AP point support 802.1x but only with WPA
Hello, I would like to know whether anyone uses Freeradius with the Dlink DWL-3200 Access Point. I must use the Radius server (802.1x) exclusively for authentication, without any type of WPA-*. The latest firmware versions of this Access Point allow the Radius server to be used only in combination with several kinds of WPA, but this is not what I need. Would someone be able to tell me which firmware to use to be able to use 802.1x exclusively, without WPA (and where I can download it)?

Many thanks
Best Regards,
Luigi

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem using radiusMaxBandwidthDown attribute
Hello, I need to use the radiusMaxBandwidthDown and radiusMaxBandwidthUp attributes in LDAP, but RADIUS-LDAPv3.schema doesn't contain those attributes. Could someone tell me where I can get a complete RADIUS-LDAPv3.schema containing these attributes, or tell me the schema for these two attributes so that I can add them to RADIUS-LDAPv3.schema? What must I add in ldap.attrmap?

Many thanks to all
Best Regards,
Luigi
Problem using EAP-TTLS
Hello, I've installed freeradius 1.1.2 and I've configured eap-ttls in eap.conf:

tls {
    private_key_password = whatever
    private_key_file = ${raddbdir}/certs/cert-srv.pem
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    dh_file = ${raddbdir}/certs/dh
    random_file = ${raddbdir}/certs/random
    fragment_size = 1024
    include_length = yes
}
ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
}

I've not made other changes to this file. I've launched chillispot with the --eapolenable option:

chilli --eapolenable

I've installed and configured the SecureW2 client on WinXP. The problem is that EAP-TTLS is not used, as shown in this log:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded LDAP
ldap: server = "localhost"
ldap: port = 389
ldap: net_timeout = 1
ldap: timeout = 4
ldap: timelimit = 3
ldap: identity = "cn=Manager,dc=valug,dc=it"
ldap: tls_mode = no
ldap: start_tls = no
ldap: tls_cacertfile = "(null)"
ldap: tls_cacertdir = "(null)"
ldap: tls_certfile = "(null)"
ldap: tls_keyfile = "(null)"
ldap: tls_randfile = "(null)"
ldap: tls_require_cert = "allow"
ldap: password = "mypass"
ldap: basedn = "ou=homewifi,dc=valug,dc=it"
ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "userPassword"
ldap: access_attr = "userPassword"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
ldap: groupmembership_attribute = "radiusGroupName"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = no
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap r
Re: A few clarifications on EAP-TTLS
Windows XP does not support EAP-TTLS. You would have to install extra software, e.g. SecureW2. MacOS X does, I believe. Sorry

And does Linux support it?
A few clarifications on EAP-TTLS
ddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded checkval
checkval: item-name = "Calling-Station-Id"
checkval: check-name = "Calling-Station-Id"
checkval: data-type = "string"
checkval: notfound-reject = no
rlm_checkval: Registered name Calling-Station-Id for attribute 31
Module: Instantiated checkval (checkval)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
--- Walking the entire request list ---
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1041, id=0, length=219
    User-Name = "utente"
    CHAP-Challenge = 0xb8e461988db3fcb15283eae64c342d1b
    CHAP-Password = 0x0090a807a589b4864d7900bee913da1710
    NAS-IP-Address = 127.0.0.1
    Service-Type = Login-User
    Framed-IP-Address = 192.168.182.8
    Calling-Station-Id = "XX-XX-XX-XX-XX-XX"
    Called-Station-Id = "YY-YY-YY-YY-YY-YY"
    NAS-Identifier = "localhost"
    Acct-Session-Id = "44f1bf3c0001"
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 1
    Message-Authenticator = 0x81223a8de1013cb55976c322793533a2
    WISPr-Logoff-URL = "http://192.168.182.5:3990/logoff";
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_chap: Setting 'Auth-Type := CHAP'
modcall[authorize]: module "chap" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "utente", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0

This is the error:

rlm_eap: No EAP-Message, not doing EAP

What's wrong? Must I install specific software on the clients (like Xsupplicant), or can I solve it in another way (transparent for the clients)?

Many thanks
Luigi Natalino
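An added example, not part of the original post or of FreeRADIUS itself: a short Python parser for debug output laid out like the log above, reporting which authentication method each Access-Request actually carried. In the posted request the only credential attribute is CHAP-Password and there is no EAP-Message. The second packet in the sample is constructed, and all function names are hypothetical.

```python
import re

EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
# Checked in order; the first attribute present decides the method.
PASSWORD_ATTRS = [("CHAP-Password", "CHAP"), ("MS-CHAP2-Response", "MS-CHAPv2"),
                  ("MS-CHAP-Response", "MS-CHAP"), ("User-Password", "PAP")]
REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=(\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

# First packet: attributes copied from the post. Second packet: constructed.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:1041, id=0, length=219
    User-Name = "utente"
    CHAP-Challenge = 0xb8e461988db3fcb15283eae64c342d1b
    CHAP-Password = 0x0090a807a589b4864d7900bee913da1710
    NAS-Port-Type = Wireless-802.11
rlm_eap: No EAP-Message, not doing EAP
rad_recv: Access-Request packet from host 127.0.0.1:1042, id=1, length=140
    User-Name = "anonymous"
    EAP-Message = 0x0201000e01616e6f6e796d6f7573
"""

def parse_requests(log):
    """Return one {'id', 'attrs'} dict per Access-Request in the debug log."""
    requests, in_attrs = [], False
    for line in log.splitlines():
        head = REQ_RE.match(line)
        attr = ATTR_RE.match(line) if in_attrs else None
        if head:
            requests.append({"id": int(head.group(1)), "attrs": {}})
        elif attr:
            # Keep the first value: a fragmented EAP-Message starts with the header.
            requests[-1]["attrs"].setdefault(attr.group(1), attr.group(2).strip('"'))
        in_attrs = bool(head or attr)
    return requests

def auth_method(attrs):
    """Name the authentication method the request's attributes imply."""
    if "EAP-Message" in attrs:
        raw = bytes.fromhex(attrs["EAP-Message"][2:])
        # EAP header is code(1) id(1) length(2); requests/responses add type(1).
        eap_type = raw[4] if len(raw) > 4 else None
        return "EAP/" + EAP_TYPES.get(eap_type, f"type {eap_type}")
    return next((name for a, name in PASSWORD_ATTRS if a in attrs), "unknown")

def report(log):
    """List (request id, User-Name, method) for every Access-Request."""
    return [(r["id"], r["attrs"].get("User-Name"), auth_method(r["attrs"]))
            for r in parse_requests(log)]
```

Running `report()` over a real debug capture shows at a glance whether the NAS is forwarding 802.1X/EAP traffic or a password-style login.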
Re: EAP-TTLSv1 use or support
Ok Josh, thanks for your information.

Best regards,
Luigi
EAP-TTLSv1 use or support
Hello, I would like to know if the latest version of freeradius (1.1.2) uses (or supports) EAP-TTLSv1 or EAP-TTLSv0 (http://tools.ietf.org/wg/eap/draft-funk-eap-ttls-v1-01.txt). And if for the moment only EAP-TTLSv0 is used, is an update of the version foreseen for the future?

Thanks in advance
Regards,
Luigi
Use multiple radiusCallingStationId attribute
Hello, I'm setting the radiusCallingStationId attribute to perform some MAC-Address based controls. The schema says that this attribute is multivalued, but when I try to add more than one value of this attribute I get this error:

entry failed schema check: attribute 'radiusCallingStationId' cannot have multiple values
conn=0 op=5 RESULT tag=103 err=19 text=attribute 'radiusCallingStationId' cannot have multiple values

For each user I need to store multiple radiusCallingStationId values, to check the user ID against the MAC-Address during user authentication.

Thanks in advance
Luigi Natalino a.k.a. Bill Wood
LDAP macAddress attribute for MAC-Address filters
Hi, I need to implement MAC-Address filters; every user may have multiple MAC-Addresses. I'm using freeradius with openldap. Can I use the ldap macAddress attribute to make these filters? How does Radius understand this attribute? Are some modifications to ldap.attrmap required, and if so, what are the modifications to be made?

Thanks in advance
Bill Wood