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


ntlm_auth and Server 2008 R2 issues

2010-02-26 Thread Walter Gould
We are having the same issue as noted here:  
http://lists.freeradius.org/pipermail/freeradius-users/2009-November/msg00664.html


I am guessing there is no way to use LDAP for MSCHAP authentication?  I 
have read other posts on the list that have said it won't work (which 
kind of makes sense to me).  However, it sure would be nice to side step 
Samba on this issue. 

We are not doing group checking at this point, just authentication.  
Currently running FreeRADIUS 2.0.3.  Any suggestions/comments will be 
appreciated.  I guess my next e-mail will be to the Samba mailing list


Thanks,
Walter



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS + 802.1X wireless rollout questions

2008-04-21 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:

Here's where my concerns lie -  I am concerned about how many
simultaneous authentication requests that a single Freeradius server can
handle.  I have read the "Testimonials" and the "Why we're #1" pages on
the freeradius site - which says there are numerous sites using
freeradius to support more than 10,000 or 20,000 users.



  And, sites with 15,000,000 users.

 Our school
currently has around 21,000 students on our campus.  Of that 21,000 -
there is usually around 1000 users logged into our wireless network at
any given time, however, that number continually increases.



  The authentication load on the server is relatively easy to calculate.
 If you have N users on, each with an average session time of S seconds,
the load on the system will be N/S.

  e.g. 1K users, 20 minute session time (1200s) is about 1 auth/s.  That
is very little load...

  With EAP, there are multiple packets per user authentication, and SSL
setup overhead.  See raddb/certs/README.  Interaction with Active
Directory adds even more overhead.

  But a 2GHz machine should be fine.  As was pointed out, you'll need a
second machine for failover before the first one is at all busy.

Questions:
1. Do any of you have feedback/thoughts/experience on how our freeradius
server may handle the auth. request load given our situation?

2. Do you think that we may need to tweak any of the settings in the
radiusd.conf file  (max_requests, max_request_time, etc)?



  The default configuration should be pretty much fine.

3.  Any other advice/suggestions you have or think of would be welcome
and appreciated.



  Test the system to prove for yourself that the above numbers are true.
 Use "eapol_test" from "wpa_supplicant" on client machines to hammer the
server with test authentications.  That will give you a *measured*
number for server performance.

  Alan DeKok.


Alan D. and Alan B.,

Thanks for both of your inputs and suggestions.  I appreciate them.  
They have given me some good direction for testing and measuring 
performance. 


Thanks again,
Walter

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
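
Alan's advice is to measure rather than estimate. As an added example that is not part of the thread, the POSIX shell script below first turns the N/S estimate into numbers and then drives `eapol_test` (built from the wpa_supplicant source with `make eapol_test`) against the server with a PEAP/MSCHAPv2 profile, which is the authentication method these posts use. The server address, shared secret, test account and the assumption of roughly ten RADIUS round trips per PEAP authentication (the count Walter reports in the ldap thread above) are placeholders to adjust:

```sh
#!/bin/sh
# Added example (not from the thread): size, then measure, the PEAP/MSCHAPv2
# authentication load on a FreeRADIUS server using eapol_test.
# All values below are assumed placeholders; override them via the environment.

SERVER="${SERVER:-192.0.2.10}"           # assumed RADIUS server address
SECRET="${SECRET:-testing123}"           # assumed shared secret
IDENTITY="${IDENTITY:-testuser}"         # assumed test account in AD
PASSWORD="${PASSWORD:-testpass}"
CA_CERT="${CA_CERT:-/etc/raddb/certs/ca.pem}"   # the CA cert, not server.pem

# Predicted steady-state authentications per second: N users on the
# network, each re-authenticating every S seconds, gives N/S (the
# estimate from the thread).  Prints two decimals.
predicted_auth_rate() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.2f\n", n / s }'
}

# RADIUS round trips per second: each PEAP/MSCHAPv2 authentication is a
# chain of Access-Request/Access-Challenge pairs ($3 of them, about ten
# in practice), so the packet rate is the auth rate times that count.
predicted_packet_rate() {
    awk -v n="$1" -v s="$2" -v r="$3" 'BEGIN { printf "%.2f\n", (n / s) * r }'
}

# Write a wpa_supplicant network block for eapol_test to $1.  Pinning
# ca_cert makes the client refuse a server whose certificate does not
# chain to our CA, the same check the Windows "validate server
# certificate" box performs.
write_peap_conf() {
    cat > "$1" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$IDENTITY"
    password="$PASSWORD"
    phase2="auth=MSCHAPV2"
    ca_cert="$CA_CERT"
}
EOF
}

# Run $1 eapol_test clients in parallel, each doing $2 re-authentications
# after its first one, with a distinct client MAC, and report wall-clock
# time.  -t is the per-authentication timeout in seconds.
run_load() {
    conf="${TMPDIR:-/tmp}/peap-$$.conf"
    write_peap_conf "$conf"
    start=$(date +%s)
    i=0
    while [ "$i" -lt "$1" ]; do
        eapol_test -c "$conf" -a "$SERVER" -p 1812 -s "$SECRET" -r "$2" -t 5 \
            -M "02:00:00:00:00:$(printf '%02x' "$((i % 256))")" >/dev/null 2>&1 &
        i=$((i + 1))
    done
    wait
    end=$(date +%s)
    rm -f "$conf"
    echo "$(( $1 * ($2 + 1) )) authentications in $((end - start)) s"
}

case "${1:-}" in
    predict) predicted_auth_rate "${2:-1000}" "${3:-1200}"
             predicted_packet_rate "${2:-1000}" "${3:-1200}" "${4:-10}" ;;
    run)     command -v eapol_test >/dev/null 2>&1 || { echo "eapol_test not found" >&2; exit 1; }
             run_load "${2:-20}" "${3:-10}" ;;
esac
```

`./loadtest.sh predict 1000 1200` prints the two predicted rates for the 1000-user, 20-minute case from the thread; `./loadtest.sh run 20 10` runs 20 concurrent clients doing 11 authentications each. Compare the wall-clock result against the prediction, and watch `radiusd -X` (or the AD/ntlm_auth side) for the slowest step; the RADIUS server is rarely the bottleneck before the domain controllers are.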


FreeRADIUS + 802.1X wireless rollout questions

2008-04-18 Thread Walter Gould

List,

Our institution (a 4 yr. state college) is planning on implementing a 
802.1X wireless network in the coming months.  We have a test network in 
place now and all seems to be working well.  We have two FreeRADIUS 
servers.  We followed the "FreeRADIUS Active Directory Integration HOWTO 
<http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO>" 
from the wiki to get freeradius talking with our centrally managed AD 
servers for authentication.  We are using freeradius version 2.0.3.  The 
primary server specs are: Intel 2GHz Xeon QC, 2GB installed RAM.   The 
secondary is currently running on a vm.  I hope to purchase a piece of 
hardware similar to the one above to run this on in the near future.


Here's where my concerns lie -  I am concerned about how many 
simultaneous authentication requests that a single Freeradius server can 
handle.  I have read the "Testimonials" and the "Why we're #1" pages on 
the freeradius site - which says there are numerous sites using 
freeradius to support more than 10,000 or 20,000 users.  Our school 
currently has around 21,000 students on our campus.  Of that 21,000 - 
there is usually around 1000 users logged into our wireless network at 
any given time, however, that number continually increases.


Questions:
1. Do any of you have feedback/thoughts/experience on how our freeradius 
server may handle the auth. request load given our situation?


2. Do you think that we may need to tweak any of the settings in the 
radiusd.conf file  (max_requests, max_request_time, etc)? 

3.  Any other advice/suggestions you have or think of would be welcome 
and appreciated.


Thanks,
Walter

--
Walter Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSL certificate problems

2007-11-01 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:

Sorry to bother you guys again -  I created new SSL certificates per
your above instructions...  After the certs were created, I then:

1. copied them to the /etc/raddb/certs directory
2. updated /etc/raddb/eap.conf with the certificate names & private key
password
3. copied and installed the new certificate (server.pem) onto my XP
laptop and
4. started radiusd in debug mode, below is the output

It is acting as you describe in the FAQ -



  You didn't add the root certificate to the XP machine.  See the
EAP-TLS "howto's" on the web site.


Thanks Alan - once I did this, it worked. I had the root certificate 
(ca.pem) confused with one of the other certs. The SSL certificate 
terminology is a bit crazy to me...


thanks again,
Walter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
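
The mix-up above (installing server.pem on the client instead of ca.pem) can be checked with openssl before touching any supplicant. As an added example that is not part of the thread, the script below builds a throwaway CA and a server certificate signed by it, stand-ins for the ca.pem and server.pem that the bootstrap script produces, and shows that a client which trusts only server.pem cannot validate the server, while one that trusts ca.pem can. The names are placeholders; it needs the openssl command line tool and carries its own minimal request config so the result does not depend on the system openssl.cnf:

```sh
#!/bin/sh
# Added example (not from the thread): which file is the trust anchor?
# Builds a throwaway CA and a server certificate signed by it, stand-ins
# for ca.pem / server.pem, then checks which of the two a client must
# trust in order to validate the server certificate.

# Create ca.pem (self-signed CA) and server.pem (signed by that CA) in $1.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal req config: empty DN section (we pass -subj) plus the
    # extensions that mark the self-signed certificate as a CA.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.edu" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Succeeds when the certificate in $2 chains to the trust anchor in $1.
# This is the same test a supplicant performs with "validate server
# certificate" enabled and the given file in its trusted root store.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print subject and issuer, which is enough to tell the two files apart.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

if [ "${1:-}" = "demo" ]; then
    d="${TMPDIR:-/tmp}/radius-pki-$$"
    make_test_pki "$d" || { echo "openssl failed" >&2; exit 1; }
    describe_cert "$d/ca.pem"
    describe_cert "$d/server.pem"
    chain_ok "$d/ca.pem" "$d/server.pem" &&
        echo "trust ca.pem:     server certificate validates"
    chain_ok "$d/server.pem" "$d/server.pem" ||
        echo "trust server.pem: validation fails (a leaf is not a CA)"
    rm -rf "$d"
fi
```

Run it with `demo` as the first argument. The same check applies to the production files: `openssl verify -CAfile ca.pem server.pem` should print OK, and it is ca.pem, imported into the client's trusted root store, that lets Windows keep server certificate validation enabled. Unticking that box makes the client accept any RADIUS server that offers a certificate, which is exactly what a rogue access point relies on to collect MSCHAPv2 exchanges.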


Re: SSL certificate problems

2007-10-29 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:

I am following the document "FreeRADIUS Active Directory Integration
HOWTO" from the freeradius Wiki.  I am having problems with  creating
SSL certificates.  When I follow the instructions at the bottom of this
doc and run the CA.all script, I see the following errors:



  Ugh.

  Download CVS head (see the web page for CVS instructions).

$ cd raddb/certs
$ vi *.cnf  ca.cnf, server.cnf to set your local parameters
$ ./bootstrap

  And you will have certificates that can be used in 1.1.x.

  Alan DeKok.

Alan & list,

Sorry to bother you guys again -  I created new SSL certificates per 
your above instructions...  After the certs were created, I then:


1. copied them to the /etc/raddb/certs directory
2. updated /etc/raddb/eap.conf with the certificate names & private key 
password
3. copied and installed the new certificate (server.pem) onto my XP 
laptop and

4. started radiusd in debug mode, below is the output

It is acting as you describe in the FAQ -

"the client sends a series of Access-Request messages, the server sends 
a series of Access-Challenge responses, and then... nothing happens. 
After a little wait, it all starts again."


So, I am wondering will I need to install the hotfix as listed in the 
FAQ - and, will this have to be done on ALL Windows machines?  I am 
thinking that I still do not have something configured right on my 
side.   If I uncheck the "validate server certs" box on the XP client, I 
can connect and authenticate successfully.


Thanks again -
Walter


Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server.pem"
tls: certificate_file = "/etc/raddb/certs/server.pem"
tls: CA_file = "/etc/raddb/certs/ca.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(nu

Re: SSL certificate problems

2007-10-26 Thread Walter Gould

Walter Gould wrote:

Alan DeKok wrote:

Walter Gould wrote:

I am following the document "FreeRADIUS Active Directory Integration
HOWTO" from the freeradius Wiki.  I am having problems with  creating
SSL certificates.  When I follow the instructions at the bottom of this
doc and run the CA.all script, I see the following errors:



  Ugh.

  Download CVS head (see the web page for CVS instructions).

$ cd raddb/certs
$ vi *.cnf  ca.cnf, server.cnf to set your local parameters
$ ./bootstrap

  And you will have certificates that can be used in 1.1.x.

  Alan DeKok.

Alan,

Thanks for your help.  I did what you suggested and then copied the 
certs that were created to my /etc/raddb/certs directory.  Also, I 
edited eap.conf to match the new private key password and the newly 
created certificate names.  I now try to run radiusd in debug mode and 
it dies.  I have checked file/directory permissions on the certs 
directory and they look ok to me - of course I know that doesn't mean 
much...


Below is the debug.  Please let me know if you need anything else...

Thanks again,
Walter

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server.pem"
tls: certificate_file = "/etc/raddb/certs/server.pem"
tls: CA_file = "/etc/raddb/certs/ca.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "DEFAULT"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1947] Unknown module "eap".
radiusd.conf[1894] Failed to parse authenticate section.




Alan & list,

Ignore my previous e-mail.  It was indeed a permissions problem.

Thanks again,
Walter

--
Walter P. Gould
Info. Tech. Specialist
Office of Information Technology
Auburn University, AL
[EMAIL PROTECTED]
www.auburn.edu/~gouldwp
334-844-9327

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: SSL certificate problems

2007-10-26 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:

I am following the document "FreeRADIUS Active Directory Integration
HOWTO" from the freeradius Wiki.  I am having problems with  creating
SSL certificates.  When I follow the instructions at the bottom of this
doc and run the CA.all script, I see the following errors:



  Ugh.

  Download CVS head (see the web page for CVS instructions).

$ cd raddb/certs
$ vi *.cnf  ca.cnf, server.cnf to set your local parameters
$ ./bootstrap

  And you will have certificates that can be used in 1.1.x.

  Alan DeKok.

Alan,

Thanks for your help.  I did what you suggested and then copied the 
certs that were created to my /etc/raddb/certs directory.  Also, I 
edited eap.conf to match the new private key password and the newly 
created certificate names.  I now try to run radiusd in debug mode and 
it dies.  I have checked file/directory permissions on the certs 
directory and they look ok to me - of course I know that doesn't mean 
much...


Below is the debug.  Please let me know if you need anything else...

Thanks again,
Walter

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = "(null)"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Module: Instantiated mschap (mschap)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server.pem"
tls: certificate_file = "/etc/raddb/certs/server.pem"
tls: CA_file = "/etc/raddb/certs/ca.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "DEFAULT"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
rlm_eap_tls: Error reading certificate file
rlm_eap: Failed to initialize type tls
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1947] Unknown module "eap".
radiusd.conf[1894] Failed to parse authenticate section.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SSL certificate problems

2007-10-26 Thread Walter Gould

List,

I am following the document "FreeRADIUS Active Directory Integration 
HOWTO" from the freeradius Wiki.  I am having problems with  creating 
SSL certificates.  When I follow the instructions at the bottom of this 
doc and run the CA.all script, I see the following errors:


+ openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:removed -passout pass:removed
Error opening input file demoCA/cacert.pem
demoCA/cacert.pem: No such file or directory
+ openssl pkcs12 -in root.p12 -out root.pem -passin pass:removed -passout pass:removed
Error opening input file root.p12
root.p12: No such file or directory
+ openssl x509 -inform PEM -outform DER -in root.pem -out root.der
Error opening Certificate root.pem
3925:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('root.pem','r')
3925:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate

I saw a mailing list posting that said to move the CA.all script and the 
xpextensions file to the /etc/raddb/certs directory and run it from 
there, however after doing that I still receive the same errors.  
Anybody have any ideas on this?  After googling awhile, it seems like 
this might be an openssl syntax error w/in the script.


Also, I am using FreeRADIUS 1.1.3 (CentOS rpm install).

Thanks,
Walter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS-IP-Address = 0.0.0.0

2007-10-05 Thread Walter Gould

[EMAIL PROTECTED] wrote:

You are aware that this is not Cisco technical support?

Yes - I am...smirk.


radius server attribute 4 a.b.c.d

Ivan Kalik
Kalik Informatika ISP
That didn't seem to work.   For others that may run into this problem, 
this did:


ip radius source-interface Vlan 1




NAS-IP-Address = 0.0.0.0

2007-10-05 Thread Walter Gould
Please excuse me if this has already been covered in the docs or the FAQ 
(I looked - but nothing jumped out at me).  In accounting packets coming 
from Cisco Catalyst 6513 switches, the NAS-IP-Address = 0.0.0.0.  Does 
anybody know why and if this can be changed?  I have tried modifying the 
aaa accounting commands on the switch, but that has not seemed to fix it.  On 
our 3750 series switches, this doesn't happen and the correct switch/NAS 
ip address is listed in the NAS-IP-Address attribute field.


Thanks in advance,

Walter



Re: Acct-Status-Type attribute

2007-10-04 Thread Walter Gould

Alan DeKok wrote:

Walter Gould wrote:

  Why would I not be
getting any accounting data written to this file?

  This is in the FAQ.

  Alan DeKok.

Alan,

You were right - thanks for pointing me there.

http://wiki.freeradius.org/index.php/FAQ#How_do_I_enable_FreeRADIUS_to_log_accounting_attribute_type_X.3F

Walter



Re: Acct-Status-Type attribute

2007-10-04 Thread Walter Gould

Kevin Bonner wrote:
Access-Request is not from an accounting packet.  You have a detail module 
listed in your authorize or post-auth section which is adding this data to 
the detail-combined file.  You should have something similar to this in your 
radiusd.conf file:

Thanks for your reply.  You were right about this.


===
modules {
...
detail detail-radrelay {
  detailfile = ${radacctdir}/detail-combined
  detailperm = 0600
  locking = yes
}
...
}
accounting {
  ...
  detail-radrelay
  ...
}
===

I have put sections like this in my radiusd.conf file, but now - I am 
getting no data in the detail-combined file.  I have checked permissions 
on the file and it is owned by user radiusd and group radiusd.  Also, 
there are no related errors in my radius.log file.  Why would I not be 
getting any accounting data written to this file?  Seems like something 
is still misconfigured.


Below are my config sections related to this:

modules {
...
detail detail-combined {
    detailfile = ${radacctdir}/detail-combined
    detailperm = 0600
    dirperm = 0755
    locking = yes
}
...
}

accounting {
...
    detail-combined
...
}



Also, I have run radiusd in debug mode and it loads the above module 
fine.  


Thanks for any assistance,

Walter


Acct-Status-Type attribute

2007-10-03 Thread Walter Gould
I am running freeradius-1.1.3.  I am using freeradius to authenticate 
users logging into Cisco switches and routers.  I am trying to use 
radrelay to send the radius accounting data to our syslog server.  When 
I run radrelay in debug mode, it gives this error:


Record Rate since startup: 42.57
Packet Rate since startup: 0.00
read_one: No Acct-Status-Type attribute present. Rejecting record.
read_one: No Acct-Status-Type attribute present. Rejecting record.
radrelay: Running and Processing Records.
Seconds since startup: 7
Records Read: 299
Packets Sent: 0

When I check the contents of the /var/log/radius/radacct/detail-combined 
file, it contains the following attributes:


Packet-Type = Access-Request
Wed Oct  3 15:36:02 2007
    NAS-IP-Address = 10.3.51.1
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = "testuser"
    Calling-Station-Id = "10.3.0.51"
    Client-IP-Address = 10.3.51.1

Is it possible to have the Acct-Status-Type attribute included in the 
Access Request that is logged to the  
/var/log/radius/radacct/detail-combined file?  If so - how would I go 
about achieving this?


I have checked the /etc/raddb/dictionary and related files (in 
/usr/share/freeradius/) and see the Acct-Status-Type attribute listed, 
but am not sure why it is not being included in the above accounting 
access-request.


Thanks in advance,

Walter Gould
Auburn University
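The two symptoms raised in this thread, a detail record that radrelay rejects for having no Acct-Status-Type (the "read_one" lines above) and accounting records from the Catalyst 6513 that carry NAS-IP-Address = 0.0.0.0 (the earlier "NAS-IP-Address = 0.0.0.0" post), can both be spotted by reading the detail file before relaying it. As an added example, not code from the thread or from FreeRADIUS, the script below parses a detail file in the layout the post shows (a timestamp line, indented "Attribute = value" lines, a blank line closing the record) and classifies each record: REJECT when Acct-Status-Type is absent, which is the condition radrelay reports, WARN when NAS-IP-Address is 0.0.0.0, and OK otherwise. The three-record sample file is constructed here, not captured from a server, and the function names write_sample_detail, classify_detail and count_verdict are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a FreeRADIUS detail file into
# records and classify each one. A record without Acct-Status-Type is what radrelay's
# "read_one: No Acct-Status-Type attribute present. Rejecting record." refers to;
# NAS-IP-Address = 0.0.0.0 is the Catalyst 6513 symptom from the earlier post.

# write_sample_detail FILE: constructed sample data in the post's layout (not real
# captured accounting). Record 1 is an Access-Request that a detail module in the
# authorize section wrote, record 2 a Start with a bad NAS address, record 3 a Stop.
write_sample_detail() {
  cat > "$1" <<'EOF'
Wed Oct  3 15:36:02 2007
    Packet-Type = Access-Request
    NAS-IP-Address = 10.3.51.1
    NAS-Port = 1
    NAS-Port-Type = Virtual
    User-Name = "testuser"
    Calling-Station-Id = "10.3.0.51"
    Client-IP-Address = 10.3.51.1

Wed Oct  3 15:37:15 2007
    Acct-Status-Type = Start
    NAS-IP-Address = 0.0.0.0
    User-Name = "testuser"
    Acct-Session-Id = "00000001"

Wed Oct  3 15:41:48 2007
    Acct-Status-Type = Stop
    NAS-IP-Address = 10.3.51.1
    User-Name = "testuser"
    Acct-Session-Id = "00000001"
    Acct-Session-Time = 273

EOF
}

# classify_detail FILE: print one line per record as "<timestamp>|<verdict>", where
# the verdict starts with REJECT, WARN or OK. Leading tabs or spaces both count as
# attribute indentation; any non-indented, non-blank line opens a new record.
classify_detail() {
  awk '
    function flush() {
      if (ts == "") return
      if (!("Acct-Status-Type" in attr))
        verdict = "REJECT no Acct-Status-Type"
      else if (attr["NAS-IP-Address"] == "0.0.0.0")
        verdict = "WARN NAS-IP-Address is 0.0.0.0"
      else
        verdict = "OK " attr["Acct-Status-Type"]
      print ts "|" verdict
      ts = ""; split("", attr)
    }
    /^[ \t]+[A-Za-z0-9-]+ = / {            # indented attribute line
      line = $0; sub(/^[ \t]+/, "", line)
      pos = index(line, " = ")
      name = substr(line, 1, pos - 1); value = substr(line, pos + 3)
      gsub(/^"|"$/, "", value)              # strip quotes around string values
      attr[name] = value; next
    }
    /^[^ \t]/ { flush(); ts = $0; next }    # timestamp line opens a record
    /^$/ { flush() }                        # blank line closes a record
    END { flush() }
  ' "$1"
}

# count_verdict FILE WORD: number of records whose verdict starts with WORD.
count_verdict() {
  classify_detail "$1" | awk -F'|' -v want="$2" '
    { split($2, w, " "); if (w[1] == want) n++ }
    END { print n + 0 }'
}

# Stand-alone run: classify the constructed sample and print the report.
sample=$(mktemp)
write_sample_detail "$sample"
classify_detail "$sample"
rm -f "$sample"
```

The first sample record is the case from this post: it is an Access-Request written by a detail module that sits in authorize or post-auth rather than accounting, so no amount of dictionary checking will make it carry Acct-Status-Type; it simply is not an accounting record, which is why radrelay drops it. The WARN verdict on the second record is what an accounting record from the 6513 looked like before the source-interface fix in the earlier post.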