Post a question on freeradius

2013-09-30 Thread Suryalakshmi Annadurai
Email id: 
suryalakshmi.annadu...@carc.co.in

Or

ritu.gla...@gmail.com




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
Dear Stephan, just the last question please... in your guide you say:

In /etc/raddb/eap.conf, change the ttls section as follows:

default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no

That's OK... but what do I have to put in the eap section of the eap.conf file???


 eap {
default_eap_type = ttls

default_eap_type=ttls or =mschapv2 ???

Thanks a lot,

Roberto


2013/9/24  stefan.pae...@diamond.ac.uk:
 You need the following items on your Debian system to build eapol_test:

 libssl-dev, libnl1, libnl-dev

 :-)

 Stefan


RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
In the eap section, the default is md5, set it to ttls

And Roberto, you've emailed the entire FreeRADIUS mailing list.  :-)

Stefan

 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 Roberto Carna
 Sent: 25 September 2013 14:27
 To: FreeRadius users mailing list
 Subject: Re: Active Directory authentication question
 
 Dear Stephan, just the last question please... in your guide you say:
 
 In /etc/raddb/eap.conf, change the ttls section as follows:
 
 default_eap_type = mschapv2
 copy_request_to_tunnel = yes
 use_tunneled_reply = no
 
 That's OK... but what do I have to put in the eap section of the eap.conf
 file???
 
 
  eap {
 default_eap_type = ttls
 
 default_eap_type=ttls or =mschapv2 ???
 
 Thanks a lot,
 
 Roberto
 
 

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
Dear Stephan: Notebook with Windows 7 + AP + EAP-TTLS + MSCHAPv2 +
Freeradius + AD is working now !!!

But just a doubt: if I access with my Android device, using EAP-TLS
(not EAP-TTLS) + MSCHAPv2, I can access the same...why ???

Regards and thanks,

Roberto

2013/9/25  stefan.pae...@diamond.ac.uk:
 In the eap section, the default is md5, set it to ttls

 And Roberto, you've emailed the entire FreeRADIUS mailing list.  :-)

 Stefan


RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which 
worked). 

You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional authentication 
method. Since the default_eap_type is set to ttls, your server *prefers* using 
EAP-TTLS with EAP-MSCHAPv2, but it still supports other methods (like EAP-TLS 
and PEAP with EAP-MSCHAPv2). 

Stefan


 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 Roberto Carna
 Sent: 25 September 2013 15:44
 To: FreeRadius users mailing list
 Subject: Re: Active Directory authentication question
 
 Dear Stephan: Notebook with Windows 7 + AP + EAP-TTLS + MSCHAPv2 +
 Freeradius + AD is working now !!!
 
 But just a doubt: if I access with my Android device, using EAP-TLS
 (not EAP-TTLS) + MSCHAPv2, I can access the same...why ???
 
 Regards and thanks,
 
 Roberto
 

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
But in the EAP-TLS section from the eap.conf file, I don't see any
reference to MSCHAPv2... and remember the NTLM authentication query is
set up in the MSCHAPv2 module.

2013/9/25  stefan.pae...@diamond.ac.uk:
 Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which 
 worked).

 You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional 
 authentication method. Since the default_eap_type is set to ttls, your server 
 *prefers* using EAP-TTLS with EAP-MSCHAPv2, but it still supports other 
 methods (like EAP-TLS and PEAP with EAP-MSCHAPv2).

 Stefan



Re: Active Directory authentication question

2013-09-25 Thread Alan Buxey
Well.  There's no such thing as EAP-TLS/MSCHAPv2 . So I'd guess that your 
Android device is just doing PEAPv0/EAP-MSCHAPv2 or such and your config allows 
it to.  If you ran in full debug mode when connecting with the Android device 
you'd see exactly what's happening

alan

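Alan's suggestion above (run the server in full debug mode and look at what the Android client actually negotiates) can be automated. The following is an added example written for this thread, not code from the mailing list or from FreeRADIUS: it decodes the EAP-Message attributes that radiusd -X prints, reports per User-Name which outer method the server proposed first (the eap section's default_eap_type), whether the client answered with a Nak, and which method ended up in use, and then checks that method against a modelled eap.conf given as the set of enabled sub-sections (tls, ttls, peap, ...). The debug excerpt, the user names and the set FULL_EAP_CONF are constructed for the demo; the EAP Type numbers come from the IANA EAP registry.

```python
"""Report which EAP method each client negotiated, from radiusd -X output.

Added example for this thread (not FreeRADIUS code). It decodes the
EAP-Message attributes that FreeRADIUS prints in debug mode and models a
2.x eap.conf as the set of enabled sub-sections (tls, ttls, peap, ...).
"""
import re
from collections import OrderedDict

# EAP Type numbers from the IANA EAP registry (Identity, Nak and MD5 from
# RFC 3748; TLS 13, TTLS 21, PEAP 25, MSCHAPv2 26). The names match the
# sub-section names used in eap.conf.
EAP_TYPES = {1: "identity", 3: "nak", 4: "md5", 13: "tls", 21: "ttls",
             25: "peap", 26: "mschapv2"}
EAP_REQUEST, EAP_RESPONSE = 1, 2

# Assumed eap.conf contents (constructed): the tls section from the earlier
# EAP-TLS setup plus ttls, peap and mschapv2. default_eap_type = ttls only
# decides which method the server proposes first.
FULL_EAP_CONF = {"md5", "tls", "ttls", "peap", "mschapv2"}

# Only these two attribute lines of the debug output are needed.
ATTR_RE = re.compile(r'^\s*(User-Name|EAP-Message)\s*=\s*(.*?)\s*$')


def parse_eap_header(packet):
    """Decode Code, Identifier, Length and Type from the first EAP-Message
    fragment of a packet. Returns (code, identifier, eap_type, payload)."""
    if len(packet) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length < 4:
        raise ValueError("EAP Length field smaller than the header")
    if code not in (EAP_REQUEST, EAP_RESPONSE) or len(packet) < 5:
        return code, ident, None, b""      # Success/Failure carry no Type
    return code, ident, packet[4], packet[5:]


def negotiated_methods(debug_lines, enabled_methods):
    """Per User-Name: the method the server offered first, any Nak the client
    answered with, the outer method finally used, and whether that method is
    present in the modelled eap.conf (a server only switches to a Nak'd type
    it has configured; otherwise the client is rejected)."""
    sessions = OrderedDict()
    user = None
    for line in debug_lines:
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "User-Name":
            user = value.strip('"')
            sessions.setdefault(user, {"offered": None, "nak_for": [],
                                       "method": None, "configured": None})
            continue
        if user is None or not value.startswith("0x"):
            continue
        code, _ident, eap_type, payload = parse_eap_header(bytes.fromhex(value[2:]))
        s = sessions[user]
        if code == EAP_REQUEST and eap_type not in (None, 1):
            if s["offered"] is None:
                s["offered"] = EAP_TYPES.get(eap_type, str(eap_type))
        elif code == EAP_RESPONSE and eap_type == 3:
            # A Nak payload lists the Type numbers the client is willing to do.
            s["nak_for"].extend(EAP_TYPES.get(t, str(t)) for t in payload)
        elif code == EAP_RESPONSE and eap_type not in (None, 1):
            s["method"] = EAP_TYPES.get(eap_type, str(eap_type))
    for s in sessions.values():
        if s["method"] is not None:
            s["configured"] = s["method"] in enabled_methods
    return sessions


# Constructed radiusd -X excerpt (not captured from the thread): three clients
# against a server whose eap.conf has default_eap_type = ttls.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1812, id=1, length=60
    User-Name = "win7"
    EAP-Message = 0x020100090177696e37
Sending Access-Challenge of id 1 to 10.0.0.2 port 1812
    EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 10.0.0.2 port 1812, id=2, length=70
    User-Name = "win7"
    EAP-Message = 0x020200091500160301
rad_recv: Access-Request packet from host 10.0.0.3 port 1812, id=1, length=60
    User-Name = "android"
    EAP-Message = 0x0201000c01616e64726f6964
Sending Access-Challenge of id 1 to 10.0.0.3 port 1812
    EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 10.0.0.3 port 1812, id=2, length=60
    User-Name = "android"
    EAP-Message = 0x020200060319
Sending Access-Challenge of id 2 to 10.0.0.3 port 1812
    EAP-Message = 0x010300061920
rad_recv: Access-Request packet from host 10.0.0.3 port 1812, id=3, length=70
    User-Name = "android"
    EAP-Message = 0x020300091900160301
rad_recv: Access-Request packet from host 10.0.0.4 port 1812, id=1, length=60
    User-Name = "laptop-tls"
    EAP-Message = 0x0201000f016c6170746f702d746c73
Sending Access-Challenge of id 1 to 10.0.0.4 port 1812
    EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 10.0.0.4 port 1812, id=2, length=60
    User-Name = "laptop-tls"
    EAP-Message = 0x02020006030d
Sending Access-Challenge of id 2 to 10.0.0.4 port 1812
    EAP-Message = 0x010300060d20
rad_recv: Access-Request packet from host 10.0.0.4 port 1812, id=3, length=70
    User-Name = "laptop-tls"
    EAP-Message = 0x020300090d00160301
"""

if __name__ == "__main__":
    for conf in (FULL_EAP_CONF, {"ttls", "mschapv2"}):
        print("eap.conf sections:", sorted(conf))
        for user, s in negotiated_methods(SAMPLE_DEBUG.splitlines(), conf).items():
            print(f"  {user:11} offered={s['offered']} nak_for={s['nak_for']} "
                  f"method={s['method']} configured={s['configured']}")
```

Run against the constructed excerpt, the win7 client simply accepts the server's ttls proposal, while android and laptop-tls answer the proposal with a Nak and switch to peap and tls respectively; that is why those clients work even though the server "prefers" TTLS. With the second, narrower section set the android session comes back with configured=False: taking a sub-section out of eap.conf, not changing default_eap_type, is what stops the server accepting that method.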

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
 But in the EAP-TLS section from eap.conf file, I don't see any
 reference to MSCHAPv2and remember the NTLM authentication query is
 set up in the MSCHAPv2 module

EAP-TLS does not use MSCHAPv2. It uses certificates. 

I quote Alan DeKok's response to your question on September 18:

  Dear, I have several Windows 7 clients over WiFi authenticating through
  EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it
  works OK.
 
   EAP-TLS doesn't use MySQL for storing credentials.  Everything is in
 the certificate.
 
  Because I don't know so much about Windows world, I need to know if I
  have to use NTLM, LDAP or Kerberos in order to authenticate against
  the remote AD.
 
   For MS-CHAP and PEAP, you use ntlm.  You don't have any other choice.
 
   For EAP-TLS, you don't use AD or MySQL.



-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: Active Directory authentication question

2013-09-24 Thread Roberto Carna
Dear, I'm advancing in the Freeradius + AD authentication... just a
short question: when I want to make the eapol_test tool, I get this
error:

# make eapol_test
/usr/bin/ld: cannot find -lnl
collect2: error: ld returned 1 exit status
make: *** [eapol_test] Error 1

I've followed all the steps to use this tool, but I can't make it.

What can be the problem ???

Thanks


2013/9/24  stefan.pae...@diamond.ac.uk:
 Hi Roberto,

 You have to install Kerberos, yes. I believe you'll need the krb5-user 
 package.

 When you install krb5-user, it should install krb5.conf for you, but I'm not 
 up to date on Debian specifically.

 Stefan


 -Original Message-
 From: Roberto Carna [mailto:robertocarn...@gmail.com]
 Sent: 23 September 2013 19:16
 To: Paetow, Stefan (DLSLtd,RAL,LSCI)
 Subject: Re: Active Directory authentication question

 Dear Stephan, I use Debian 7 for my Freeradius server and there I've
 installed Samba, Winbind and krb5.conf... not Kerberos (or whatever the
 package is called).

 Do I need to install the Kerberos package, or simply install the
 krb5.conf and then edit it ???

 Thanks again.

 Roberto

 2013/9/23  stefan.pae...@diamond.ac.uk:
  Hi Roberto,
 
  When in the process do you get that error?
 
  Here are my configuration bits. In the [global] section of the
 SMB.CONF file I have:
 
  workgroup = DIAMOND
  security = ads
  realm = DIAMOND.LOCAL (my test domain)
  password server = IP address of my primary domain controller
 
  Everything else is left as-is (default). My test domain is called
 DIAMOND.LOCAL.
 
  Stefan
 
 
 
 
 
  -Original Message-
  From: Roberto Carna [mailto:robertocarn...@gmail.com]
  Sent: 23 September 2013 15:58
  To: Paetow, Stefan (DLSLtd,RAL,LSCI)
  Subject: Re: Active Directory authentication question
 
  Dear Stephan, can you send me a complete smb.conf file because I am
 a
  bit lost in the correct configuration ?
 
  I'm getting the error:
 
  Could not connect to server 10.11.0.64 Connection failed:
  NT_STATUS_BAD_NETWORK_NAME
 
 
 


Re: Active Directory authentication question

2013-09-24 Thread Alan DeKok
Roberto Carna wrote:
 Dear, I'm advancing in the Freeradius + AD authentication... just a
 short question: when I want to make the eapol_test tool, I get this
 error:
 
 # make eapol_test
 /usr/bin/ld: cannot find -lnl
 collect2: error: ld returned 1 exit status
 make: *** [eapol_test] Error 1
 
 I've followed all the steps to use this tool, but I can't make it.
 
 What can be the problem ???

  You do realize that eapol_test isn't part of FreeRADIUS, right?

  Please ask the eapol_test authors how to fix it.

  Alan DeKok.


Re: Active Directory authentication question

2013-09-24 Thread John Dennis
On 09/24/2013 10:16 AM, Roberto Carna wrote:
 Dear, I'm advancing in the Freeradius + AD authentication... just a
 short question: when I want to make the eapol_test tool, I get this
 error:
 
 # make eapol_test
 /usr/bin/ld: cannot find -lnl
 collect2: error: ld returned 1 exit status
 make: *** [eapol_test] Error 1

Basic software development isn't really a topic for this list. You
should really look elsewhere for information on how to build and install
on your chosen platform. You also need to understand error messages. But
just to get you going

cannot find -lnl

means the linker cannot find the libnl library, therefore you need to
install the libnl-devel package for your distribution. The devel package,
because it includes the files you need during development as opposed to
runtime.


-- 
John


RE: Active Directory authentication question

2013-09-24 Thread stefan.paetow
You need the following items on your Debian system to build eapol_test:

libssl-dev, libnl1, libnl-dev

:-)

Stefan

 -Original Message-
 From: freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of
 Roberto Carna
 Sent: 24 September 2013 15:17
 To: FreeRadius users mailing list
 Subject: Re: Active Directory authentication question
 
 Dear, I'm advancing in the Freeradius + AD authentication... just a
 short question: when I want to make the eapol_test tool, I get this
 error:
 
 # make eapol_test
 /usr/bin/ld: cannot find -lnl
 collect2: error: ld returned 1 exit status
 make: *** [eapol_test] Error 1
 
 I've followed all the steps to use this tool, but I can't make it.
 
 What can be the problem ???
 
 Thanks
 
 
 2013/9/24  stefan.pae...@diamond.ac.uk:
  Hi Roberto,
 
  You have to install Kerberos, yes. I believe you'll need the krb5-
 user package.
 
  When you install krb5-user, it should install krb5.conf for you, but
 I'm not up to date on Debian specifically.
 
  Stefan
 
 
  -Original Message-
  From: Roberto Carna [mailto:robertocarn...@gmail.com]
  Sent: 23 September 2013 19:16
  To: Paetow, Stefan (DLSLtd,RAL,LSCI)
  Subject: Re: Active Directory authentication question
 
  Dear Stephan, I use Debian 7 for my Freeradius server and there I've
  installed Samba, Winbind and krb5.conf... not Kerberos (or whatever
  the package is called).
 
  Do I need to install the Kerberos package, or simply install the
  krb5.conf and then edit it ???
 
  Thanks again.
 
  Roberto
 
  2013/9/23  stefan.pae...@diamond.ac.uk:
   Hi Roberto,
  
   When in the process do you get that error?
  
   Here are my configuration bits. In the [global] section of the
  smb.conf file I have:
  
   workgroup = DIAMOND
   security = ads
   realm = DIAMOND.LOCAL (my test domain)
   password server = IP address of my primary domain controller
  
   Everything else is left as-is (default). My test domain is called
  DIAMOND.LOCAL.
  
   Stefan
  
  
  
  
  
   -Original Message-
   From: Roberto Carna [mailto:robertocarn...@gmail.com]
   Sent: 23 September 2013 15:58
   To: Paetow, Stefan (DLSLtd,RAL,LSCI)
   Subject: Re: Active Directory authentication question
  
   Dear Stephan, can you send me a complete smb.conf file because I
   am
  a
   bit lost in the correct configuration ?
  
   I'm getting the error:
  
   Could not connect to server 10.11.0.64 Connection failed:
   NT_STATUS_BAD_NETWORK_NAME
  
  
  

Re: Active Directory authentication question

2013-09-24 Thread Alan Buxey
Or ask your distribution provider why they still provide wpa_supplicant package 
without eapol_test tool ;)

alan


Expiration and EAP verification question

2013-09-22 Thread WorkingMan
In strongswan for ikev1 it uses xauth-eap that I use to do validation with 
RADIUS (that's the only way for ikev1 clients with strongswan).

My design is that I don't actually care about secondary authentication with 
RADIUS since it's already doing certificate validation from strongswan side 
before doing secondary authentication. All would be good if I only needed 
secondary authentication since I can bypass with verify_eap from strongswan 
side but I want to make use of the Expiration module on freeradius side (works 
great).

I have few questions so it can help me determine next course of action:

1) is there a way to configure freeradius for Accounting only and also does 
the user expiration check?

2) is it possible for me in any way to  reject expired user but accept eap 
based authentication (from configuration or code modification)? 

3) when connection is rejected does the strongswan side (xauth-eap plugin in 
particular) receive information that can differentiate this logic (send 
attribute that it can handle maybe? I have no idea how that work)?

Thanks



Re: Expiration and EAP verification question

2013-09-22 Thread Alan DeKok
WorkingMan wrote:
 My design is that I don't actually care about secondary authentication with 
 RADIUS since it's already doing certificate validation from strongswan side 
 before doing secondary authentication. All would be good if I only needed 
 secondary authentication since I can bypass with verify_eap from strongswan 
 side but I want to make use of the Expiration module on freeradius side 
 (works great).

  Bypassing authentication is generally a bad idea.

 I have few questions so it can help me determine next course of action:
 
 1) is there a way to configure freeradius for Accounting only and also does 
 the user expiration check?

  No.  User expiration checks are done on authentication.

 2) is it possible for me in any way to  reject expired user but accept eap 
 based authentication (from configuration or code modification)? 

  Yes.

 3) when connection is rejected does the strongswan side (xauth-eap plugin in 
 particular) receive information that can differentiate this logic (send 
 attribute that it can handle maybe? I have no idea how that work)?

  A reject is a reject.  The client usually doesn't get told *why* it
was rejected.

  Rather than asking vague questions, it would help to read the config
files.  They're documented in exhaustive detail.

  Alan DeKok.


Re: Expiration and EAP verification question

2013-09-22 Thread WorkingMan
Can you give me an example on how to always accept connection on EAP-* 
authentication (it will be password based from xauth-eap from strongswan) 
but at the same time still honour Expiration logic? I am not sure how to 
do it (or what to look for). I have been trying different settings for a 
week now without success. 

Background:

As you know default IPSec VPN clients for iOS and Android are ikev1 based 
and that doesn't support EAP-TLS which is ideal for me (mutual certificate 
authentication). For ikev1 I can still do mutual certificate authentication 
but I want freeradius to do accounting stuff and sort of centralize login 
(otherwise there is no need of RADIUS). The only option with strongswan is 
via xauth-eap (internally via eap-radius; using eap-md5, eap-mschapv2, etc. 
password based authentication). There is no way according to strongswan's 
team to do accounting only with ikev1, that's why I need to use xauth-eap so 
I can talk to freeradius. There is no need to do password authentication 
when the certificate is already validated by the server and you can filter 
clients via certificate details (so it is safe; unless someone can sign a fake 
client certificate).

If I didn't care about user expiration (and simultaneous access control) I 
wouldn't need to ask for help (simply modify xauth-eap to always pass 
authentication and doesn't bother talking to RADIUS during authentication). 
I really want to use as much freeradius' feature as possible so I don't have 
to do things on the side (ex: do expiration check on VPN side). Any help 
would be much appreciated.

Thanks



Re: Expiration and EAP verification question

2013-09-22 Thread Alan DeKok
WorkingMan wrote:
 Can you give me an example on how to always accept connection on EAP-* 
 authentication (it will be password based from xauth-eap from strongswan) 

  No.  EAP doesn't (and can't) work that way.

 but at the same time still honour Expiration logic? I am not sure  what to 
 do it (or what to look for). I have been trying different settings for a 
 week now without success. 

  Because EAP is designed to make this impossible.

  Alan DeKok.


RE: Active Directory authentication question

2013-09-19 Thread stefan.paetow
 What I mean is that EAP-TLS is easier to me than AD authentication at
 this point, because I've just put it to work...and if I want to use AD
 auth I have to take EAP-TLS out and start again with NTLM / AD
 authentication... is it OK ???

Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 
authentication. What you can do in eap.conf is specify which EAP type you want 
to use by default. If you prefer EAP-TLS, you can specify default_eap_type = 
tls. But if the client does not support that and asks for EAP-TTLS or PEAP 
instead, then, if your server is configured correctly, it can support those 
additional types too. 

For NTLM authentication, what you *do* need is to add your FreeRADIUS machine 
to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need 
to install Samba on your Linux box and configure it to talk to the Windows 2012 
domain controller (via Kerberos).

You may want to read this page, which describes how we've made authentication 
against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2) 
and EAP-TTLS with EAP-MSCHAPv2:

http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source

We don't use PEAP and don't have any test clients that support PEAP, but 
EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes 
and is widely supported by Windows clients).

You can use rad_eap_test (there is information about this on the link above, 
including how to build the binary) to specify which EAP method you want to use 
and then which inner authentication to use (where applicable). So you can leave 
your existing setup (I assume default_eap_type is 'tls') alone and still test 
your NTLM authentication. 

Folks, feel free to correct... but that's what worked here.

Stefan




Re: Active Directory authentication question

2013-09-19 Thread Roberto Carna
Thanks Stephan for all your important help.

Regards,

Roberto



Active Directory authentication question

2013-09-18 Thread Roberto Carna
Dear, I have several Windows 7 clients over WiFi authenticating through
EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it
works OK.

Now I have to change the authentication from MySQL to a remote Active
Directory on a Windows 2012 server.

Because I don't know so much about Windows world, I need to know if I
have to use NTLM, LDAP or Kerberos in order to authenticate against
the remote AD.

Thanks a lot !!!

Roberto


Re: Active Directory authentication question

2013-09-18 Thread Alan DeKok
Roberto Carna wrote:
 Dear, I have several Windows 7 clients over WiFi authenticating through
 EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it
 works OK.

  EAP-TLS doesn't use MySQL for storing credentials.  Everything is in
the certificate.

 Now I have to change the authentication from MySQL to a remote Active
 Directory on a Windows 2012 server.

  FreeRADIUS is an authentication server.  MySQL is not.  It's a database.

  Using the correct terminology means it's easier to come up with a
solution.  Using the wrong terminology means you're lost, and you can't
find a solution.

 Because I don't know so much about Windows world, I need to know if I
 have to use NTLM, LDAP or Kerberos in order to authenticate against
 the remote AD.

  For MS-CHAP and PEAP, you use ntlm.  You don't have any other choice.

  For EAP-TLS, you don't use AD or MySQL.

  Alan DeKok.


Re: Active Directory authentication question

2013-09-18 Thread Roberto Carna
Sorry, so I'm a bit confused...

I'm using Windows 7 clients for accessing the WiFi network through
EAP-TLS with X.509 certificates. But in this way, I could see that I
can authenticate users or hosts...if I choose users, I can see a
dialog box to fill user and password and I suppose they are checked
against MySQL database (because I see the query in debug mode). Is
this correct or not ???

And finally, if I use EAP-TLS with X.509 certificates, do you mean I
don't need to use the authentication against the active directory
database ??? Maybe this is easier to me because I've put EAP-TLS to
work.

Thanks a lot,

Roberto




Re: Active Directory authentication question

2013-09-18 Thread Arran Cudbard-Bell

On 18 Sep 2013, at 15:39, Roberto Carna robertocarn...@gmail.com wrote:

 Sorry, so I'm a bit confused...
 
 I'm using Windows 7 clients for accessing the WiFi network through
 EAP-TLS with X.509 certificates. But in this way, I could see that I
 can authenticate users or hosts...if I choose users, I can see a
 dialog box to fill user and password and I suppose they are checked
 against MySQL database (because I see the query in debug mode). Is
 this correct or not ???

MySQL can be used to retrieve additional attributes associated with a
given user/host.  It can even perform lookups based on fields in the 
cert presented, but it can't be used to store X.509 certificate data.

 And finally, if I use EAP-TLS with X.509 certificates, do you mean I
 don't need to use the authentication against the active directory
 database ??? Maybe this is easier to me because I've put EAP-TLS to
 work.

No, the easier way is to complete the certificate chain using the 
signing cert which created the client certs in the first place. This needs
to be made available to the EAP-TLS module.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

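Arran's point above (the EAP-TLS module must be given the CA that signed the client certificates so it can complete the chain) can be seen with plain openssl. The script below is an added example, not code from this thread or from FreeRADIUS: it builds a throwaway private CA and an unrelated second CA, issues one client certificate from each with the same CN, and checks each against a CA bundle, which is what the CA_file setting in the tls section of eap.conf (FreeRADIUS 2.x) points the EAP-TLS module at. It also packs key, certificate and CA into a PKCS#12 file of the kind Roberto installs on his Windows 7 clients. All names, subjects and the PKCS#12 password are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): a throwaway private CA,
# an unrelated second CA, one client cert from each, checked against a CA
# bundle the way the EAP-TLS module checks a client cert against CA_file.
# All names, subjects and the PKCS#12 password below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca PREFIX CN: self-signed CA certificate and private key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# make_client CA_PREFIX CLIENT_PREFIX CN: client certificate signed by that CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" >/dev/null 2>&1
}

# verify_client CA_BUNDLE CERT: chain check against the bundle only.
# Prints ok or fail and returns a matching exit status.
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
        return 1
    fi
}

# make_p12 CLIENT_PREFIX CA_BUNDLE OUT: key + cert + CA chain in one PKCS#12
# file, the form a Windows client imports (password is a demo placeholder).
make_p12() {
    openssl pkcs12 -export -inkey "$1.key" -in "$1.pem" -certfile "$2" \
        -out "$3" -passout pass:demo >/dev/null 2>&1
}

make_ca ourca   "Example Private CA"
make_ca otherca "Some Other CA"
make_client ourca   alice   alice
make_client otherca mallory alice            # same CN, signed by the wrong CA

verify_client ourca.pem alice.pem            # ok: chain ends at our CA
verify_client ourca.pem mallory.pem || true  # fail: issuer is not in the bundle

# Appending a CA you do not control to the bundle makes its certs acceptable
# too, whatever the CN says: the bundle defines who may issue client certs.
cat ourca.pem otherca.pem > both.pem
verify_client both.pem mallory.pem           # ok

make_p12 alice ourca.pem alice.p12
```

The second verify_client call fails even though the subject is identical, and the third succeeds only because the unrelated CA was appended to the bundle. That is the trust boundary Arran describes: put exactly your own issuing CA in the file the EAP-TLS module reads, not a general root store, or any holder of those CAs can mint a client certificate your server accepts.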


Re: Active Directory authentication question

2013-09-18 Thread John Dennis
On 09/18/2013 11:01 AM, Roberto Carna wrote:
 Arran, I have a private CA and I've created the server and client
 certs of course...and I've generated the .p12 cert (including the CA
 cert) to install in my Windows 7 clients... it works OK.
 
 What I mean is that EAP-TLS is easier to me than AD authentication at
 this point, because I've just put it to work...and if I want to use AD
 auth I have to take EAP-TLS out and start again with NTLM / AD
 authentication... is it OK ???

I think you have a misconception. The client decides what type of
authentication mechanism it's going to use. The radius server should be
able to handle a wide variety of authentication mechanisms supplied by a
diverse range of clients.

So in your case you've got one mechanism working, great, now add support
for another, when you're done your radius server can handle 2
mechanisms. Keep iterating on this basic cycle until your server
supports the range of clients you need to support.


-- 
John


Re: Active Directory authentication question

2013-09-18 Thread Roberto Carna
Arran, I have a private CA and I've created the server and client
certs of course...and I've generated the .p12 cert (including the CA
cert) to install in my Windows 7 clients... it works OK.

What I mean is that EAP-TLS is easier to me than AD authentication at
this point, because I've just put it to work...and if I want to use AD
auth I have to take EAP-TLS out and start again with NTLM / AD
authentication... is it OK ???

Regards



Re: Active Directory authentication question

2013-09-18 Thread Alan DeKok
Roberto Carna wrote:
 Sorry, so I'm a bit confused...

  Because you're unfamiliar with the correct terminology, and with how
things really work.  To recap:

  EAP-TLS uses certificates to identify users.  And nothing else.  No
passwords, etc.

  AD is a database.  MySQL is a database.  They store user information.
 They don't authenticate users.

  FreeRADIUS is an authentication server.  Where necessary, it pulls
user information from a database.  It also returns user profiles to a
WiFI AP.  e.g. VLAN, etc.

  Alan DeKok.


Quick question about $ variables

2013-05-28 Thread stefan.paetow
Hi all,

I've been looking at using ${...} variables wherever I can and so far it's been 
relatively successful. The only place where I am stuck is using some 
comparisons, e.g.

if ("%{Attribute}" == "${variable}") {
  ...
}

The Attribute portion expands, the $-variable part does not (although it is in 
double-quotes as per the unlang documentation). Quoting the literal value of 
the variable works.

Am I correct in saying that this is not supported? Just asking so I know how 
far I can push this :-)

Stefan Paetow
Software Engineer
+44 1235 778812
Diamond Light Source Ltd.
Diamond House, Harwell Science and Innovation Campus
Didcot, Oxfordshire, OX11 0DE






Re: Quick question about $ variables

2013-05-28 Thread Alan DeKok
stefan.pae...@diamond.ac.uk wrote:
 Hi all,
 
 I've been looking at using ${...} variables wherever I can and so far it's 
 been relatively successful. The only place where I am stuck is using some 
 comparisons, e.g.
 
 if ("%{Attribute}" == "${variable}") {

  That's wrong.  Use:

if (Attribute == ${variable}) {

- Attributes can be referenced just by their name.  There's no need to
wrap them in %{...}.  That is only for other strings.

- wrapping the ${variable} in "" means it will *not* get expanded when
the configuration file loads.

 The Attribute portion expands, the $-variable part does not (although it is 
 in double-quotes as per the unlang documentation). Quoting the literal value 
 of the variable works.
 
 Am I correct in saying that this is not supported? Just asking so I know how 
 far I can push this :-)

  ${variable} is not supported, and will not be supported.

  Alan DeKok.


RE: Quick question about $ variables

2013-05-28 Thread stefan.paetow
Thank you very much for the quick answer, Alan. 

:-)

Stefan




Re: Basic question to authenticate switches and Linux boxes

2013-05-16 Thread Alan DeKok
Roberto Carna wrote:
 Dear, sorry for my confusion...I need to do the following:
 
 1) Authenticate and authorize users accessing switches through TELNET
 and/or HTTP
 2) Authenticate and authorize users accessing Linux servers through SSH

  You're about 2 steps removed from RADIUS.

  First, find out how those systems use RADIUS.

  Then look at the RADIUS pieces.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic question to authenticate switches and Linux boxes

2013-05-15 Thread Roberto Carna
Dear, sorry for my confusion...I need to do the following:

1) Authenticate and authorize users accessing switches through TELNET and/or
HTTP
2) Authenticate and authorize users accessing Linux servers through SSH

Thanks again.

Roberto


2013/5/9 Edvin Seferovic | Kolpinghaus St. Pölten edvin.sefero...@kolp.at


  You need to rephrase your question. Do you want to:

 a.) authenticate and authorize users accessing the console of your switch?
 b.) authenticate a machine/user connected to a port of a switch (MAC auth
 or 802.1X)
 c.) Linux boxes are machines... see B
 d.) authenticate users accessing the boxes...

 Regards,
 E:S


 On 09.05.2013 21:38, Roberto Carna wrote:

 Dear Matt, my second question is:

  If I have to authenticate Linux boxes and switches against Freeradius,
 do I have to use libpam-radius-auth for both devices or what ???

  Thanks again,

  Roberto


 2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu

 On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
  Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
  authenticate Allied switches and Debian/Centos boxes.
 
  What package/module do I have to install in addition to freeradius ???

  For the Debian clients you might want:

 libpam-radius-auth

 You can use apt-cache to search for things:

 % apt-cache search radius pam
 freeradius - high-performance and highly configurable RADIUS server
 libpam-radius-auth - The PAM RADIUS authentication module
 yardradius - YARD Radius Authorization and Accounting Server

 And
  what authentication procedure do I have to use in order to let
 universal AAA
  ???

  I don't understand this question.

 -mz
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html




 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Inner tunnel post auth question

2013-05-13 Thread Franks Andy (RLZ) IT Systems Engineer
Hi,
  The upgraded freeradius works fine, no surprise there I guess. Can't get any 
updated control, reply or whatever attributes to pass back to the default 
virtual server from the tunnel though, try as I might. Perhaps it's something 
to do with it being PEAP? I tried the authorize section and post auth section, 
but it never makes it through.
It's not really critical at this point, just annoying me. I'm sure it's 
something I need to do differently but I'm not sure what.
Thanks
Andy

-Original Message-
From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org 
[mailto:freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org] 
On Behalf Of Alan DeKok
Sent: 11 May 2013 14:26
To: FreeRadius users mailing list
Subject: Re: Inner tunnel post auth question

Franks Andy (RLZ) IT Systems Engineer wrote:
 My FR version is 2.1.10+dfsg-3build2_amd64. Unless there’s a nice
 package for Ubuntu 12.04 server then I’ll be compiling from source then
 I think.

  Yes.  Upgrading would be good.

 so yes, the “use_tunneled reply” bit is there. Is that what’s causing
 the copying of attributes from within the tunnel to fail, or is that
 setting what it’s supposed to be?

  The use_tunneled_reply configuration only works for Access-Accept.

 I’m still getting my head around the
 eap thing – like for example why I need authorization and authentication
 settings in the inner-tunnel virtual server for eap again – my intuition
 would tell me that the inner eap just needs mschap in there if that’s
 the protocol inside the tunnel, but then perhaps it’s something to do
 with the “protection” bit of peap that means it’s a “tunnel within a
 tunnel” or something. Like I said still getting my head around it all.

  You need eap in the inner-tunnel because PEAP sends EAP in the
inner-tunnel.

 I’d still like to get the attributes copying from the inner to outer
 tunnels regardless of the fix in 2.2. It’s gnawing at me a bit.

  Well... if you want a feature from a later version of the server,
upgrade.  You can't magically create a feature without code changes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Inner tunnel post auth question

2013-05-11 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
 My FR version is 2.1.10+dfsg-3build2_amd64. Unless there’s a nice
 package for Ubuntu 12.04 server then I’ll be compiling from source then
 I think.

  Yes.  Upgrading would be good.

 so yes, the “use_tunneled reply” bit is there. Is that what’s causing
 the copying of attributes from within the tunnel to fail, or is that
 setting what it’s supposed to be?

  The use_tunneled_reply configuration only works for Access-Accept.

 I’m still getting my head around the
 eap thing – like for example why I need authorization and authentication
 settings in the inner-tunnel virtual server for eap again – my intuition
 would tell me that the inner eap just needs mschap in there if that’s
 the protocol inside the tunnel, but then perhaps it’s something to do
 with the “protection” bit of peap that means it’s a “tunnel within a
 tunnel” or something. Like I said still getting my head around it all.

  You need eap in the inner-tunnel because PEAP sends EAP in the
inner-tunnel.

 I’d still like to get the attributes copying from the inner to outer
 tunnels regardless of the fix in 2.2. It’s gnawing at me a bit.

  Well... if you want a feature from a later version of the server,
upgrade.  You can't magically create a feature without code changes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Inner tunnel post auth question

2013-05-10 Thread Franks Andy (RLZ) IT Systems Engineer
Hi,
  This may have come up before but I can't find any solutions : 
I'm using a NAS which always performs EAP/MSCHAP2 authentication, so
I've stripped the sites-enabled/default right down to pretty much just
include the eap stuff for authorisation/authentication, and am doing all
the rest inside the inner tunnel - fine.
When the radius returns an access-accept, it runs the stuff in the
inner-tunnel post_auth section ok, and I can record the attributes I
want to a mysql db, including a custom ldap attribute inserted into a
control variable. 
However it seems that following a reject, the post_auth reject section
of inner-tunnel isn't actually used, so it doesn't record any info about
the attributes in the sql database if I use an sql call.
Ok .. so do it in the default post_auth reject bit - ok but I can't
figure how to pass back control variables to the outer tunnel. I'd
imagine it should be similar to the description in the post auth reject
section of the inner tunnel :

update outer.reply {
        User-Name = "%{request:User-Name}"
}

But the section never gets called, so I tried putting it after the ldap
authorization bit, as I can't do it in the authentication part, or so I
gather (no unlang support in there?).
In the below update, ldap-UserDescription is my custom attribute, which
I can see from the logs is being populated :
 [ldap] description -> Ldap-UserDescription == "test ip phone"

authorize {
        ..
        ..
        ldap
        update outer.control {
                Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
}

But again it doesn't make it through (or am I doing it wrong?)


+- entering group REJECT {...}
expand: %{control:Ldap-UserDescription} -> :
++[reply] returns noop

Am I being stupid? The best thing would be for the post_auth reject
section in inner tunnel to run, but failing that I need to work out the
control item passback to the outer tunnel.
Thanks for any help in advance!
Andy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Inner tunnel post auth question

2013-05-10 Thread Alex Sharaz
Andy,
What version of FreeRadius are you using?
I *think* that unless you are using the git source for 2.2.1, post-auth reject 
is broken. There was some stuff I was doing a few months ago that got fixed in 
2.2.1 … but I'm getting old and can't remember all the details :-(


On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer 
andy.fra...@sath.nhs.uk wrote:

 Hi,
 
   This may have come up before but I can’t find any solutions :
 
 I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve 
 stripped the sites-enabled/default right down to pretty much just include the 
 eap stuff for authorisation/authentication, and am doing all the rest inside 
 the inner tunnel – fine.
 
 When the radius returns an access-accept, it runs the stuff in the 
 inner-tunnel post_auth section ok, and I can record the attributes I want to 
 a mysql db, including a custom ldap attribute inserted into a control 
 variable.
 
 However it seems that following a reject, the post_auth reject section of 
 inner-tunnel isn’t actually used, so it doesn’t record any info about the 
 attributes in the sql database if I use an sql call.
 
 Ok .. so do it in the default post_auth reject bit – ok but I can’t figure 
 how to pass back control variables to the outer tunnel. I’d imagine it should 
 be similar to the description in the post auth reject section of the inner 
 tunnel :
 
 update outer.reply {
         User-Name = "%{request:User-Name}"
 }
 
 
have u got 
use_tunneled_reply = yes
set up in eap.conf?

Rgds
Alex

 But the section never gets called, so I tried putting it after the ldap 
 authorization bit, as I can’t do it in the authentication part, or so I 
 gather (no unlang support in there?).
 
 In the below update, ldap-UserDescription is my custom attribute, which I can 
 see from the logs is being populated :
 
  [ldap] description -> Ldap-UserDescription == "test ip phone"
 
 
 authorize {
         ..
         ..
         ldap
         update outer.control {
                 Ldap-UserDescription := "%{control:Ldap-UserDescription}"
         }
 }
 
 But again it doesn’t make it through (or am I doing it wrong?)
 
 
 +- entering group REJECT {...}
 expand: %{control:Ldap-UserDescription} -> :
 ++[reply] returns noop
 
 
 Am I being stupid? The best thing would be for the post_auth reject section 
 in inner tunnel to run, but failing that I need to work out the control item 
 passback to the outer tunnel.
 
 Thanks for any help in advance!
 
 Andy
 
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Inner tunnel post auth question

2013-05-10 Thread Phil Mayers

On 10/05/13 13:53, Franks Andy (RLZ) IT Systems Engineer wrote:

Hi,

   This may have come up before but I can’t find any solutions :

I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve
stripped the sites-enabled/default right down to pretty much just
include the eap stuff for authorisation/authentication, and am doing all
the rest inside the inner tunnel – fine.

When the radius returns an access-accept, it runs the stuff in
the inner-tunnel post_auth section ok, and I can record the attributes I
want to a mysql db, including a custom ldap attribute inserted into a
control variable.

However it seems that following a reject, the post_auth reject section
of inner-tunnel isn’t actually used, so it doesn’t record any info about
the attributes in the sql database if I use an sql call.


Correct. This is fixed in 2.x.x head and 3.x

See here:

https://github.com/FreeRADIUS/freeradius-server/commit/860dd99c9d6390686b12f622a87f2f82d84bc867#src/main/auth.c
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Inner tunnel post auth question

2013-05-10 Thread Franks Andy (RLZ) IT Systems Engineer
My FR version is 2.1.10+dfsg-3build2_amd64. Unless there's a nice
package for Ubuntu 12.04 server then I'll be compiling from source then
I think. 

This is the peap bit of eap.conf :

peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
#       proxy_tunneled_request_as_eap = yes
        virtual_server = inner-tunnel
}
so yes, the use_tunneled reply bit is there. Is that what's causing
the copying of attributes from within the tunnel to fail, or is that
setting what it's supposed to be? I'm still getting my head around the
eap thing - like for example why I need authorization and authentication
settings in the inner-tunnel virtual server for eap again - my intuition
would tell me that the inner eap just needs mschap in there if that's
the protocol inside the tunnel, but then perhaps it's something to do
with the protection bit of peap that means it's a tunnel within a
tunnel or something. Like I said still getting my head around it all.

I'd still like to get the attributes copying from the inner to outer
tunnels regardless of the fix in 2.2. It's gnawing at me a bit.

Thanks

Andy

 

 

From: freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Alex Sharaz
Sent: 10 May 2013 14:09
To: FreeRadius users mailing list
Subject: Re: Inner tunnel post auth question

 

Andy,

What version of FreeRadius are you using?

I *think* that unless you are using the git source for 2.2.1, post-auth
reject is broken. There was some stuff I was doing a few months ago that
got fixed in 2.2.1 ... but I'm getting old and can't remember all the
details :-(

 

 

On 10 May 2013, at 13:53, Franks Andy (RLZ) IT Systems Engineer
andy.fra...@sath.nhs.uk wrote:





Hi,

  This may have come up before but I can't find any solutions : 

I'm using a NAS which always performs EAP/MSCHAP2 authentication, so
I've stripped the sites-enabled/default right down to pretty much just
include the eap stuff for authorisation/authentication, and am doing all
the rest inside the inner tunnel - fine.

When the radius returns an access-accept, it runs the stuff in the
inner-tunnel post_auth section ok, and I can record the attributes I
want to a mysql db, including a custom ldap attribute inserted into a
control variable. 

However it seems that following a reject, the post_auth reject section
of inner-tunnel isn't actually used, so it doesn't record any info about
the attributes in the sql database if I use an sql call.

Ok .. so do it in the default post_auth reject bit - ok but I can't
figure how to pass back control variables to the outer tunnel. I'd
imagine it should be similar to the description in the post auth reject
section of the inner tunnel :

update outer.reply {
        User-Name = "%{request:User-Name}"
}

 

have u got 

use_tunneled_reply = yes

set up in eap.conf?

 

Rgds

Alex





But the section never gets called, so I tried putting it after the ldap
authorization bit, as I can't do it in the authentication part, or so I
gather (no unlang support in there?).

In the below update, ldap-UserDescription is my custom attribute, which
I can see from the logs is being populated :

 [ldap] description -> Ldap-UserDescription == "test ip phone"

 

authorize {
        ..
        ..
        ldap
        update outer.control {
                Ldap-UserDescription := "%{control:Ldap-UserDescription}"
        }
}

But again it doesn't make it through (or am I doing it wrong?)

 

+- entering group REJECT {...}
expand: %{control:Ldap-UserDescription} -> :
++[reply] returns noop

 

Am I being stupid? The best thing would be for the post_auth reject
section in inner tunnel to run, but failing that I need to work out the
control item passback to the outer tunnel.

Thanks for any help in advance!

Andy

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Roberto Carna
Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, do I
have to use libpam-radius-auth for both devices or what ???

Thanks again,

Roberto


2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu

 On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
  Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
  authenticate Allied switches and Debian/Centos boxes.
 
  What package/module do I have to install in addition to freeradius ???

 For the Debian clients you might want:

 libpam-radius-auth

 You can use apt-cache to search for things:

 % apt-cache search radius pam
 freeradius - high-performance and highly configurable RADIUS server
 libpam-radius-auth - The PAM RADIUS authentication module
 yardradius - YARD Radius Authorization and Accounting Server

 And
  what authentication procedure do I have to use in order to let universal
 AAA
  ???

 I don't understand this question.

 -mz
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Edvin Seferovic | Kolpinghaus St. Pölten

You need to rephrase your question. Do you want to:

a.) authenticate and authorize users accessing the console of your switch?
b.) authenticate a machine/user connected to a port of a switch (MAC 
auth or 802.1X)

c.) Linux boxes are machines... see B
d.) authenticate users accessing the boxes...

Regards,
E:S

On 09.05.2013 21:38, Roberto Carna wrote:

Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, 
do I have to use libpam-radius-auth for both devices or what ???


Thanks again,

Roberto


2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu mailto:mzagr...@d.umn.edu

On Wed, May 8, 2013 at 3:26 PM, Roberto Carna
robertocarn...@gmail.com mailto:robertocarn...@gmail.com wrote:
 Dear, I'm new at Freeradius as an AAA server in a Linux box and I
need to
 authenticate Allied switches and Debian/Centos boxes.

 What package/module do I have to install in addition to
freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
 what authentication procedure do I have to use in order to let
universal AAA
 ???

I don't understand this question.

-mz
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Matt Zagrabelny
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com wrote:
 Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
 authenticate Allied switches and Debian/Centos boxes.

 What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
 what authentication procedure do I have to use in order to let universal AAA
 ???

I don't understand this question.

-mz
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question on ldap module's base_filter

2013-05-06 Thread Mathieu Simon
G'day list

I've come across an issue with the ldap module parameter base_filter, and
I'm not yet sure whether I'm hitting a bug (I guess: less likely) or whether
I'm missing / misunderstanding its correct use.

I'm running a Debian Squeeze derivative (Univention Corporate Server), FR
2.1.10 and OpenLDAP.
On squeeze base_filter comes preconfigured as disabled (#base_filter =
"(objectclass=radiusprofile)").

Now my idea was to set base_filter = (sambaAcctFlags=[U  ]) to
only let user objects (that are not disabled) get authorized. This field is
present on user object so it would be great to have it used somehow.

The curious thing was that with radtest I always get Access-Accept even when a
user has the disabled flag (sambaAcctFlags=[UD ]).

This led me to check whether I can just set
base_filter=(notExisting=thisDoesntExist)
And the result also was: Access-Accept, so I guess base_filter isn't read
as I'd have expected it at first sight :-\

When I launch freeradius in debug mode I can see a message base_filter =
(sambaAcctFlags=[U  ]) passing on the screen so I guess the value
at least is getting read.

Can you give me a clever hint where/what to look for?

Best regards
Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: question about freeradius

2013-04-29 Thread A . L . M . Buxey
Hi,

I am just wondering if I can use freeradius for hotspot and dial up
accounts on same box or does it have to be separate box for hotspot and
dial up accounts?

that would depend on how you configured it and had each function isolated when
not needing same resources etc. we use ours for 802.1X federated access, local 
802.1X, captive portal, router/switch admin login, VLAN allocations via VMPS, VPN
login etc - each function is undertaken by separate virtual server definitions
in sites-enabled (with different policies applied) and separate module calls 
when different requirements for authentications are needed.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Hi, 

We're trying to put together an EAP-TTLS authentication solution with another 
open-source authentication server (Jasig CAS). We've found that only the first 
authentication process succeeds, but everything else after fails. In order for 
us to pinpoint whether this is a problem in the CAS software or the JRadius 
implementation of the EAP-TTLS Radius authenticator, I'd just like to confirm 
with the Radius experts on the list that I have some things right.

As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 
(session resumption) more in particular, the EAP-TTLS session should only be 
resumed if the client was successfully authenticated with the server. So am I 
correct in saying that if an EAP-TTLS session was established and a username 
and password were passed through the tunnel that were not successfully 
authenticated (i.e. the password was incorrect), the session cannot be resumed 
and should start again, i.e. a new tunnel session should be negotiated and the 
authentication request retried?

What we've seen is that the radiusd -X output shows a full EAP-TTLS session 
negotiation the first time, but then only a resumption (or at least that's what 
FreeRADIUS assumes, based on the debug output) of the session to continue. 
FreeRADIUS then sees the EAP handler fail. 

Should that session (i.e. 'request 7 ID 9') have been renegotiated and 
restarted because the user-password combination of 'bob' and 'test' is invalid? 

-- begin of debug output --

Ready to process requests.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=2, 
length=53
User-Name = "bob"
EAP-Message = 0x020801626f62
Message-Authenticator = 0xeec2f0280b8274f92fc902a15122729c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.23.6.33 port 49802
EAP-Message = 0x010100061520
Message-Authenticator = 0x
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=3, 
length=135
User-Name = "bob"
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
EAP-Message = 0x020100481500160301003d01390301517e66cc1774b02aba3b0067774c719d9a7c24c36fb94a5d97f862a59f866bd3120039003800330032001600130035002f000a0100
Message-Authenticator = 0x93d337adcf53e180ece72e8e881f3022
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.23.6.33 port 49802
EAP-Message = 

Re: Question about EAP-TTLS session resumption

2013-04-29 Thread Alan DeKok
stefan.pae...@diamond.ac.uk wrote:
 We're trying to put together an EAP-TTLS authentication solution with another 
 open-source authentication server (Jasig CAS). We've found that only the 
 first authentication process succeeds, but everything else after fails. In 
 order for us to pinpoint whether this is a problem in the CAS software or the 
 JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to 
 confirm with the Radius experts on the list that I have some things right.

  Well, TTLS session resumption works with wpa_supplicant, Windows,
Macs, etc.

 As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 
 (session resumption) more in particular, the EAP-TTLS session should only be 
 resumed if the client was successfully authenticated with the server. So am I 
 correct in saying that if an EAP-TTLS session was established and a username 
 and password were passed through the tunnel that were not successfully 
 authenticated (i.e. the password was incorrect), the session cannot be 
 resumed and should start again, i.e. a new tunnel session should be 
 negotiated and the authentication request retried?

  Yes.

 What we've seen is that the radiusd -X output shows a full EAP-TTLS session 
 negotiation the first time, but then only a resumption (or at least that's 
 what FreeRADIUS assumes, based on the debug output) of the session to 
 continue. FreeRADIUS then sees the EAP handler fail. 

  It sees more than that.  There's no point in reading only *one*
message out of many.  The reason the other debug messages exist is
because they're *useful*.

 Should that session (i.e. 'request 7 ID 9') have been renegotiated and 
 restarted because the user-password combination of 'bob' and 'test' is 
 invalid? 

  The debug log *doesn't* show session resumption.  If it did, it would
have text about session resumption.

 -- begin of debug output --

  Which shows that the inner-tunnel configuration is incapable of
authenticating a user "bob" with password "test".

  This has nothing to do with session resumption.  Your inner-tunnel
configuration is wrong.  You haven't configured a known good password
for the user.

  So how is the server supposed to check that bob/test is a valid
user/password?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
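
The reply above turns on reading the whole `radiusd -X` exchange rather than one line of it. As an added example (not code from the thread or from the FreeRADIUS project), the following Python reads a debug log in the format quoted earlier and summarises each request as a whole: the incoming attributes, every module return code, warnings such as the `[pap]` one, the chosen Auth-Type, the TLS handshake messages and the packet finally sent. The embedded log is an abridged copy of the output quoted in the thread (a constructed sample, with the quotes the archive stripped left out; the parser accepts quoted and unquoted values), and what `find_problems` flags is my own choice, not a FreeRADIUS rule.

```python
"""Per-request summary of a FreeRADIUS 2.x ``radiusd -X`` debug log.

Added example, not from the thread or the FreeRADIUS project: it reads the
debug output quoted above so that each exchange is reviewed as a whole.
"""
import re

# Abridged copy of the debug output quoted in the thread (constructed sample).
# Quotes around values were lost in the archive; the parser accepts both forms.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=2, length=53
User-Name = bob
EAP-Message = 0x020801626f62
Message-Authenticator = 0xeec2f0280b8274f92fc902a15122729c
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
++[eap] returns updated
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
++[eap] returns handled
Sending Access-Challenge of id 2 to 172.23.6.33 port 49802
EAP-Message = 0x010100061520
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
rad_recv: Access-Request packet from host 172.23.6.33 port 49802, id=3, length=135
User-Name = bob
State = 0xee0ac522ee0bd0bfaaf533badfdea46d
Message-Authenticator = 0x93d337adcf53e180ece72e8e881f3022
+- entering group authorize {...}
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
++[eap] returns handled
Sending Access-Challenge of id 3 to 172.23.6.33 port 49802
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR_RE = re.compile(r"^([\w-]+) = (.*)$")
MOD_RE = re.compile(r"^\++\[(\S+)\] returns (\w+)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)$")
HANDSHAKE_RE = re.compile(r"TLS \S+ Handshake \[length [0-9a-fA-F]+\], (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")


def parse_debug(text):
    """Split the log into requests, each a dict of what the server saw and did."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RECV_RE.match(line):
            cur = {"kind": m[1], "client": f"{m[2]}:{m[3]}", "id": int(m[4]),
                   "attrs": {}, "modules": [], "warnings": [],
                   "auth_type": None, "handshake": [], "reply": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := MOD_RE.match(line):
            cur["modules"].append((m[1], m[2]))
        elif m := AUTH_TYPE_RE.match(line):
            cur["auth_type"] = m[1]
        elif m := SEND_RE.match(line):
            cur["reply"] = m[1]
        elif m := HANDSHAKE_RE.search(line):
            cur["handshake"].append(m[1])
        elif "WARNING" in line:
            cur["warnings"].append(line)
        elif cur["reply"] is None and (m := ATTR_RE.match(line)):
            # Attribute lines before "Sending ..." belong to the incoming packet;
            # the ones printed after it are the reply's and are not merged in.
            cur["attrs"].setdefault(m[1], m[2].strip('"'))
    return requests


def find_problems(requests):
    """What to check before blaming the client, the tunnel or session resumption."""
    problems = []
    for r in requests:
        tag = f"id={r['id']} user={r['attrs'].get('User-Name', '?')}"
        problems += [f"{tag}: {w}" for w in r["warnings"]]
        problems += [f"{tag}: module {mod} returned {rc}"
                     for mod, rc in r["modules"] if rc in ("reject", "fail", "invalid")]
        if r["reply"] is None:
            problems.append(f"{tag}: no reply packet logged, request incomplete")
    return problems


if __name__ == "__main__":
    for r in parse_debug(SAMPLE_DEBUG):
        print(f"{r['kind']} id={r['id']} from {r['client']} -> {r['reply']}; "
              f"Auth-Type={r['auth_type']}; handshake={' '.join(r['handshake']) or '-'}")
    for p in find_problems(parse_debug(SAMPLE_DEBUG)):
        print("CHECK:", p)
```

Run stand-alone it prints one line per request and a CHECK line for the `[pap]` warning on request id 2; on a full log the same pass would also surface any `reject`/`fail` module return and any request that never got a reply, which is the kind of evidence the reply above asks for before a tunnel or resumption theory is accepted.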


RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Alan, 

The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. 
rejecting the user). This has not been in doubt at all.

However, when you go to the bottom of the output, where the request for user 
'steve' (who is a valid user, and for whom a correct password was supplied) is 
sent, the request fails. The session for 'steve' is partial and stops 
prematurely, which leads me to believe that the EAP-TTLS client (the JRadius 
EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the EAP 
session, negotiate a fresh tunnel, and then attempt to authenticate the valid 
user 'steve' with the given password.

Based on the debug output, it appears that the client simply re-uses the 
existing tunnel, which, according to the RFC and your confirmation, is not 
correct. So thanks for confirming that part of the theory. :-)

To prove that, I've just had a bit more of a play-around with the Java webapp, 
and when we restart it between authentication requests, the correct process is 
followed, i.e. establish an EAP session, negotiate a tunnel, attempt 
authentication, and every session is complete. I'll have a word with David over 
at Coova about the bean in question.

Regards

Stefan



-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Alan DeKok
Sent: 29 April 2013 14:08
To: FreeRadius users mailing list
Subject: Re: Question about EAP-TTLS session resumption

stefan.pae...@diamond.ac.uk wrote:
 We're trying to put together an EAP-TTLS authentication solution with another 
 open-source authentication server (Jasig CAS). We've found that only the 
 first authentication process succeeds, but everything else after fails. In 
 order for us to pinpoint whether this is a problem in the CAS software or the 
 JRadius implementation of the EAP-TTLS Radius authenticator, I'd just like to 
 confirm with the Radius experts on the list that I have some things right.

  Well, TTLS session resumption works with wpa_supplicant, Windows, Macs, etc.

 As far as I understand RFC5281 (the EAP-TTLS RFC) in general and Section 15.3 
 (session resumption) more in particular, the EAP-TTLS session should only be 
 resumed if the client was successfully authenticated with the server. So am I 
 correct in saying that if an EAP-TTLS session was established and a username 
 and password were passed through the tunnel that were not successfully 
 authenticated (i.e. the password was incorrect), the session cannot be 
 resumed and should start again, i.e. a new tunnel session should be 
 negotiated and the authentication request retried?

  Yes.

 What we've seen is that the radiusd -X output shows a full EAP-TTLS session 
 negotiation the first time, but then only a resumption (or at least that's 
 what FreeRADIUS assumes, based on the debug output) of the session to 
 continue. FreeRADIUS then sees the EAP handler fail. 

  It sees more than that.  There's no point in reading only *one* message out 
of many.  The reason the other debug messages exist is because they're *useful*.

 Should that session (i.e. 'request 7 ID 9') have been renegotiated and 
 restarted because the user-password combination of 'bob' and 'test' is 
 invalid? 

  The debug log *doesn't* show session resumption.  If it did, it would have 
text about session resumption.

 -- begin of debug output --

  Which shows that the inner-tunnel configuration is incapable of 
authenticating a user bob with password test.

  This has nothing to do with session resumption.  Your inner-tunnel 
configuration is wrong.  You haven't configured a known good password for the 
user.

  So how is the server supposed to check that bob/test is a valid 
user/password?

  Alan DeKok.


Re: Question about EAP-TTLS session resumption

2013-04-29 Thread Alan DeKok
stefan.pae...@diamond.ac.uk wrote:
 However, when you go to the bottom of the output, where the request for user 
 'steve' (who is a valid user, and for whom a correct password was supplied) 
 is sent, the request fails. The session for 'steve' is partial and stops 
 prematurely, which leads me to believe that the EAP-TTLS client (the JRadius 
 EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the 
 EAP session, negotiate a fresh tunnel, and then attempt to authenticate the 
 valid user 'steve' with the given password.

  Except it's not a request for steve:

User-Name = steve
EAP-Message = 0x020801626f62

  The EAP-Message says that the EAP Identity is for user bob.

  The EAP client you're using is broken.  Fix that before you try
anything else.

 Based on the debug output, it appears that the client simply re-uses the 
 existing tunnel, which, according to the RFC and your confirmation, is not 
 correct. So thanks for confirming that part of the theory. :-)

  Likely, yes.

 To prove that, I've just had a bit more of a play-around with the Java 
 webapp, and when we restart it between authentication requests, the correct 
 process is followed, i.e. establish an EAP session, negotiate a tunnel, 
 attempt authentication, and every session is complete. I'll have a word with 
 David over at Coova about the bean in question.

  Sounds like a plan.

  Alan DeKok.
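As an added example (not code from this thread, JRadius or FreeRADIUS), the check Alan applies above done mechanically over radiusd -X output: decode each EAP-Message per RFC 3748 and flag requests whose outer User-Name disagrees with the EAP Identity the supplicant actually sent. The debug text is a constructed sample, with the EAP-Message hex in full RFC 3748 framing (the debug line quoted above shows a shortened form) and placeholder host and Message-Authenticator values.

```python
"""Compare the outer User-Name with the EAP Identity inside EAP-Message.

Added example, not FreeRADIUS or JRadius code. Input is constructed text in
the shape of a radiusd -X dump; only 'rad_recv:' and 'Attr = value' lines matter.
"""
import re
import struct

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Constructed sample: request 1 is an honest Identity for 'bob'; request 2 says
# 'steve' in User-Name but the EAP payload still carries the Identity 'bob'.
# Hex layout per RFC 3748: Code(1) Identifier(1) Length(2) Type(1) Type-Data.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 54321, id=9, length=60
\tUser-Name = "bob"
\tEAP-Message = 0x0208000801626f62
\tMessage-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Request packet from host 127.0.0.1 port 54321, id=10, length=62
\tUser-Name = "steve"
\tEAP-Message = 0x0209000801626f62
\tMessage-Authenticator = 0x00000000000000000000000000000000
"""

# One attribute line of debug output, quotes around the value optional.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_debug(text: str) -> list[dict]:
    """Split debug text into one {attribute: value} dict per rad_recv: packet."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            current = {}
            requests.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return requests


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet header; reject Length fields that do not match."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP Length field says {length}, got {len(packet)} bytes")
    eap = {"code": code, "id": ident, "type": None, "data": b""}
    # Only Request and Response carry a Type byte; Success/Failure end at the header.
    if code in (EAP_CODE_REQUEST, EAP_CODE_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        eap["type"] = packet[4]
        eap["data"] = packet[5:]
    return eap


def eap_identity(eap_message_hex: str):
    """Return the Identity string for a Response/Identity packet, else None."""
    packet = bytes.fromhex(eap_message_hex.removeprefix("0x"))
    eap = parse_eap(packet)
    if eap["code"] != EAP_CODE_RESPONSE or eap["type"] != EAP_TYPE_IDENTITY:
        return None
    # RFC 3748 s5.1: a NUL plus implementation-specific text may follow the identity.
    return eap["data"].split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def audit(text: str) -> list[tuple]:
    """(outer User-Name, EAP Identity, agree?) for every request with an Identity."""
    findings = []
    for req in parse_debug(text):
        if "EAP-Message" not in req:
            continue
        identity = eap_identity(req["EAP-Message"])
        if identity is None:
            continue
        outer = req.get("User-Name", "")
        findings.append((outer, identity, outer == identity))
    return findings


if __name__ == "__main__":
    for outer, inner, ok in audit(SAMPLE_DEBUG):
        status = "ok" if ok else "MISMATCH: supplicant reused stale EAP state"
        print(f"User-Name={outer!r} EAP-Identity={inner!r} -> {status}")
```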


RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Thanks again for the confirmation, Alan. 

:-)

Stefan




Re: Question about EAP-TTLS session resumption

2013-04-29 Thread David Bird

 The user 'bob' does not exist, so FreeRADIUS does the correct thing (i.e. 
 rejecting the user). This has not been in doubt at all.
 

Instantiate a new EAPTTLSAuthenticator() for each authentication session
and you should be fine. The Authenticator class is there to maintain a
context through a single authentication session, generally. 



question about freeradius

2013-04-28 Thread Tim Reichhart
Hey Guys

I am just wondering if I can use freeradius for hotspot and dial up accounts
on same box or does it have to be separate box for hotspot and dial up
accounts?

 

Tim


Re: question about freeradius

2013-04-28 Thread Leo Combes
On Apr 28, 2013, 10:13 p.m., Tim Reichhart t...@nwohiobb.com wrote:

 Hey Guys

 I am just wondering if I can use freeradius for hotspot and dial up
accounts on same box or does it have to be separate box for hotspot and
dial up accounts?



 Tim



On the same box, with virtual servers.

Question about differences between possibilities of authentication

2013-04-12 Thread Bas Penris
Hi All,
 
The last week I've had my first encounter with FreeRADIUS as we were supposed 
to deploy eduroam. I had a lot of fun doing it although I have dreamt about the 
config files after a couple of days :)
 
Everything is working as it should so no worries there, but I'm curious about 
something. I configured the proxies and the local realm. When I did a radtest 
like this:
radtest che...@localdomain.nl password 127.0.0.1 1 secret
I would get an Accept-Accept. The debug output would show that first a bind and 
then an LDAP search is performed in our eDirectory. Okay! Fun times I thought, 
let's try it on my mobile phone because a test account I got from an academic 
institution in the UK worked so local authentication should work as well! I 
entered the credentials but now comes the difference. Using a Wifi device made 
the LDAP search fail because it tried to authenticate the u...@domain.nl 
instead of stripping the suffix.
 
I've been staring at the config files to see if I got the LDAP-filter defined 
two times somewhere but that doesn't seem to be the case. Now, this wasn't a 
really big problem because users can be pretty stupid and we decided to let 
them authenticate using their email address instead of their username@domain 
which would lead to too much confusion for them.
 
The LDAP filter was:
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
Is now:
filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))
The proxy.conf lines right before it's defaulted to eduroam:
realm ettyhillesumlyceum.nl {
}
 
Does anyone have an idea why radtest would behave differently from an 802.1x login?
 
Regards,
 
Bas

Re: Question on certificates before deep dive into EAP-TLS

2013-04-12 Thread Alan DeKok
Mathieu Simon wrote:
 Telling students how to install an internal CA root isn't going to work,
 it already didn't work for teachers in the past ...

  Yes.  That is a problem.

 But allowing only (internal) devices with certs from the internal CA
 through CA_file
 would allow us to more easily integrate those non-personal but
 school-owned devices.

  That would work.

 I just hope I'm not telling complete bullshit... ;-)

  Nope.

 Thank you Alan for your time to answer!

  It's what I do.

  Alan DeKok.


Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
 Everything is working as it should so no worries there, but I'm curious
 about something. I configured the proxies and the local realm. When I
 did a radtest like this:
 radtest che...@localdomain.nl password 127.0.0.1 1 secret
 I would get an Accept-Accept.

  That's the easy part.

 The debug output would show that first a
 bind and then an LDAP search is performed in our eDirectory. Okay! Fun
 times I thought, let's try it on my mobile phone because a test account
 I got from an academic institution in the UK worked so local
 authentication should work as well! I entered the credentials but now
 comes the difference. Using a Wifi device made the LDAP search fail
 because it tried to authenticate the u...@domain.nl
 instead of stripping the suffix.

  Don't test from a mobile device until you've done complete EAP testing
yourself.  You'll get a LOT more useful information.

  See my web page: http://deployingradius.com

 I've been staring at the config files to see if I got the LDAP-filter
 defined two times somewhere but that doesn't seem to be the case. Now,
 this wasn't a really big problem because users can be pretty stupid and
 we decided to let them authenticate using their email address instead
 of their username@domain which would lead to too much confusion for them.

  It's usually best to use the full email address.  It simplifies a lot
of issues.

 The LDAP filter was:
 filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 Is now:
 filter = (|(cn=%{Stripped-User-Name:-%{User-Name}})(mail=%{User-Name}))
 The proxy.conf lines right before it's defaulted to eduroam:
 realm ettyhillesumlyceum.nl {
 }

  So.. you're posting tiny pieces of the config.  But not the debug
output as suggested in the FAQ, README, man page, web pages, and daily
on this list?

 Anyone has an idea why radtest would behave differently from an 802.1x
 login?

  Because it's doing different searches.  See the debug output for more
information.  It's all in there.  Really.  That's why we tell people to
read it, and to post it here.

  Alan DeKok.


Betr.: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Bas Penris
Hi Alan,
 
The reason I didn't post the debugs and config files was because I thought 
there might be an easy explanation which one of you would be able to spoon up 
without any trouble. Especially because nothing is broken and everything works 
as it's supposed to.
 
I'll get back with a debug log and the config after the weekend.
 
Regards,
 
Bas


Re: Betr.: Re: Question about differences between possibilities of authentication

2013-04-12 Thread Alan DeKok
Bas Penris wrote:
 The reason I didn't post the debugs and config files was because I
 thought there might be an easy explanation which one of you would be
 able to spoon up without any trouble.

  We need certain information to answer questions.  One piece of which
is the debug output.  That's why we ask for it DAILY on this list.

  There is NO excuse for not posting it when you're trying to debug a
problem.

 Especially because nothing is
 broken and everything works as it's supposed to.

  So you said it didn't do what you wanted, but that it works?

 I'll get back with a debug log and the config after the weekend.

  Did I ask for the configuration?  No.

  I asked for the debug output.  That's what I want.  I don't want
copies of your configuration.  If I had wanted copies of the
configuration, I would have asked for them.

  Please follow instructions.  A MAJOR reason why people have trouble is
that they refuse to follow instructions.

  Alan DeKok.


Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

As a (hopefully) answerable question to those experienced with EAP-TLS, one
that I've been twisting my brain over:

Usually I've seen examples for EAP-TLS setups that used a server-side
certificate issued from the same CA as the one it should allow EAP-TLS clients
who present their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
  tls {
 [...]
 certificate_file = /etc/freeradius/ssl/cert.p

 #  Trusted Root CA list
 CA_file = /etc/univention/ssl/ucsCA/CAcert.pem
[...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a trusted
external CA) while some devices could log in using EAP-TLS but only when they
present a certificate from an internal CA (that usually isn't being trusted by
devices outside of the control of the IT department).

Best regards
Mathieu


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Alan DeKok
Mathieu Simon wrote:
 Usually I've seen examples for EAP-TLS setups that used a server-side
 certificate issued from the same CA as the one it should allow EAP-TLS
 clients who present their certificate to FR.

  Yes.

 Am I guessing correctly that CA_file can contain a different list of CA(s)
 than the server certificate that is shown to the client?

  Yes.  It contains a list of valid CAs.

 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)

  While that works, it's not recommended.  It means that the client will
trust *any* certificate signed by that CA, for network access.

  It's usually a bad idea.

 while some devices could log in using EAP-TLS but only when they present
 a certificate from an internal CA (that usually isn't being trusted by
 devices outside of the control of the IT department).

  That works.  The client will need *both* CAs.

  But why be this complicated?  Just use one CA, which is for both
EAP-TLS and PEAP.  It can issue client certs to some machines, and *not*
issue client certs to others.

  You don't need one CA per EAP method.

  Alan DeKok.


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
 snip!
 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)
   While that works, it's not recommended.  It means that the client will
 trust *any* certificate signed by that CA, for network access.

   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) issued by the trusted CA.

CA_file would only contain the internal CA, so that only certificates signed
by the one internal CA that IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
 snip!

   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work,
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file would allow us to more easily integrate those non-personal
but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu


Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane,
can you please send a screenshot of your View Radius Configuration, your
full configuration and the full debugging output which includes an
authentication request from pap_challenge_request.pl and from View.

Cheers,
Thomas


Re: Question about interaction Between Vmware View 5.1 and smsotp

2013-03-27 Thread Thomas Glanzmann
Hello Stéphane,

 It works. Thank you. Yes, the radiusd process listen on some
 multiples ports and i was wrong when i put the value 1812 on VMware
 View.

for the list. The problem was that View was configured to port 1812
which does not do SMSOTP with my configuration, so we reconfigured it to
port 11812 and it worked.

 A little question, this is normal workflow => Client view asks for
 user/pass AD => asks for OTP => asks again for user/pass AD?

If I remember correctly you either should put the username as:

domain\username

or

usern...@full.realm.de

then it should ask only once. But the last time I configured it with
View was one year ago.

Cheers,
Thomas


Question about radwho/radutmp dates

2013-03-15 Thread Sergio Belkin
Hi folks,

How long time does radwho/radutmp store accounting information?

Thanks in advance
-- 
--
Sergio Belkin  http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org

Re: design question

2013-03-06 Thread Matt Zagrabelny
On Tue, Mar 5, 2013 at 9:17 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:

 On 5 Mar 2013, at 18:03, Matt Zagrabelny mzagr...@d.umn.edu wrote:

 On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:


 You know SQL supports groups right? and that a group matching can be 
 conditional on attributes in the request? and that you can add additional 
 config items to client definitions to mark them as special devices?

 Hi Arran,

 Thanks for the reply. I've grepped the wiki and mailing list archives
 and could not answer the following:

 What do I change in the nas table (in the database) to mark the
 network boxes as special devices? I see the schema as:

 CREATE TABLE nas (
 id SERIAL PRIMARY KEY,
 nasname VARCHAR(128) NOT NULL,
 shortname VARCHAR(32) NOT NULL,
 type VARCHAR(30) NOT NULL DEFAULT 'other',
 ports int4,
 secret VARCHAR(60) NOT NULL,
 server VARCHAR(64),
 community VARCHAR(50),
 description VARCHAR(200)
 );

 Is it the server field? If so, could you also briefly explain how to
 apply that to group matching? (I have added users to groups using the
 usergroup table, but haven't touched the radgroupcheck/reply yet.)

 So long as you're using static devices in clients.conf you can use the xlat 
 expansion %{client:config item}.

I am using static devices, but I am using a nas table in a PG
database. Does that affect the xlat expansion? I already had a
'shortname' (but not a group field) in the table schema and tried:
authorize {
update request {
Client-Group := %{client:shortname}
}
sql
}

Here is a snippet of the 'freeradius -X' output:

++[files] returns noop
expand: %{client:shortname} -> 
++[request] returns noop
[sql] expand: %{Stripped-User-Name} -> 
[sql] ... expanding second conditional

You can see that the expand didn't work as expected.

Data in the table looks like:

atlas=> SELECT * from radius_nas limit 1;
 id | nasname | shortname | type |   secret    | server
----+---------+-----------+------+-------------+--------
 72 | ups     | ups       |      | sUperS3cret |
(1 row)

And also the configuration in dialup.conf:

nas_query = SELECT id, nasname, shortname, type, secret, server FROM
${nas_table}

Any ideas?

Thanks,

-mz


Re: design question

2013-03-05 Thread Matt Zagrabelny
On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:


 You know SQL supports groups right? and that a group matching can be 
 conditional on attributes in the request? and that you can add additional 
 config items to client definitions to mark them as special devices?

Hi Arran,

Thanks for the reply. I've grepped the wiki and mailing list archives
and could not answer the following:

What do I change in the nas table (in the database) to mark the
network boxes as special devices? I see the schema as:

CREATE TABLE nas (
id SERIAL PRIMARY KEY,
nasname VARCHAR(128) NOT NULL,
shortname VARCHAR(32) NOT NULL,
type VARCHAR(30) NOT NULL DEFAULT 'other',
ports int4,
secret VARCHAR(60) NOT NULL,
server VARCHAR(64),
community VARCHAR(50),
description VARCHAR(200)
);

Is it the server field? If so, could you also briefly explain how to
apply that to group matching? (I have added users to groups using the
usergroup table, but haven't touched the radgroupcheck/reply yet.)

Thanks for any help!

-mz


Re: design question

2013-03-05 Thread Arran Cudbard-Bell

On 5 Mar 2013, at 18:03, Matt Zagrabelny mzagr...@d.umn.edu wrote:

 On Mon, Mar 4, 2013 at 4:28 PM, Arran Cudbard-Bell
 a.cudba...@freeradius.org wrote:
 
 
 You know SQL supports groups right? and that a group matching can be 
 conditional on attributes in the request? and that you can add additional 
 config items to client definitions to mark them as special devices?
 
 Hi Arran,
 
 Thanks for the reply. I've grepped the wiki and mailing list archives
 and could not answer the following:
 
 What do I change in the nas table (in the database) to mark the
 network boxes as special devices? I see the schema as:
 
 CREATE TABLE nas (
 id SERIAL PRIMARY KEY,
 nasname VARCHAR(128) NOT NULL,
 shortname VARCHAR(32) NOT NULL,
 type VARCHAR(30) NOT NULL DEFAULT 'other',
 ports int4,
 secret VARCHAR(60) NOT NULL,
 server VARCHAR(64),
 community VARCHAR(50),
 description VARCHAR(200)
 );
 
 Is it the server field? If so, could you also briefly explain how to
 apply that to group matching? (I have added users to groups using the
 usergroup table, but haven't touched the radgroupcheck/reply yet.)

So long as you're using static devices in clients.conf you can use the xlat 
expansion %{client:config item}.

Add an extra string attribute to raddb/dictionary, something like Client-Group, 
then populate it before calling the sql module.

authorize {
update request {
Client-Group := %{client:group}
}
sql
}

Then add a 'group' config item in the client {} definition.

You can then use Client-Group as a check item.

-Arran

 
 Thanks for any help!
 
 -mz


design question

2013-03-04 Thread Matt Zagrabelny
Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (i.e. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.

I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.

My questions are these:

Has anyone here setup a second instance of FR running on the same
system as their primary instance, but with different configs? Do you
have any suggestions for layout or keeping configs/logs straight?

Or said another way, how much confusion will there be in
/etc/freeradius (default Debian config dir) due to the second
instance? Is it worth it, just to have a single system have all of
your RADIUS servers or should I just stand up another virtual server
and use that instead?

Thanks for any help or hints!

-matt zagrabelny


Re: design question

2013-03-04 Thread Olivier Beytrison

On 04.03.2013 21:56, Matt Zagrabelny wrote:

Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (ie. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.


You can use the same listen ports, but group clients (which means NAS) in 
two groups, and assign a specific virtual server to each group, with 
different policy, database lookup and such.




I am currently using Debian 6.0 with corresponding FR 2.1.10+dfsg-2+squeeze1.


Beware that there are some known bugs in 2.1.10 as well as some security 
flaws. You should go with the latest 2.2.X git branch.



Olivier


--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: design question

2013-03-04 Thread Olivier Beytrison

On 04.03.2013 22:17, Olivier Beytrison wrote:

On 04.03.2013 21:56, Matt Zagrabelny wrote:

Greetings,

I am configuring a general purpose RADIUS server that any number of
clients can connect to for authn - it uses a PostgreSQL DB as the
backend datastore. I would also like to setup a secondary RADIUS
server listening on a different port (ie. 1814) and use the same Pg DB
as a backend, but use a restricted view as the users table, then
configure devices (certain network gear) that wish to only allow users
in the restricted view to use that secondary RADIUS server and
corresponding port.


You can use the same listen ports, but group clients (which means NAS) in
two groups, and assign a specific virtual server to each group, with
different policy, database lookup and such.


Just to add, I think you should define a virtual server with a default 
virtual_server in the listen {} section, then for your specific NAS that 
needs special policy/authn, simply specify a different virtual_server in 
the client {} section.


I also wanted to add that you'll find all the information you need here 
http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail 
client sent the mail instead of pasting the link) :)


Olivier

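A sketch of the layout Olivier describes, written in FreeRADIUS 2.x configuration syntax as an added example (it is not from the post or from the FreeRADIUS distribution). The client addresses and secrets, the virtual server names `default` and `restricted`, the `sql_restricted` module instance and the `*_restricted` PostgreSQL view names are all assumptions:

```conf
# clients.conf: both NAS groups talk to the same socket; the group is chosen
# per client by the optional virtual_server item.
client general_nas {
        ipaddr         = 192.0.2.10        # assumed address of a general-purpose NAS
        secret         = CHANGE_ME         # placeholder shared secret
        shortname      = general-switch
        # no virtual_server here: this client falls through to the listen {} default
}

client restricted_nas {
        ipaddr         = 192.0.2.20        # assumed address of the "certain network gear"
        secret         = CHANGE_ME         # placeholder shared secret
        shortname      = core-router
        virtual_server = restricted        # overrides the default for this client only
}

# sites-enabled/default: one auth socket on the standard port. In 2.x the stock
# file has no server {} wrapper; replace it with the two named servers below
# rather than keeping both side by side.
listen {
        type           = auth
        ipaddr         = *
        port           = 0                 # 0 = the default RADIUS auth port (1812)
        virtual_server = default           # used by every client without its own setting
}

server default {
        authorize {
                preprocess
                sql                        # stock sql instance: the full users table
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}

server restricted {
        authorize {
                preprocess
                sql_restricted             # second sql instance: the restricted view only
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
        }
}

# modules/sql_restricted: a second rlm_sql instance against the same PostgreSQL
# database, but with the user tables pointed at restricted views. Everything
# else mirrors the stock sql {} block in sql.conf.
sql sql_restricted {
        database         = "postgresql"
        driver           = "rlm_sql_${database}"
        server           = "localhost"
        login            = "radius"
        password         = "CHANGE_ME"      # placeholder database password
        radius_db        = "radius"
        acct_table1      = "radacct"
        acct_table2      = "radacct"
        postauth_table   = "radpostauth"
        authcheck_table  = "radcheck_restricted"     # assumed view over radcheck
        authreply_table  = "radreply_restricted"     # assumed view over radreply
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table  = "radusergroup_restricted" # assumed view over radusergroup
        read_groups      = yes
        readclients      = no                        # clients come from clients.conf above
        nas_table        = "nas"
        $INCLUDE sql/${database}/dialup.conf
}
```

A user present only in the full tables is then rejected when the request arrives from `restricted_nas`, because that client's requests never touch the stock `sql` instance.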


Re: design question

2013-03-04 Thread Matt Zagrabelny
On Mon, Mar 4, 2013 at 3:27 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
 On 04.03.2013 22:17, Olivier Beytrison wrote:

 On 04.03.2013 21:56, Matt Zagrabelny wrote:

 Greetings,

 I am configuring a general purpose RADIUS server that any number of
 clients can connect to for authn - it uses a PostgreSQL DB as the
 backend datastore. I would also like to setup a secondary RADIUS
 server listening on a different port (ie. 1814) and use the same Pg DB
 as a backend, but use a restricted view as the users table, then
 configure devices (certain network gear) that wish to only allow users
 in the restricted view to use that secondary RADIUS server and
 corresponding port.


 You can use the same listen ports, but group clients (which means NAS) in
 two groups, and assign a specific virtual server to each group, with
 different policy, database lookup and such.


 Just to add, I think you should define a virtual server with a default
 virtual_server in the listen {} section, then for your specific NAS that
 needs special policy/authn, simply specify a different virtual_server in the
 client {} section.

 I also wanted to add that you'll find all the information you need here
 http://wiki.freeradius.org/config/Virtual-server (but my @#°@¦§¬ mail client
 sent the mail instead of pasting the link) :)

Hi Olivier,

Thanks for the replies. I'll start digesting that wiki page soon*.

I'm not sure if Debian patched the 2.1.10 line to take care of any
grievous bugs, but if we start hitting them, we may need to upgrade.
FWIW, we were/are running 1.1.0 on Solaris, so we'll be excited to
have the new bugs to deal with. :)

Cheers,

-mz


Re: design question

2013-03-04 Thread Arran Cudbard-Bell

On 4 Mar 2013, at 15:56, Matt Zagrabelny mzagr...@d.umn.edu wrote:

 Greetings,
 
 I am configuring a general purpose RADIUS server that any number of
 clients can connect to for authn - it uses a PostgreSQL DB as the
 backend datastore. I would also like to setup a secondary RADIUS
 server listening on a different port (ie. 1814) and use the same Pg DB
 as a backend, but use a restricted view as the users table, then
 configure devices (certain network gear) that wish to only allow users
 in the restricted view to use that secondary RADIUS server and
 corresponding port.

Um, ok, why?

You know SQL supports groups, right? And that group matching can be 
conditional on attributes in the request? And that you can add additional config 
items to client definitions to mark them as special devices?

-Arran


Proxy configuration question

2013-02-27 Thread bpatil


Hello,

I have a rudimentary proxy configuration question:

I am doing some testing with a Freeradius server in the lab and the 
setup looks as follows:

[Host] --WiFi--- [AP]---[Wireless Cntrlr]---[AAA/Freeradius server]

Using EAP-TTLS for authentication. 
My wpa_supplicant config file looks like:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
network={
        ssid="mySSID"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonym...@example.com"
        ca_cert="/home/testuser/Downloads/ca.pem"
        phase2="autheap=PAP"
        identity="daniel"
        password="daniel"
}

The RADIUS server gets the Access-Request and then tries to proxy it
to example.com. I don't want the request or authentication to be proxied
elsewhere. The authentication needs to happen on the local RADIUS server
itself. What am I missing in the config?

The server and client certs are all there in /etc/raddb/certs directory.

Below is a snippet of the logs that I am seeing on the RADIUS server:

Tue Feb 26 17:29:43 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.8 port 34438, id=117, length=234
        User-Name = anonym...@example.com
        Calling-Station-Id = 00-03-7F-10-51-82
        NAS-IP-Address = 192.168.0.8
        NAS-Port = 34
        Called-Station-Id = 8C-0C-90-15-D1-9C:mySSID
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = 8C-0C-90-15-D1-9C
        Connect-Info = CONNECT 802.11a/n
        EAP-Message = 0x0201001a01616e6f6e796d6f7573406578616d706c652e636f6d
        Vendor-25053-Attr-3 = 0x5275636b7573576972656c65737332
        Message-Authenticator = 0xfdf3d6097b64d1237a34e27dd120bfec
Tue Feb 26 17:29:43 2013 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Tue Feb 26 17:29:43 2013 : Info: +- entering group authorize {...}
Tue Feb 26 17:29:43 2013 : Info: ++[preprocess] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[chap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[mschap] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[digest] returns noop
Tue Feb 26 17:29:43 2013 : Info: [suffix] Looking up realm example.com for User-Name = anonym...@example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Found realm example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Stripped-User-Name = anonymous
Tue Feb 26 17:29:43 2013 : Info: [suffix] Adding Realm = example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Proxying request from user anonymous to realm example.com
Tue Feb 26 17:29:43 2013 : Info: [suffix] Preparing to proxy authentication request to realm example.com
Tue Feb 26 17:29:43 2013 : Info: ++[suffix] returns updated
Tue Feb 26 17:29:43 2013 : Info: [eap] Request is supposed to be proxied to Realm example.com.  Not doing EAP.
Tue Feb 26 17:29:43 2013 : Info: ++[eap] returns noop
Tue Feb 26 17:29:43 2013 : Info: [files] users: Matched entry anonymous at line 207
Tue Feb 26 17:29:43 2013 : Info: ++[files] returns ok
Tue Feb 26 17:29:43 2013 : Info: ++[expiration] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[logintime] returns noop
Tue Feb 26 17:29:43 2013 : Info: ++[pap] returns noop
Tue Feb 26 17:29:43 2013 : Info:   WARNING: Empty pre-proxy section.  Using default return values.


Any help appreciated.

-BPa

Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 14:46, bpa...@ovi.com wrote:



The RADIUS server gets the Access-Request and then tries to proxy it
to example.com. I don't want the request or authentication to be proxied
elsewhere. The authentication needs to happen on the local RADIUS server
itself. What am I missing in the config?


If you don't want to proxy the request, don't configure the server to proxy.

In your case, you should remove the suffix module from authorize 
and/or remove the example.com realm from proxy.conf.



Re: Proxy configuration question

2013-02-27 Thread bpatil
Thanks Phil.
Just a quick add-on question.

In radiusd.conf there is:


#  To disable proxying, change the yes to no, and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

Would switching off proxy, be sufficient? Or will I end up with other issues?

-BPa




 From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org 
Sent: Wednesday, February 27, 2013 9:10 AM
Subject: Re: Proxy configuration question
 
On 27/02/13 14:46, bpa...@ovi.com wrote:


 The RADIUS server gets the Access-Request and then tries to proxy it
 to example.com. I don't want the request or authentication to be proxied
 elsewhere. The authentication needs to happen on the local RADIUS server
 itself. What am I missing in the config?

If you don't want to proxy the request, don't configure the server to proxy.

In your case, you should remove the suffix module from authorize 
and/or remove the example.com realm from proxy.conf.



Re: Proxy configuration question

2013-02-27 Thread Phil Mayers

On 27/02/13 17:23, bpa...@ovi.com wrote:

Thanks Phil.
Just a quick add-on question.

In radiusd.conf there is:

#  To disable proxying, change the yes to no, and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE proxy.conf

Would switching off proxy, be sufficient? Or will I end up with other
issues?


TBH I can't remember the various effects. Try it and see.


Re: Config question: substitute another attribute for username

2013-02-19 Thread Alan DeKok
Adam Moffett wrote:
 What I'd like to do is actually ignore the username and password they're
 sending and instead match a vendor specific attribute called
 DAN-CPE-MAC-ADDRESS.

  Sure.  Edit the files configuration, and change the key field to
DAN-CPE-MAC-ADDRESS.

  Then, use the MAC address as the key in the users file:

0a:0b:0c:0d:0e:0f   Foo-Bar = Baz
        Reply-Message = "wow"

  Alan DeKok.


Config question: substitute another attribute for username

2013-02-19 Thread Adam Moffett
I have a wireless system that can talk to RADIUS to control access for 
the wireless stations.  The AP is a NAS and the stations can be 
programmed with a username and password.  The idea is you reply with 
VSA's that set up QoS policies for the clients.  This is all working 
fine and dandy.


What I'd like to do is actually ignore the username and password they're 
sending and instead match a vendor specific attribute called 
DAN-CPE-MAC-ADDRESS.


Alternately, they all come with a default username set in them. Will 
there be any harm if I make multiple users with the same name?


cpe1 DAN-CPE-MAC-ADDRESS := 0a:0b:0c:0d:0e:0f

cpe1 DAN-CPE-MAC-ADDRESS := 01:02:03:04:05:06

etc etc.


Re: Config question: substitute another attribute for username

2013-02-19 Thread Adam Moffett

   Sure.  Edit the files configuration, and change the key field to
DAN-CPE-MAC-ADDRESS.

Awesome.




Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Walter Goulet
Hi,

I'm looking for some input from the experts to help validate a solution
approach that I've come up with. The problem I'm trying to solve is to
allow NAS equipment and other RADIUS clients to authenticate users against
a proprietary authentication service that uses REST APIs over HTTP.

The solution that I've put together is to use rlm_perl which allows me to
use standard Perl modules to interact with the authentication service. I'm
pretty happy with the results so far in that I am able to build exactly
what I need and authentication against the webservice works just fine.

The question to the list, are there other solution approaches that might be
better? Any significant disadvantages to using rlm_perl as I've described?
Would it be better to write a custom module instead, hoping that by doing
so there may be some performance improvements?

Any input is greatly appreciated.

Walter Goulet

Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Alan DeKok
Walter Goulet wrote:
 I'm looking for some input from the experts to help validate a solution
 approach that I've come up with. The problem I'm trying to solve is to
 allow NAS equipment and other RADIUS clients to authenticate users
 against a proprietary authentication service that uses REST APIs over HTTP.

  That works... provided that the backend is fast.

 The solution that I've put together is to use rlm_perl which allows me
 to use standard Perl modules to interact with the authentication
 service. I'm pretty happy with the results so far in that I am able to
 build exactly what I need and authentication against the webservice
 works just fine.

  That's the real test: it works.

 The question to the list, are there other solution approaches that might
 be better? Any significant disadvantages to using rlm_perl as I've
 described? Would it be better to write a custom module instead, hoping
 that by doing so there may be some performance improvements?

  In git master there's an rlm_rest module.  That *might* be higher
performance.

  But if it works, don't touch it until there are issues.

  Alan DeKok.


Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread A . L . M . Buxey
Hi,

The question to the list, are there other solution approaches that might
be better? Any significant disadvantages to using rlm_perl as I've
described? Would it be better to write a custom module instead, hoping
that by doing so there may be some performance improvements?

PERL method should be fine...the alternative is the latest HEAD (3.x) pre-release 
code which actually has an rlm_rest module (so no writing of a module to be done!)

alan


Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Walter Goulet
Oh wow; that's even cooler! I'll give that module a shot.

Thanks!


On Sun, Feb 17, 2013 at 4:12 PM, a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 The question to the list, are there other solution approaches that
 might
 be better? Any significant disadvantages to using rlm_perl as I've
 described? Would it be better to write a custom module instead, hoping
 that by doing so there may be some performance improvements?

 PERL method should be fine...the alternative is the latest HEAD (3.x)
 pre-release
 code which actually has an rlm_rest module  (so no writing of a module to
 be done!)

 alan


Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Alexandr Kovalenko
On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet wgou...@gmail.com wrote:
 I'm looking for some input from the experts to help validate a solution
 approach that I've come up with. The problem I'm trying to solve is to
 allow NAS equipment and other RADIUS clients to authenticate users against a
 proprietary authentication service that uses REST APIs over HTTP.

 The solution that I've put together is to use rlm_perl which allows me to
 use standard Perl modules to interact with the authentication service. I'm
 pretty happy with the results so far in that I am able to build exactly what
 I need and authentication against the webservice works just fine.

 The question to the list, are there other solution approaches that might be
 better? Any significant disadvantages to using rlm_perl as I've described?
 Would it be better to write a custom module instead, hoping that by doing so
 there may be some performance improvements?

 Any input is greatly appreciated.

Not exactly your case, but. Here is my story.

I had a need to proxy/convert DHCP requests from equipment (and later
- end user's routers/computers (I worked @ISP)) to RADIUS.

First version was using FreeRADIUS's rlm_perl for handling incoming
DHCP requests and it did work pretty cool, while sometimes it had
problems with duplicated requests, didn't scale well (probably my
fault, but I didn't wish to find this out) and so on, so I analyzed
request patterns, read RFC 2131, and reimplemented DHCP server on pure
perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
client (to connect to closed source commercial billing system) I used
Authen::Radius first (leftover from quick-n-dirty rlm_perl version),
but it didn't work well for me and was not powerful enough, so I used
Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped
down radius client myself.

So, as for your question, besides using rlm_rest (which is devel as of
now, as I understand) you may try writing stripped down RADIUS server
combined with REST client for your auth service.
But for that you either have to reimplement full radius server (which
is not an option, I think), or implement just a subset, which works
only for your specific equipment. It may be an option.

Cheers,

Just my $0.02.

-- 
Alexandr Kovalenko
http://uafug.org.ua/


Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Walter Goulet
Thanks for your input; your descriptions of the limitations you ran into are
helpful. I think I will stick with using rlm_perl for now; I definitely
don't want to tackle writing my own stripped down RADIUS server. If
performance or scale become problems I will investigate other options at
that time.


On Sun, Feb 17, 2013 at 5:35 PM, Alexandr Kovalenko 
alexandr.kovale...@gmail.com wrote:

 On Sun, Feb 17, 2013 at 11:05 PM, Walter Goulet wgou...@gmail.com wrote:
  I'm looking for some input from the experts to help validate a solution
  approach that I've come up with. The problem I'm trying to solve is to
  allow NAS equipment and other RADIUS clients to authenticate users
 against a
  proprietary authentication service that uses REST APIs over HTTP.
 
  The solution that I've put together is to use rlm_perl which allows me to
  use standard Perl modules to interact with the authentication service.
 I'm
  pretty happy with the results so far in that I am able to build exactly
 what
  I need and authentication against the webservice works just fine.
 
  The question to the list, are there other solution approaches that might
 be
  better? Any significant disadvantages to using rlm_perl as I've
 described?
  Would it be better to write a custom module instead, hoping that by
 doing so
  there may be some performance improvements?
 
  Any input is greatly appreciated.

 Not exactly your case, but. Here is my story.

 I had a need to proxy/convert DHCP requests from equipment (and later
 - end user's routers/computers (I worked @ISP)) to RADIUS.

 First version was using FreeRADIUS's rlm_perl for handling incoming
 DHCP requests and it did work pretty cool, while sometimes it had
 problems with duplicated requests, didn't scale well (probably my
 fault, but I didn't wish to find this out) and so on, so I analyzed
 request patterns, read RFC 2131, and reimplemented DHCP server on pure
 perl, without using FreeRADIUS's DHCP feature. As a backend RADIUS
 client (to connect to closed source commercial billing system) I used
 Authen::Radius first (leftover from quick-n-dirty rlm_perl version),
 but it didn't work well for me and was not powerful enough, so I used
 Net::Radius::Packet/Net::Radius::Dictionary and implemented stripped
 down radius client myself.

 So, as for your question, besides using rlm_rest (which is devel as of
 now, as I understand) you may try writing stripped down RADIUS server
 combined with REST client for your auth service.
 But for that you either have to reimplement full radius server (which
 is not an option, I think), or implement just a subset, which works
 only for your specific equipment. It may be an option.

 Cheers,

 Just my $0.02.

 --
 Alexandr Kovalenko
 http://uafug.org.ua/


Re: Design question - proxying RADIUS auth request to a backend webservice

2013-02-17 Thread Arran Cudbard-Bell

On 17 Feb 2013, at 18:38, Walter Goulet wgou...@gmail.com wrote:

 Thanks for your input; your descriptions of the limitations you ran into are 
 helpful. I think I will stick with using rlm_perl for now; I definitely don't 
 want to tackle writing my own stripped down RADIUS server. If performance or 
 scale become problems I will investigate other options at that time.

The only way rlm_rest gets out of development is if people test it and contribute 
to it. I'm willing to put the effort in to extend it and fix any issues if 
people are willing to test it and make suggestions.

-Arran


DHCP question

2013-02-14 Thread David Peterson
I am trying to design a system with full redundancy.  I know I can use
FreeRadius proxy and/or multiple front ends with a MySQL master-master for
the data.  For IP redundancy I can install heartbeat so all of that is fine.
My biggest unknown is DHCP.  How does the new FreeRadius DHCP server store
lease information?  Will the design I am creating allow for DHCP failover
from one machine to the next. 


One design caveat, the DHCP request will be Relay with Option 82 (hence the
need for heartbeat).  Any issues with Option 82 requests?


David


git question

2013-02-14 Thread David Peterson
Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?  

David





Re: DHCP question

2013-02-14 Thread Phil Mayers

On 14/02/13 13:13, David Peterson wrote:

I am trying to design a system with full redundancy.  I know I can use
FreeRadius proxy and/or multiple front ends with a MySQL master-master
for the data.  For IP redundancy I can install heartbeat so all of that
is fine.  My biggest unknown is DHCP.  How does the new FreeRadius DHCP
server store lease information?  Will the design I am creating allow for
DHCP failover from one machine to the next.




It stores leases however you configure it to. Unlike ISC dhcpd, there's 
no built-in lease database. The server comes with examples using the 
sqlippool module.



Re: git question

2013-02-14 Thread Phil Mayers

On 14/02/13 13:26, David Peterson wrote:

Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?


No. v2.x.x is the branch name now.

git clone ...
git checkout v2.x.x


Re: git question

2013-02-14 Thread John Dennis

On 02/14/2013 08:26 AM, David Peterson wrote:

Are we still using git fetch origin v2.1.x:v2.1.x to get v2.2?


$ git branch -r
  origin/HEAD -> origin/master
  origin/master
  origin/v1.1.x
  origin/v2.1.x-apple
  origin/v2.x.x

According to the above there is no v2.1.x branch. BTW, git remote can 
be very useful for setting up your .git/config so you don't have to deal 
with verbose syntax.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread bino
Dear All

I found same problem of old topic posted back in Feb-2012
For ref :
http://lists.freeradius.org/pipermail/freeradius-users/2012-February/058868.html

I think the faulty lines (from debug) is :

-START-
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type sim
   can not initiate sim, no RAND1 attribute
[eap] Default EAP type sim failed in initiate
[eap] Failed in EAP select
-STOP--

Looks like the device didn't send:
RAND1, RAND2, RAND3
SRES1, SRES2, SRES3
KC1, KC2, KC3

Expected by FreeRadius EAP-SIM
Am I right ?
If so, How to fix it ?

Sincerely
-bino-



Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread Alan DeKok
b...@indoakses-online.com wrote:
 I found same problem of old topic posted back in Feb-2012
 For ref :
 http://lists.freeradius.org/pipermail/freeradius-users/2012-February/058868.html
...
 Looks like the device didn't send:
...
 If so, How to fix it ?

  Fix the device.

  You can't fix it by poking FreeRADIUS.

  Alan DeKok.


Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread bino

 ...
 Looks like the device didn't send:
 ...
 If so, How to fix it ?

   Fix the device.

   You can't fix it by poking FreeRADIUS.

   Alan DeKok.

Dear Alan

What I want to know is: is it common for a device to tell the AAA that it uses
EAP-SIM but not send RAND, SRES, and KC?

I'm asking this because Gnubie (back in 2012) and I (now) found the same case.

If it's common, I think it'll be great if FreeRADIUS can adjust to this,
but if it's uncommon, I think I'll need to find a new device.

Sincerely
-bino-



Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread Alan DeKok
b...@indoakses-online.com wrote:
 What I want to know is: is it common for a device to tell the AAA that it uses
 EAP-SIM but not send RAND, SRES, and KC?

  Read RFC 4186.  Those fields are required for EAP-SIM to work.

 If it's common, I think it'll be great if FreeRADIUS can adjust to this,
 but if it's uncommon, I think I'll need to find a new device.

  Some device manufacturers don't bother reading the specifications.
You should ask for your money back.  Or, throw the devices in the garbage.

  If they don't bother to test their device against existing
implementations, they might as well be writing code and shipping it as
soon as it compiles.  They're incompetent, and uncaring.

   Alan DeKok.


Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread bino

   Read RFC 4186.  Those fields are required for EAP-SIM to work.

 If it's common, I think it'll be great if FreeRADIUS can adjust to this,
 but if it's uncommon, I think I'll need to find a new device.

   Some device manufacturers don't bother reading the specifications.
 You should ask for your money back.  Or, throw the devices in the garbage.

Dear Alan and All

My apologies.
I think all the needed data is there.
I just need to use some kind of SIM reader and software like AGSM to find
all the data and put it in my user db.

Just for ref :

++ Page/slide #23 of http://agsm.sourceforge.net/talk/EAP-SIM.ppt
And the screenshot at
http://agsm.sourceforge.net/screenshots/agsm-3gpp-aka.png

I Really appreciate your help
Sincerely
-bino-




Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread Alan DeKok
b...@indoakses-online.com wrote:
 My apologies.
 I think all the needed data is there.

  The EAP-SIM code disagrees with you.

  And since you haven't bothered to read the specifications, or the code,
or to run the server in debugging mode as suggested in the FAQ, web
pages, man page, and daily on this list... you're not thinking correctly.

 I Really appreciate your help

  No, you don't.  I've explained, and you've told me I'm wrong.  This
isn't being appreciative.  This is being argumentative.

  You're so smart that you know more about EAP-SIM than the code, the
specifications, and the people on this list.  You don't need any help to
solve this problem, as you already know all of the answers.

  You're wasting everyone's time by being rude.  Stop it.

  Alan DeKok.


Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread bino
Dear Alan and All
I'm really sorry.
 b...@indoakses-online.com wrote:
 My apologies.
 I think all the needed data is there.

   The EAP-SIM code disagrees with you.

   And since you haven't bothered to read the specifications, or the code,
 or to run the server in debugging mode as suggested in the FAQ, web
 pages, man page, and daily on this list... you're not thinking
 correctly.

Maybe I have to replace 'I think' with 'I guess'.
Yes, I read that RFC before I posted the question.
I also ran the server in debug mode as suggested. I just didn't post my
debug to the list since it's (more or less) the same as the one posted by
gnubie.


 I really appreciate your help

   No, you don't.  I've explained, and you've told me I'm wrong.  This
 isn't being appreciative.  This is being argumentative.

   You're so smart that you know more about EAP-SIM than the code, the
 specifications, and the people on this list.  You don't need any help to
 solve this problem, as you already know all of the answers.

   You're wasting everyone's time by being rude.  Stop it.

I don't know what or how to say this.
I read the specification but I don't understand it, that's why I came to
this list, wishing to get more knowledge.
While waiting response from the list, I keep reading and hunt for more docs.

And Sir,
Could you please help me evaluate my manners by pointing out my rudeness? I
really need it.

It's ok for me if you do it in public, but if you think it'll ruin the
list I'll be more than happy if you send me a private email.

Sincerely
-bino-



Re: Question : EAP-SIM without RANDs, SRESs, KCs ?

2013-01-30 Thread Alan DeKok
  You seem to have a problem understanding me.  I will try one last time to 
explain.  If you keep arguing, you will be unsubscribed, and banned from the 
list.

  FreeRADIUS says that data is missing from EAP-SIM. It needs that data to do 
EAP-SIM.

  If you don't understand that, then you don't understand anything.  If you 
think the data is really there, you're wrong.


  You're being rude by asking a question, and then arguing with the answer. 
You're not a RADIUS expert.  You're not an EAP-SIM expert.   Yet you refuse to 
believe the messages from FreeRADIUS, and you refuse to believe the answers 
I've given you.  You're obsessed with believing messages from shitty software 
that doesn't work.  You're refusing to believe messages from the world's best 
RADIUS server. You're refusing to believe answers from one of the world experts 
in RADIUS.

  You're respecting the author of crappy software more than you're respecting 
me.  That's rude, annoying, and ignorant.  Stop it.

  And don't email me privately.  I've already given you my answers, and they 
won't change in private email.  

  And stop arguing. It will only get you banned. I've had it with people who 
ask questions and argue about the answers. If you're so damned smart, go fix 
the problem yourself. 

  Alan DeKok.



Re: Quick question about RFC 3579 2.6.5

2013-01-26 Thread Olivier Beytrison

On 25.01.2013 12:10, a.l.m.bu...@lboro.ac.uk wrote:

Hi,


Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a
Reply-Message. I understand the point on this based on the RFC.


check RFC 5080 - which updates that RFC.  however, your reply message is
not going on as part of the EAP conversation...you are sending the reply
message to the outer tunnel as part of the reject...not within the inner-tunnel
EAP session...so there shouldn't be any EAP message around (but hey, who knows? 
! ;-) )


Welle there's an EAP-Message in the Access-Reject with code 0x04 for the 
failure ;)



dont worry too much - some RADIUS servers break all the specs with regards to
contents of some packets...at least FreeRADIUS gives you the chance to behave
( I assume you are running the attr filter on access requests to keep the 
contents
legal? ;-) )


Yeah I do filter everything that comes from NAS and from outside of my 
eduroam realm. You can't trust people :p I only allow 
WISPr-Location-Info as this start to be widely used in switzerland when 
user are roaming :)


Olivier

--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
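The exchange above turns on two things a RADIUS operator can check mechanically: RFC 3579 section 2.6.5 forbids a Reply-Message in any packet that carries an EAP-Message (an Access-Reject ending an EAP conversation carries an EAP Failure, so the rule applies there too), and attribute filtering at the edge of a realm is the usual way to keep what a NAS or a roaming partner sends within spec. The following Python is an added example and not code from the thread or from FreeRADIUS: it parses the attribute area of a RADIUS packet, reports the section 2.6.5 conflict (and the Message-Authenticator requirement of RFC 3579 section 3.2 for EAP packets), and applies a simplified, hand-written filter that drops Reply-Message when EAP-Message is present. The sample Access-Reject, its identifier, the zeroed authenticator and the Reply-Message text are constructed for the example; the filter is an illustration, not a model of FreeRADIUS's attr_filter module.

```python
import struct

# RADIUS attribute type numbers from RFC 2865 / RFC 3579
REPLY_MESSAGE = 18
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
ACCESS_REJECT = 3  # RADIUS packet code


def parse_attributes(avp_bytes):
    """Parse the attribute area of a RADIUS packet into (type, value) pairs.

    Each attribute is Type(1) Length(1, includes the 2-byte header) Value.
    Malformed lengths raise ValueError instead of being skipped silently.
    """
    attrs = []
    pos = 0
    while pos < len(avp_bytes):
        if len(avp_bytes) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = avp_bytes[pos], avp_bytes[pos + 1]
        if alen < 2 or pos + alen > len(avp_bytes):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, bytes(avp_bytes[pos + 2:pos + alen])))
        pos += alen
    return attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    return code, ident, data[4:20], parse_attributes(data[20:])


def rfc3579_violations(attrs):
    """Return a list of RFC 3579 problems found in an attribute list."""
    types = [t for t, _ in attrs]
    problems = []
    if EAP_MESSAGE in types and REPLY_MESSAGE in types:
        # RFC 3579 section 2.6.5: Reply-Message MUST NOT accompany EAP-Message
        problems.append("Reply-Message present alongside EAP-Message")
    if EAP_MESSAGE in types and MESSAGE_AUTHENTICATOR not in types:
        # RFC 3579 section 3.2: EAP packets MUST carry Message-Authenticator
        problems.append("EAP-Message without Message-Authenticator")
    return problems


def strip_reply_message_if_eap(attrs):
    """Simplified outbound filter: drop Reply-Message when EAP-Message is present.

    This is a hypothetical illustration of the kind of rule an attribute
    filter enforces, not the behaviour of any particular server module.
    """
    if EAP_MESSAGE not in [t for t, _ in attrs]:
        return list(attrs)
    return [(t, v) for t, v in attrs if t != REPLY_MESSAGE]


def build_packet(code, ident, authenticator, attrs):
    """Serialise a RADIUS packet from its parts (used here to build the sample)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


# Constructed sample: an Access-Reject carrying an EAP Failure (EAP code 4,
# identifier 7, length 4) together with a text Reply-Message, which is the
# combination RFC 3579 section 2.6.5 forbids.
SAMPLE_REJECT = build_packet(
    ACCESS_REJECT, 7, bytes(16),
    [(EAP_MESSAGE, bytes([4, 7, 0, 4])),
     (REPLY_MESSAGE, b"Access denied"),
     (MESSAGE_AUTHENTICATOR, bytes(16))])


def check_sample():
    """Parse the sample, report violations before and after filtering."""
    code, _, _, attrs = parse_packet(SAMPLE_REJECT)
    before = rfc3579_violations(attrs)
    after = rfc3579_violations(strip_reply_message_if_eap(attrs))
    return code, before, after


if __name__ == "__main__":
    print(check_sample())
```

Running it on the constructed reject reports the section 2.6.5 conflict before filtering and nothing after; feeding `parse_attributes` a packet captured with `radiusd -X` or a sniffer gives the same check against real traffic.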


Re: Quick question about RFC 3579 2.6.5

2013-01-26 Thread Alan Buxey
Really? Hmm, the rest of eduroam are using operator-name. Will check about 
prevalence of the wispr attribute

alan



Re: Quick question about RFC 3579 2.6.5

2013-01-26 Thread Olivier Beytrison

On 26.01.2013 18:55, Alan Buxey wrote:
> Really? Hmm, the rest of eduroam are using operator-name. Will check
> about prevalence of the wispr attribute

Well yeah this would make more sense indeed. The use of WISPr is slowly 
growing, but I might push the use of operator-name as it seems indeed 
better suited.


Thanks for the information!

Olivier

--
 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: Quick question about RFC 3579 2.6.5

2013-01-25 Thread A . L . M . Buxey
Hi,

> Well, RFC 3579 2.6.5 says : If EAP-Message, then there MUST not be a
> Reply-Message. I understand the point on this based on the RFC.

check RFC 5080 - which updates that RFC.  however, your reply message is
not going on as part of the EAP conversation...you are sending the reply
message to the outer-tunnel as part of the reject...not within the inner-tunnel
EAP session...so there shouldn't be any EAP message around (but hey, who knows? 
! ;-) )

just run in debug mode  (radiusd -X) and check/see what packets and contents 
you are sending 
 

don't worry too much - some RADIUS servers break all the specs with regards to
contents of some packets...at least FreeRADIUS gives you the chance to behave
( I assume you are running the attr filter on access requests to keep the 
contents legal? ;-) )

alan 