Re: Basic question to authenticate switches and Linux boxes

2013-05-16 Thread Alan DeKok
Roberto Carna wrote:
> Dear, sorry for my confusion... I need to do the following:
>
> 1) Authenticate and authorize users accessing switches through TELNET
> and/or HTTP
> 2) Authenticate and authorize users accessing Linux servers through SSH

  You're about 2 steps removed from RADIUS.

  First, find out how those systems use RADIUS.

  Then look at the RADIUS pieces.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
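As an added example, not taken from any post in this thread: the two halves of the libpam-radius-auth setup Matt suggested for SSH logins on a Debian box, which is the "find out how those systems use RADIUS" step for the Linux side (the switches use their own built-in RADIUS client, configured on the switch itself, and are not shown). The addresses 192.0.2.1 (server) and 192.0.2.50 (Linux box) and the shared secret are placeholders.

```conf
# Added example, not from the thread. On the Linux box, sshd hands the
# password to PAM (sshd_config needs "UsePAM yes"), and pam_radius_auth.so
# forwards it to the RADIUS server; the server must list the box as a
# client with the same shared secret. Addresses and secrets are placeholders.

# --- on the FreeRADIUS server: raddb/clients.conf
client 192.0.2.50 {
    secret    = "placeholder-shared-secret"   # must match pam_radius_auth.conf
    shortname = debian-box
}

# --- on the Linux box: /etc/pam_radius_auth.conf (owned by root, mode 0600:
# it holds the shared secret in clear text)
# server[:port]   shared_secret               timeout (seconds)
192.0.2.1         placeholder-shared-secret   3

# --- on the Linux box: /etc/pam.d/sshd, the "auth" lines
# "sufficient": an Access-Accept completes authentication; a reject or an
# unreachable server falls through to the local password check on the next
# line. Use "required" instead if RADIUS is to be the only way in.
# PAM only authenticates: the account must still exist locally (or via NSS)
# for sshd to log the user in.
auth  sufficient  pam_radius_auth.so
auth  required    pam_unix.so try_first_pass
```

With this in place, `radiusd -X` on the server shows an Access-Request from 192.0.2.50 for each SSH login; if nothing arrives, the client block or the shared secret is the first thing to check, since a packet from an unknown client or with a wrong secret is dropped before any module runs.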


Re: Basic question to authenticate switches and Linux boxes

2013-05-15 Thread Roberto Carna
Dear, sorry for my confusion... I need to do the following:

1) Authenticate and authorize users accessing switches through TELNET and/or
HTTP
2) Authenticate and authorize users accessing Linux servers through SSH

Thanks again.

Roberto


2013/5/9 Edvin Seferovic | Kolpinghaus St. Pölten edvin.sefero...@kolp.at


  You need to rephrase your question. Do you want to:

 a.) authenticate and authorize users accessing the console of your switch?
 b.) authenticate a machine/user connected to a port of a switch (MAC auth
 or 802.1x)
 c.) Linux boxes are machines... see B
 d.) authenticate users accessing the boxes...

 Regards,
 E:S


 On 09.05.2013 21:38, Roberto Carna wrote:

 Dear Matt, my second question is:

  If I have to authenticate Linux boxes and switches against Freeradius,
 do I have to use libpam-radius-auth for both devices or what ???

  Thanks again,

  Roberto


 2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu

 On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
  Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
  authenticate Allied switches and Debian/Centos boxes.
 
  What package/module do I have to install in addition to freeradius ???

  For the Debian clients you might want:

 libpam-radius-auth

 You can use apt-cache to search for things:

 % apt-cache search radius pam
 freeradius - high-performance and highly configurable RADIUS server
 libpam-radius-auth - The PAM RADIUS authentication module
 yardradius - YARD Radius Authorization and Accounting Server

 And
  what authentication procedure do I have to use in order to let
 universal AAA
  ???

  I don't understand this question.

 -mz









Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Roberto Carna
Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, do I
have to use libpam-radius-auth for both devices or what ???

Thanks again,

Roberto


2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu

 On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com
 wrote:
  Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
  authenticate Allied switches and Debian/Centos boxes.
 
  What package/module do I have to install in addition to freeradius ???

 For the Debian clients you might want:

 libpam-radius-auth

 You can use apt-cache to search for things:

 % apt-cache search radius pam
 freeradius - high-performance and highly configurable RADIUS server
 libpam-radius-auth - The PAM RADIUS authentication module
 yardradius - YARD Radius Authorization and Accounting Server

 And
  what authentication procedure do I have to use in order to let universal
 AAA
  ???

 I don't understand this question.

 -mz


Re: Basic question to authenticate switches and Linux boxes

2013-05-09 Thread Edvin Seferovic | Kolpinghaus St. Pölten

You need to rephrase your question. Do you want to:

a.) authenticate and authorize users accessing the console of your switch?
b.) authenticate a machine/user connected to a port of a switch (MAC
auth or 802.1x)

c.) Linux boxes are machines... see B
d.) authenticate users accessing the boxes...

Regards,
E:S

On 09.05.2013 21:38, Roberto Carna wrote:

Dear Matt, my second question is:

If I have to authenticate Linux boxes and switches against Freeradius, 
do I have to use libpam-radius-auth for both devices or what ???


Thanks again,

Roberto


2013/5/8 Matt Zagrabelny mzagr...@d.umn.edu mailto:mzagr...@d.umn.edu

On Wed, May 8, 2013 at 3:26 PM, Roberto Carna
robertocarn...@gmail.com mailto:robertocarn...@gmail.com wrote:
 Dear, I'm new at Freeradius as an AAA server in a Linux box and I
need to
 authenticate Allied switches and Debian/Centos boxes.

 What package/module do I have to install in addition to
freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
 what authentication procedure do I have to use in order to let
universal AAA
 ???

I don't understand this question.

-mz







Re: Basic question to authenticate switches and Linux boxes

2013-05-08 Thread Matt Zagrabelny
On Wed, May 8, 2013 at 3:26 PM, Roberto Carna robertocarn...@gmail.com wrote:
> Dear, I'm new at Freeradius as an AAA server in a Linux box and I need to
> authenticate Allied switches and Debian/Centos boxes.
>
> What package/module do I have to install in addition to freeradius ???

For the Debian clients you might want:

libpam-radius-auth

You can use apt-cache to search for things:

% apt-cache search radius pam
freeradius - high-performance and highly configurable RADIUS server
libpam-radius-auth - The PAM RADIUS authentication module
yardradius - YARD Radius Authorization and Accounting Server

And
> what authentication procedure do I have to use in order to let universal AAA
> ???

I don't understand this question.

-mz


Re: Basic freeradius set up problem [SOLVED]

2012-07-13 Thread Mik J


  Hello Alan,
 
  Thank you for your answer.
  I may have not understood what you wrote.
  I replaced in /etc/raddb/sql/mysql/dialup.conf
 
  sql_user_name = '%{Stripped-User-Name}'
  by
  sql_user_name = '%{User-Name}'

 
 Hello lsclrstd,
 I have created a second user testuser2 with the password in 
 'Cleartext-Password'

Hello everyone,
I finally solved my problem. My dialup.conf was empty with the exception of the 
statement I added. And dialup.conf is supposed to have some sql queries inside.
For the test to work, the password should be 'Password' and not 
'Cleartext-Password'
Thank you to those who helped



Re: Basic freeradius set up problem [SOLVED]

2012-07-13 Thread Alan DeKok
Mik J wrote:
> I finally solved my problem. My dialup.conf was empty with the exception of
> the statement I added. And dialup.conf is supposed to have some sql queries
> inside.
> For the test to work, the password should be 'Password' and not
> 'Cleartext-Password'

  NO.  ABSOLUTELY NOT.

  Please stop giving erroneous advice.  The advice to use Password or
User-Password has been INVALID for about 7 years.  It's time that
people learn.

  If you have the password in a database, it's Cleartext-Password,
ALWAYS.  Anything else is WRONG.

  Alan DeKok.


Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

> [sql]   expand: %{Stripped-User-Name} -
> [sql] sql_set_user escaped user -- ''
> rlm_sql (sql): Reserving sql socket id: 3
> [sql]   expand:  -
> [sql] Error generating query; rejecting user
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns fail

Stripped-User-Name not populated - so a blank expansion. Do you need
Stripped-User-Name? If not, just use User-Name.

alan


Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
>> [sql]   expand: %{Stripped-User-Name} -
>>
>> [sql] sql_set_user escaped user -- ''
>> rlm_sql (sql): Reserving sql socket id: 3
>> [sql]   expand:  -
>> [sql] Error generating query; rejecting user
>> rlm_sql (sql): Released sql socket id: 3
>> ++[sql] returns fail
>
> Stripped-User-Name not populated - so a blank expansion. do you need
> stripped-user-name?  - just use User-Name if not


Hello Alan,

Thank you for your answer.
I may have not understood what you wrote.
I replaced in /etc/raddb/sql/mysql/dialup.conf

sql_user_name = '%{Stripped-User-Name}'
by
sql_user_name = '%{User-Name}'

But my authentication is still rejected

[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]   expand: %{User-Name} - testuser
[sql] sql_set_user escaped user -- 'testuser'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand:  -
[sql] Error generating query; rejecting user
rlm_sql (sql): Released sql socket id: 4
++[sql] returns fail
Invalid user: [testuser] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

I would like to have simple logins such as testuser and not testuser@somedomain



Re: Basic freeradius set up problem

2012-07-11 Thread Mik J
   [sql]   expand: %{Stripped-User-Name} -

 
   [sql] sql_set_user escaped user -- ''
   rlm_sql (sql): Reserving sql socket id: 3
   [sql]   expand:  -
   [sql] Error generating query; rejecting user
   rlm_sql (sql): Released sql socket id: 3
   ++[sql] returns fail
 
  Stripped-User-Name not populated - so a blank expansion. do you need
  stripped-user-name?  - just use User-Name if not 
 
 
 Hello Alan,
 
 Thank you for your answer.
 I may have not understood what you wrote.
 I replaced in /etc/raddb/sql/mysql/dialup.conf
 
 sql_user_name = '%{Stripped-User-Name}'
 by
 sql_user_name = '%{User-Name}'
 
 But my authentication is still rejected
 
 [suffix] No '@' in User-Name = testuser, looking up realm 
 NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[files] returns noop
 [sql]   expand: %{User-Name} - testuser
 [sql] sql_set_user escaped user -- 'testuser'
 rlm_sql (sql): Reserving sql socket id: 4
 [sql]   expand:  -
 [sql] Error generating query; rejecting user
 rlm_sql (sql): Released sql socket id: 4
 ++[sql] returns fail
 Invalid user: [testuser] (from client localhost port 1812)
 Using Post-Auth-Type Reject
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - testuser
 attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 
 I would like to have simple logins such as testuser and not 
 testuser@somedomain


Hello lsclrstd,
I have created a second user testuser2 with the password in 'Cleartext-Password'
It doesn't work either. I have enabled the logs in Mysql, but I don't see any
sql request that has been made.
I think there's a way to enable additional logs with freeradius and see what
queries are sent to the mysql server. Does anyone know how to do that?
I'll search more.
Thank you



Re: Basic freeradius set up problem

2012-07-11 Thread alan buxey
Hi,

> [sql]   expand: %{User-Name} - testuser
> [sql] sql_set_user escaped user -- 'testuser'
> rlm_sql (sql): Reserving sql socket id: 4
> [sql]   expand:  -
> [sql] Error generating query; rejecting user

seems fair enough - there is no expansion for the query - so I would
now check your sql.conf and dialup file to verify that the query
for authentication/authorization is sane and correct (I've deleted your
previous email where you gave more details)

alan
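As an added example for this thread (my own, not a post from the list and not the FreeRADIUS project's shipped files verbatim): the rlm_sql pieces of a FreeRADIUS 2.x setup that turn the empty "[sql]   expand:  -" seen in the debug output into a real radcheck lookup, keyed on User-Name as alan buxey suggested and returning the password as Cleartext-Password as Alan DeKok insists. It also enables the query trace Mik asked about. Table and column names are the stock 2.x MySQL schema; the database credentials and the user's password are placeholders.

```conf
# Added example, not from the thread. FreeRADIUS 2.x rlm_sql configuration
# that produces a non-empty authorize query and reads Cleartext-Password
# from radcheck. Database login and passwords are placeholders.

# --- raddb/sql.conf
sql {
    database  = "mysql"
    driver    = "rlm_sql_${database}"
    server    = "localhost"
    login     = "radius"
    password  = "placeholder-db-password"
    radius_db = "radius"

    authcheck_table  = "radcheck"
    authreply_table  = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table  = "radusergroup"

    # A plain login such as "testuser" carries no realm, so Stripped-User-Name
    # is never set and "%{Stripped-User-Name}" expands to ''. Key on User-Name.
    sql_user_name = "%{User-Name}"

    # Write every query the module issues to a file (radiusd -X prints
    # them too); this is the "additional logs" Mik was looking for.
    sqltrace     = yes
    sqltracefile = ${logdir}/sqltrace.sql

    # The queries live in this file. If it is empty, authorize_check_query is
    # empty too, which is exactly what "[sql]   expand:  -" followed by
    # "Error generating query; rejecting user" is complaining about.
    $INCLUDE sql/${database}/dialup.conf
}

# --- raddb/sql/mysql/dialup.conf (the stock 2.x check query; a trailing "\"
# continues the quoted string onto the next line)
authorize_check_query = "SELECT id, username, attribute, value, op \
    FROM ${authcheck_table} \
    WHERE username = '%{SQL-User-Name}' \
    ORDER BY id"

# --- the row that query must find (shown as SQL, for reference only):
#   INSERT INTO radcheck (username, attribute, op, value)
#   VALUES ('testuser', 'Cleartext-Password', ':=', 'placeholder-password');
# The attribute name is Cleartext-Password. Rows named "Password" or
# "User-Password" are the mistake Alan DeKok's reply is about: 2.x wants the
# known-good password as Cleartext-Password (or a hashed form such as
# NT-Password) so that every authentication method can use it.
```

With a populated dialup.conf, the debug output for testuser changes from the empty expansion to the SELECT against radcheck, and `sqltrace.sql` records the same statement, which is the quickest way to confirm that the server is actually talking to MySQL before looking at the row contents.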


Re: Basic wifi config

2010-05-05 Thread Alan DeKok
Philippe Schwarz wrote:
> Ok, but it's only useless; I can keep it that way, right?

  useless means confusing, unnecessary, and extra work.

  You should delete it.

> .. Failed to authenticate the user.
>   You didn't specify a password for the user.
> Oh! I should have read more carefully..
> I thought I'd have a popup for login, pass later..

  Er... no.  The *RADIUS* server doesn't know the correct password, so
it can't authenticate the user.

> OK, but my users are stored in a LDAP/samba Backend; I'll give it a try
> soon.

  Take it one simple step at a time.  Trying to configure everything all
at once is a recipe for disaster.

> BTW, the password is one-way encrypted, and I tried
>
>  echo -n 'user::Password' | md5
>
> and pasted the md5 into the users file, and it did not work..

  sigh  I did stuff not recommended anywhere and it broke.

  Don't do that.

> Maybe the null realm is the problem.

  No.  See the FAQ for an example of how to add a password.

  Alan DeKok.


Re: Basic wifi config

2010-05-04 Thread Alan DeKok
Philippe Schwarz wrote:
> I set up the following config, tried to follow the advice of the freeradius
> website (don't touch anything you could break in the raddb directory ;-) )

  That's good.

> The config (in french, sorry) I used:
> http://www.openbsd-edu.net/index.php/FreeRadius

  Hmm.. that doesn't look all correct.  The certificate stuff isn't
necessary in 2.1.3.

> When I try to use the Wifi, radiusd -X tells:
>
> ...I pasted the logs to http://networkradius.com/freeradius.html
>  and only copied the neither white nor blue parts:
>
>
> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
> Cancelling invalid proxy request.
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.

  You didn't specify a password for the user.

> What is the missing magic command which could help me ??

  Specify a password, as suggested in:

Les fichiers importants
users

  on the OpenBSD page you used.

  Alan DeKok.


Re: Basic wifi config

2010-05-04 Thread Philippe Schwarz
On 04/05/2010 19:05, Alan DeKok wrote:
 Philippe Schwarz wrote:
 The config (in french, sorry) i used :
 http://www.openbsd-edu.net/index.php/FreeRadius
 
   Hmm.. that doesn't look all correct.  The certificate stuff isn't
 necessary in 2.1.3.
Ok, but it's only useless; I can keep it that way, right?
 
.. Failed to authenticate the user.
 
   You didn't specify a password for the user.
Oh! I should have read more carefully..
I thought I'd have a popup for login, pass later..

 
 What is the missing magic command which could help me ??
 
   Specify a password, as suggested in:
 
 Les fichiers importants
 users
OK, but my users are stored in a LDAP/samba Backend; I'll give it a try
soon.
BTW, the password is one-way encrypted, and I tried

 echo -n 'user::Password' | md5

and pasted the md5 into the users file, and it did not work..
Maybe the null realm is the problem.



Thanks.

-- 
Lycée polyvalent Alfred Nobel, Clichy sous Bois
http://www.lyceenobel.org



Re: BASIC question, but still having conceptual issues

2009-08-29 Thread Alan DeKok
Gary Gatten wrote:
> I have several different types of clients/NASes that will be using FR
> as the Front End to perform AAA - mostly Authentication, but the Author
> and Acct are close behind.

  Use virtual servers.  See raddb/sites-available/README

> Anyway, each of these clients needs to perform slightly different backend
> queries to determine if Authenticate should pass or fail:

> So, how do I go about this?

  Configure completely different virtual servers, even if the contents
of those servers are mostly the same.

  This lets you work like each type of NAS has its own RADIUS server,
with its own policies.

> I'm currently using NTLM_Auth and that's
> all working fine, I'm just not sure how to say in FR config: if request
> of type 1, run this NTLM_Auth command and check for this group; If
> request of type 2 run this other NTLM_Auth command and check for this
> other group.

  You'll also need to configure different instances of the MSCHAP
module, too.

  Alan DeKok.



Re: BASIC question, but still having conceptual issues

2009-08-29 Thread Gary Gatten
Seems like with FR this can be accomplished numerous ways.  The virtual server
sounds like what I'm looking for, I'll read up on it.

Thanks!

Gary


- Original Message -
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sat Aug 29 04:02:03 2009
Subject: Re: BASIC question, but still having conceptual issues

Gary Gatten wrote:
 I have several different types of clients/NASes that will be using FR
 as the Front End to perform AAA - mostly Authentication, but the Author
 and Acct are close behind.

  Use virtual servers.  See raddb/sites-available/README

 Anyway, each of these clients need to perform slightly different backend
 queries to determine if Authenticate should pass or fail:

 So, how do I go about this?

  Configure completely different virtual servers, even if the contents
of those servers are mostly the same.

  This lets you work like each type of NAS has its own RADIUS server,
with its own policies.

  I'm currently using NTLM_Auth and that's
 all working fine, I'm just not sure how to say in FR config: if request
 of type 1, run this NTLM_Auth command and check for this group; If
 request of type 2 run this other NTLM_Auth command and check for this
 other group.

  You'll also need to configure different instances of the MSCHAP
module, too.

  Alan DeKok.








RE: BASIC question, but still having conceptual issues

2009-08-26 Thread Gary Gatten
$hit - I just remembered.

Eventually the Type 1 devices, specifically network switches, will be
doing two different types of auth: vty access for admins only and 802.1x
auth for all users!  So, I can't process simply on NAS IP alone.  I'm
assuming there will be some diffs in the request packets sent to FR for
vty, dot1x, etc. - but haven't got that far yet.

I know when I get this figured out it will be SO simple and I'll feel
like even a bigger dumb-a$$ than I do already, but at least I'll be a
less busy dumb-a$$! :)

TIA

Gary


-Original Message-
From: Gary Gatten 
Sent: Wednesday, August 26, 2009 3:58 PM
To: 'FreeRadius users mailing list'
Subject: BASIC question, but still having conceptual issues

Sorry again for the BASIC question!  I *occasionally* slam people on
other lists for being, well, basically helpless - and here I am
asking what I think is a really stupid question!  Humble pie anyone?

Let me take a sec to thank the development team for a very flexible
product!  Seems you can do pretty much anything you'd ever need to!  Did
Ci$co steal your code for ACS 5.0? :) Once I familiarize myself with
the ins and outs I hope to contribute to the community where I can,
probably with docs, use cases, examples, etc.

Now my current issue.  I have read a lot of doc (some 3 and 4 times) and
am close to getting my head around how FR works and the various process
flow, however, I still can't determine the best way to address this
problem:

I have several different types of clients/NASes that will be using FR
as the Front End to perform AAA - mostly Authentication, but the Author
and Acct are close behind.

Anyway, each of these clients needs to perform slightly different backend
queries to determine if Authenticate should pass or fail:

Type 1: Networking Hardware Management Access (VTY)
- Routers, switches, VPN concentrators, firewalls, etc.
- Auth pass if creds are good AND user is member of NetEng group
in AD; else fail

Type 2: IPSec VPN Access
- RAS to HQ via IPSec (Ci$c0 ASA at HQ)
- Several profiles/groups will exist on ASA with different
properties:
- NetEng, SysAdmins, Basic Users, etc.
- Auth pass if creds are good AND user is member of RAS group
in AD

Type 3 ... etc.


So, how do I go about this?  I'm currently using NTLM_Auth and that's
all working fine, I'm just not sure how to say in FR config: if request
of type 1, run this NTLM_Auth command and check for this group; If
request of type 2 run this other NTLM_Auth command and check for this
other group.

Would this be something in the huntgroup file?

TIA for replies - back to more reading and trials for me!

Gary










RE: BASIC question, but still having conceptual issues

2009-08-26 Thread Ivan Kalik
> Eventually the Type 1 devices, specifically network switches, will be
> doing two different types of auth: vty access for admins only and 802.1x
> auth for all users!  So, I can't process simply on NAS IP alone.  I'm
> assuming there will be some diffs in the request packets sent to FR for
> vty, dot1x, etc. - but haven't got that far yet.
>
> I know when I get this figured out it will be SO simple and I'll feel
> like even a bigger dumb-a$$ than I do already, but at least I'll be a
> less busy dumb-a$$! :)

Service-Type. Type 1 will be NAS-Prompt-User or Administrative-User. 2
should be Framed-User just as 802.1x but NAS-Port-Type will tell you if it
is wireless. Construct unlang if statement filters using Service-Type and
Ldap-Group (AD group).

Ivan Kalik
Kalik Informatika ISP

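As an added example (my own, not a post from this thread and not the FreeRADIUS project's stock configuration): Alan DeKok's virtual-server-per-NAS-type layout combined with Ivan Kalik's Service-Type and Ldap-Group filters, in FreeRADIUS 2.x syntax. It assumes an rlm_ldap instance pointed at AD so that Ldap-Group comparisons work, Samba's ntlm_auth on the server, NASes that send MS-CHAP (the 2.x mschap module with ntlm_auth covers MS-CHAPv1/v2; a PAP-only NAS would need the separate exec-based ntlm_auth module instead), and that the switch and the ASA reach the server as 192.0.2.10 and 192.0.2.20. Those addresses, the secrets, and the server and module instance names are placeholders; the AD groups NetEng and RAS are the ones named in Gary's question.

```conf
# Added example, not from the thread. FreeRADIUS 2.x: one virtual server per
# NAS type, Service-Type to tell vty logins from 802.1X on the same switch,
# Ldap-Group as the authorization gate, and one mschap instance per type so
# that ntlm_auth enforces the matching AD group. Addresses, secrets and
# instance names are placeholders.

# --- raddb/clients.conf: steer each NAS to its own policy
client 192.0.2.10 {
    secret         = "placeholder-switch-secret"
    shortname      = core-switch
    virtual_server = network-gear
}
client 192.0.2.20 {
    secret         = "placeholder-asa-secret"
    shortname      = hq-asa
    virtual_server = ipsec-vpn
}

# --- raddb/modules/mschap_neteng and raddb/modules/mschap_ras: two instances
# of the same module, differing only in the group ntlm_auth is told to
# require (Samba's --require-membership-of takes a group name or SID; your
# setup may need a DOMAIN\ prefix or the SID instead of the bare name).
mschap mschap_neteng {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
        --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} \
        --challenge=%{mschap:Challenge:-00} \
        --nt-response=%{mschap:NT-Response:-00} \
        --require-membership-of=NetEng"
}
mschap mschap_ras {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key \
        --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} \
        --challenge=%{mschap:Challenge:-00} \
        --nt-response=%{mschap:NT-Response:-00} \
        --require-membership-of=RAS"
}

# --- raddb/sites-enabled/network-gear: the same switch sends both vty logins
# and 802.1X, so the NAS address alone cannot separate them; Service-Type can.
server network-gear {
    authorize {
        preprocess
        if (Service-Type == NAS-Prompt-User || Service-Type == Administrative-User) {
            # management access: Ldap-Group rejects non-admins before any
            # credential is checked; ntlm_auth enforces the group again later
            if (Ldap-Group == "NetEng") {
                mschap_neteng
            }
            else {
                reject
            }
        }
        elsif (Service-Type == Framed-User) {
            # 802.1X from the same switch: any valid account, handled by EAP
            eap
        }
        else {
            reject
        }
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_neteng
        }
        eap
    }
}

# --- raddb/sites-enabled/ipsec-vpn: the ASA only ever sends VPN logins
server ipsec-vpn {
    authorize {
        preprocess
        if (Ldap-Group == "RAS") {
            mschap_ras
        }
        else {
            reject
        }
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap_ras
        }
    }
}
```

Run `radiusd -X` after adding these and confirm that a vty login from the switch lands in the network-gear server and takes the NAS-Prompt-User branch, while an 802.1X request from the same switch takes the Framed-User branch. PEAP's inner MS-CHAPv2 still runs in the stock inner-tunnel server, which is untouched here; a third NAS type is another client block plus another server block of the same shape.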


Re: Basic question on rlm_perl

2008-12-18 Thread A . L . M . Buxey
Hi,

 
> I have put perl as a module in my radiusd.conf file.
>
> I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other
> rlm_*.so files are located.
>
> What am I missing?

have you edited experimental.conf to enable PERL and have
you included this file in the radiusd.conf or sites-enabled/*
files?

alan


Re: Basic question on rlm_perl

2008-12-18 Thread Boian Jordanov

On Dec 17, 2008, at 11:54 PM, al pat wrote:


I am trying to use the perl module, but I can't start my server.

I have put perl as a module in my radiusd.conf file.

I don't find the rlm_perl*.so file in /usr/local/lib/ where all the
other rlm_*.so files are located.


What am I missing?



Maybe you are missing development files for perl. Install them and  
then rebuild your freeradius.


Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: Basic question on rlm_perl

2008-12-18 Thread al pat
Hi -
Thanks for the replies. I put libperl-dev and that worked.

Rgds
-a

On Thu, Dec 18, 2008 at 4:42 AM, Boian Jordanov bjorda...@orbitel.bgwrote:

 On Dec 17, 2008, at 11:54 PM, al pat wrote:

 I am trying to use the perl module, but I can't start my server.

 I have put perl as a module in my radiusd.conf file.

 I don't find the rlm_perl*.so file in /usr/local/lib/ where all the other
 rlm_*.so files are located.

 What am I missing?


 Maybe you are missing development files for perl. Install them and then
 rebuild your freeradius.

 Best Regards,
 Boian Jordanov
 SNE
 Orbitel - Next Generation Telecom
 tel. +359 2 4004 723
 tel. +359 2 4004 002



Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Alan DeKok
Doc. Caliban wrote:
> All of our public workstations are on this interface so the machines are
> verified at the proxy.  Now I just need to get the RADIUS piece in place
> to validate the users.  IPCop can require RADIUS authentication on top
> of the MAC filter.

  So... how does it do that?  EAP?  Then you configure the clients to do
EAP.  If it has a captive web page, then that's how the clients
authenticate.

  Almost all of the RADIUS magic is in the NAS or AP.  It controls
much of the access process.  The RADIUS server just tells it yes/no for
particular users.

  Alan DeKok.


Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:


 [EMAIL PROTECTED]

 IPCop is actually pretty good for this as it uses one of its
 interfaces for wireless access based on granting each node specific
 access by MAC, but it can be any network node, it doesn't have to be a
 wireless device.


 All of our public workstations are on this interface so the machines are
 verified at the proxy.  Now I just need to get the RADIUS piece in place to
 validate the users.  IPCop can require RADIUS authentication on top of the
 MAC filter.   It sounds good on paper, I just need to find the easiest way
 possible for my users to deal with the RADIUS piece of the model.


Alternatively you could install the copspot plugin on ipcop (
http://www.ban-solms.de/t/IPCop-copspot.html )
It implements chillispot and gives you a captive portal which can talk to
your radius for AAA.

Kind regards
Yves

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

 Alan DeKok wrote:

Doc. Caliban wrote:
  

All of our public workstations are on this interface so the machines are
verified at the proxy.



  So... how does it do that?

IPCop, the network router, is the NAS in this case.

It has 3 interfaces, the WAN, LAN, and WiFi Access.  (Known in IPCop as 
Red, Green, and Blue.)  A fourth interface (Orange) can be added as a 
DMZ, but I don't need that at this time.


The Blue interface requires a MAC address for each node allowed to 
connect.  Typically you'd just put the AP's MAC in there and let the AP 
act as the DHCP server.  In reality you can add the MAC for any device 
you want, which is how the public machines are verified:  The only way 
they can connect in the first place is that I've added their MAC 
addresses to the access list.


IPCop can also require user authentication across both the Green and 
Blue interfaces (It's all or nothing in that regard) via a local ACL, 
identd,  LDAP, Windows authentication, or RADIUS.  My user database 
already exists in MySQL for other reasons, so using RADIUS to tap into 
that is the easiest solution.  For various reasons, I also do not want 
to add about 80% of the users to the windows AD. 

The plus side of this is that anyone using a public machine will have to 
be a valid user.  The downside is that the few people who are on the LAN 
(Green) interface will also have to deal with RADIUS even though they 
are already validated in the Windows domain.  It had been suggested to 
add their MAC's to the user database in MySQL and arrange it so that 
they are allowed to skip the RADIUS process, but dealing with that is 
well out of my skill set. 

In January we will receive a bunch of Cisco AP's to replace the rather 
motley collection that we are using now.  At that point I will look at 
handing the NAS functions to them, but for now it will happen at the router.


From the feedback, it sounds like I'm heading in the right direction 
with PEAP / MS-CHAP-V2, which is what my test laptop came up with 
automatically.  I will also be sure to incorporate the suggestions 
regarding the proper configuration of the  clients in implementing this.


This has been a great resource!  Thanks to everyone who has responded, 
and to whoever set up and maintains the mailing list.


Regards,

-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

[EMAIL PROTECTED] wrote:

PS. Time to go to bed.
  

I know the feeling!

Thanks for all the info on doing this properly.  You've no doubt saved 
me a bunch of time and frustration.


-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

Jon Reynolds wrote:
Also, uncheck "Authenticate as computer when information is
available" and "Enable Fast Reconnect"; the latter will drive you
crazy because it will keep resetting your settings back to default.


Jon


Perfect, thank you!

-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

YvesDM wrote:


 
Alternatively you could install the copspot plugin on ipcop (

http://www.ban-solms.de/t/IPCop-copspot.html )
It implements chillispot and gives you a captive portal which can
talk to your radius for AAA.

Kind regards
Yves

That's a great suggestion, and something that I'd looked into at one 
point.  The problem is that CopSpot only allows for HTTP traffic and not 
HTTPS.  That will certainly be a big problem for a lot of my users.  If 
there was an easy way around that, I'd probably try it out.


Thank you for the reply!

-Doc

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

  YvesDM wrote:


  Alternatively you could install the copspot plugin on ipcop (
  http://www.ban-solms.de/t/IPCop-copspot.html )
  It implements chillispot and gives you a captive portal which can talk
  to your radius for AAA.
 
  Kind regards
  Yves
 
  That's a great suggestion, and something that I'd looked into at one
 point.  The problem is that CopSpot only allows for HTTP traffic and not
 HTTPS.  That will certainly be a big problem for a lot of my users.  If
 there was an easy way around that, I'd probably try it out.


Strange, according to the copspot link I've sent you it uses https.  (on
non-standard port)
I never used ipcop myself though.

Kind regards
Yves
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread Doc. Caliban

YvesDM wrote:


Strange, according to the copspot link I've sent you it uses https.  
(on non-standard port)

I never used ipcop myself though.

Kind regards
Yves

Oh, weird.  It must be in the details somewhere.  That's the page I'd 
looked at and this line had caught my eye:


Currently the portal user will only be able to use http (tcp port
   80) into the internet. All other access is blocked.

I'll read through it more carefully though as this would be a great way 
to go, thanks again!


-Doc

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic usage: What do I do next to get this to work?

2007-10-31 Thread YvesDM
On 10/31/07, Doc. Caliban [EMAIL PROTECTED] wrote:

  YvesDM wrote:


 Strange, according to the copspot link I've sent you it uses https.  (on
 non-standard port)
 I never used ipcop myself though.

 Kind regards
 Yves

  Oh, weird.  It must be in the details somewhere.  That's the page I'd
 looked at and this line had caught my eye:

  Currently the portal user will only be able to use http (tcp port 80)
 into the internet. All other access is blocked.

  I'll read through it more carefully though as this would be a great way
 to go, thanks again!



Oh, I see, now I know what you mean.
I thought you meant users weren't able to login through https.
If your users need more opened ports this will probably be easy to modify
through the firewall rules.
But we're going off topic of this list.
Good luck

Kind regards.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
You haven't configured PEAP in eap.conf. You need to configure tls and
peap sections. You will also need a server certificate and to export
root certificate to XP clients (if you are signing them yourself). Read
instructions in eap.conf, /scripts, wiki (about EAP) and howto for AD
integration before doing anything.

Ivan Kalik
Kalik Informatika ISP


Dana 30/10/2007, Doc. Caliban [EMAIL PROTECTED] piše:

Hello,

I hate to ask this, but I'm running out of time on this project and I'm
completely new to RADIUS.  I would be really happy if someone could just
point me to a detailed HOW TO for what I need.

I have freeRADIUS set up with an external MySQL user database and it's
successfully authorizing requests from NTRadPing.

Now I need to actually try it out In the field.  I need people running
XP, Vista (ugh), and Apple laptops to be able to auth using the MySQL
database that I have set up.

So far I'm not having any luck, and I don't mind saying that I'm a
little over my head at this point.  Someone familiar with this will
probably see glaring problems.

I will provide all the details I can think of, but please let me know if
you need more.

Server:
FreeRADIUS 1.1.7 with MySQL module.

Database:
Remote MySQL

Access Point:
D-Link DWL-7100AP (Ciscos coming in January)
WPA-EAP
TKIP

Client Laptop:
WPA Enterprise
TKIP
PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)
MS-CHAP-V2 (Other options: GTC, TLS)






I set up an AP to use RADIUS, and the requests get through to the RADIUS
server, but they always fail.  Posted below is the debug output from the
failed attempt.


 Ready to process requests.
 rad_recv: Access-Request packet from host 192.168.0.1:1030, id=0,
 length=193
 Message-Authenticator = 0xf9c41895a382161a1d31b4a47bd830e0
 Service-Type = Framed-User
 User-Name = testuser
 Framed-MTU = 1488
 Called-Station-Id = 00-11-95-DA-16-A6:SUSOM
 Calling-Station-Id = 00-1B-77-28-B3-CF
 NAS-Identifier = D-Link Access Point
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11a
 EAP-Message = 0x020b01746261727468
 NAS-IP-Address = 192.168.0.1
 NAS-Port = 1
 NAS-Port-Id = STA port # 1
 rad_lowerpair:  User-Name now 'testuser'
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 11
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 radius_xlat:  'testuser'
 rlm_sql (sql): sql_set_user escaped user -- 'testuser'
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op
 FROM radcheck   WHERE Username = 'testuser'   ORDER BY id'
 rlm_sql (sql): Reserving sql socket id: 4
 radius_xlat:  'SELECT
 radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
 FROM radgroupcheck,usergroup WHERE usergroup.Username = 'testuser' AND
 usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
 radius_xlat:  'SELECT id, UserName, Attribute, Value, op
 FROM radreply   WHERE Username = 'testuser'   ORDER BY id'
 radius_xlat:  'SELECT
 radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
 FROM radgroupreply,usergroup WHERE usergroup.Username = 'testuser' AND
 usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
 rlm_sql (sql): Released sql socket id: 4
   modcall[authorize]: module sql returns ok for request 0
 rlm_pap: Found existing Auth-Type, not changing it.
   modcall[authorize]: module pap returns noop for request 0
 modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type md5
 rlm_eap_md5: Issuing Challenge
   modcall[authenticate]: module eap returns handled for request 0
 modcall: leaving group authenticate (returns handled) for request 0
 Sending Access-Challenge of id 0 to 192.168.0.1 port 1030
 Framed-Protocol := PPP
 Service-Type := Framed-User
 Framed-MTU := 1500
 Framed-Compression := Van-Jacobson-TCP-IP
 EAP-Message = 0x0101001604104e273ea966f4fb77466b296f9c607385
 Message-Authenticator = 0x
 State = 0x149370a5228b3ae0acdd9dc3fb4a25a4
 Finished request 0
 Going to the next request
 --- 
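
For the eap.conf sections the reply above points to, here is an added illustration in the 1.1.x syntax the poster's server runs. It is not the poster's file and not the stock file shipped with FreeRADIUS; the certificate paths and the private-key password are placeholders, and the comments refer to the debug output quoted above.

```conf
# Added illustration of a PEAP/MS-CHAPv2 eap.conf for FreeRADIUS 1.1.x.
# Not from the thread or the FreeRADIUS distribution; paths and the key
# password are placeholders.
eap {
	# The debug output shows "rlm_eap: processing type md5" because the
	# server fell back to this default; with peap here the first EAP
	# request the client sees is the one it is prepared to answer.
	default_eap_type = peap
	timer_expire     = 60
	ignore_unknown_eap_types = no

	# PEAP is EAP-MSCHAPv2 inside a TLS tunnel, so the tls section (server
	# certificate, key and CA) is required even though no user ever does
	# plain EAP-TLS.
	tls {
		private_key_password = CHANGE-ME                      # placeholder
		private_key_file     = ${raddbdir}/certs/server.pem   # placeholder path
		certificate_file     = ${raddbdir}/certs/server.pem   # placeholder path
		CA_file              = ${raddbdir}/certs/ca.pem       # the CA exported to the XP clients
		dh_file              = ${raddbdir}/certs/dh
		random_file          = ${raddbdir}/certs/random
		fragment_size        = 1024
		include_length       = yes
	}

	peap {
		# inner method the Windows supplicant offers by default
		default_eap_type = mschapv2
	}

	mschapv2 {
	}
}
```

Two things outside eap.conf decide whether this works. In radiusd.conf, eap has to stay listed in both the authorize and authenticate sections, and the inner MS-CHAPv2 round is handed to the Auth-Type MS-CHAP { mschap } block of authenticate; the mschap module then needs a cleartext password (or an NT-Password hash) among the user's SQL check items, because MS-CHAPv2 cannot be verified against a crypt or MD5 password hash. And since MS-CHAPv2 is only as safe as the TLS tunnel around it, the clients should be set to validate the server certificate against the exported CA rather than to skip that check.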

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread Alan DeKok
Doc. Caliban wrote:
 I hate to ask this, but I'm running out of time on this project and I'm
 completely new to RADIUS.  I would be really happy if someone could just
 point me to a detailed HOW TO for what I need.

  http://www.freeradius.org/doc/EAPTLS.pdf

  You need EAP-TLS to do PEAP.

 I have freeRADIUS set up with an external MySQL user database and it's
 successfully authorizing requests from NTRadPing. 

  Which helps, but isn't enough.  Wireless uses a LOT more technologies
than just basic RADIUS.

 So far I'm not having any luck, and I don't mind saying that I'm a
 little over my head at this point.  Someone familiar with this will
 probably see glaring problems.

  The debug output tries to be helpful.  Honest.

 Access Point:
 D-Link DWL-7100AP (Ciscos coming in January)
 WPA-EAP
 TKIP
 
 Client Laptop:
 WPA Enterprise
 TKIP
 PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)

  So... that should be an indication that you need PEAP.

 I set up an AP to use RADIUS, and the requests get through to the RADIUS
 server, but they always fail.  Posted below is the debug output from the
 failed attempt.
...
  rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: No such EAP type peap

  You say that the clients will do PEAP, but you haven't configured PEAP
in the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread Doc. Caliban
Hmm... All good info, but it makes me wonder if I'm going about this the 
best way.


This is my goal:

Wireless users and desktop computers on the same subnet (IPCop Blue, for 
those keeping score at home) will need to log in with a user name and 
password, which are kept on the MySQL server.


I want this to be as easy as possible for as many people as possible.  I 
came up with my client settings by going with the defaults.  I would 
like to use whatever is easiest for the users to implement.


I really appreciate you time,  Thank you.

Alan DeKok wrote:

Doc. Caliban wrote:
  

I hate to ask this, but I'm running out of time on this project and I'm
completely new to RADIUS.  I would be really happy if someone could just
point me to a detailed HOW TO for what I need.



  http://www.freeradius.org/doc/EAPTLS.pdf

  You need EAP-TLS to do PEAP.

  

I have freeRADIUS set up with an external MySQL user database and it's
successfully authorizing requests from NTRadPing. 



  Which helps, but isn't enough.  Wireless uses a LOT more technologies
than just basic RADIUS.

  

So far I'm not having any luck, and I don't mind saying that I'm a
little over my head at this point.  Someone familiar with this will
probably see glaring problems.



  The debug output tries to be helpful.  Honest.

  

Access Point:
D-Link DWL-7100AP (Ciscos coming in January)
WPA-EAP
TKIP

Client Laptop:
WPA Enterprise
TKIP
PEAP (Other options: EAP-SIM, TLS, TTLS, LEAP, EAP-FAST)



  So... that should be an indication that you need PEAP.

  

I set up an AP to use RADIUS, and the requests get through to the RADIUS
server, but they always fail.  Posted below is the debug output from the
failed attempt.


...
  

 rlm_eap: EAP-NAK asked for EAP-Type/peap
 rlm_eap: No such EAP type peap
  


  You say that the clients will do PEAP, but you haven't configured PEAP
in the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
This is my goal:

Wireless users and desktop computers on the same subnet (IPCop Blue, for
those keeping score at home) will need to log in with a user name and
password, which are kept on the MySQL server.


Hm, don't know much about IPCop but I would have some doubts about it
authenticating wired users on a local network. My guess is that DHCP
will just hand them an IP address and they will connect without
authentication. Since you want wired clients on the same subnet as
wireless ones think about using a captive portal like Chillispot.

You are on the right track with wireless.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread Doc. Caliban

[EMAIL PROTECTED] wrote:

Hm, don't know much about IPCop but I would have some doubts about it
authenticating wired users on a local network.
  
IPCop is actually pretty good for this as it uses one of its interfaces 
for wireless access based on granting each node specific access by MAC, 
but it can be any network node, it doesn't have to be a wireless device.


All of our public workstations are on this interface so the machines are 
verified at the proxy.  Now I just need to get the RADIUS piece in place 
to validate the users.  IPCop can require RADIUS authentication on top 
of the MAC filter.   It sounds good on paper, I just need to find the 
easiest way possible for my users to deal with the RADIUS piece of the 
model.

You are on the right track with wireless.

  
That's good to hear.  Again, I just need to find the simplest 
implementation possible for starters.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
IPCop can require RADIUS authentication on top of the MAC filter.

Fine. Enable it then. I assume it uses 802.1x for wired too.

I just need to find the easiest way possible for my users to deal with the 
RADIUS piece of the model.

Simplest thing for your users with Win XP/Vista would be PEAP. Setup is
the same for wired and wireless. Connection/Properties/click on
Authentication tab/tick enable 802.1x box/select PEAP from the box/click
on Properties button/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
PS. Time to go to bed.

Clear the "Automatically use Windows logon blah, blah" box.

Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP




Dana 31/10/2007, Doc. Caliban [EMAIL PROTECTED] piše:

[EMAIL PROTECTED] wrote:
 Hm, don't know much about IPCop but I would have some doubts about it
 authenticating wired users on a local network.

IPCop is actually pretty good for this as it uses one of its interfaces
for wireless access based on granting each node specific access by MAC,
but it can be any network node, it doesn't have to be a wireless device.

All of our public workstations are on this interface so the machines are
verified at the proxy.  Now I just need to get the RADIUS piece in place
to validate the users.  IPCop can require RADIUS authentication on top
of the MAC filter.   It sounds good on paper, I just need to find the
easiest way possible for my users to deal with the RADIUS piece of the
model.
 You are on the right track with wireless.


That's good to hear.  Again, I just need to find the simplest
implementation possible for starters.






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread Jon Reynolds

[EMAIL PROTECTED] wrote:

PS. Time to go to bed.

Clear the "Automatically use Windows logon blah, blah" box.

Confirm everything and you are done.

Ivan Kalik
Kalik Informatika ISP


Also, uncheck the "Authenticate as computer when information is 
available" and "Enable Fast Reconnect" boxes; the latter will drive you crazy 
because it will keep resetting your settings back to default.


Jon

--
perl -le print scalar reverse qq/ten.ratsed\100rnoj/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic usage: What do I do next to get this to work?

2007-10-30 Thread tnt
PS. Oops, sent mail too early.

Authentication method should be EAP-MSCHAPv2/click on Configure button/

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Alan DeKok
Rainer Brinkmann [EMAIL PROTECTED] wrote:
 we wonder, how a freeradius can request a client to use a fixed EAP-Method:
 so its defined:
 Client starts with EAP-Start-Msg
 Radius wants EAP-Identity
 Client answers with Username or Hostname NOT using a special EAP-Method

  That isn't how EAP works.

 you run in your wireless LAN many SSIDs:
 SSID1 shall use EAP-TTLS
 SSID2 shall use EAP-TLS(high-secured Net like personal Data)
 
 what logic starts the right inner-EAP-Protocol, cause neither the
 AccessPoint(WLAN-Controller), nor the
 radius server know, what Method to use, when there are many enabled.

  The supplicant.  i.e. the laptop, usually.

  What you can do in the default config is something like the following:

DEFAULT SSID == SSID1, Eap-Type != EAP-TTLS, Auth-Type := Reject

  You'll have to look in the RADIUS packet to see how the SSID comes
in, and match that.  But that *should* reject anyone on SSID1 who
isn't using TTLS.

  The reason you have to reject the request, rather than forcing
people to use TTLS is that you *can't* force people to use TTLS.  They
use whatever they want, and the server has to deal with it.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic handling of multiple EAP-Methods by freerad

2006-06-29 Thread Josh Howlett

On 29 Jun 2006, at 17:23, Rainer Brinkmann wrote:

Hello,

we wonder, how a freeradius can request a client to use a fixed EAP- 
Method:

so its defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP- 
Method


Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method

Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)


I'd personally question the assumption that TLS is any more secure  
than TTLS, but if you want to do this it is probably easiest to have  
a single SSID, and allocate a VLAN dynamically depending on whether  
they've used TTLS or TLS.


josh.


what logic starts the right inner-EAP-Protocol, cause neither the
AccessPoint(WLAN-Controller), nor the
radius server know, what Method to use, when there are many enabled.

e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but  
there's no

special attribute defined to control that


thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Josh Howlett, Networking Specialist, University of Bristol.
email: [EMAIL PROTECTED] | phone: +44 (0)7867 907076 |  
internal: 7850




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic handling of multiple EAP-Methods by freerad

2006-06-27 Thread Phil Mayers

Rainer Brinkmann wrote:

Hello,

we wonder, how a freeradius can request a client to use a fixed EAP-Method:
so its defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method

Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method


For this, it will use the default_eap_type



Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)

what logic starts the right inner-EAP-Protocol, cause neither the
AccessPoint(WLAN-Controller), nor the
radius server know, what Method to use, when there are many enabled.

e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
special attribute defined to control that


Yes there is. Set EAP-Type (see dictionary.freeradius.internal)

e.g.

DEFAULT Your-SSID-AVP = SSID1, EAP-Type := EAP-TTLS

DEFAULT Your-SSID-AVP = SSID2, EAP-Type := EAP-TLS

Note however, the client can still NAK the radius server and request a 
different type, and the radius server will allow that. To prevent that, 
you'd need to run 1 instance of the eap module and disable the other 
eap types. The following is untested and may not work for various 
reasons, but is worth a try:


modules {
  eap eap_ttlsonly {
default_eap_type = ttls
# only define one eap sub-module
ttls {
  # stuff
}
  }

  eap eap_tlsonly {
default_eap_type = tls
# only define one eap sub-module
tls {
  # stuff
}
  }
}

authorize {
  preprocess
  users
  Autz-Type TTLS-only {
eap_ttlsonly
  }
  Autz-Type TLS-only {
eap_tlsonly
  }
}
authenticate {
  Auth-Type TTLS-only {
eap_ttlsonly
  }
  Auth-Type TLS-only {
eap_tlsonly
  }
}

...then in users:

DEFAULT SSID = ssid1, Autz-Type := TTLS-only, Auth-Type := TTLS-only

DEFAULT SSID = ssid2, Autz-Type := TLS-only, Auth-Type := TLS-only




thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic problems getting things to run

2006-02-17 Thread Geoff Silver
Ah.  The include line in raddb/dictionary was wrong (pointing to the
dictionary directory, not dictionary/dictionary).  Auth-Type := Accept seems
to be working now, so hopefully I can manage it from here (if not, I'm sure
you'll hear from me again).

Thanks a ton!

Alan DeKok wrote:
 Geoff Silver [EMAIL PROTECTED] wrote:
 
Forgive me if I'm missing something incredibly obvious, but I absolutely can't
get auth to work.  ever.  For starters, here's what I see when running
'radiusd -AX':

rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
Attr-1 = 0x6a617468616e69736d
 
 
   You are not using the dictionaries that come with the server.
 You've probably got a Gnu RADIUS dictionary installed in /etc/raddb.
 
   The make install output has a few lines at the end telling you
 that it didn't over-write existing dictionaries, and what to do to fix
 the problem.  Read that text.
 
   Also, ensure that FreeRADIUS is looking for its configuration files
 in a different directory than where the GNU radius configuration files
 are located.  That will solve a lot of problems.
 
   Alan DeKok.
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic problems getting things to run

2006-02-16 Thread Alan DeKok
Geoff Silver [EMAIL PROTECTED] wrote:
 Forgive me if I'm missing something incredibly obvious, but I absolutely can't
 get auth to work.  ever.  For starters, here's what I see when running
 'radiusd -AX':
 
 rad_recv: Access-Request packet from host 127.0.0.1:34193, id=136, length=61
 Attr-1 = 0x6a617468616e69736d

  You are not using the dictionaries that come with the server.
You've probably got a Gnu RADIUS dictionary installed in /etc/raddb.

  The make install output has a few lines at the end telling you
that it didn't over-write existing dictionaries, and what to do to fix
the problem.  Read that text.

  Also, ensure that FreeRADIUS is looking for its configuration files
in a different directory than where the GNU radius configuration files
are located.  That will solve a lot of problems.

  Alan DeKok.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic logging problems

2005-03-24 Thread Alan DeKok
tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
 Or does radtest just test authentication without 
 bothering with accounting or other logging information?

  Read the documentation for radtest.  It answers your question.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: basic failure from intital install. doesnt make sense

2005-03-09 Thread Alan DeKok
Gingell, Shane [EMAIL PROTECTED] wrote:
 I have just installed Free-Radius for my first time as a
 previous FUNK user and I am having stupid errors when testing initial
 authentication. Here is what is happening: Any help is greatly
 appreciated.

  Run the server in debugging mode as suggested in the FAQ, README,
and INSTALL.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic question

2004-09-14 Thread Robert Schultz
 Update:
 before freeRADIUS states that message, it gives me a "certificate:
 unsupported purpose" message.

Problem solved.
The client certificate needed to be signed as a client certificate (not just
simply signed).

with an additional file named 'ext' containing

[ client ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2   # id-kp-clientAuth
[ server ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1   # id-kp-serverAuth

the certificates are signed with

#  openssl ca -extensions client -extfile ext -in tempreq.pem -out client_crt.pem
#  openssl ca -extensions server -extfile ext -in tempreq.pem -out server_crt.pem

I still need to know about rekeying and the EAP-TTLS User Configuration.


Thank you
Robert


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic RADIUS network protocol question

2004-07-07 Thread Aldo Chiecchia
Martin Olsson wrote:
The length field is 16-bit, but is it big-endian or little-endian? If 
i receive the two bytes for the length as AB should I use the value 
256*A+B or should I use the value A+B*256?

You can just convert your short int from host byte order to 
network byte order using the function htons and then store it in the 
length field.
see man pages for details

Aldo
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
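
Two of the threads above come down to what is actually in an Access-Request: the byte order of the Length field (Martin's question, answered with htons), and where a RADIUS server can see the SSID and the EAP method a supplicant is asking for (Alan's "look in the RADIUS packet to see how the SSID comes in" and Phil's note that a client can NAK the offered method). The example below is added here and is not code from the list or from FreeRADIUS. It encodes an Access-Request with a Message-Authenticator, decodes it with the Length read in network byte order, takes the SSID from the part of Called-Station-Id after the colon (as in 00-11-95-DA-16-A6:SUSOM in the debug output), reads the requested method out of EAP-Message (a Response/Nak names the method the client wants, which is what "EAP-NAK asked for EAP-Type/peap" reports), and applies a per-SSID policy. The shared secret, SSID names, MAC address, the SSID_POLICY table and the EAP payloads are all constructed for the example.

```python
"""RADIUS Access-Request encode/decode with a per-SSID EAP-method check.

Added example; not code from the list or from FreeRADIUS. The shared secret,
SSIDs, MAC address and SSID_POLICY below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_CALLED_STATION_ID = 1, 1, 30
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
# EAP Type codes (RFC 3748, RFC 5281, PEAP) for the methods the threads discuss.
EAP_TYPE_NAMES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
SSID_POLICY = {"SSID1": {"TTLS"}, "SSID2": {"TLS"}}  # constructed policy (an assumption)
SECRET = b"testing123"  # constructed shared secret

def encode_attrs(attrs):
    """Attribute = Type(1) Length(1) Value; Length counts its own 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(secret, ident, attrs):
    """Access-Request with a valid Message-Authenticator (RFC 3579): HMAC-MD5 keyed
    with the shared secret over the packet with the attribute's 16 value bytes zeroed.
    "!" in struct means network byte order (big endian): Length 88 goes out as 0x00 0x58."""
    authenticator = os.urandom(16)  # Request Authenticator, fresh per packet
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    return header + body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()

def parse_header(data):
    """Return (code, identifier, authenticator); refuse a Length that does not match."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field %d but %d bytes received" % (length, len(data)))
    return code, ident, data[4:20]

def iter_attrs(data):
    """Yield (offset, type, value) for each attribute TLV after the header."""
    pos = 20
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("bad attribute at offset %d" % pos)
        t, length = data[pos], data[pos + 1]
        yield pos, t, data[pos + 2:pos + length]
        pos += length

def verify_message_authenticator(secret, data):
    """True only if a Message-Authenticator is present and matches the secret."""
    parse_header(data)
    for off, t, v in iter_attrs(data):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = data[:off + 2] + b"\x00" * 16 + data[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
    return False  # absent: an EAP request without it must not be trusted

def requested_eap_type(attrs):
    """Method named in EAP-Message (Code, Id, Length(2), Type, data). A Response/Nak
    (Type 3) carries the method the supplicant wants instead in its first data byte."""
    eap = b"".join(v for _, t, v in attrs if t == ATTR_EAP_MESSAGE)  # join fragments
    if len(eap) < 5:
        return None
    etype = eap[5] if eap[4] == 3 and len(eap) >= 6 else eap[4]
    return EAP_TYPE_NAMES.get(etype, str(etype))

def ssid_from_called_station_id(attrs):
    """APs send "AP-MAC:SSID", e.g. 00-11-95-DA-16-A6:SUSOM in the debug output."""
    for _, t, v in attrs:
        if t == ATTR_CALLED_STATION_ID:
            _mac, sep, ssid = v.decode("ascii", "replace").partition(":")
            return ssid if sep else None
    return None

def decide(secret, data):
    """("continue", why) or ("reject", why) for one Access-Request."""
    if not verify_message_authenticator(secret, data):
        return ("reject", "bad or missing Message-Authenticator")
    attrs = list(iter_attrs(data))
    ssid, method = ssid_from_called_station_id(attrs), requested_eap_type(attrs)
    if ssid not in SSID_POLICY:
        return ("reject", "unknown SSID %r" % ssid)
    if method in (None, "Identity"):
        return ("continue", "identity round, no method chosen yet")
    if method in SSID_POLICY[ssid]:
        return ("continue", "%s allowed on %s" % (method, ssid))
    return ("reject", "%s not allowed on %s" % (method, ssid))

# Constructed EAP payloads: Response/Identity "testuser"; Response/Nak wanting PEAP or TTLS.
EAP_IDENTITY = struct.pack("!BBHB", 2, 0, 13, 1) + b"testuser"
EAP_NAK_PEAP = struct.pack("!BBHBB", 2, 1, 6, 3, 25)
EAP_NAK_TTLS = struct.pack("!BBHBB", 2, 1, 6, 3, 21)

def sample_request(ssid, eap_payload):
    """Constructed Access-Request shaped like the D-Link one in the thread."""
    return build_access_request(SECRET, 0, [(ATTR_USER_NAME, b"testuser"),
        (ATTR_CALLED_STATION_ID, ("00-11-95-DA-16-A6:" + ssid).encode("ascii")),
        (ATTR_EAP_MESSAGE, eap_payload)])
```

decide(SECRET, sample_request("SSID1", EAP_NAK_PEAP)) returns a rejection because SSID1 only allows TTLS, while the same Nak on SSID2 with a TLS-only policy is rejected as well; an identity response on either SSID is passed through, since no method has been chosen yet at that point. FreeRADIUS already performs the Message-Authenticator check and the length checks itself; the point of doing them by hand here is to show that the SSID and the requested method are plain attribute data in the packet, which is why a users-file entry can match on them, and why Phil's caveat holds: the server only learns the method from what the supplicant sends, so "forcing" a method means rejecting everything else.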


RE: Basic ?

2004-06-21 Thread Frédéric EVRARD
 Before I go jumping off the deep end, what OS would be the best and
 easiest to
 use for Free Radius?

 Fedora Core 2
 FreeBSD
 Debian
 Mandrake
 Or ???

I'm a linux and Freeradius newbie and I've been using Freeradius for two months
on a mandrake 9.2, it's not too hard to configure and it works very
well...(802.1x, EAP/MD5/TLS).

Fred.Evrard



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic ?

2004-06-18 Thread Alan DeKok
Joel Eddy [EMAIL PROTECTED] wrote:
 Before I go jumping off the deep end, what OS would be the best and easiest to
 use for Free Radius?

  I'm partial to NetBSD, but that's just me.

  For most purposes, it doesn't really matter.  Use what you're
familiar with.

  Alan DeKok.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Basic dialup_admin mods

2004-05-08 Thread Kostas Kalevras
On Sat, 8 May 2004, Michael Markstaller wrote:

 Mark,

 I'm in a similar process right now, setting up a new radius-environment
 all running on Debian Woody consolidating three old servers.
 I'm planning to use dialup-admin for individual users to see
 their account-status and customer-admins to manage their individual scopes/users.

 I already seen that there're are few things to change, so I'm
 a) interested in your mods
 b) like to know how to submit new things created

Send a patch to freeradius-devel. Better yet, open a bug report at
bugs.freeradius.org and post your patch there.


 Michael

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Mark
 Constable
 Sent: Saturday, May 08, 2004 6:58 AM
 To: [EMAIL PROTECTED]
 Subject: Basic dialup_admin mods


 I'm just starting out with changing over from xtRadius to
 freeRadius and testing things for the next few days. I'll be
 looking hard at dialup_admin and just now I've got it up on
 my own test box and I can see there are a few basic and obvious
 mods that could be made... that I will be doing anyway, and
 more, for myself but could be of general interest.

 . I'd be prepared to find every instance of *.php3
   and change them _ALL_ to just *.php
 . change all $HTTP_*_VARS to just $_SERVER etc
 . catch all missing isset($var) warnings
 . ensure error_reporting(E_ALL) compatible
 . ensure it runs under PHP5 (my test system)

 Are these changes of any use to anyone else and if so how
 could I go about supplying the changes to whoever wants them ?

 --markc

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Basic dialup_admin mods

2004-05-08 Thread Kostas Kalevras
On Sat, 8 May 2004, Mark Constable wrote:

 I'm just starting out with changing over from xtRadius to
 freeRadius and testing things for the next few days. I'll be
 looking hard at dialup_admin and just now I've got it up on
 my own test box and I can see there are a few basic and obvious
 mods that could be made... that I will be doing anyway, and
 more, for myself but could be of general interest.

 . I'd be prepared to find every instance of *.php3
   and change them _ALL_ to just *.php

Hmm ok, but in any case it's mostly a cosmetic change.

 . change all $HTTP_*_VARS to just $_SERVER etc

dialupadmin should use the new variable format in general. I was just waiting
for everyone to be using newer versions of PHP. It's much better from a security
point of view.

 . catch all missing isset($var) warnings

That would be nice.

 . ensure error_reporting(E_ALL) compatible
 . ensure it runs under PHP5 (my test system)

 Are these changes of any use to anyone else and if so how
 could I go about supplying the changes to whoever wants them ?

Make the changes and open a bug report to bugs.freeradius with the patch.
Preferably the .php3 - .php patch should be kept separate.


 --markc

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html