Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-30 Thread anoop_c
Hi
   I am getting the following message in the log when it first starts (radiusd -X)

[EMAIL PROTECTED] radius]# cat radius.log
Wed May 30 11:24:14 2007 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed May 30 11:24:14 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May 30 11:24:14 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed May 30 11:24:14 2007 : Info: Ready to process requests.

But if I start the server again, no logs; nothing other than this is coming in the log.

 Regarding the users file: in NavisRadius I used to do that for EAP-TLS, that's why I asked.

Regards
Anoop
--
 
 Message: 5
 Date: Tue, 29 May 2007 09:42:52 +0100
 From: [EMAIL PROTECTED]
 Subject: Re: log file for free radius 1.1.6 eap-tls authentication
 To: "FreeRadius users mailing list"
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-2
 
 1. That's not how certificates work. You add those that you want to
 PREVENT from connecting (for whatever reason) to the Certificate Revocation
 List (CRL). You supposedly do have control over who certificates are
 issued to. If you have no control over the CA then you shouldn't be using
 them.
 
 2. Is anything (reading config files etc.) written to the log when you
 restart the server?
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 Dana 29/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:
 
 Hi
    1 I know it's EAP-TLS and certificate based.
 Earlier I was using Navis radius. In that, for EAP-TLS we have to add the
 certificate name to a specific user file.
 Like that, here also a users file is there; can I make use of the users
 file so that only that user gets authenticated?

   2 Logs are not happening. Are config changes required to get the same?
 Regards
 Anoop
 
 
 
  Message: 2
  Date: Mon, 28 May 2007 15:07:06 +0100
  From: [EMAIL PROTECTED]
  Subject: Re: log file for free radius 1.1.6 eap-tls authentication
  To: "FreeRadius users mailing list"
 freeradius-users@lists.freeradius.org
  Message-ID: [EMAIL PROTECTED]
  Content-Type: text/plain; charset=ISO-8859-2
 
  This is EAP-TLS. This user has a valid user certificate and is
  accepted.
  If you don't want to go via certificates but use user/password, use
  EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
 
  Ivan Kalik
  Kalik Informatika ISP

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-30 Thread Anoop

--

Message: 4
Date: Wed, 30 May 2007 09:23:21 +0100 (BST)
From: shantanu choudhary [EMAIL PROTECTED]
Subject: problem in authentication with EAP-MD5
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Hi all,
I am trying to get authenticated by the RADIUS server using EAP-MD5 but I always
get FAILURE and I'm not able to figure out the problem. Can anyone help me
out!

My client side shows output like this:
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=17): 01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65
72
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=26): 01 00 00 16 01 01 00 16 04 10 e5 b2 63 cb 4e 4f
e7 d1 b1 4f 30 95 6c 21 cd a9
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
CTRL_IFACE monitor send - hexdump(len=22): 2f 74 6d 70 2f 77 70 61 5f 63 74
72 6c 5f 31 36 32 37 35 2d 31 00
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c
21 cd a9
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56
30 bf c6
EAP: method process - ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 4a f8 0b fc 31 7e
27 47 ac 95 4c 77 56 30 bf c6
EAPOL: SUPP_BE entering state RECEIVE
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX ctrl_iface - hexdump_ascii(len=6):
 53 54 41 54 55 53 STATUS
ioctl[SIOCGIFADDR]: Cannot assign requested address
RX ctrl_iface - hexdump_ascii(len=13):
 4c 49 53 54 5f 4e 45 54 57 4f 52 4b 53   LIST_NETWORKS
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX

Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-29 Thread tnt
1. That's not how certificates work. You add those that you want to
PREVENT from connecting (for whatever reason) to the Certificate Revocation
List (CRL). You supposedly do have control over who certificates are
issued to. If you have no control over the CA then you shouldn't be using
them.

2. Is anything (reading config files etc.) written to the log when you
restart the server?

Ivan Kalik
Kalik Informatika ISP


Dana 29/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:

Hi
   1 I know it's EAP-TLS and certificate based.
Earlier I was using Navis radius. In that, for EAP-TLS we have to add the
certificate name to a specific user file.
 Like that, here also a users file is there; can I make use of the users
 file so that only that user gets authenticated?

  2 Logs are not happening. Are config changes required to get the same?
Regards
Anoop



 Message: 2
 Date: Mon, 28 May 2007 15:07:06 +0100
 From: [EMAIL PROTECTED]
 Subject: Re: log file for free radius 1.1.6 eap-tls authentication
 To: "FreeRadius users mailing list"
  freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-2

 This is EAP-TLS. This user has a valid user certificate and is
 accepted.
 If you don't want to go via certificates but use user/password, use
 EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).

 Ivan Kalik
 Kalik Informatika ISP






Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
Hi all
 I have two queries
1
  I have changed to log_auth = yes
Still I am not able to get logs. Please find my configs
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /usr/local/var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

 
#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

 
#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = /usr/local/var/log/radius/radius.log




log_stripped_names = no

 
#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

 
#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct


2 While I am using Navis radius, there is one users file where you have to
add all usernames. In FreeRADIUS the authentication is working even without
adding the username. I would like to have a users file so that only the
users specified in it will authenticate. What config change should I make for
the same?


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread tnt
Post the radiusd -X output of user not in users file being accepted.

Ivan Kalik
Kalik Informatika ISP


Dana 28/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:

Hi all
 I have two queries
1
  I have changed to log_auth = yes
Still I am not able to get logs. Please find my configs
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /usr/local/var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = /usr/local/var/log/radius/radius.log




log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct


2 While I am using Navis radius, there is one users file where you have to
add all usernames. In FreeRADIUS the authentication is working even without
adding the username. I would like to have a users file so that only the
users specified in it will authenticate. What config change should I make for
the same?


Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
 group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.0.50 port 1026
EAP-Message = 0x010400350d80002b14030100010116030100204162186f236f12a6774a934742937f8d6653973dbce3f01ee4c223e78617f9d4
Message-Authenticator = 0x
State = 0x5edb6911600c27ccf2a62bd801e114ab
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=4, length=217
Message-Authenticator = 0x885b78f58d62d0eec96b2535b1e9bfb1
Service-Type = Framed-User
User-Name = "saravanakumar07"
Framed-MTU = 1488
State = 0x5edb6911600c27ccf2a62bd801e114ab
Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
Calling-Station-Id = "00-0E-35-F3-A1-67"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020400060d00
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
rlm_realm: No '@' in User-Name = "saravanakumar07", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: leaving group authenticate (returns ok) for request 4
Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-0E-35-F3-A1-67)
Sending Access-Accept of id 4 to 192.168.0.50 port 1026
MS-MPPE-Recv-Key = 0xb6e9159f33592da50de909d1f12d8cdfa9b866be2d2b12f90f7edefa4c7af054
MS-MPPE-Send-Key = 0xca94e3cdf69257d148b01ccb582dbb3e45b06dbc4450b07850fb47288111daf0
EAP-Message = 0x03040004
Message-Authenticator = 0x
User-Name = "saravanakumar07"
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 465ac5ef
Cleaning up request 1 ID 1 with timestamp 465ac5ef
Cleaning up request 2 ID 2 with timestamp 465ac5ef
Cleaning up request 3 ID 3 with timestamp 465ac5ef
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 465ac5f0
Nothing to do.  Sleeping until we see a request.
 
[EMAIL PROTECTED] sbin]#



 Message: 5
 Date: Mon, 28 May 2007 12:08:21 +0100
 From: [EMAIL PROTECTED]
 Subject: Re: log file for free radius 1.1.6 eap-tls authentication
 To: "FreeRadius users mailing list"
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-2
 
 Post the radiusd -X output of user not in users file being accepted.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 Dana 28/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] piše:
 
 Hi all
  I have two queries
 1
   I have changed to log_auth = yes
 Still I am not able to get logs. Please find my configs
 prefix = /usr/local
 exec_prefix = ${prefix}
 sysconfdir = /etc
 localstatedir = ${prefix}/var
 sbindir = ${exec_prefix}/sbin
 logdir = /usr/local/var/log/radius
 raddbdir = ${sysconfdir}/raddb
 radacctdir = ${logdir}/radacct
 
 #  Location of config and logfiles.
 confdir = ${raddbdir}
 run_dir = ${localstatedir}/run/radiusd
 
 #
 #  The logging messages for the server are appended to the
 #  tail of this file.
 #
 log_file = /usr/local/var/log/radius/radius.log
 
 
 
 
 log_stripped_names = no
 
 #  Log authentication requests to the log file.
 #
 #  allowed values: {no, yes}
 #
 log_auth = yes
 
 #  Log passwords with the authentication requests.
 #  log_auth_badpass  - logs password if it's rejected
 #  log_auth_goodpass - logs password if it's correct
 
 
 2 While I am using Navis radius, there is one users file where you
 have to add all usernames. In FreeRADIUS the authentication is working
 even without adding the username. I would like to have a users file so
 that only

Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread tnt
 A
  rlm_eap_tls:  TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3

Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-28 Thread anoop_c
Hi
   1 I know it's EAP-TLS and certificate based.
Earlier I was using Navis radius. In that, for EAP-TLS we have to add the
certificate name to a specific user file.
 Like that, here also a users file is there; can I make use of the users file so
that only that user gets authenticated?

  2 Logs are not happening. Are config changes required to get the same?
Regards
Anoop


 
 Message: 2
 Date: Mon, 28 May 2007 15:07:06 +0100
 From: [EMAIL PROTECTED]
 Subject: Re: log file for free radius 1.1.6 eap-tls authentication
 To: "FreeRadius users mailing list"
   freeradius-users@lists.freeradius.org
 Message-ID: [EMAIL PROTECTED]
 Content-Type: text/plain; charset=ISO-8859-2
 
 This is EAP-TLS. This user has a valid user certificate and is
 accepted.
 If you don't want to go via certificates but use user/password, use
 EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
 
 Ivan Kalik
 Kalik Informatika ISP
 

 



Re: log file for free radius 1.1.6 eap-tls authentication

2007-05-24 Thread tnt
Default radiusd.conf:

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

Change it to yes.

Ivan Kalik
Kalik Informatika ISP


Dana 24/5/2007, Anoop [EMAIL PROTECTED] piše:

Hi
I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole setup
is working fine.
But I am not getting any logs, like user login OK, login failed, etc.

Please guide me:
How will I get logs and what configuration do I need to do in the
configuration files?

Regards
Anoop







log file for free radius 1.1.6 eap-tls authentication

2007-05-23 Thread Anoop
Hi
I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole setup
is working fine.
But I am not getting any logs, like user login OK, login failed, etc.

Please guide me:
How will I get logs and what configuration do I need to do in the
configuration files?

Regards
Anoop







Re: free radius 1.1.6 -eap-tls authentication

2007-05-17 Thread Keith Moores
CRLs are not the best way to conduct authorization for EAP-TLS;
their control is too coarse when the goal is to enable/disable the
use of valid certificates for different purposes, and they don't let
you assign other authorization info like what VLAN a user should be
assigned to.

The only option that currently works for access to real authorization
with EAP-TLS is to use the:
check_cert_cn = %{User-Name}
option in the tls section of eap.conf, so you can be sure the outer
identity (User-Name) matches the inner identity in the certificate;
it's then valid to check User-Name against another source for
authorization.  If you don't perform this check you can't be sure the
outer identity (User-Name) has any relation to the identity
represented by the certificate.  This is only an option if your user
certificates contain the unique user id you will look up for
authorization in the Common Name field, not in the Subject
Alternative Name - Principal Name field (which many organizations use,
as their user certificate Common Names are not unique user identifiers).

-Keith


On May 17, 2007, at 1:49 AM, Alan DeKok wrote:

 [EMAIL PROTECTED] wrote:
   1 Where will I find the log of the authentication, like username login
 OK or login failed?

   It's in radius.log

   2 One user's certificate, if I install it in another user's laptop, works.
 I want one user's certificate to work in one laptop only.

   There's no real way of doing that.  You *could* put the MAC address
 into the certificate, and have the RADIUS server check that against the
 MAC address in the RADIUS request, but there's no guarantee that will
 work.  It can be spoofed, and it can break valid configurations.

   3 In the users file I haven't added any certificate name as it is
 EAP-TLS. So if I want to remove the user from the n/w I don't have
 control. Is there any method like I can add the certificate names in the
 users file, then only that should work?

   Certificate revocation lists.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
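Two things this thread asks for, seen from the log side: Ivan's log_auth = yes makes radius.log carry one Auth: line per accept or reject, and Keith's point is that a valid certificate alone is not authorization, so the User-Name still has to be checked against a list kept outside the CA. The Python below is an added example, not code from FreeRADIUS or from anyone in this thread: it parses constructed Auth: lines in the 1.x format, flags accepts for identities missing from an allowlist (the "user not in users file is accepted" case), and lists users accepted from more than one Calling-Station-Id. The log lines, the guest-laptop user and the second MAC address are made up for the example.

```python
"""Parse FreeRADIUS 1.x radius.log "Auth:" lines and flag what the thread
asks about: accepts for users that are on no authorization list, and one
identity accepted from several client stations (MAC addresses)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of radius.log after setting log_auth = yes. FreeRADIUS 1.x
# writes one "Auth:" line per accept ("Login OK") or reject ("Login incorrect").
# The guest-laptop user, the timestamps and the 00-11-.. / 00-AA-.. MACs are
# made up for this example; "saravanakumar07" and the first MAC come from the
# radiusd -X output posted in the thread.
SAMPLE_RADIUS_LOG = """\
Wed May 30 11:24:14 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed May 30 11:24:14 2007 : Info: Ready to process requests.
Wed May 30 11:25:02 2007 : Auth: Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-0E-35-F3-A1-67)
Wed May 30 11:26:40 2007 : Auth: Login OK: [guest-laptop] (from client private-network-1 port 3 cli 00-11-22-33-44-55)
Wed May 30 11:27:13 2007 : Auth: Login incorrect: [anoop] (from client private-network-1 port 2 cli 00-0E-35-F3-A1-68)
Wed May 30 11:31:55 2007 : Auth: Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-AA-BB-CC-DD-EE)
"""

# "<timestamp> : Auth: Login OK|incorrect: [user] (from client X port N cli MAC)"
AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)"
)


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    accepted: bool
    user: str
    client: str          # NAS short name as defined in clients.conf
    port: int
    cli: Optional[str]   # Calling-Station-Id (supplicant MAC), if the NAS sent one


def parse_auth_events(log_text: str) -> List[AuthEvent]:
    """Return the Auth: events in log order; Info: and other lines are skipped."""
    events: List[AuthEvent] = []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        # With log_auth_badpass/goodpass the brackets hold "user/password", and
        # EAP entries may read "user/<via Auth-Type = EAP>": keep only the name.
        user = m.group("user").split("/", 1)[0]
        events.append(AuthEvent(
            timestamp=m.group("ts"),
            accepted=(m.group("result") == "OK"),
            user=user,
            client=m.group("client"),
            port=int(m.group("port")),
            cli=m.group("cli"),
        ))
    return events


def unexpected_accepts(events: List[AuthEvent], authorized_users: Set[str]) -> List[AuthEvent]:
    """Accepts for identities that are not on the authorization list.

    With EAP-TLS any holder of a CA-issued certificate authenticates, so this
    is the check the thread is after: a valid certificate alone should not be
    enough when the name is missing from the list kept outside the CA."""
    return [e for e in events if e.accepted and e.user not in authorized_users]


def users_on_multiple_stations(events: List[AuthEvent]) -> Dict[str, Set[str]]:
    """Map user -> Calling-Station-Ids for users accepted from more than one
    station. As Alan DeKok notes, a MAC can be spoofed, so this is a lead for
    review (possibly a copied certificate), not proof of anything."""
    seen: Dict[str, Set[str]] = {}
    for e in events:
        if e.accepted and e.cli:
            seen.setdefault(e.user, set()).add(e.cli)
    return {u: macs for u, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_RADIUS_LOG)
    for e in unexpected_accepts(evs, {"saravanakumar07", "anoop"}):
        print(f"{e.timestamp}: accepted unlisted user {e.user!r} from {e.cli}")
    for user, macs in users_on_multiple_stations(evs).items():
        print(f"{user!r} accepted from {len(macs)} stations: {sorted(macs)}")
```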


free radius 1.1.6 -eap-tls authentication

2007-05-16 Thread anoop_c
Dear all
My EAP-TLS is working with FreeRADIUS 1.1.6, as I did every installation
starting from zero.

Thanks to all for the help.

   I have a few queries for FreeRADIUS, as I was using Navis radius.

  1 Where will I find the log of the authentication, like username login
OK or login failed?
  2 One user's certificate, if I install it in another user's laptop, works. I
want one user's certificate to work in one laptop only.
  3 In the users file I haven't added any certificate name as it is EAP-TLS. So if I
want to remove the user from the n/w I don't have control. Is there any method like
I can add the certificate names in the users file, then only that should work?

Regards
Anoop



Re: free radius 1.1.6 -eap-tls authentication

2007-05-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
   1 Where will I find the log of the authentication, like username login
 OK or login failed?

  It's in radius.log

   2 One user's certificate, if I install it in another user's laptop, works. I
 want one user's certificate to work in one laptop only.

  There's no real way of doing that.  You *could* put the MAC address
into the certificate, and have the RADIUS server check that against the
MAC address in the RADIUS request, but there's no guarantee that will
work.  It can be spoofed, and it can break valid configurations.

   3 In the users file I haven't added any certificate name as it is EAP-TLS. So if
 I want to remove the user from the n/w I don't have control. Is there any method
 like I can add the certificate names in the users file, then only that should work?

  Certificate revocation lists.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: free radius 1.1.6 -eap-tls authentication

2007-05-14 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Dear all
  I am using the same AP, same Windows client and same root certificate
 for testing Navis as well as FreeRADIUS. The root certificate is also installed.
  Is there any clue in the debug message?

  No.  If there was, you would have been told.

  All I know is that the symptoms you're seeing usually have the same
cause.  And other people get it to work, so I'm not sure what else to say.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


free radius 1.1.6 -eap-tls authentication

2007-05-13 Thread anoop_c
Dear all
 I am using the same AP, same Windows client and same root certificate
for testing Navis as well as FreeRADIUS. The root certificate is also installed.
 Is there any clue in the debug message?

[EMAIL PROTECTED] wrote:
 Dear all
 Thank you for the responses
I am using the openssl tool for certificate generation. I have included
the file xpextensions while generating certificates. The same certificates
worked well with the Navis radius server and Windows XP as client. So this may not
be the problem here

  Is it the SAME windows client, with the SAME root certificate, with
the SAME access point, going to FreeRADIUS using the SAME certificate?

  If it really works for Navis using the same certificate, my guess is
that your tests for FreeRADIUS are using a different Windows machine,
without the root certificate installed.

  Alan DeKok.


free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread anoop_c
Hi list

  While doing EAP-TLS authentication I am getting the following debug
messages. Could anybody please clarify?
 

   TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13


eaptls_verify returned 1
  eaptls_process returned 13

What do these debug messages indicate...

Anoop





Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
   While doing EAP-TLS authentication I am getting the following debug
message. Anybody please clarify.
...
 What do these debug messages indicate...

  That the server is working as expected.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread anoop_c
Dear all
   Thanks for the information. I am not able to do a successful
authentication still.
These are my configurations

I have copied my root.pem and server.pem to the /etc/raddb/certs directory.
1. My eap.conf file is like this:
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        ## EAP-TLS
        tls {
                private_key_password = password
                private_key_file = /etc/raddb/certs/07xwifi.pem
                certificate_file = /etc/raddb/certs/07xwifi.pem
                CA_file = /etc/raddb/certs/root.pem
                dh_file = /etc/raddb/certs/dh
                random_file = /etc/raddb/certs/random
                fragment_size = 1024
                include_length = yes
        }

        peap {
                default_eap_type = tls
        }
}
 
2. radiusd.conf (only the authorize and authenticate sections):
instantiate {
}

authorize {
        preprocess
        mschap
        eap
        files
}

#  Authentication.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
 
 
3. I haven't modified the users file since it's EAP-TLS authentication.


Guide me on any modification required further for EAP-TLS certificate based
authentication.

Regards
Anoop

   That the server is working as expected.
 
   Alan DeKok.



TLS_accept: Need to read more data: SSLv3 read client certificate A
 In SSL Handshake Phase
 In SSL Accept mode
   eaptls_process returned 13
 
 
 eaptls_verify returned 1
   eaptls_process returned 13
 
 What do these debug messages indicate...
 
 Anoop



Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread anoop_c


The FAQ, README, INSTALL, etc.  all say to run the server in debugging
mode to see what's going on.


Dear all
  I ran the radius server in debug mode and the output is as follows.
I didn't get any clue for the problem.

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/07xwifi.pem"
 tls: certificate_file = "/etc/raddb/certs/07xwifi.pem"
 tls: CA_file = "/etc/raddb/certs/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "tls"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp:

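As an added example (not code from this thread or from the FreeRADIUS project), here is a small Python parser for the "section: key = value" lines that radiusd -X prints while instantiating modules, followed by a review of the rlm_eap_tls settings it finds. The sample lines are constructed from the output quoted above, and the review thresholds are my own reviewer baseline, not FreeRADIUS defaults.

```python
import re

# Constructed sample: a subset of the "radiusd -X" output quoted in this thread.
SAMPLE_DEBUG = """\
Module: Loaded eap
 eap: default_eap_type = "tls"
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: private_key_file = "/etc/raddb/certs/07xwifi.pem"
 tls: certificate_file = "/etc/raddb/certs/07xwifi.pem"
 tls: CA_file = "/etc/raddb/certs/root.pem"
 tls: private_key_password = "password"
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
"""

# " section: key = value" as printed while modules are instantiated.
LINE_RE = re.compile(r'^\s*(\w+):\s+(\w+)\s*=\s*(.*?)\s*$')


def parse_debug(text):
    """Return {section: {key: value}}; quotes stripped, "(null)" -> None."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines such as "Module: Loaded eap"
        section, key, value = m.groups()
        value = value.strip('"')
        settings.setdefault(section, {})[key] = None if value == "(null)" else value
    return settings


def review_tls(settings):
    """Return (severity, message) findings for the rlm_eap_tls settings."""
    tls = settings.get("tls", {})
    findings = []
    if tls.get("private_key_password") is not None:
        # The debug run prints the passphrase in clear; captured logs become secrets.
        findings.append(("high", "private_key_password is echoed in debug output"))
    if tls.get("check_crl", "no") != "yes":
        findings.append(("medium", "check_crl = no: revoked client certs still accepted"))
    for key in ("rsa_key_length", "dh_key_length"):  # reviewer threshold: 2048 bits
        if key in tls and tls[key].isdigit() and int(tls[key]) < 2048:
            findings.append(("medium", f"{key} = {tls[key]}: below 2048 bits"))
    if tls.get("CA_file") is None and tls.get("CA_path") is None:
        findings.append(("high", "no CA_file/CA_path: client certs cannot be verified"))
    return findings
```
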
Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread tnt
They also say this:

The most common problem with PEAP is that the client sends a series of
Access-Request messages, the server sends a series of Access-Challenge
responses, and then... nothing happens. After a little wait, it all
starts again.

If you see this happening STOP!

The RADIUS server certificate has to have special OIDs in it, or else
the Microsoft clients will silently fail.  etc.


Ivan Kalik
Kalik Informatika ISP


On 11/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



The FAQ, README, INSTALL, etc.  all say to run the server in debugging
mode to see what's going on.


Dear all
  I ran the radius server in debug mode and the output is as follows.
I didn't get any clue for the problem.

[EMAIL PROTECTED] raddb]# radiusd -X

Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread A . L . M . Buxey
hi,

how did you generate your certificates?

alan


Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Dear all
Thanks for the information. I am not able to do a successful
 authentication still.
 These are my configurations

 I have copied my root.pem and server.pem to the /etc/raddb/certs directory.
 1. My eap.conf file is like this

  The FAQ, README, INSTALL, etc.  all say to run the server in debugging
mode to see what's going on.

  If there are problems with EAP authentication, read the FAQ.

  There *is* documentation.  It can help you solve these issues.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
   I ran the radius server in debug mode and the output is as follows.
 I didn't get any clue for the problem.

  There were messages yesterday on this list describing this exact
problem, and how to fix it.

  The file eap.conf describes this problem and how to fix it.

  The FAQ says what to do when PEAP or EAP-TLS doesn't work with a
Windows client.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread anoop_c
Dear all
Thank you for the responses
   I am using the openssl tool for certificate generation. I have included the
file xpextensions while generating certificates. The same certificates worked
well with the Navis radius server and Windows XP as client. So this may not be the
problem here.
Anoop

hi,

how did you generate your certificates?

alan


They also say this:

"The most common problem with PEAP is that the client sends a series of
Access-Request messages, the server sends a series of Access-Challenge
responses, and then... nothing happens. After a little wait, it all
starts again.

If you see this happening STOP!

The RADIUS server certificate has to have special OIDs in it, or else
the Microsoft clients will silently fail.  etc."


 There were messages yesterday on this list describing this exact
problem, and how to fix it.

  The file "eap.conf" describes this problem and how to fix it.

  The FAQ says what to do when PEAP or EAP-TLS doesn't work with a
Windows client.

Regards
Anoop



Re: free radius 1.1.6 -eap-tls authentication

2007-05-11 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
 Dear all
 Thank you for the responses
I am using the openssl tool for certificate generation. I have included the
 file xpextensions while generating certificates. The same certificates worked
 well with the Navis radius server and Windows XP as client. So this may not be the
 problem here.

  Is it the SAME windows client, with the SAME root certificate, with
the SAME access point, going to FreeRADIUS using the SAME certificate?

  If it really works for Navis using the same certificate, my guess is
that your tests for FreeRADIUS are using a different Windows machine,
without the root certificate installed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog