Re: Multiple radius servers with the same CA

2010-03-24 Thread sphaero



John Dennis wrote:
> 
> [snip]
> Did you edit your eap.conf file to point to radius2.pem? Did you set 
> your private_key_password in eap.conf to match $PASSWORD_CA used above? 
> BTW, don't use the same password as in the example ;-)
> 
> Did you verify the certs as suggested above?
> 
> Saying something doesn't work isn't helpful, the log output would be 
> helpful.
> 
> -- 
> John Dennis 
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

Yep did all that. I think I was working on this too long, starting to see
double.

On the machine where I generate the certificate:
openssl verify -CAfile ca.pem lx0008.pem 
lx0008.pem: OK

However if I copy the file over to the other machine:
openssl verify -CAfile ca.pem lx0008.pem 
lx0008.pem: /C=NL/ST=Radius/O=AOg/CN=Radius
Certificate/emailaddress...@aog.nl
error 9 at 0 depth lookup:certificate is not yet valid

But I discovered a time sync issue here. Clocks are 10 min. apart. This was a
bit of a clue, right? So I checked the client I was testing this on, and it
was a day behind. So it could never validate the certificate. Setting up
some time synchronisation resolved this.

openssl verify -CAfile ca.pem lx0008.pem 
lx0008.pem: OK

Here's the log output of the failed attempt. The EAP exchange stops at:
Sending Access-Challenge
After setting the time right it works as expected.

Thanks for all help!

Rg,

Arnaud

rad_recv: Access-Request packet from host 10.6.254.189:1024, id=51,
length=214
Framed-MTU = 1480
NAS-IP-Address = 10.6.254.189
NAS-Identifier = "ENNR"
User-Name = "l...@aog.nl"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 1
NAS-Port-Type = Ethernet
NAS-Port-Id = "1"
Called-Station-Id = "00-18-fe-57-b7-60"
Calling-Station-Id = "00-d0-59-9d-9a-3c"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "138"
State = 0x271f405150fffa1a648249140e571065
EAP-Message = 0x022200061500
Message-Authenticator = 0xd9de91ff01317e671b475cdf3125a11a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "aog.nl" for User-Name = "l...@aog.nl"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "lsa"
rlm_realm: Proxying request from user lsa to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 34 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  Found Autz-Type asa
  Processing the authorize section of radiusd.conf
modcall: entering group asa for request 3
radius_xlat:  'lsa'
rlm_sql (asa): sql_set_user escaped user --> 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute,
Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' AND Actief = 1
ORDER BY UserID'
rlm_sql (asa): Reserving sql socket id: 1
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam,'Reply-Message' AS Attribute,
Achternaam, '=' AS Op from bas_user WHERE Usernaam = 'lsa' AND Actief = 1
ORDER BY UserID '
radius_xlat:  ''
rlm_sql (asa): Released sql socket id: 1
  modcall[authorize]: module "asa" returns ok for request 3
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group asa (returns ok) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 51 t

Re: Multiple radius servers with the same CA

2010-03-24 Thread sphaero



sphaero wrote:
> 
> Hi all,
> 
> Thanks for these clarifications. So to clear this up I now have one
> machine to generate the certificates. This machine had its CA set up
> according to instructions found in the certs/README distributed with FR 2.
> 
> Certificates for a second radius server (radius2) using the same CA are
> generated as follow:
> 
> # Certificate request (.csr) and key (.key)
> openssl req -new  -out radius2.csr -keyout lx0008.key -config ./server.cnf
> # Certificate (.crt)
> openssl ca -batch -keyfile ca.key -cert ca.pem -in radius2.csr  -key
> $PASSWORD_CA -out radius2.crt -extensions xpserver_ext -extfile
> xpextensions -config ./server.cnf
> # p12
> openssl pkcs12 -export -in radius2.crt -inkey radius2.key -out radius2.p12 
> -passin pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
> # PEM
> openssl pkcs12 -in radius2.p12 -out radius2.pem -passin
> pass:$PASSWORD_SERVER -passout pass:$PASSWORD_SERVER
> 
> (Of course the password vars are replaced with the vars in the ca.cnf &
> server.cnf)
> 
> I then copy the following files onto this second radius server:
> radius2.pem and ca.pem
> 
> Finally I generate a dh file on the second radius server:
> openssl dhparam -out dh 1024
> 
> Bump, still doesn't work :(
> I'm still doing something wrong?
> 
> Rg,
> 
> Arnaud
> 

Forget that last sentence. It does work. It was probably something with the
NAS.
But it would be good if someone could confirm this procedure, so that it's safe.

Rg,

Arnaud
-- 
View this message in context: 
http://old.nabble.com/Multiple-radius-servers-with-the-same-CA-tp28013061p28016006.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Multiple radius servers with the same CA

2010-03-24 Thread sphaero


Matt Harlum wrote:
> 
> Hi,
> 
> John covered pretty much everything I was going to say
> 
> I'd recommend choosing a machine to generate your keys and certs on and
> sticking with that, otherwise you'll end up with SSL Certs with clashing
> serial numbers 
> Plus it'll allow you to revoke certificates later if need be
> 
> 
> Regards,
> Matt Harlum
> 
> On 24/03/2010, at 11:30 PM, John Dennis wrote:
> 
>> On 03/24/2010 06:21 AM, sphaero wrote:
>>> 
>>> Hi All,
>>> 
>>> I've been searching the archives for a while on some guidance into
>>> setting
>>> up multiple radius servers using the same CA for use with EAP/TTLS.
>>> 
>>> I've generated a CA which is distributed to all the clients (i.e.
>>> SecureW2).
>>> I've got 2 radius servers for redundancy. All NAS devices have two
>>> radius
>>> server configured.
>>> 
>>> I'm using the scripts from freeradius 2.0 to generate the certificates
>>> according to instructions in the README. I've setup the ca.cnf and
>>> server.cnf (not using eap/tls so I skip clients.cf).
>>> 
>>> On the primary radius server I generated the certificates by issuing:
>>> make
>>> 
>>> Now on the second radius server I just copy the following files:
>>> /certs/ca.pem
>>> /certs/ca.key
>>> /certs/ca.der
>>> /certs/*.cnf
>>> /certs/Makefile
>>> /certs/README
>>> /certs/xpextensions
>>> 
>>> and issue:
>>> make server
>>> make dh
>>> 
>>> This seems to have worked. But is this really correct?
>>> I'm renewing one radius server and did this procedure again but now I'm
>>> receiving "chain could not be validated" errors in SecureW2. Radius log
>>> seems fine however EAP communication is not finished which corresponds
>>> with
>>> the client stopping communication since it can't validate the
>>> certificate.
>>> I'm really getting lost in the SSL jungle? I would really like to
>>> understand
>>> how this is done right, since it is about security.
>> 
>> It would help to read the Makefile and understand it. Your goal is to
>> produce multiple certificates, each with a unique subject (e.g. the host
>> name of the radius server) and have it signed by the ca. There is no need
>> to do this process on each machine, the creation of certs can be done on
>> any machine.
>> 
>> Find the part of the Makefile which says this:
>> 
>> "Create a new server certificate, signed by the above CA."
>> 
>> If you make the target server.pem target (e.g. make server) it will cause
>> the Makefile to execute a series of commands to produce the certificate
>> starting with a CSR (Certificate Signing Request). Note, the server.csr
>> target depends on server.cnf so make sure you edit this for each server
>> whose certificate you want to generate (see the req(1) man page to
>> understand how the certificate subject, e.g. DN, may be specified).
>> 
>> But also note in the Makefile that server.crt is dependent on ca.key and
>> ca.pem, which themselves are dependent on ca.cnf. If when you copy the
>> files the ca.cnf file ends up with a newer timestamp than ca.key or
>> ca.pem then a new ca will be created, you don't want that. You can either
>> fix the timestamps using touch or just make all the certs on one machine
>> so you don't have to worry about the ca being recreated.
>> 
>> 
>> After you've created your certificates on the one machine (don't foget to
>> rename the server.{crt,p12,pem} files) dump them out using
>> 
>> openssl x509 -in XXX.pem -inform PEM -text
>> 
>> and verify each has the certificate subject you expected.
>> 
>> Then verify the each cert with:
>> 
>> openssl verify -CAfile ca.pem XXX.pem
>> 
>> If that succeeds you'll know each is successfully signed by the same ca
>> and you can distribute that ca to your clients. Then copy your server
>> certs to your RADIUS hosts, don't forget to edit the config so
>> certificate names match how you named your certs (it will no longer be
>> server.{crt,p12,pem}.
>> -- 
>> John Dennis 
>> 
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>> -
> 
> 

Hi all,

Thanks for these clarifications. So to clear this up I now have one machine
to generate the certificates. This machine had its CA set up accor

Re: Multiple radius servers with the same CA

2010-03-24 Thread sphaero


Matt Harlum wrote:
> 
> Hi,
> 
> is it possible that make server generated a new CA etc?
> 
> I'd recommend making a copy of the current CA cert on each machine and
> doing a diff
> 
> Regards,
> Matt Harlum
> 
> [snip]
> 
> 

You're absolutely right. I did an md5sum on the ca.pem on the production
radius and on this new one, and they are different. Now how did that happen?

I did an md5sum on all ca.* files, and the .key and .pem are different.

It must have happened either by issuing make server.pem or make dh.

I've checked the history of my actions:

   66  make server.pem
   67  nano ../eap.conf 
   68  fg
   69  freeradius -X &
   70  make dh
   71  freeradius -X &

I remember I started freeradius while I hadn't generated the dh file yet.
I'm going to check the exact actions of the Makefile.

Rg,

Arnaud
 


Multiple radius servers with the same CA

2010-03-24 Thread sphaero

Hi All,

I've been searching the archives for a while on some guidance into setting
up multiple radius servers using the same CA for use with EAP/TTLS.

I've generated a CA which is distributed to all the clients (i.e. SecureW2).
I've got 2 radius servers for redundancy. All NAS devices have two radius
server configured.

I'm using the scripts from freeradius 2.0 to generate the certificates
according to instructions in the README. I've setup the ca.cnf and
server.cnf (not using eap/tls so I skip clients.cf).

On the primary radius server I generated the certificates by issuing:
make

Now on the second radius server I just copy the following files:
/certs/ca.pem
/certs/ca.key
/certs/ca.der
/certs/*.cnf
/certs/Makefile
/certs/README
/certs/xpextensions

and issue: 
make server
make dh

This seems to have worked. But is this really correct? 
I'm renewing one radius server and did this procedure again but now I'm
receiving "chain could not be validated" errors in SecureW2. Radius log
seems fine however EAP communication is not finished which corresponds with
the client stopping communication since it can't validate the certificate.
I'm really getting lost in the SSL jungle? I would really like to understand
how this is done right, since it is about security.

Rg,

Arnaud


Wiki editing

2010-02-23 Thread sphaero

Am I overlooking something? How do you edit the wiki? I can't find a way to
register an account to edit wiki pages.

I was about to add some comments about the rlm_sql_iodbc driver, since
everybody needs to know that the driver looks for the DSN in the radius_db config
option and not in the server configuration option (at least for 1.1.8).

Rg,

Arnaud


Re: make certificate with make is only 1 month valid

2008-09-25 Thread sphaero

A workaround for the Makefile would be to add:

CA_DEF_DAYS = `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`

to the Makefile and change line 55:

ca.key ca.pem: ca.cnf
	openssl req -new -x509 -keyout ca.key -out ca.pem -days $(CA_DEF_DAYS) -config ./ca.cnf

This has worked for me. I've set default_days to 3650 and tested the
Makefile:
openssl x509 -in ca.pem -noout -dates
notBefore=Sep 21 10:11:53 2008 GMT
notAfter=Sep 19 10:11:53 2018 GMT

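The two failures in these threads are both lifetime and clock arithmetic: `openssl verify` reported `error 9 at 0 depth lookup:certificate is not yet valid` because the verifying host's clock sat before the certificate's notBefore, and the stock Makefile produced a one-month CA because `-days` was not taken from ca.cnf. The following added example (my code, not FreeRADIUS code and not code from the posts) pulls default_days out of a constructed ca.cnf the same way the grep/sed workaround does, reproduces the notAfter of Sep 19 2018 quoted above from notBefore plus 3650 days, and replays the time checks `openssl verify` applies for a verifier whose clock is 10 minutes or a day behind. The ca.cnf text and the 2010 timestamps are constructed sample input; the error codes 9 and 10 are OpenSSL's X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED.

```python
"""Validity-window arithmetic for the CA and server certificates in these threads.

Added example: this is not code from the FreeRADIUS project or from the list
posts. SAMPLE_CA_CNF is constructed to resemble the [ CA_default ] section of an
OpenSSL config; the 2008 dates are the ones quoted in the thread.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of the relevant part of an OpenSSL ca.cnf (not a real file).
SAMPLE_CA_CNF = """\
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./
certs           = $dir
default_days    = 3650   # how long to certify for
default_md      = sha1
"""

# Error codes openssl verify prints for the two time-related failures.
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"   # layout of 'openssl x509 -noout -dates' output


def parse_openssl_cnf(text):
    """Minimal parser for the '[ section ]' / 'key = value' layout of OpenSSL .cnf files.
    Returns {section: {key: value}} with '#' comments stripped; no $variable expansion.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def ca_default_days(cnf_text):
    """The lifetime the Makefile workaround above extracts from ca.cnf with grep/sed."""
    return int(parse_openssl_cnf(cnf_text)["CA_default"]["default_days"])


def parse_openssl_date(text):
    """Parse a timestamp in the form openssl prints, as an aware UTC datetime."""
    return datetime.strptime(text, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def expected_not_after(not_before_text, days):
    """notAfter that 'openssl req -x509 -days N' yields: notBefore plus N days."""
    return parse_openssl_date(not_before_text) + timedelta(days=days)


def validity_status(not_before, not_after, now):
    """Replay the time checks openssl verify applies: (error code, message)."""
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID, "certificate is not yet valid"
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED, "certificate has expired"
    return 0, "OK"


def verify_at(not_before_text, not_after_text, verifier_clock_text):
    """Status of a certificate as seen by a host whose clock reads verifier_clock_text."""
    return validity_status(parse_openssl_date(not_before_text),
                           parse_openssl_date(not_after_text),
                           parse_openssl_date(verifier_clock_text))


if __name__ == "__main__":
    days = ca_default_days(SAMPLE_CA_CNF)
    print("default_days from ca.cnf:", days)
    print("notAfter for notBefore=Sep 21 10:11:53 2008 GMT:",
          expected_not_after("Sep 21 10:11:53 2008 GMT", days).strftime(OPENSSL_DATE))
    # Constructed scenario: a server cert issued at 10:00, checked by hosts with
    # a clock 10 minutes behind, a day behind, and correctly synchronised.
    issued, expires = "Mar 24 10:00:00 2010 GMT", "Mar 24 10:00:00 2011 GMT"
    for clock in ("Mar 24 09:50:00 2010 GMT", "Mar 23 10:00:00 2010 GMT",
                  "Mar 24 10:05:00 2010 GMT"):
        print(clock, "->", verify_at(issued, expires, clock))
```

Run directly it prints the three clock scenarios. A practitioner can feed the notBefore/notAfter lines of `openssl x509 -noout -dates` and the clock of the NAS or client into verify_at() to rule out time skew before chasing the EAP configuration; a freshly issued server certificate is the most exposed, because its notBefore is only minutes old.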


Re: make certificate with make is only 1 month valid

2008-09-22 Thread sphaero


Alan DeKok-2 wrote:
> 
> sphaero wrote:
>> I was just wondering why the Makefile in freeradius 2.0 for creating
>> certificates only produces a CA which is valid for 1 month. I don't
>> reckon
>> that's handy for production use.
> 
>   They are "test" certificates.  For production use you need to edit the
> OpenSSL configuration files.
> 
> 
> 

Well according to your site the instructions are for production use.

http://deployingradius.com/ link to "Create certificates for production
use."

Rg,

Arnaud



make certificate with make is only 1 month valid

2008-09-22 Thread sphaero

Hi,

I was just wondering why the Makefile in freeradius 2.0 for creating
certificates only produces a CA which is valid for 1 month. I don't reckon
that's handy for production use.

Is there any particular reason? Changing the ca.cnf file doesn't change it?

Adding "-days 3650" to the Makefile helps though but that's no fix just a
workaround IMHO.

Rg,

Arnaud



Re: Why do I need to force Auth-Type?

2008-08-12 Thread sphaero



Alan DeKok-2 wrote:
> 
> 
>   List "pap" *inside* of the Autz-Type blocks, *after* your SQL modules.
> 
>> This is all done on freeradius 1.1.6 (OSS 10.3)
> 
>   Ugh.  2.0 is much better.
> 
>   Alan DeKok.
> 

Thanks for that Alan, that does work as well. However, I still don't know why
freeradius didn't try pap in the first place.

I need to work with the 1.1 series since eventually I need to implement this
HP ProCurve agent for freeradius and I haven't found any support for the 2.0
series yet.

Rg,

Arnaud Loonstra


Why do I need to force Auth-Type?

2008-08-11 Thread sphaero

In a previous post "PAP what password encryption is used?" I managed to get
authentication working with a msssql backend however I need to force
Auth-Type := PAP. I read it's bad practice to force the Auth-Type so I was
wondering what I could do to let freeradius figure the authentication
itself.

This is all done on freeradius 1.1.6 (OSS 10.3)

I've setup an sql module:

sql mssql {
    driver = "rlm_sql_unixodbc"
    # Connect info
    server = "test"
    login = "Radius_User"
    password = "blabla"
    radius_db = "V2"
    # not used, but set anyway!
    acct_table1 = "radacct"
    acct_table2 = "radacct"

    authcheck_table = "user"
    authreply_table = "user"

    # not used, but set anyway!
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"
    # Remove stale session if checkrad does not see a double login
    deletestalesessions = yes

    # Print all SQL statements when in debug mode (-x)
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql

    # number of sql connections to make to server
    num_sql_socks = 5
    sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
    # Custom query that sets up the check attributes!
    authorize_check_query = "SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM ${authcheck_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
    authorize_reply_query = "SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam = '%{SQL-User-Name}' ORDER BY UserID"
}

You can see I'm using a custom SQL query to get the right attributes. I can
only compare username and password in this database. I actually don't need
any groupcheck's etc.

I've setup its authorize entry:
Autz-Type mssql {
    mssql
}

and finally in users file:
DEFAULT Realm == "mssql.nl", Autz-Type := mssql

This setup doesn't work:
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "mssql.nl" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "DEFAULT"
rlm_realm: Adding Stripped-User-Name = "lsa"
rlm_realm: Proxying request from user lsa to realm DEFAULT
rlm_realm: Adding Realm = "DEFAULT"
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: WARNING! No "known good" password found for the user. 
Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns ok) for request 1
  Found Autz-Type mssql
  Processing the authorize section of radiusd.conf
modcall: entering group mssql for request 1
radius_xlat:  'lsa'
rlm_sql (mssql): sql_set_user escaped user --> 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute,
Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' ORDER BY UserID'
rlm_sql (mssql): Reserving sql socket id: 3
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam from {authreply_table} WHERE Usernaam
= 'lsa' ORDER BY UserID'
rlm_sql_getvpdata: database query error
radius_xlat:  ''
rlm_sql (mssql): Released sql socket id: 3
  modcall[authorize]: module "mssql" returns ok for request 1
modcall: leaving group mssql (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 223 to 127.0.0.1 port 32770
Waking up in 4 seconds...
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=223, length=20

If I add Auth-Type in users file it works:
DEFAULT Realm == "mssql.nl", Autz-Type := mssql, Auth-Type := PAP

Rg,

Arnaud Loonstra




Re: Best config practices?

2008-08-11 Thread sphaero

Oh, I forgot to say that the custom configs have to be added to radiusd.conf. So these custom
files should be included
- near the ldap section
- in the authorize {} section
- in the authenticate {} section
respectively:

:/etc/raddb # grep -n custom- radiusd.conf
720:$INCLUDE ${confdir}/custom-mods.conf
1856:$INCLUDE ${confdir}/custom-autz.conf
1959:$INCLUDE ${confdir}/custom-auth.conf



Re: Best config practices?

2008-08-11 Thread sphaero

Ok,

To finalise for the archive:

In the freeradius config directory I create the following 3 files:
custom-mods.conf, custom-autz.conf, custom-auth.conf
custom-mods.conf:
ldap bla1 {
    server = "10.48.65.1"
    port = 636
    basedn = "o=bla1"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "cn"
    tls_require_cert  = "never"
    set_auth_type = yes
}
ldap bla2 {
    server = "10.60.65.1"
    port = 636
    basedn = "o=bla2"
    filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
    access_attr = "cn"
    tls_require_cert  = "never"
    set_auth_type = yes
}
sql bla3 {
    driver = "rlm_sql_unixodbc"
    # Connect info
    server = "mssql"
    login = "login_User"
    password = "passs"
    radius_db = "database"

    acct_table1 = "radacct"
    acct_table2 = "radacct"

    authcheck_table = "table_user"
    authreply_table = "table_user"

    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"

    deletestalesessions = yes

    # Print all SQL statements when in debug mode (-x)
    sqltrace = no
    sqltracefile = ${logdir}/sqltrace.sql

    # number of sql connections to make to server
    num_sql_socks = 5
    sql_user_name = "%{Stripped-User-Name:-%{User-Name:-none}}"
    # Custom query that sets up the check attributes!
    authorize_check_query = "SELECT UserID,Username,'SHA-Password' AS Attribute, Password, ':=' AS Op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
    authorize_reply_query = "SELECT UserID,Username from ${authreply_table} WHERE Username = '%{SQL-User-Name}' ORDER BY UserID"
}

custom-autz.conf:
Autz-Type bla1 {
    bla1
}
Autz-Type bla2 {
    bla2
}
Autz-Type bla3 {
    bla3
}

custom-auth.conf:
Auth-Type bla1 {
    bla1
}
Auth-Type bla2 {
    bla2
}

add in proxy.conf:
realm DEFAULT {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

and finally in users:
DEFAULT Realm == DEFAULT, User-Name =~ "[EMAIL PROTECTED]", Autz-Type := bla1
DEFAULT Realm == DEFAULT, User-Name =~ "[EMAIL PROTECTED]", Autz-Type := bla2
DEFAULT Realm == DEFAULT, User-Name =~ "[EMAIL PROTECTED]", Autz-Type := bla3

that's it. This is for the 1.1 series. 2.0 could be done differently.
Correct?

Rg,

Arnaud



Re: Best config practices?

2008-08-11 Thread sphaero



Stefan Winter-4 wrote:
> 
> 
> Well, if you have LOCAL for *every* realm, my suggestion would be not 
> not call any realm module at all. Then the proxy.conf file is ignored 
> and you can leave it untouched.
> 
> Then, obviously using Realm == test.com in the users file should be 
> replaced. You can do it by
> 
> DEFAULT User-Name =~ "[EMAIL PROTECTED]", Autz-Type := test.com
> 
> HTH,
> 
> Stefan Winter
> 

That's a handy suggestion. But what if I want to proxy certain realms to other
radius servers? I would still need to use the proxy.conf file. I might set
realm DEFAULT in proxy.conf and
DEFAULT Realm == DEFAULT, User-Name =~ "[EMAIL PROTECTED]", Autz-Type := test.com
and I'm back in business :)

Thanks,

Arnaud



Best config practices?

2008-08-11 Thread sphaero

I'm setting up a new freeradius setup using many different authorization
modules. Mostly ldap and sql modules. For authentication I'm hoping to use
the default and as few custom as possible but I have to use some of the ldap
backends for authentication as well. (simple bind)

I wonder what are the best configuration practices. I've heard Alan DeKok
many times; 
http://deployingradius.com/documents/configuration/setup.html. So I want to
change the default config as little as possible.

I was thinking to start adding a few custom files to include in the default
config.

$raddb/custom_mods.conf : the custom ldap and sql module definitions
$raddb/custom_auth.conf : custom authentication entries
$raddb/custom_autz.conf : custom authorization entries

I'm using realms to link the different authorization modules. If I'm correct
I need to add every realm to the proxy.conf file and set it to LOCAL. Is
this really needed?

realm test.com {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

Finally I need to add the realms to users file

DEFAULT Realm == "test.com", Autz-Type := test.com

(Auth-Type should be figured out by freeradius)

Is this the best way to setup a decent configuration? I'd like to skip the
proxy.conf configuration since it's saying the same for all realms. Anyone
some suggestions?

Rg,

Arnaud Loonstra


Re: PAP what password encryption is used?

2008-08-08 Thread sphaero



Nicolas Goutte-2 wrote:
> 
> PAP needs cleartext passwords
> 
> See: http://en.wikipedia.org/wiki/Password_authentication_protocol
> 
> 

Yes, I know. But in order to match the cleartext password to the encrypted
password in the database it needs to know what encryption is used. 

Rg,

Arnaud Loonstra


Re: PAP what password encryption is used?

2008-08-08 Thread sphaero

It seems it is SHA. I found in the output that freeradius couldn't determine
the Auth-Type so rejected the user:

auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user

I've forced PAP by setting it in the users file for the realm:

DEFAULT Realm == "bla.com", Autz-Type := bla, Auth-Type := PAP

It works:
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 0
rlm_pap: login attempt with password testing
rlm_pap: Using SHA1 encryption.
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: User authenticated successfully

Great, now some good config practicing

Thanks for all help :P

Arnaud


PAP what password encryption is used?

2008-08-08 Thread sphaero

Hello,

I've been asked to setup freeradius to talk to a SQL Server database which
contains users and passwords. This was not so much of a pain but I can't
figure what password encryption is used. So I had hoped somebody with some
more password encryption experience could shine a light here :)

In the database I've set a password to 'testing' which results in the
database as:

DC724AF18FBDD4E59189F5FE768A5F8311527050

This looks like a SHA algorithm? I've browsed through the source code of the
program that generates these password hashes. Indeed it uses SHA. This is
the library they use:
http://www.aspencrypt.com/object_context.html#CreateHash. They use the
'calgSHA'. 
But when I set the password attribute in freeradius to SHA-Password it
doesn't match.

It reads the database successfully when I set User-Password and use the hash
as a password:

radtest [EMAIL PROTECTED] DC724AF18FBDD4E59189F5FE768A5F8311527050 localhost 0 testing123
Sending Access-Request of id 61 to 127.0.0.1 port 1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "DC724AF18FBDD4E59189F5FE768A5F8311527050"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=61, length=43
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "132"

But when I change User-Password to SHA-Password it doesn't match:
radtest [EMAIL PROTECTED] testing localhost 0 testing123
Sending Access-Request of id 131 to 127.0.0.1 port 1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Re-sending Access-Request of id 131 to 127.0.0.1 port 1812
User-Name = "[EMAIL PROTECTED]"
User-Password = "testing"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=131, length=20

So this isn't a SHA password hash? I don't know for sure if this the same
encryption method but 
'echo testing | openssl sha' generates a different hash:
581165b0cc90703a8e669d91effba108fbe2c83c

Rg,

Arnaud
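Why `echo testing | openssl sha` disagreed with the database while rlm_pap later accepted the stored value: `echo` appends a newline, so the digest in the shell was taken over "testing\n" rather than "testing", and in OpenSSL releases of that era the digest name `sha` selected the original SHA-0 algorithm, not SHA-1 (`printf testing | openssl sha1` is the comparable command). The added example below is my code, not code from the posts or from FreeRADIUS; STORED_DB_VALUE is the hash quoted in the original post, and check_pap_sha() is a stand-alone illustration of the hex-normalised comparison that the "rlm_pap: Normalizing SHA-Password from hex encoding" log line refers to, not the module's own implementation.

```python
"""Checking a PAP cleartext password against the SHA-Password stored in SQL Server.

Added example: not code from the list posts or from FreeRADIUS. STORED_DB_VALUE
is the hash quoted in the thread; check_pap_sha() illustrates the comparison
rlm_pap performs after normalising the hex-encoded SHA-Password, in stand-alone
form rather than as the module's own code.
"""
import base64
import binascii
import hashlib
import hmac

STORED_DB_VALUE = "DC724AF18FBDD4E59189F5FE768A5F8311527050"   # value from the thread


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of exactly the bytes given (no trailing newline is added here)."""
    return hashlib.sha1(data).hexdigest()


def normalize_sha_password(stored):
    """Reduce a stored SHA-Password to its 20 raw digest bytes.

    Accepts 40 hex characters (what the SQL Server table holds, in either case),
    the 28-character base64 form, or the 20 raw bytes. Anything else is rejected
    rather than compared, so a malformed row can never match by accident.
    """
    if isinstance(stored, bytes) and len(stored) == 20:
        return stored
    text = stored.decode("ascii") if isinstance(stored, bytes) else stored
    text = text.strip()
    if len(text) == 40:
        try:
            return binascii.unhexlify(text)
        except binascii.Error:
            pass
    if len(text) == 28:
        return base64.b64decode(text, validate=True)
    raise ValueError("SHA-Password is neither 40 hex chars, 28 base64 chars nor 20 raw bytes")


def check_pap_sha(cleartext: str, stored) -> bool:
    """True when SHA1(cleartext) equals the stored digest; compared in constant time."""
    digest = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return hmac.compare_digest(digest, normalize_sha_password(stored))


if __name__ == "__main__":
    print("SHA1('testing')   =", sha1_hex(b"testing"))
    print("SHA1('testing\\n') =", sha1_hex(b"testing\n"), "(what 'echo testing |' feeds a digest command)")
    print("cleartext 'testing' matches stored value:", check_pap_sha("testing", STORED_DB_VALUE))
    print("cleartext 'testing\\n' matches stored value:", check_pap_sha("testing\n", STORED_DB_VALUE))
```

The normaliser accepts the stored value in upper or lower case hex, which is why the upper-case column in the thread matched once the attribute was named SHA-Password instead of User-Password; with User-Password the server had simply compared the hex string to itself as a cleartext password, which is the accidental Access-Accept shown in the first radtest run.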