Re: log file for free radius 1.1.6 eap-tls authentication
Hi,

I am getting the following messages in the log when it first starts (radiusd -X):

[EMAIL PROTECTED] radius]# cat radius.log
Wed May 30 11:24:14 2007 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed May 30 11:24:14 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May 30 11:24:14 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed May 30 11:24:14 2007 : Info: Ready to process requests.

But if I start the server again there are no logs; nothing other than this is coming in the log.

Regarding the users file: in NavisRadius I used to do that for EAP-TLS, that's why I asked.

Regards
Anoop

--
Message: 5
Date: Tue, 29 May 2007 09:42:52 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

> 1. That's not how certificates work. You add those that you want to PREVENT from connecting (for whatever reason) to a Certificate Revocation List (CRL). You supposedly do have control over who certificates are issued to. If you have no control over the CA then you shouldn't be using them.
>
> 2. Is anything (reading config files etc.) written to the log when you restart the server?
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 29/5/2007, [EMAIL PROTECTED] wrote:
>> Hi
>> 1. I know it's EAP-TLS and certificate based. Earlier I was using NavisRadius; in that, for EAP-TLS we have to add the certificate name to a specific users file. Here also a users file is there; can I make use of the users file so that only that user gets authenticated?
>> 2. Logs are not happening. Are any config changes required to get the same?
>> Regards
>> Anoop

Message: 2
Date: Mon, 28 May 2007 15:07:06 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

> This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
>
> Ivan Kalik
> Kalik Informatika ISP

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: log file for free radius 1.1.6 eap-tls authentication
1. RE: Gigaword support ([EMAIL PROTECTED])
2. Re : Multiple server certificates in EAP-TLS or EAP-TTLS (Eshun Benjamin)
3. Re: log file for free radius 1.1.6 eap-tls authentication ([EMAIL PROTECTED])
4. problem in autehtication with EAP-MD5 (shantanu choudhary)

--
Message: 4
Date: Wed, 30 May 2007 09:23:21 +0100 (BST)
From: shantanu choudhary [EMAIL PROTECTED]
Subject: problem in autehtication with EAP-MD5
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

hi all,

I am trying to get authenticated by the RADIUS server using EAP-MD5 but I always get FAILURE, and I am not able to figure out the problem. Can anyone help me out!
My client side shows output like this:

EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=17): 01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65 72
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=26): 01 00 00 16 01 01 00 16 04 10 e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
CTRL_IFACE monitor send - hexdump(len=22): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 31 36 32 37 35 2d 31 00
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6
EAP: method process - ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6
EAPOL: SUPP_BE entering state RECEIVE
RX ctrl_iface - hexdump_ascii(len=4): 50 49 4e 47 PING
RX ctrl_iface - hexdump_ascii(len=6): 53 54 41 54 55 53 STATUS
ioctl[SIOCGIFADDR]: Cannot assign requested address
RX ctrl_iface - hexdump_ascii(len=13): 4c 49 53 54 5f 4e 45 54 57 4f 52 4b 53 LIST_NETWORKS
RX ctrl_iface - hexdump_ascii(len=4): 50 49 4e 47 PING
RX
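To make sense of the hexdump in the EAP-MD5 post above, here is an added example (not code from the post, from wpa_supplicant or from FreeRADIUS) that decodes the two EAPOL frames exactly as they appear in the log, computes the MD5-Challenge response the way RFC 1994/RFC 3748 define it (MD5 over identifier, cleartext password and challenge), and performs the check the server performs before it answers Success or Failure. The earlier identity response in the log (bytes 74 65 73 74 75 73 65 72) carries the name "testuser"; the password is not in the log, so the example uses a constructed one and labels it as such.

```python
import hashlib
import hmac

# Frames copied from the wpa_supplicant hexdump in the post above: the
# MD5-Challenge request (EAP id=1) and the supplicant's response to it.
REQUEST_FRAME = bytes.fromhex(
    "01 00 00 16 01 01 00 16 04 10 e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9"
)
RESPONSE_FRAME = bytes.fromhex(
    "01 00 00 16 02 01 00 16 04 10 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6"
)

EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def parse_eapol_md5(frame: bytes) -> dict:
    """Decode an EAPOL frame carrying an EAP MD5-Challenge packet.

    Layout: EAPOL header (version, type, length), then the EAP packet
    (code, identifier, length, type), then value-size, value, optional name.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type = frame[0], frame[1]
    eapol_len = int.from_bytes(frame[2:4], "big")
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError(f"not an EAP-Packet frame (EAPOL type {eapol_type})")
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len or eapol_len < 6:
        raise ValueError("EAPOL length does not match the bytes present")
    code, identifier = body[0], body[1]
    eap_len = int.from_bytes(body[2:4], "big")
    if eap_len != eapol_len:
        raise ValueError("EAP length disagrees with EAPOL length")
    if body[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError(f"not an MD5-Challenge packet (EAP type {body[4]})")
    value_size = body[5]
    value = body[6:6 + value_size]
    if len(value) != value_size:
        raise ValueError("value-size runs past the end of the packet")
    return {"version": version, "code": code, "id": identifier,
            "value": value, "name": body[6 + value_size:]}


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_response_frame(identifier: int, secret: bytes, challenge: bytes,
                             name: bytes = b"") -> bytes:
    """Build the EAPOL frame a supplicant sends back for a given challenge."""
    value = md5_challenge_response(identifier, secret, challenge)
    eap_len = 6 + len(value) + len(name)
    eap = (bytes([EAP_CODE_RESPONSE, identifier]) + eap_len.to_bytes(2, "big")
           + bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name)
    return bytes([1, EAPOL_TYPE_EAP_PACKET]) + eap_len.to_bytes(2, "big") + eap


def server_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """The server-side check: recompute the digest from the cleartext password
    it holds and the challenge it sent, then compare with the peer's value.
    A wrong password, an answer to a different challenge id, or a malformed
    frame all end in FAILURE."""
    try:
        req, rsp = parse_eapol_md5(request), parse_eapol_md5(response)
    except ValueError:
        return False
    if req["code"] != EAP_CODE_REQUEST or rsp["code"] != EAP_CODE_RESPONSE:
        return False
    if req["id"] != rsp["id"]:
        return False
    expected = md5_challenge_response(rsp["id"], secret, req["value"])
    return hmac.compare_digest(expected, rsp["value"])
```

Two points follow from the computation itself: the server can only reproduce the digest if it has the cleartext password for the user, so a FAILURE with a correct supplicant password usually means the server has no usable password for that identity; and because MD5-Challenge derives no keying material and authenticates only the client, it gives a wireless link none of the session keys (the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes visible in the EAP-TLS Access-Accept later in this thread) that the access point needs.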
Re: log file for free radius 1.1.6 eap-tls authentication
1. That's not how certificates work. You add those that you want to PREVENT from connecting (for whatever reason) to a Certificate Revocation List (CRL). You supposedly do have control over who certificates are issued to. If you have no control over the CA then you shouldn't be using them.

2. Is anything (reading config files etc.) written to the log when you restart the server?

Ivan Kalik
Kalik Informatika ISP

On 29/5/2007, [EMAIL PROTECTED] wrote:
> Hi
> 1. I know it's EAP-TLS and certificate based. Earlier I was using NavisRadius; in that, for EAP-TLS we have to add the certificate name to a specific users file. Here also a users file is there; can I make use of the users file so that only that user gets authenticated?
> 2. Logs are not happening. Are any config changes required to get the same?
> Regards
> Anoop
>
> Message: 2
> Date: Mon, 28 May 2007 15:07:06 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: log file for free radius 1.1.6 eap-tls authentication
> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-2
>
>> This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: log file for free radius 1.1.6 eap-tls authentication
Hi all,

I have two queries.

1. I have changed log_auth = yes. Still I am not able to get logs. Please find my configs:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /usr/local/var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = /usr/local/var/log/radius/radius.log

log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct

2. While I was using NavisRadius, there was one users file where you have to add all usernames. In FreeRADIUS the authentication is working even without adding the username. I would like to have a users file so that only the users specified in it will authenticate. What config change should I make for the same?
Re: log file for free radius 1.1.6 eap-tls authentication
Post the radiusd -X output of a user not in the users file being accepted.

Ivan Kalik
Kalik Informatika ISP

On 28/5/2007, [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have two queries.
>
> 1. I have changed log_auth = yes. Still I am not able to get logs. Please find my configs:
>
> prefix = /usr/local
> exec_prefix = ${prefix}
> sysconfdir = /etc
> localstatedir = ${prefix}/var
> sbindir = ${exec_prefix}/sbin
> logdir = /usr/local/var/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> #  Location of config and logfiles.
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/radiusd
>
> #
> #  The logging messages for the server are appended to the
> #  tail of this file.
> #
> log_file = /usr/local/var/log/radius/radius.log
>
> log_stripped_names = no
>
> #  Log authentication requests to the log file.
> #
> #  allowed values: {no, yes}
> #
> log_auth = yes
>
> #  Log passwords with the authentication requests.
> #  log_auth_badpass  - logs password if it's rejected
> #  log_auth_goodpass - logs password if it's correct
>
> 2. While I was using NavisRadius, there was one users file where you have to add all usernames. In FreeRADIUS the authentication is working even without adding the username. I would like to have a users file so that only the users specified in it will authenticate. What config change should I make for the same?
Re: log file for free radius 1.1.6 eap-tls authentication
A
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.0.50 port 1026
        EAP-Message = 0x010400350d80002b14030100010116030100204162186f236f12a6774a934742937f8d6653973dbce3f01ee4c223e78617f9d4
        Message-Authenticator = 0x
        State = 0x5edb6911600c27ccf2a62bd801e114ab
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=4, length=217
        Message-Authenticator = 0x885b78f58d62d0eec96b2535b1e9bfb1
        Service-Type = Framed-User
        User-Name = "saravanakumar07"
        Framed-MTU = 1488
        State = 0x5edb6911600c27ccf2a62bd801e114ab
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020400060d00
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
    rlm_realm: No '@' in User-Name = "saravanakumar07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: leaving group authenticate (returns ok) for request 4
Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-0E-35-F3-A1-67)
Sending Access-Accept of id 4 to 192.168.0.50 port 1026
        MS-MPPE-Recv-Key = 0xb6e9159f33592da50de909d1f12d8cdfa9b866be2d2b12f90f7edefa4c7af054
        MS-MPPE-Send-Key = 0xca94e3cdf69257d148b01ccb582dbb3e45b06dbc4450b07850fb47288111daf0
        EAP-Message = 0x03040004
        Message-Authenticator = 0x
        User-Name = "saravanakumar07"
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 465ac5ef
Cleaning up request 1 ID 1 with timestamp 465ac5ef
Cleaning up request 2 ID 2 with timestamp 465ac5ef
Cleaning up request 3 ID 3 with timestamp 465ac5ef
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 465ac5f0
Nothing to do. Sleeping until we see a request.
[EMAIL PROTECTED] sbin]#

Message: 5
Date: Mon, 28 May 2007 12:08:21 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

> Post the radiusd -X output of a user not in the users file being accepted.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 28/5/2007, [EMAIL PROTECTED] wrote:
>> Hi all,
>> I have two queries.
>> 1. I have changed log_auth = yes. Still I am not able to get logs. Please find my configs:
>>
>> prefix = /usr/local
>> exec_prefix = ${prefix}
>> sysconfdir = /etc
>> localstatedir = ${prefix}/var
>> sbindir = ${exec_prefix}/sbin
>> logdir = /usr/local/var/log/radius
>> raddbdir = ${sysconfdir}/raddb
>> radacctdir = ${logdir}/radacct
>>
>> #  Location of config and logfiles.
>> confdir = ${raddbdir}
>> run_dir = ${localstatedir}/run/radiusd
>>
>> #
>> #  The logging messages for the server are appended to the
>> #  tail of this file.
>> #
>> log_file = /usr/local/var/log/radius/radius.log
>>
>> log_stripped_names = no
>>
>> #  Log authentication requests to the log file.
>> #
>> #  allowed values: {no, yes}
>> #
>> log_auth = yes
>>
>> #  Log passwords with the authentication requests.
>> #  log_auth_badpass
Re: log file for free radius 1.1.6 eap-tls authentication
Hi

1. I know it's EAP-TLS and certificate based. Earlier I was using NavisRadius; in that, for EAP-TLS we have to add the certificate name to a specific users file. Here also a users file is there; can I make use of the users file so that only that user gets authenticated?

2. Logs are not happening. Are any config changes required to get the same?

Regards
Anoop

Message: 2
Date: Mon, 28 May 2007 15:07:06 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org>
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

> This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: log file for free radius 1.1.6 eap-tls authentication
Default radiusd.conf:

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

Change it to yes.

Ivan Kalik
Kalik Informatika ISP

On 24/5/2007, Anoop [EMAIL PROTECTED] wrote:
> Hi
> I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole setup is working fine, but I am not getting any logs, like user login OK, login failed etc. Please guide me: how will I get logs, and what configuration do I need to do in the configuration files?
> Regards
> Anoop
>
> ** DISCLAIMER ** Information contained and transmitted by this E-MAIL is proprietary to Sify Limited and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If this is a forwarded message, the content of this E-MAIL may not have been sent with the authority of the Company. If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited. If you have received this communication in error, please delete this mail notify us immediately at [EMAIL PROTECTED]
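Once log_auth = yes is in effect (Ivan's answer above, and the setting Anoop later shows in his radiusd.conf), the daemon appends one line per authentication to radius.log, which is what makes the file useful for detection rather than just debugging. The following is an added example, not code from this thread or from FreeRADIUS: it parses such lines and flags a calling station that keeps failing. The "Auth: Login OK/incorrect: [user] (from client ... port N cli MAC)" layout is assumed from the "Login OK:" line in the radiusd -X output elsewhere in the thread, and every sample line is constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of radius.log content for a server running with
# log_auth = yes.  The line layout is assumed from the "Login OK:" line in
# the radiusd -X output in this thread; none of these lines is from a post.
SAMPLE_LOG = """\
Mon May 28 12:08:21 2007 : Info: Ready to process requests.
Mon May 28 12:08:30 2007 : Auth: Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-0E-35-F3-A1-67)
Mon May 28 12:09:02 2007 : Auth: Login incorrect: [guest] (from client private-network-1 port 1 cli 00-11-22-33-44-55)
Mon May 28 12:09:05 2007 : Auth: Login incorrect: [guest] (from client private-network-1 port 1 cli 00-11-22-33-44-55)
Mon May 28 12:09:09 2007 : Auth: Login incorrect: [admin] (from client private-network-1 port 1 cli 00-11-22-33-44-55)
Mon May 28 12:10:00 2007 : Auth: Login OK: [anoop] (from client private-network-1 port 2 cli 00-0E-35-00-00-01)
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)$"
)


def parse_auth_events(text: str) -> list:
    """Extract authentication events; Info/Error lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ok"] = ev.pop("result") == "OK"
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def summarize(events: list) -> dict:
    """Totals plus, per calling station (client MAC), the usernames it tried."""
    users_by_station = defaultdict(set)
    for ev in events:
        users_by_station[ev["cli"]].add(ev["user"])
    return {
        "ok": sum(1 for ev in events if ev["ok"]),
        "failed": sum(1 for ev in events if not ev["ok"]),
        "users_by_station": {cli: sorted(u) for cli, u in users_by_station.items()},
    }


def suspicious_stations(events: list, threshold: int = 3) -> dict:
    """Calling stations with at least `threshold` failed logins.  A station
    that cycles through several usernames is the pattern worth alerting on."""
    fails = Counter(ev["cli"] for ev in events if not ev["ok"])
    return {cli: n for cli, n in fails.items() if n >= threshold}
```

The station key is Calling-Station-Id as the NAS reported it, so, as Alan notes further down this thread about MAC addresses, it identifies the radio that tried, not necessarily the person; it is still the right grouping key for spotting one device walking through account names.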
log file for free radius 1.1.6 eap-tls authentication
Hi

I am using FreeRADIUS 1.1.6 with EAP-TLS authentication. The whole setup is working fine, but I am not getting any logs, like user login OK, login failed etc. Please guide me: how will I get logs, and what configuration do I need to do in the configuration files?

Regards
Anoop
Re: free radius 1.1.6 -eap-tls authentication
CRLs are not the best way to conduct authorization for EAP-TLS: their control is too coarse when the goal is to enable/disable the use of valid certificates for different purposes, and they don't let you assign other authorization info like what VLAN a user should be assigned to.

The only option that currently works for access to real authorization with EAP-TLS is to use the

    check_cert_cn = %{User-Name}

option in the tls section of eap.conf, so you can be sure the outer identity (User-Name) matches the inner identity in the certificate; it's then valid to check User-Name against another source for authorization. If you don't perform this check you can't be sure the outer identity (User-Name) has any relation to the identity represented by the certificate.

This is only an option if your user certificates contain the unique user id you will look up for authorization in the Common Name field, not in the Subject Alternative Name - Principal Name field (which many organizations use, as their user certificate Common Names are not unique user identifiers).

-Keith

On May 17, 2007, at 1:49 AM, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
>> 1. Where will I find the log of the authentication, like username login OK or login failed?
>
> It's in radius.log
>
>> 2. If one user's certificate is installed in another user's laptop it works. I want one user certificate to work in one laptop only.
>
> There's no real way of doing that. You *could* put the MAC address into the certificate, and have the RADIUS server check that against the MAC address in the RADIUS request, but there's no guarantee that will work. It can be spoofed, and it can break valid configurations.
>
>> 3. In the users file I haven't added any certificate name as it is EAP-TLS. So if I want to remove the user from the network I don't have control. Is there any method like I can add the certificate names in the users file, and then only it should work?
>
> Certificate revocation lists.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
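Two threads of this discussion meet here: Anoop's question of how to make the users file decide who may connect (the radiusd -X output earlier shows "module files returns notfound" for a user who is nevertheless accepted), and Keith's point that User-Name is only worth looking up once check_cert_cn has tied it to the certificate's CN. The following is an added example, written for this page and not FreeRADIUS code, that models that decision path in Python. It assumes a small subset of the real users-file grammar (entry name or DEFAULT, comma-separated `==`/`!=` checks and `:=` control items, indented reply items, Fall-Through) and stands in for eap.conf's `check_cert_cn = %{User-Name}` with a plain string comparison; the users file content is constructed, reusing the user name and calling station from the debug output above.

```python
import re

# Constructed FreeRADIUS-style users file (not from the thread).  The first
# entry binds the certificate holder seen in the radiusd -X output to the
# calling station from that output and hands back VLAN reply items; the
# final DEFAULT entry refuses anyone not matched above.
USERS_FILE = """\
saravanakumar07  Calling-Station-Id == "00-0E-35-F3-A1-67"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "staff"

DEFAULT  Auth-Type := Reject
        Reply-Message = "Not in users file"
"""

ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*')


def _parse_items(text: str) -> list:
    """'Attr op value, Attr op value' -> [(attr, op, value), ...]."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item at {text[pos:]!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value[1:-1] if value.startswith('"') else value))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' at {text[pos:]!r}")
            pos += 1
    return items


def parse_users_file(text: str) -> list:
    """Subset of the users file grammar: an entry starts in column 1 with a
    name (or DEFAULT) and comma-separated check items; indented continuation
    lines hold reply items.  '#' starts a comment (values containing '#'
    are outside this subset)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1]["reply"].extend(_parse_items(line))
        else:
            parts = line.split(None, 1)
            entries.append({"name": parts[0].strip('"'),
                            "check": _parse_items(parts[1]) if len(parts) > 1 else [],
                            "reply": []})
    return entries


def _match(entry: dict, request: dict):
    """Control items if the entry matches the request, else None.  '==' and
    '!=' compare against request attributes; ':=' / '=' set a control item
    such as Auth-Type."""
    if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
        return None
    control = {}
    for attr, op, value in entry["check"]:
        if op in ("==", "!="):
            if (request.get(attr) == value) != (op == "=="):
                return None
        else:
            control[attr] = value
    return control


def lookup(entries: list, request: dict):
    """First matching entry wins unless it carries Fall-Through = Yes.
    (None, []) means nothing matched: the 'files' module's 'notfound'."""
    control, reply = None, []
    for entry in entries:
        c = _match(entry, request)
        if c is None:
            continue
        control = {**(control or {}), **c}
        fall_through = False
        for attr, _op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))
        if not fall_through:
            break
    return control, reply


def authorize_eap_tls(request: dict, cert_cn: str, entries: list,
                      check_cert_cn: bool = True):
    """Model of the decision path discussed in the thread.  check_cert_cn
    stands in for eap.conf's `check_cert_cn = %{User-Name}`: the outer
    User-Name must equal the certificate CN before it is trusted for any
    lookup.  Returns (decision, reply_items)."""
    if check_cert_cn and cert_cn != request.get("User-Name"):
        return "reject", [("Reply-Message", "certificate CN does not match User-Name")]
    control, reply = lookup(entries, request)
    if control is not None and control.get("Auth-Type") == "Reject":
        return "reject", reply
    # 'notfound' from files does not stop EAP-TLS: the certificate handshake
    # is the authentication, so an unlisted user is still accepted.
    return "accept", reply
```

The closing `DEFAULT Auth-Type := Reject` entry is the standard users-file idiom that turns "not listed" into a rejection; without it the model reproduces the symptom in the debug output, an unlisted certificate holder accepted with an empty reply. The Calling-Station-Id check in the first entry is Alan's MAC idea expressed as a users-file check item and inherits the weakness he names (the MAC can be spoofed). Revocation remains a separate switch: the radiusd -X output further down shows `check_crl = no` in the tls section, and a CRL only removes a certificate outright, whereas the users file is where per-user reply items such as the VLAN attributes live.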
free radius 1.1.6 -eap-tls authentication
Dear all,

My EAP-TLS is working with FreeRADIUS 1.1.6, as I did every installation starting from zero. Thanks to all for the help.

I have a few queries for FreeRADIUS, as I was using NavisRadius.

1. Where will I find the log of the authentication, like username login OK or login failed?

2. If one user's certificate is installed in another user's laptop it works. I want one user certificate to work in one laptop only.

3. In the users file I haven't added any certificate name as it is EAP-TLS. So if I want to remove the user from the network I don't have control. Is there any method like I can add the certificate names in the users file, and then only it should work?

Regards
Anoop
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> 1. Where will I find the log of the authentication, like username login OK or login failed?

It's in radius.log

> 2. If one user's certificate is installed in another user's laptop it works. I want one user certificate to work in one laptop only.

There's no real way of doing that. You *could* put the MAC address into the certificate, and have the RADIUS server check that against the MAC address in the RADIUS request, but there's no guarantee that will work. It can be spoofed, and it can break valid configurations.

> 3. In the users file I haven't added any certificate name as it is EAP-TLS. So if I want to remove the user from the network I don't have control. Is there any method like I can add the certificate names in the users file, and then only it should work?

Certificate revocation lists.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> Dear all,
> I am using the same AP, same Windows client and same root certificate for testing Navis as well as FreeRADIUS. The root certificate is also installed. Is there any clue in the debug message?

No. If there was, you would have been told.

All I know is that the symptoms you're seeing usually have the same cause. And other people get it to work, so I'm not sure what else to say.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
free radius 1.1.6 -eap-tls authentication
Dear all,

I am using the same AP, same Windows client and same root certificate for testing Navis as well as FreeRADIUS. The root certificate is also installed. Is there any clue in the debug message?

[EMAIL PROTECTED] wrote:
>> Dear all,
>> Thank you for the responses. I am using the openssl tool for certificate generation. I have included the file xpextensions while generating certificates. The same certificates worked well with the NavisRadius server and Windows XP as client, so this may not be the problem here.
>
> Is it the SAME Windows client, with the SAME root certificate, with the SAME access point, going to FreeRADIUS using the SAME certificate?
>
> If it really works for Navis using the same certificate, my guess is that your tests for FreeRADIUS are using a different Windows machine, without the root certificate installed.
>
> Alan DeKok.
free radius 1.1.6 -eap-tls authentication
Hi list,

While doing EAP-TLS authentication I am getting the following debug message. Anybody please clarify.

    TLS_accept: Need to read more data: SSLv3 read client certificate A
  In SSL Handshake Phase
  In SSL Accept mode
  eaptls_process returned 13
  eaptls_verify returned 1
  eaptls_process returned 13

What do these debug messages indicate?

Anoop
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> While doing EAP-TLS authentication I am getting the following debug message. Anybody please clarify.
> ...
> What do these debug messages indicate?

That the server is working as expected.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
Dear all,

Thanks for the information. I am still not able to do a successful authentication. These are my configurations. I have copied my root.pem and server.pem to the /etc/raddb/certs directory.

1. My eap.conf file is like this:

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        ## EAP-TLS
        tls {
                private_key_password = password
                private_key_file = /etc/raddb/certs/07xwifi.pem
                certificate_file = /etc/raddb/certs/07xwifi.pem
                CA_file = /etc/raddb/certs/root.pem
                dh_file = /etc/raddb/certs/dh
                random_file = /etc/raddb/certs/random
                fragment_size = 1024
                include_length = yes
        }

        peap {
                default_eap_type = tls
        }
}

2. radiusd.conf (only the authorize and authenticate sections):

instantiate {
}

authorize {
        preprocess
        mschap
        eap
        files
}

#  Authentication.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

3. I haven't modified the users file since it's EAP-TLS authentication.

Guide me on any modification required further for EAP-TLS certificate-based authentication.

Regards
Anoop

> That the server is working as expected.
>
> Alan DeKok.
>
>>     TLS_accept: Need to read more data: SSLv3 read client certificate A
>>   In SSL Handshake Phase
>>   In SSL Accept mode
>>   eaptls_process returned 13
>>   eaptls_verify returned 1
>>   eaptls_process returned 13
>>
>> What do these debug messages indicate?
>>
>> Anoop
Re: free radius 1.1.6 -eap-tls authentication
> The FAQ, README, INSTALL, etc. all say to run the server in debugging mode to see what's going on.

Dear all,

I run the radius server in debug mode and the output is as follows. I didn't get any clue for the problem.

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/07xwifi.pem"
 tls: certificate_file = "/etc/raddb/certs/07xwifi.pem"
 tls: CA_file = "/etc/raddb/certs/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "tls"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp:
Re: free radius 1.1.6 -eap-tls authentication
They also say this:

> The most common problem with PEAP is that the client sends a series of Access-Request messages, the server sends a series of Access-Challenge responses, and then... nothing happens. After a little wait, it all starts again. If you see this happening STOP! The RADIUS server certificate has to have special OIDs in it, or else the Microsoft clients will silently fail.

etc.

Ivan Kalik
Kalik Informatika ISP

On 11/5/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] writes:

>> The FAQ, README, INSTALL, etc. all say to run the server in debugging mode to see what's going on.
>
> Dear all,
>
> I run the radius server in debug mode and the output is as follows. I didn't get any clue for the problem.
>
> [EMAIL PROTECTED] raddb]# radiusd -X
> [... same radiusd -X output as in the previous message ...]
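The challenge loop the FAQ text above describes can be picked out of radiusd -X output mechanically instead of by eye. The script below is an added example, not code from this thread or from the FreeRADIUS project: it scans a debug log for a client that answers one or more Access-Challenges and then starts over with a fresh EAP Identity response without the server ever sending an Access-Accept or Access-Reject, and reports the last TLS_accept state the server reached before the client went quiet. The sample log lines are constructed in the style of the 1.1.x debug output quoted in this thread; the exact "rad_recv" and "Sending Access-Challenge" line formats are assumed from that version.

```shell
#!/bin/sh
# Added example, not from the thread or FreeRADIUS: flag the "challenge loop"
# failure mode in radiusd -X output. The log lines below are CONSTRUCTED in the
# style of FreeRADIUS 1.1.x debug output; the rad_recv / Sending Access-Challenge
# line formats are assumed from that version.

WORK="${WORK:-$(mktemp -d)}"
STALL_LOG="$WORK/stall.log"
OK_LOG="$WORK/ok.log"

# Scan one or more radiusd -X logs. A stall is: the client answered one or more
# Access-Challenges, then sent a fresh EAP Identity response (EAP code 0x02,
# type 0x01) without the server having sent Access-Accept/Reject in between.
# Prints a verdict; returns 0 if a stall was found, 1 otherwise.
detect_eap_stall() {
  awk '
    /rad_recv: Access-Request/ { in_req = 1; next }
    in_req && /EAP-Message = 0x/ {
      hex = $3; sub(/^0x/, "", hex)
      # EAP header: code(1) id(1) length(2) type(1) -> code at hex offset 1, type at offset 9
      if (substr(hex, 1, 2) == "02" && substr(hex, 9, 2) == "01") {
        if (challenges > 0 && !decided) { stalls++; lastc = challenges; reason = last_tls }
        challenges = 0; decided = 0
      }
      in_req = 0
    }
    /Sending Access-Challenge/ { challenges++ }
    /Sending Access-Accept|Sending Access-Reject/ { decided = 1; challenges = 0 }
    /TLS_accept:/ { last_tls = $0; sub(/^[ \t]+/, "", last_tls) }
    END {
      if (stalls > 0) {
        printf "STALL: client restarted EAP %d time(s) after answering %d challenge(s); last TLS state: %s\n", stalls, lastc, reason
        exit 0
      }
      print "no stall detected"
      exit 1
    }
  ' "$@"
}

# Constructed: the client is asked for its certificate, answers nothing, and
# after a while starts again with a new Identity response.
cat > "$STALL_LOG" <<'EOF'
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=1, length=139
        User-Name = "anoop"
        EAP-Message = 0x0201000a01616e6f6f70
Sending Access-Challenge of id 1 to 192.0.2.10 port 1645
        EAP-Message = 0x010200060d20
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=2, length=221
        User-Name = "anoop"
        EAP-Message = 0x020200160d80000000101603010001
  TLS_accept: before/accept initialization
  TLS_accept: SSLv3 read client hello A
  TLS_accept: SSLv3 write server hello A
  TLS_accept: SSLv3 write certificate A
  TLS_accept: SSLv3 write certificate request A
  TLS_accept: SSLv3 flush data
  TLS_accept: Need to read more data: SSLv3 read client certificate A
    In SSL Handshake Phase
    In SSL Accept mode
  eaptls_process returned 13
Sending Access-Challenge of id 2 to 192.0.2.10 port 1645
        EAP-Message = 0x0103040a0dc000000a10160301
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=3, length=139
        User-Name = "anoop"
        EAP-Message = 0x0201000a01616e6f6f70
Sending Access-Challenge of id 3 to 192.0.2.10 port 1645
        EAP-Message = 0x010200060d20
EOF

# Constructed: the same start, but the handshake completes and is accepted.
cat > "$OK_LOG" <<'EOF'
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=1, length=139
        User-Name = "anoop"
        EAP-Message = 0x0201000a01616e6f6f70
Sending Access-Challenge of id 1 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=2, length=221
        EAP-Message = 0x020200160d80000000101603010001
  TLS_accept: Need to read more data: SSLv3 read client certificate A
Sending Access-Challenge of id 2 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=3, length=145
        EAP-Message = 0x020300060d00
  TLS_accept: SSLv3 read finished A
Sending Access-Accept of id 3 to 192.0.2.10 port 1645
rad_recv: Access-Request packet from host 192.0.2.10:1645, id=4, length=139
        EAP-Message = 0x0201000a01616e6f6f70
EOF

for f in "$STALL_LOG" "$OK_LOG"; do
  printf '%s: ' "$(basename "$f")"
  detect_eap_stall "$f" || true
done
```

When the last reported state is "SSLv3 read client certificate A", the server sent its certificate and asked for the client's and never got an answer: the client side gave up, which is consistent with the FAQ's description of the Microsoft supplicant failing silently when it does not like the server certificate. Feed it the real radiusd -X output rather than the constructed samples to use it.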
Re: free radius 1.1.6 -eap-tls authentication
hi,

how did you generate your certificates?

alan
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> Dear all
> Thanks for the information. I am not able to do successful authentication still. These are my configurations. I have copied my root.pem and server.pem to /etc/raddb/certs directory.
> 1. My eap.conf file is like this

The FAQ, README, INSTALL, etc. all say to run the server in debugging mode to see what's going on.

If there are problems with EAP authentication, read the FAQ. There *is* documentation. It can help you solve these issues.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> I run the radius server in debug mode and the output is as follows. I didn't get any clue for the problem.

There were messages yesterday on this list describing this exact problem, and how to fix it.

The file eap.conf describes this problem and how to fix it.

The FAQ says what to do when PEAP or EAP-TLS doesn't work with a Windows client.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
Dear all,

Thank you for the responses. I am using the openssl tool for certificate generation. I have included the file xpextensions while generating certificates. The same certificates worked well with the Navis radius server and Windows XP as client. So this may not be the problem here.

Anoop

> hi,
> how did you generate your certificates?
> alan

> They also say this:
> "The most common problem with PEAP is that the client sends a series of Access-Request messages, the server sends a series of Access-Challenge responses, and then... nothing happens. After a little wait, it all starts again. If you see this happening STOP! The RADIUS server certificate has to have special OIDs in it, or else the Microsoft clients will silently fail." etc.

> There were messages yesterday on this list describing this exact problem, and how to fix it.
> The file "eap.conf" describes this problem and how to fix it.
> The FAQ says what to do when PEAP or EAP-TLS doesn't work with a Windows client.

Regards
Anoop
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
> Dear all
> Thank you for the responses. I am using the openssl tool for certificate generation. I have included the file xpextensions while generating certificates. The same certificates worked well with the Navis radius server and Windows XP as client. So this may not be the problem here.

Is it the SAME Windows client, with the SAME root certificate, with the SAME access point, going to FreeRADIUS using the SAME certificate?

If it really works for Navis using the same certificate, my guess is that your tests for FreeRADIUS are using a different Windows machine, without the root certificate installed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
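Both of the questions raised in the last two messages, whether the certificates carry the xpextensions OIDs and whether the client actually trusts the root that issued the server certificate, can be checked with openssl rather than argued about. The script below is an added example, not code from this thread or from the FreeRADIUS project. It builds a throwaway CA, a server certificate and a client certificate with the two EKU profiles, then shows that the server certificate verifies against root.pem for the sslserver purpose, that a clientAuth-only certificate is rejected for that purpose, and that verification against an unrelated CA fails, which is what a client without root.pem installed sees. The xpextensions section names and OIDs are reproduced from memory of the FreeRADIUS 1.x file and are an assumption; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): generate a test PKI with
# the EKU profiles of FreeRADIUS's xpextensions file and check the properties
# the Windows supplicant silently requires. Requires the openssl CLI.

WORK="${WORK:-$(mktemp -d)}"

# Assumed content of the FreeRADIUS 1.x xpextensions file (from memory):
# serverAuth (1.3.6.1.5.5.7.3.1) for the RADIUS server cert, clientAuth
# (1.3.6.1.5.5.7.3.2) for user certs.
write_xpextensions() {
  cat > "$1" <<'EOF'
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# Issue $dir/$name.pem signed by $ca/$cakey with extension section $ext.
issue_cert() {
  name=$1 ca=$2 cakey=$3 ext=$4 dir=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$dir/$name.csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
      -days 1 -sha256 -extfile "$dir/xpextensions" -extensions "$ext" \
      -out "$dir/$name.pem" >/dev/null 2>&1
}

make_test_pki() {
  dir=$1
  write_xpextensions "$dir/xpextensions"
  # root.pem: the CA both the RADIUS server and the clients are meant to trust
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Test Root CA" >/dev/null 2>&1
  # other-root.pem: an unrelated CA, standing in for a client without root.pem installed
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -keyout "$dir/other-root.key" -out "$dir/other-root.pem" -subj "/CN=Some Other CA" >/dev/null 2>&1
  issue_cert server "$dir/root.pem" "$dir/root.key" xpserver_ext "$dir"
  issue_cert client "$dir/root.pem" "$dir/root.key" xpclient_ext "$dir"
}

# Returns 0 if $cert chains to $ca AND its EKU permits $purpose (sslserver or
# sslclient). The "<file>: OK" line is checked rather than the exit status
# because old openssl verify versions exited 0 on failure.
cert_ok_for() {
  ca=$1 cert=$2 purpose=$3
  openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" 2>&1 | grep -q "^$cert: OK"
}

# Print the Extended Key Usage names a certificate carries (empty if none).
eku_of() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

make_test_pki "$WORK"
for c in server client; do
  printf '%s.pem EKU: %s\n' "$c" "$(eku_of "$WORK/$c.pem")"
done
cert_ok_for "$WORK/root.pem" "$WORK/server.pem" sslserver \
  && echo "server.pem: chains to root.pem and carries serverAuth"
cert_ok_for "$WORK/root.pem" "$WORK/client.pem" sslserver \
  || echo "client.pem: rejected as a server certificate (clientAuth only)"
cert_ok_for "$WORK/other-root.pem" "$WORK/server.pem" sslserver \
  || echo "server.pem vs other-root.pem: untrusted, what a client without root.pem sees"
```

To apply it to the certificates in this thread, run cert_ok_for against root.pem and 07xwifi.pem with purpose sslserver, and eku_of against 07xwifi.pem: a server certificate that passes both still fails on a Windows machine that does not have root.pem in its trusted root store, which is the case Alan describes.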