ldap attribute

2012-07-11 Thread sandm...@uni-greifswald.de
Hello,

I want to get a different attribute from LDAP, something like cn.
Is this possible, and where must it be set?

Kind regards

David Sandmann

***
IT Specialist for Systems Integration
Ernst-Moritz-Arndt-Universität
Rechenzentrum
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de

+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

ldap attribute

2012-04-23 Thread sandm...@uni-greifswald.de
Hello,

I want to get a different attribute from LDAP, something like cn.
Is this possible, and where must it be set?

Kind regards

David Sandmann

***
IT Specialist for Systems Integration
Ernst-Moritz-Arndt-Universität
Rechenzentrum
Felix-Hausdorff-Straße 12
17489 Greifswald
www.rz.uni-greifswald.de

+49 3834 86 1424
+49 3834 86791424
sandm...@uni-greifswald.de
***

Fwd: freeradius logging

2011-11-22 Thread sandm...@uni-greifswald.de
Hi all,

I am hoping that someone can help me.

I need more information in the logs because sometimes the radius
service will be stopped, but I don't know why.
Where must I configure this log level to get more information in these
logs?

best regards

David Sandmann


Re: Login incorrect (Home Server says so)... - But why?

2008-08-07 Thread uni
Well, the problem is solved. The IP for my realm was wrong.
Now everything works without any problem.


Login incorrect (Home Server says so)... - But why?

2008-08-06 Thread uni
Dear group,

you obviously still know my old thread: 
http://lists.freeradius.org/mailman/htdig/freeradius-users/2008-July/msg00091.html

I am still using freeradius 1.1.7.
Well, the problem was not the foreign server which had the problems. It is kind
of embarrassing to say: the reason was my access points. There was a setting
saying that each password should be transferred while being coded with md5.
Although I don't know why this had any influence on the clients with
MSChapv2/PEAP or TTLS/PAP, I removed the setting and voilà, it works.

So now, foreigners from other wanted enterprises can use our WLAN using their
login credentials. So, the other way should also work. Do you know eduroam? The
service we use is similar to this.


Let's look at my setup:

WLAN access points with SSID1 for local users -- Windows 2003 with IAS and Active Directory
same WLAN access points with SSID2 for foreign users -- myFreeRadiusServer -- Windows 2003 with IAS and Active Directory
outside central server -- myFreeRadiusServer -- Windows 2003 with IAS and Active Directory
outside central server -- someonesOtherRadiusServer1
outside central server -- someonesOtherRadiusServer2
...


So, my local users are able to use SSID1 with 802.1X. They use PEAP with
MSCHAPv2 to use the WLAN. No problem. It works.
Also, if they accidentally use SSID2, which is for foreigners, they can use it.
They log in with [EMAIL PROTECTED]. Everything which ends with @mydomain.de
is proxied from myFreeRadiusServer to the Windows 2003 with IAS and Active
Directory. This is also working without any problems.
Foreigners can use their credentials, e.g. [EMAIL PROTECTED]. These
credentials are passed to myFreeRadiusServer. Everything else that doesn't
end in @mydomain.de is passed to the outside central server. There is a list
which maps the other @someonesOtherdomain.com to the right
someonesOtherRadiusServers, so dozens of other servers. And from there the
request is proxied to the corresponding someonesOtherRadiusServer which
belongs to the right @someonesOtherdomain.com.

What is working: I can use the [EMAIL PROTECTED] from a foreign enterprise to
log in and use the WLAN. No problem here. But the other way round doesn't work.
I asked a colleague from one of those foreign enterprises to test the login with
[EMAIL PROTECTED].

He gave me the following error message:

Mon Aug  4 17:19:57 2008 : Auth: Login incorrect (Home Server says so):
[EMAIL PROTECTED] (from client CB-Access-Point-802.11 port 2 cli
00-1B-77-A4-7B-A2)


I don't know where the problem is. Perhaps you can give me a hint?
 

Coming to my configuration files with changed IP addresses...:


-
clients.conf:

client WLAN-IP-AP1 {
    secret = oft36fW!
    shortname = WLAN-AP1
    nastype = other
}
...

client outside central server-IP {
    secret = ASECRETPASSWORD
    shortname = top-level-radius1
    nastype = other
}

client outside central backup server-IP {
    secret = ASECRETPASSWORD
    shortname = top-level-radius1
    nastype = other
}
-
proxy.conf

realm mydomain.com {
    type = radius
    authhost = IAS-IP:1812
    accthost = IAS-IP:1813
    secret = anotherpass
    #ldflag = round_robin1
    nostrip
}

realm DEFAULT {
    type = radius
    authhost = outside central server:1812
    accthost = outside central server:1813
    secret = pass
    nostrip
}

realm DEFAULT {
    type = radius
    authhost = outside central backup server:1812
    accthost = outside central backup server:1813
    secret = pass
    nostrip
}

-
users

DEFAULT, Realm == mydomain.com, FreeRADIUS-Proxied-To == IAS-IP
    User-Name = `%{User-Name}`,
    Fall-Through = yes,
    Auth-Type := EAP

DEFAULT, User-Name =~ [EMAIL PROTECTED]
    Auth-Type := EAP

DEFAULT, User-Name =~ [EMAIL PROTECTED]
    Auth-Type := EAP

DEFAULT Realm == NULL
    Auth-Type := Reject

-
-
eap.conf
Although it is not doing anything, as I learned.

eap {
    timer_expire = 60
    ignore_unknown_eap_types = yes
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    tls {
        private_key_password = pass
        private_key_file = /usr/src/freeradius/key.pem
        #${raddbdir}/certs/cert-srv.pem
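The "Login incorrect (Home Server says so)" line quoted above is the one signal in the auth log that tells the proxy operator whether a reject was decided locally (users file, a local module) or returned by the home server a realm was routed to. The following parser, added here as an illustration and not part of the original post or of FreeRADIUS, splits auth log lines into local and home-server rejects per realm, so that a realm-routing mistake (such as the wrong IP for a realm) shows up as a cluster of proxied rejects for one realm. It assumes the 1.x/2.x log line format exactly as quoted in the thread; the sample lines are constructed.

```python
import re
from collections import Counter

# Pattern for the FreeRADIUS 1.x/2.x "Auth:" log line format quoted in the thread:
#   <timestamp> : Auth: Login incorrect (Home Server says so): [user] (from client X port N cli MAC)
# The "(reason)" part is absent on a purely local reject, and "cli MAC" may be missing.
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)

def parse_auth_line(line):
    """Parse one Auth log line into a dict, or return None for any other line."""
    m = AUTH_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # With log_auth_badpass the field is "user/password"; keep only the user part.
    rec["user"] = rec["user"].split("/", 1)[0]
    # The realm is whatever follows the last '@' (nostrip leaves it in User-Name).
    user = rec["user"]
    rec["realm"] = user.rsplit("@", 1)[1].lower() if "@" in user else None
    # "Home Server says so" means the reject came back from the proxied home server,
    # not from this server's own users file or modules.
    rec["proxied"] = rec["reason"] == "Home Server says so"
    return rec

def summarize(lines):
    """Count rejected logins per realm, split into local and home-server rejects."""
    local, proxied = Counter(), Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["result"] != "incorrect":
            continue
        bucket = proxied if rec["proxied"] else local
        bucket[rec["realm"] or "(no realm)"] += 1
    return {"local": dict(local), "proxied": dict(proxied)}

# Constructed sample lines in the format the thread quotes (not real log data).
SAMPLE_LOG = """\
Mon Aug  4 17:19:57 2008 : Auth: Login incorrect (Home Server says so): [alice@mydomain.de] (from client CB-Access-Point-802.11 port 2 cli 00-1B-77-A4-7B-A2)
Mon Aug  4 17:20:03 2008 : Auth: Login incorrect: [bob/wrongpw] (from client WLAN-AP1 port 5)
Mon Aug  4 17:20:10 2008 : Auth: Login OK: [carol@someonesotherdomain.com] (from client WLAN-AP1 port 7 cli 00-11-22-33-44-55)
Mon Aug  4 17:21:40 2008 : Auth: Login incorrect (Home Server says so): [dave@MyDomain.de] (from client WLAN-AP1 port 2 cli 00-1B-77-A4-7B-A3)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A realm that only ever appears under "proxied" while local logins succeed points at the realm entry in proxy.conf (host, port or shared secret) rather than at the client or EAP configuration.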

RE: freeradius-proxy + PAP works, PEAP and the rest doesn't

2008-07-06 Thread uni
Hi,

So, I did some new runs. There are no more DH errors within the radiusd -X
output, but as you already pointed out, the freeradius is acting as a proxy. Here
is my hardware setup just for clarification:

1. setup:
WLAN access router = Aruba WLAN concentrators =  IAS/Radius = external 
RADIUS server

What worked: 

- Login through Web Redirect homepage + PAP + external servers
- Login through 802.1X/MSCHAPv2/PEAP for users on the IAS/RADIUS

But I couldn't get the external RADIUS server connected to the IAS/RADIUS with
given local login credentials.


Therefore I tried FreeRadius, which leads to the
2. setup:

WLAN access router = Aruba WLAN concentrators = FreeRadius (which proxies to)
= Win2003 with IAS/Radius // external RADIUS server
I'm still waiting for an answer whether there's now a successful request from
the external server to my local one.

What is working:

- Login through 802.1X/MSCHAPv2/PEAP for users on the IAS/RADIUS, which are now
proxied successfully through the FreeRadius

What is not working:

- Login through Web Redirect homepage + PAP + external servers


So, first get that problem solved:

- PAP through IAS/RADIUS to external servers was working
- PAP through the FreeRADIUS server to external servers isn't working

So, how to fix this?

thanks and a happy weekend


freeradius-proxy + PAP works, PEAP and the rest doesn't

2008-07-03 Thread uni
Hi,

I'm really going crazy with freeradius. I want to set up a working freeradius
proxy. Well, everything should have been configured correctly. I have my
certificates, I have installed everything, so freeradius tells me no more
errors when starting.

Well, what do I want?

- External users should be able to login on WLAN via 802.1X with
MSCHAPv2/PEAP in Windows XP.

When using local radtest to verify the user, everything looks okay. But as
soon as I take a Windows client, properly configured, or the radeapclient, it
doesn't work.

Here is the output from radius -X.
It is 1.1.7, but the same errors occur on version 2.0.5:
There are two different requests. One (working) with local radtest, the other
one with radeapclient.


Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib/freeradius
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = peap
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/src/freeradius/key-bamberg.pem
tls: certificate_file = /usr/src/freeradius/freeradius-cert.pem
tls: CA_file = /usr/src/freeradius/chain.txt
tls: private_key_password = oft36fW!
tls: dh_file = /etc/raddb/certs/dh
tls: random_file = /etc/raddb/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = (null)
tls: cipher_list = (null)
tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not
work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = mschapv2
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = mschapv2
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = yes
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated 

Re: freeradius-proxy + PAP works, PEAP and the rest doesn't

2008-07-03 Thread uni
>> - External users should be able to login on WLAN via 802.1X with
>> MSCHAPv2/PEAP in Windows XP.
>
> That's relatively easy.  In 2.0, just install it, configure a
> user/password (see the FAQ), start it in debug mode as root, and
> un-check validate server certificate on the Windows box.

Well, this is already running with internal users. Those are correctly proxied
to the local internal Radius Server.
Also, they don't have to uncheck "validate server certificate". They can
authenticate it against a valid CA. There everything runs great. The
problem exists with external customers that are proxied to another one.


>> When using local radtest to verify the user, everything looks okay. But as
>> soon as I take a Windows client, properly configured, or the radeapclient, it
>> doesn't work.
>>
>> Here is the output from radius -X.
>> It is 1.1.7, but the same errors occur on version 2.0.5:
> Don't run 1.1.7.  Honest.

Well, I tried 2.0.5 first, then I switched to 1.1.7 just for testing. Both don't
work.

>> #/This message appears about 2000+ times
> <shrug>  It's 1.1.7.

Well, the output from radius -X had a size of 17.5 MB...


>> rad_recv: Access-Reject packet from host 139.212.22.110:1812, id=1,
>> length=40
>> Reply-Message = Request Denied
>> Proxy-State = 0x3931
> So... the home server is rejecting the user.
> Have you run the home server in debug mode to see what it's doing, and
> why it's rejecting the request?  If not, why not?  Is it even FreeRADIUS?

Well, I do not have any influence on that home server on my own. But...

> My guess is that the home server cannot do EAP.  If so, why are you
> going crazy with freeradius?  You're blaming the proxy for the actions of
> the home server.

...

> Go fix the home server to do EAP.  If you can't make it do EAP, throw
> it away, and replace it with FreeRADIUS.

... that Radius Server is a FreeRadius server. I called its administrator.
And it is running great with all other Radius servers within the rest of the
sharing WLAN access community.
It has in fact been running for years.

So, it must be another error, I guess?