RE: Radius with SSL
On Wed, 2 Feb 2005, Anderson Alves de Albuquerque wrote:

> Thanks, my RADIUS with LDAP is OK now.
>
> How can I configure the password in LDAP with MD5? Example: in the LDAP I put:
>
>     rootpw {MD5}aY3BnUicTk23PiinE+qwew==
>
> In radiusd.conf I put:
>
>     ldap {
>         server="ldaps.xxx.com"
>         identity="cn=root,dc=com"
>         password={MD5}aY3BnUicTk23PiinE+qwew==

The root password encryption method does matter. You should store it in the password configuration directive unencrypted.

>         . . .
>     }
>
> But RADIUS does not get to do authentication. How can I put the LDAP password in radiusd.conf hashed with MD5, SHA1 or SSHA?

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
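The {MD5}... value in slapd.conf is an RFC 2307 style stored password: the scheme name in braces, then the base64 of the digest (for the salted schemes, digest followed by the salt). On a simple bind slapd re-hashes the password it receives and compares digests, so rootpw may be stored hashed, but the `password` that rlm_ldap sends in its bind has to be the cleartext; sending the {MD5}... string is simply a wrong password. The script below is an added example, not code from this thread or from OpenLDAP, that produces and checks those forms the way slappasswd does. The sample password is constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Password schemes OpenLDAP accepts in userPassword / rootpw (RFC 2307 style):
# '{SCHEME}' followed by base64(digest) or, for the salted ones, base64(digest + salt).
_DIGESTS = {
    "MD5": hashlib.md5, "SMD5": hashlib.md5,
    "SHA": hashlib.sha1, "SSHA": hashlib.sha1,
}
_SALTED = {"SMD5", "SSHA"}


def ldap_hash(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Produce the stored form, as `slappasswd -h '{SCHEME}' -s password` does.

    Unsalted MD5/SHA are kept only because existing directories hold them;
    they fall to precomputed tables. Use SSHA, or a stronger scheme the
    server offers, for anything new.
    """
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme in _SALTED:
        salt = os.urandom(4) if salt is None else salt  # slappasswd uses 4 bytes by default
    else:
        salt = b""
    digest = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def ldap_verify(stored: str, password: str) -> bool:
    """Check a bind password against the stored value, the way slapd does.

    Nothing is decrypted: the candidate is re-hashed (with the salt recovered
    from the stored value) and the digests are compared. This is why the
    client side, here rlm_ldap's `password` directive, must hold the
    cleartext: a {MD5}... string sent as the bind password is just a
    different, wrong, password.
    """
    if not stored.startswith("{") or "}" not in stored:
        # Cleartext userPassword: plain comparison.
        return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
    scheme, payload = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _DIGESTS:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(payload)
    digest_len = _DIGESTS[scheme]().digest_size
    if len(raw) < digest_len:
        return False
    digest, salt = raw[:digest_len], raw[digest_len:]
    if scheme not in _SALTED and salt:
        return False  # unsalted schemes carry nothing after the digest
    candidate = _DIGESTS[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample password; not the one from the thread.
    pw = "s3cret-bind-pw"
    for scheme in ("MD5", "SHA", "SSHA"):
        stored = ldap_hash(pw, scheme)
        print("rootpw", stored, "->", ldap_verify(stored, pw))
```

The practical consequence for this thread: the hashed value belongs in slapd.conf (rootpw) or in the entry's userPassword, while radiusd.conf keeps the cleartext bind password and is protected by file permissions. What keeps that cleartext off the wire is the LDAPS connection on port 636 that Willey recommended, not any hashing in the RADIUS configuration.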
RE: Radius with SSL
Thanks, my RADIUS with LDAP is OK now.

How can I configure the password in LDAP with MD5? Example: in the LDAP I put:

    rootpw {MD5}aY3BnUicTk23PiinE+qwew==

In radiusd.conf I put:

    ldap {
        server="ldaps.xxx.com"
        identity="cn=root,dc=com"
        password={MD5}aY3BnUicTk23PiinE+qwew==
        . . .
    }

But RADIUS does not get to do authentication. How can I put the LDAP password in radiusd.conf hashed with MD5, SHA1 or SSHA?
RE: Radius with SSL
I created the cacert.pem like http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html. I don't understand what is ... Is there another good paper on the Internet?

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> I don't use slapd, but it looks like your CA isn't known (trusted):
> "...tlsv1 alert unknown ca"
RE: Radius with SSL
I don't use slapd, but it looks like your CA isn't known (trusted):
"...tlsv1 alert unknown ca"
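The two reads in the slapd trace are one complete TLS alert record: a 5-byte record header (content type 0x15 = alert, version 3.1 = TLS 1.0, length 2) followed by a 2-byte alert body (level 0x02 = fatal, description 0x30 = 48 = unknown_ca). Because slapd is the side reading it, the alert was sent by the peer, that is by the OpenSSL inside rlm_ldap on the RADIUS host, which could not chain slapd's certificate to anything under its tls_cacertfile / tls_cacertdir; the client library then aborts the connection and reports it as "Can't contact LDAP server". The fix is therefore on the radiusd side (point tls_cacertfile at the CA that issued slapd's certificate), not in slapd.conf. The decoder below is an added example, not code from the thread; the alert table is the one from RFC 5246, and the input is the trace's bytes re-typed as hex.

```python
from typing import Optional

CONTENT_TYPE_ALERT = 0x15

# AlertDescription values, RFC 5246 section 7.2 (TLS 1.0 to 1.2 share the table).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension", 112: "unrecognized_name",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alerts the verifying side sends when the certificate it was shown does not
# check out. Whoever *receives* one of these presented the certificate; the
# missing trust anchor is on the sender's side.
CERT_VERIFY_ALERTS = {42, 43, 44, 45, 46, 48}


def tls_version(major: int, minor: int) -> str:
    names = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
    return names.get((major, minor), "%d.%d" % (major, minor))


def parse_tls_alert(record: bytes) -> Optional[dict]:
    """Decode one TLS record. Returns alert details, or None for non-alert records."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor = record[0], record[1], record[2]
    length = int.from_bytes(record[3:5], "big")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than the length in its header")
    if ctype != CONTENT_TYPE_ALERT:
        return None
    info = {"version": tls_version(major, minor)}
    if length != 2:
        # Alerts sent after the handshake are encrypted and MACed; the body is opaque.
        info.update(level="unknown", code=None, description="encrypted_alert",
                    sender_rejected_peer_cert=False)
        return info
    level, code = body[0], body[1]
    info.update(
        level=ALERT_LEVELS.get(level, "unknown(%d)" % level),
        code=code,
        description=ALERT_DESCRIPTIONS.get(code, "unknown(%d)" % code),
        sender_rejected_peer_cert=code in CERT_VERIFY_ALERTS,
    )
    return info


def explain(trace_hex: str) -> str:
    """One-line diagnosis from the hex bytes of a tls_read dump."""
    info = parse_tls_alert(bytes.fromhex(trace_hex))
    if info is None:
        return "not an alert record"
    text = "%s %s alert %s (%s)" % (info["version"], info["level"], info["code"], info["description"])
    if info["sender_rejected_peer_cert"]:
        text += ": the side that sent this alert could not validate the certificate it was shown"
    return text


if __name__ == "__main__":
    # The bytes from the slapd trace in the thread: "15 03 01 00 02" then "02 30".
    print(explain("1503010002" + "0230"))
```

With the alert decoded, the check is the one Willey already suggested: on the radiusd host, run ldapsearch against ldaps://host:636 with TLS_CACERT in ldap.conf (or the LDAPTLS_CACERT environment variable) pointing at the CA certificate that issued slapd's certificate. Until that succeeds, rlm_ldap, which uses the same client library, will keep sending the same alert.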
RE: Radius with SSL
In the debug output of LDAP I see this:

---
.
.
.
tls_read: want=5, got=5
    : 15 03 01 00 02    .
tls_read: want=2, got=2
    : 02 30    .0
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca /usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1052
^Cslapd shutdown: waiting for 0 threads to terminate
slapd stopped.
---

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> Is your ldap server listening on that port?
> "...Can't contact LDAP server..."
>
> Does ldapsearch work?
RE: Radius with SSL
The server is up:

--
# netstat -at | grep ldap
tcp4  0  0  *.ldaps                *.*                    LISTEN
tcp6  0  0  *.ldaps                *.*                    LISTEN
tcp4  0  0  *.ldap                 *.*                    LISTEN
tcp6  0  0  *.ldap                 *.*                    LISTEN
tcp4  0  0  146.164.247.236.4435   146.164.247.236.ldaps  TIME_WAIT
tcp4  0  0  146.164.247.236.3299   146.164.247.236.ldaps  TIME_WAIT
---

On Thu, 13 Jan 2005, Willey Kurt D wrote:

> Is your ldap server listening on that port?
> "...Can't contact LDAP server..."
>
> Does ldapsearch work?
RE: Radius with SSL
Is your ldap server listening on that port?
"...Can't contact LDAP server..."

Does ldapsearch work?
RE: Radius with SSL
I created the certificates with http://www.freeradius.org/radiusd/doc/rlm_ldap and put the configs below in my radiusd.conf, but I have problems. Look at my debug from radiusd with "-x":

---
rad_recv: Access-Request packet from host 146.164.xxx.236:10537, id=104, length=132
        User-Name = "aaa"
        CHAP-Password = 0x658558a664c7032b44818a81b755804a11
        NAS-IP-Address = 146.164.xxx.236
        NAS-Identifier = "UFRJGK"
        NAS-Port-Type = Virtual
        Service-Type = Login-User
        CHAP-Challenge = 0x41e6bde1
        Framed-IP-Address = 146.164.xxx.198
        Attr-589825 = 0x683332332d6976722d6f75743d7465726d696e616c2d616c6961733a6161612c3032353938303035343b
rlm_ldap: - authorize
rlm_ldap: performing user authorization for aaa
ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to 146.164.xxx.236:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: bind as cn=root,dc=voip,dc=nce,dc=ufrj,dc=br/teste to 146.164.xxx.236:636
rlm_ldap: cn=root,dc=voip,dc=nce,dc=ufrj,dc=br bind to 146.164.xxx.236:636 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
--
RE: Radius with SSL
Use port 636 to your ldaps server, and let the radius server do the work. The hardest part is generating the certificate trust.

Sample radiusd.conf for ldaps to Win2K AD:

    server = "127.0.0.1"
    port = 636
    identity = "cn=ldapuser,cn=users,dc=domain,dc=com"
    password = yourpass
    basedn = "dc=domain,dc=com"
    filter = "(&(samaccountname=%{Stripped-User-Name:-%{User-Name}}))"
    start_tls = no
    tls_cacertfile = /usr/local/ssl/certs/sslcertificate.pem
    tls_cacertdir = /usr/local/ssl/certs/

If you can get ldapsearch to work, radiusd is a breeze.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anderson Alves de Albuquerque
Sent: Monday, January 10, 2005 9:18 AM
To: freeradius-users@lists.freeradius.org
Subject: Radius with SSL

> I need a manual about RADIUS + SSL.
>
> I have RADIUS authenticating against an LDAP server, but I need to pass the authentication over SSL.
> How can I do this?
> How can you help me? Please...