Re: Problemes with the mystic of freeradius configuration
Klaus Ethgen wrote:
> Phil Mayers wrote:
>> Try this: ...
> Doesn't work:
>server probes {
>+- entering group authorize {...}
>++[ok] returns ok
>++[handled] returns handled
>} # server probes

The debug log shows that you did *not* try Phil's suggestion.

> I believe that. But I defined an authenticate method: "ok" And I do not
> want freeradius to think that it should do some extra work than that
> what I told them.

Go back and read the default configuration files. The "authenticate" section is composed of a set of *individual* authentication methods. You can't just delete them all and expect them to work.

i.e. If you don't understand how the server works, it's not a good idea to butcher the configuration.

Go back and try Phil's suggestion. It works. Don't put anything else in the "authorize" section. Don't use an "authenticate" section.

> Hmmm.. I'll try. I want to have all configuration concerning one virtual
> server to be encapsulated within this server. As I read the
> documentation and the examples, that work for some configuration
> settings but not for all.

Exactly. If you want different configurations for a virtual server, use different configuration files. See raddb/radrelay.conf for an example.

> Well, ok, I will the next time. Principle it is all the same that the
> documentation about freeradius only covers the standard tasks but if you
> need a configuration that is a bit special you are on your own.

Exactly. The server includes documentation on how it works, and what each configuration option does. It's left to you to figure out how to translate that into your requirements.

The server does *not* include documentation for how to set up your environment. We don't know what you want, and there are millions of possible configurations.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problemes with the mystic of freeradius configuration
Hi,

> Another quest for me is to encapsulate the configuration for eduroam
> (including the users and proxy.conf(!)) into a complete independent
> configuration to use the radius server for more than eduroam.
> Unfortunately all tries to use another file for users and proxy.conf only
> in the eduroam virtual server was unsuccessful.

the proxy.conf entries are global - so you cannot have a single isolated way - you need to share the file. our current recipe is quite simple, in 'human readable' terms :

is this user a local user?
yes -> mark realm as local
no -> mark realm as eduroam

if realm = local then update the control proxy to local
if realm = eduroam then update the control proxy to eduroam

then, in proxy.conf have your eduroam config as a nice boilerplate.

it's okay - but I really really wouldn't want to drop such a configuration on top of someone else's server as, the joy of FreeRADIUS, is that people can do things in so many ways...and by defining realms and control logic you could/may break their internal logic, unlang etc.

what we DO suggest is that sites have a virtual server for dealing with things that come from their national proxies - as the proxy would already have checked that the user is theirs etc - so you can skip lots of stuff and go straight to the authorization/authentication stages.

alan
Re: Problemes with the mystic of freeradius configuration
On 08/10/10 10:36, Klaus Ethgen wrote:
> Hello newsgroup, hello Alan DeKok,
>
> I tried to solve my problem with Daniel Bertolo from Switch but was not
> success, so he told me to ask here.
>
> I want to configure a virtual server that always return ok to be used as
> probe for a load balancer (Cisco ACE). So what I tried was to just copy
> the status server and tried the following:
>
> server tests {
>     authorize {
>         ok
>     }
>     authenticate {
>         ok
>     }
> }
>
> Unfortunately I get the following in the debug output:

Try this:

authorize {
    update control {
        Auth-Type := Accept
    }
}

> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user

This is the problem.

> Another quest for me is to encapsulate the configuration for eduroam
> (including the users and proxy.conf(!)) into a complete independent
> configuration to use the radius server for more than eduroam.
> Unfortunately all tries to use another file for users and proxy.conf only
> in the eduroam virtual server was unsuccessful.
>
> Do anybody have an idea how to solve that?

You'll have to be a bit more specific than that. Also, this is two different issues in the same email; try posting each separate problem individually.

> Ah, yes. Please excuse that I did not post the full configuration and
> debug output as there is many confidential stuff inside. If someone need
> special answers, please tell me and I will see what I can do.

We need the debug output, or we can't help you.

However - for eduroam setup, including example FreeRadius configs, try googling for "FreeRadius eduroam" - there are white papers and example configs.
Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
On Thu, Dec 11, 2008 at 9:16 AM, Attou eric wrote:
> Hi Everybody.
>
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

You can use TinyCA, but you must add the proper extended key usage. Under Openssl-Configuration in TinyCA put the OID 1.3.6.1.5.5.7.3.1 for Server Certificates into Extended Key usage, and 1.3.6.1.5.5.7.3.2 into Client Certificate Extended Key Usage.

Jason
Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
>We are having some issues in setting up freeradius to support EAP-TLS,
>EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server providing those three Auth-Type
>simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add radius' log after an authentication attempt from windows XP OS
>using windows built in supplicant by supplying a username and password stored in
>our /etc/passwd file. But the authentication failed with this error message :
>
>rlm_eap: identity does not match User-Name, setting from EAP identity
>
>Thu Dec 11 14:59:10 2008 : Debug: radiusd: Loading Realms and Home Servers
>Thu Dec 11 14:59:10 2008 : Debug: proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:      retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:      retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:      default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:      dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:      wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:      ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:      port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:      type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:      secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:      response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:      max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:      zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:      status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:      ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:      ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:      check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:      num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:      num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:      revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:      status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:      type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:      home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:      auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug: }

You have configured the server to proxy requests to itself. Don't do that. Configure it as local realm (just {}).

..
>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, length=145
>       User-Name = "[EMAIL PROTECTED]"
>       NAS-IP-Address = 172.21.1.251
>       Connect-Info = "CONNECT 802.11"
>       Called-Station-Id = "0060b33573b4"
>       Calling-Station-Id = "000e35dfc4c9"
>       NAS-Identifier = "ap"
>       NAS-Port-Type = Wireless-802.11
>       NAS-Port = 40
>       NAS-Port-Id = "40"
>       Framed-MTU = 1400
>       EAP-Message = 0x0269001001746f746f407561632e626a
>       Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 'HsrtQesmWHodM:14211::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP
Re: Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
Attou eric wrote:
> We are having some issues in setting up freeradius to support EAP-TLS,
> EAP-TTLS and EAP-PEAP.
> Our goal is to have our authentication server providing those three
> Auth-Type simultaneously.
> To support EAP-TLS, we generate our CA and certificates via TinyCA.

Please read eap.conf. You need certain things in the certificates for PEAP to work on Windows. I'm not sure that TinyCA does the right thing here.

> We also add radius' log after an authentication attempt from windows XP OS
> using windows built in supplicant by supplying a username and password
> stored in
> our /etc/passwd file.

PEAP will NOT work with /etc/passwd. It's impossible.

> But the authentication failed with this
> error message :
>
> *rlm_eap: identity does not match User-Name, setting from EAP identity*
>
> Radius logs
> ...Thu Dec 11 14:59:10 2008 : Debug: main {

Please *follow* the instructions in the FAQ, README, INSTALL, and "man" page. We want "radiusd -X", not "radiusd -xX". Adding the dates makes the debug output harder to read.

Note also that the debug output *includes* the configuration. So there's no need to post it separately. And we don't ask for it, either.

> Sending Access-Request of id 200 to 127.0.0.1 port 1812
...
> rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=200,
> length=143

Could you explain why you're proxying the packet from the server to itself? This isn't necessary. It's also bad.

> Thu Dec 11 15:00:37 2008 : Error: rlm_eap: Identity does not match
> User-Name, setting from EAP Identity.

Your supplicant is broken. The two fields should match. Or, you're editing the User-Name. Don't do that.

> Is there something wrong in our configurations?
> Is it normal that there is no User-Password attribute in Access-Request
> packet?

Yes. This is how EAP works.

Alan DeKok.
Reply: Re: Reply: Re: Reply: Re: FreeRADIUS configuration
Alan DeKok:

ok i will ask the vpn list. thank you!
Re: Reply: Re: Reply: Re: FreeRADIUS configuration
[EMAIL PROTECTED] wrote:
> no the documentation doesn't explain it...

Well, I don't know anything about the VPN gateway you're using. Maybe they have a mailing list you can ask questions on?

i.e. configuring the VPN gateway is a problem for the VPN people. It's not a FreeRADIUS problem.

> vpn works. but i want to install a radius server on the vpn-gateway1,
> because i want that the client on lan2 have to type username and
> password to reach lan1.

Yes, you've said that.

The VPN gateway is responsible for doing all of this authentication. If it can't be configured to do RADIUS, then no amount of changing FreeRADIUS will make any difference.

Go ask questions on the VPN list. It is not a FreeRADIUS problem.

Alan DeKok.
Reply: Re: Reply: Re: FreeRADIUS configuration
Alan DeKok:

no the documentation doesn't explain it...

LAN1 <-> VPN-Gateway <-> VPN-Gateway1 <-> LAN2

this is a site-to-site vpn and a ipsec tunnel (between gateway1 and 2). vpn works. but i want to install a radius server on the vpn-gateway1, because i want that the client on lan2 have to type username and password to reach lan1. if the password is incorrect, he can't connect with lan1.

clients = windows xp
gateways = linux 2.6

i already installed freeradius on the gateway1, but i don't know how to begin.
Re: Reply: Re: FreeRADIUS configuration
[EMAIL PROTECTED] wrote:
> i installed FreeRADIUS with the packetmanager apt-get..

They haven't upgraded to 1.1.7 yet?

> vpn gateway1 is the radius server.
> i only want that the clients (lan2) have to type username and password
> to use the vpn.
> but i don't know how to configure it...

Does the VPN gateway documentation explain how to configure RADIUS?

Alan DeKok.
Reply: Re: FreeRADIUS configuration
Alan DeKok:

hmm 1.1.6, why not.. i installed FreeRADIUS with the packetmanager apt-get..

vpn gateway1 is the radius server. i only want that the clients (lan2) have to type username and password to use the vpn. but i don't know how to configure it...

thanks, ldapman
Re: FreeRADIUS configuration
LDAPMAN wrote:
> I have installed freeradius 1.1.6 and don't know how to configure it.

Why 1.1.6?

> My "local networkstructure" looks like this (it is a test) :
>
> LAN1 (central) <-> VPN Gateway1 <-> VPN Gateway2 <-> LAN2

So... which one is a RADIUS client?

> I have installed freeradius on Gateway1.
> wiki.freeradius.org looks fine, but i don't know how to begin.
> I have written the client IPs with secrets in the clients.conf
> hmm.. and now?

What do you want to do? Does the VPN gateway have documentation on what it expects from a RADIUS server?

Alan DeKok.
FreeRADIUS configuration
Hi!

I have installed freeradius 1.1.6 and don't know how to configure it.

My "local networkstructure" looks like this (it is a test) :

LAN1 (central) <-> VPN Gateway1 <-> VPN Gateway2 <-> LAN2

VPN is configured. Both LAN have got 2 Windows XP Clients.

VPN Gateway:
Linux 2.6
Openswan 2.4

I have installed freeradius on Gateway1. wiki.freeradius.org looks fine, but i don't know how to begin. I have written the client IPs with secrets in the clients.conf hmm.. and now?

Can anyone help me?

--
View this message in context: http://www.nabble.com/FreeRADIUS-configuration-tp16608592p16608592.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Simple Freeradius configuration
Ok, thanks Nicholas Hall and Scott Lambert. I'd rather use CHAP for the encryption and since the cisco router won't allow PAP through. I guess I'll just have to suck up the management overhead of maintaining a clear text password list. Thanks, On 8/16/07, Scott Lambert <[EMAIL PROTECTED]> wrote: > > On Thu, Aug 16, 2007 at 10:47:58AM +0800, Kelly Ormsby wrote: > > Hi all, > > > > I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I > > can't upgrade please don't go there). I did a basic configure/make/make > > install. > > > > The only changes to the default configuration is adding an entry to the > > clients.conf file to allow requests from the Cisco VPN gateway. So far > as I > > can tell CHAP and CHAPv2 should work straight out of the box (as per > this > > page http://deployingradius.com/documents/configuration/auth_type.html). > > The problem is that CHAP requires cleartext or NTLM type passwords. > > Your configuration will likely work if you use PAP rather than CHAP. > > -- > Scott LambertKC5MLE Unix > SysAdmin > [EMAIL PROTECTED] > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -- Kelly Ormsby Senior Unix Systems Administrator Email: [EMAIL PROTECTED] Mobile: 0417 910 801 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simple Freeradius configuration
On Thu, Aug 16, 2007 at 10:47:58AM +0800, Kelly Ormsby wrote:
> Hi all,
>
> I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> can't upgrade please don't go there). I did a basic configure/make/make
> install.
>
> The only changes to the default configuration is adding an entry to the
> clients.conf file to allow requests from the Cisco VPN gateway. So far as I
> can tell CHAP and CHAPv2 should work straight out of the box (as per this
> page http://deployingradius.com/documents/configuration/auth_type.html).

The problem is that CHAP requires cleartext or NTLM type passwords.

Your configuration will likely work if you use PAP rather than CHAP.

--
Scott Lambert    KC5MLE    Unix SysAdmin
[EMAIL PROTECTED]
Re: Simple Freeradius configuration
Hi, I can't do that the Cisco won't allow it through. Is pap the only way to use /etc/passwd? Thanks, On 8/16/07, Nicholas Hall <[EMAIL PROTECTED]> wrote: > > On 8/15/07, Kelly Ormsby <[EMAIL PROTECTED]> wrote: > > > > Hi all, > > > > I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I > > can't upgrade please don't go there). I did a basic configure/make/make > > install. > > > > The only changes to the default configuration is adding an entry to the > > clients.conf file to allow requests from the Cisco VPN gateway. So far > > as I can tell CHAP and CHAPv2 should work straight out of the box (as per > > this page > > http://deployingradius.com/documents/configuration/auth_type.html). > > > > I've tried to authenticate using a local /etc/passwd user, and I get the > > output posted below. Is the default configuration enough for it to consult > > the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System" > > did?) or is there something else I need to add. Can CHAP (or CHAPv2) use > > /etc/passwd? I'm a little confused about the differences and I'm sure thats > > not helping :) > > > > I'd really rather not list the users individually in the users file, I'd > > like there to still only be one place to add users, so I'd like to use > > /etc/passwd file only. I apologise if there is documentation listed on this, > > I really feel that I've searched everywhere I can and no one seems to give > > real details. > > > > CHAP requires a clear text password. Tell your client to use PAP. I > believe it will work without any configuration on the server. > > -- > Nicholas Hall > [EMAIL PROTECTED] > 262.208.6271 > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -- Kelly Ormsby Senior Unix Systems Administrator Email: [EMAIL PROTECTED] Mobile: 0417 910 801 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Simple Freeradius configuration
On 8/15/07, Kelly Ormsby <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I
> can't upgrade please don't go there). I did a basic configure/make/make
> install.
>
> The only changes to the default configuration is adding an entry to the
> clients.conf file to allow requests from the Cisco VPN gateway. So far as
> I can tell CHAP and CHAPv2 should work straight out of the box (as per this
> page http://deployingradius.com/documents/configuration/auth_type.html).
>
> I've tried to authenticate using a local /etc/passwd user, and I get the
> output posted below. Is the default configuration enough for it to consult
> the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System"
> did?) or is there something else I need to add. Can CHAP (or CHAPv2) use
> /etc/passwd? I'm a little confused about the differences and I'm sure thats
> not helping :)
>
> I'd really rather not list the users individually in the users file, I'd
> like there to still only be one place to add users, so I'd like to use
> /etc/passwd file only. I apologise if there is documentation listed on this,
> I really feel that I've searched everywhere I can and no one seems to give
> real details.
>

CHAP requires a clear text password. Tell your client to use PAP. I believe it will work without any configuration on the server.

--
Nicholas Hall
[EMAIL PROTECTED]
262.208.6271
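Added example, not part of the original thread and not FreeRADIUS code: a sketch of why the replies above say PAP can be checked against a one-way password store such as /etc/passwd while CHAP cannot (the PEAP thread on this page hits the same kind of limit). It implements RADIUS User-Password hiding (RFC 2865) and the CHAP response (RFC 1994); the shared secret, password, salt, challenge and the PBKDF2 stand-in for a crypt(3) hash are constructed for illustration.

```python
import hashlib
import hmac


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: hide User-Password as in RFC 2865 section 5.2."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    pad = -len(password) % 16
    if not password:
        pad = 16  # an empty password is still sent as one padded block
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # the next mask is keyed on the previous ciphertext block
    return out


def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the hiding is reversible, so the cleartext comes back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def store_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in (assumption) for the one-way crypt(3) hash in a passwd file."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


def verify_pap(hidden, secret, authenticator, salt, stored) -> bool:
    """PAP: recover the cleartext, hash it the same way, compare hashes."""
    candidate = pap_recover(hidden, secret, authenticator)
    return hmac.compare_digest(store_hash(candidate, salt), stored)


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def verify_chap(chap_id, challenge, response, known_password) -> bool:
    """CHAP: the server must recompute the MD5 itself, which needs the
    cleartext password. Without it there is nothing to compare against."""
    if known_password is None:
        return False
    expected = chap_response(chap_id, known_password, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # All values below are constructed sample data.
    secret = b"constructed-shared-secret"
    password = b"correct horse battery"        # 21 bytes, spans two blocks
    salt = bytes(range(16))
    authenticator = bytes(range(16, 32))
    challenge = bytes(range(32, 48))
    stored = store_hash(password, salt)         # all a passwd-style store keeps

    good = pap_hide(password, secret, authenticator)
    bad = pap_hide(b"wrong guess", secret, authenticator)
    resp = chap_response(7, password, challenge)
    return {
        "pap_against_hash": verify_pap(good, secret, authenticator, salt, stored),
        "pap_wrong_password": verify_pap(bad, secret, authenticator, salt, stored),
        "chap_hash_only": verify_chap(7, challenge, resp, None),
        "chap_hash_as_secret": verify_chap(7, challenge, resp, stored),
        "chap_with_cleartext": verify_chap(7, challenge, resp, password),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same constraint is why a challenge-response method forces the server to keep a cleartext (or, for MS-CHAP, NT-hash) copy of each password, which raises the impact of a compromise of the RADIUS server's user store.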
Simple Freeradius configuration
Hi all,

I've installed freeradius 1.1.6 on Fedora core 2 (kernel 2.6.5-1.358) (I can't upgrade please don't go there). I did a basic configure/make/make install.

The only changes to the default configuration is adding an entry to the clients.conf file to allow requests from the Cisco VPN gateway. So far as I can tell CHAP and CHAPv2 should work straight out of the box (as per this page http://deployingradius.com/documents/configuration/auth_type.html).

I've tried to authenticate using a local /etc/passwd user, and I get the output posted below. Is the default configuration enough for it to consult the /etc/passwd files (I thought that is what "DEFAULT Auth-Type = System" did?) or is there something else I need to add. Can CHAP (or CHAPv2) use /etc/passwd? I'm a little confused about the differences and I'm sure thats not helping :)

I'd really rather not list the users individually in the users file, I'd like there to still only be one place to add users, so I'd like to use /etc/passwd file only. I apologise if there is documentation listed on this, I really feel that I've searched everywhere I can and no one seems to give real details.

Thanks,

rad_recv: Access-Request packet from host 192.168.100.254:1645, id=45, length=152
        Framed-Protocol = PPP
        User-Name = "denvertech"
        MS-CHAP-Challenge = 0x79c27ab491824ce5
        MS-CHAP-Response = 0x010133f6aa08b02f18fa3e3013072a8f8f171469f179b7b7434b
        NAS-Port-Type = Virtual
        NAS-Port = 33
        NAS-Port-Id = "Uniq-Sess-ID33"
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.100.254
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_mschap: Found MS-CHAP attributes.  Setting 'Auth-Type = mschap'
  modcall[authorize]: module "mschap" returns ok for request 2
    rlm_realm: No '@' in User-Name = "denvertech", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type MS-CHAP
auth: type "MS-CHAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 2
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv1 with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: MS-CHAP-Response is incorrect.
  modcall[authenticate]: module "mschap" returns reject for request 2
modcall: leaving group MS-CHAP (returns reject) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 45 to 192.168.100.254 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 45 with timestamp 46c3b8db
Nothing to do.  Sleeping until we see a request.

--
Kelly Ormsby
Senior Unix Systems Administrator
Email: [EMAIL PROTECTED]
Mobile: 0417 910 801
Re: freeradius configuration
hi james. really i appreciate ur help but i couldn't get that book u talked about so i still have the problem so i don't know what to do and the project must be done after 2 weeks maximum. so if u help me an other way. u'll do me a favour. as soon as possible, please . thanks alot On 8/21/06, James Wakefield <[EMAIL PROTECTED]> wrote: Have you tried the documentation supplied with the freeradius package?It's not bad...If you need more, try the book "RADIUS" by Jonothan Hassell, published by O'Reilly.affora deeb wrote:> hi free radius users.> i asked u before if any one can help me and send the configuration or> steps of configuration of free radius over linux> and really i'll appreciate u. > thanks--James Wakefield,Unix Administrator, Information Technology Services DivisionDeakin University, Geelong, Victoria 3217 Australia.Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866E-mail: [EMAIL PROTECTED]Website: http://www.deakin.edu.au -List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius configuration
Have you tried the documentation supplied with the freeradius package? It's not bad... If you need more, try the book "RADIUS" by Jonothan Hassell, published by O'Reilly. affora deeb wrote: hi free radius users. i asked u before if any one can help me and send the configuration or steps of configuration of free radius over linux and really i'll appreciate u. thanks -- James Wakefield, Unix Administrator, Information Technology Services Division Deakin University, Geelong, Victoria 3217 Australia. Phone: 03 5227 8690 International: +61 3 5227 8690 Fax: 03 5227 8866 International: +61 3 5227 8866 E-mail: [EMAIL PROTECTED] Website: http://www.deakin.edu.au - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: SUSE freeradius configuration
As always, be sure that your Accees Point is allowed client to connect to the freeradius... Then ( as said on the website you have used ) – start radius with –XAx parameter to see the debugging information ( that is radiusd –XAx )... then try to auth on your access point and look what happens... When you ask a question next time – please include your debugging information, because no mailing list user can actually know what your freeradius server is doing.. Regards, Edvin Seferovic From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Esposito Sent: Sonntag, 23. Oktober 2005 07:41 To: freeradius-users@lists.freeradius.org Subject: SUSE freeradius configuration I’m new to freeRadius and Linux (Suse) and need some help. I apologize but I really don’t know the question to ask because of my limited knowledge of Linux and wireless technology, but I’ll give it a try. I setup freeRadius v1.0.2 on SUSE v9.0. I have another NetWare 6.5 server installed hopefully to be used as the LDAP server that freeRadius will use to get usernames and passwords from eDirectory via LDAP. I followed the following guide for my setup… http://www.novell.com/coolsolutions/tip/15922.html I’m using D-Link DWP-8200 access points which supports WPA2/Enterprise. I’ve setup this access point to point to my SUSE server. I can start Radius on the Linux box, but when I try to connect through the access point, I am getting no response on the Radius server. Everything IP wise is fine, I can ping from everywhere and if I change the Access Point to a Linksys WAP55AG, I get a login screen (not that I know the format to put the username, password, and how domain would be used with NetWare). My client has the D-Link DWP-8200 access points, and I’d like to get it working with this if possible so they don’t have to buy 50 new access points. I believe I’m trying to use EAP/TLS with LDAP authentication. 
I guess my question is, does the D-Link 8200-AP work with freeRadius, and if so, does anyone know NetWare enough to give me a hand. I understand if that isn’t possible, but I thought I’d at least try. I’m sorry for being so vague, but maybe I can learn a little about wireless security and authentication if anything. The D-Link seems to have the same settings as the Linksys, so I hope it can work. Thanks- Chris -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.12.4/146 - Release Date: 10/21/2005 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
SUSE freeradius configuration
I’m new to freeRadius and Linux (Suse) and need some help. I apologize but I really don’t know the question to ask because of my limited knowledge of Linux and wireless technology, but I’ll give it a try. I setup freeRadius v1.0.2 on SUSE v9.0. I have another NetWare 6.5 server installed hopefully to be used as the LDAP server that freeRadius will use to get usernames and passwords from eDirectory via LDAP. I followed the following guide for my setup… http://www.novell.com/coolsolutions/tip/15922.html I’m using D-Link DWP-8200 access points which supports WPA2/Enterprise. I’ve setup this access point to point to my SUSE server. I can start Radius on the Linux box, but when I try to connect through the access point, I am getting no response on the Radius server. Everything IP wise is fine, I can ping from everywhere and if I change the Access Point to a Linksys WAP55AG, I get a login screen (not that I know the format to put the username, password, and how domain would be used with NetWare). My client has the D-Link DWP-8200 access points, and I’d like to get it working with this if possible so they don’t have to buy 50 new access points. I believe I’m trying to use EAP/TLS with LDAP authentication. I guess my question is, does the D-Link 8200-AP work with freeRadius, and if so, does anyone know NetWare enough to give me a hand. I understand if that isn’t possible, but I thought I’d at least try. I’m sorry for being so vague, but maybe I can learn a little about wireless security and authentication if anything. The D-Link seems to have the same settings as the Linksys, so I hope it can work. Thanks- Chris -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.344 / Virus Database: 267.12.4/146 - Release Date: 10/21/2005 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SV: Postgresql+freeradius configuration
Erik Ågren <[EMAIL PROTECTED]> wrote:
> Where do I get the rlm_sql_postgresql.so module? I can't find it.

You need to install the postgresql development libraries. Then build FreeRADIUS, and the module will automatically be installed.

Alan DeKok.
SV: Postgresql+freeradius configuration
Hi

Where do I get the rlm_sql_postgresql.so module? I can't find it.

Thanx
/Erik

-Original message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
Sent: 26 September 2005 12:12
To: freeradius-users@lists.freeradius.org
Subject: Postgresql+freeradius configuration

Good morning!

I have successfully configured freeradius server with using postgresql database to storage users which i want to authenticate. when i put it in debug mode to test he works well. But when I run it as daemon the server radius don't see the postgresql server. In the radius's log file i look this:

Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied ?Is the server running on host "localhost" and accepting ?TCP/IP connections on port 5432? '
Error: rlm_sql (sql): Failed to connect DB handle #0
Info: Ready to process requests.

Please help me.
Postgresql+freeradius configuration
Good morning!

I have successfully configured a freeradius server using a postgresql database to store the users which I want to authenticate. When I put it in debug mode to test, it works well. But when I run it as a daemon, the radius server doesn't see the postgresql server. In the radius log file I see this:

    Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked
    Info: rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radiusdb
    Error: rlm_sql_postgresql: Couldn't connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
    Error: rlm_sql_postgresql: Postgresql error 'could not connect to server: Permission denied
    ?Is the server running on host "localhost" and accepting
    ?TCP/IP connections on port 5432?
    '
    Error: rlm_sql (sql): Failed to connect DB handle #0
    Info: Ready to process requests.

I use Fedora Core 4 as operating system and freeradius 1.0.4-1, postgresql 8.0.3-1. In the postgresql file pg_hba.conf I made this configuration:

    # TYPE  DATABASE  USER         CIDR-ADDRESS   METHOD
    # IPv4 local connections:
    host    radiusdb  radiusadmin  127.0.0.1/32   trust

I don't know the reason for this malfunction.

Please help me, and thanks for your assistance.
Re: Postgresql+freeradius configuration
[EMAIL PROTECTED] wrote:
> Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and
> linked
> Info: rlm_sql (sql): Attempting to connect to
> [EMAIL PROTECTED]:/radiusdb Error: rlm_sql_postgresql: Couldn't
> connect socket to PostgreSQL server [EMAIL PROTECTED]:radiusdb
> Error: rlm_sql_postgresql: Postgresql error 'could not connect to
> server: Permission denied ?Is the server running on host "localhost"
> and accepting ?TCP/IP connections on port 5432? '
> Error: rlm_sql (sql): Failed to connect DB handle #0
> Info: Ready to process requests.

Try using 127.0.0.1 instead of localhost

--
Groeten, Regards, Salutations,
Thor Spruyt
M: +32 (0)475 67 22 65
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
www.salesguide.be
www.telenethotspot.be
Re: questions about a custom freeradius configuration
Jeff Smith <[EMAIL PROTECTED]> wrote:
> The custom authentication module I referred to in the first paragraph
> basically re-implemented MS-CHAP v2 and talked to the custom servers on
> the back end. It would not be easy to wedge into the rlm_eap code.

Exactly. The rlm_eap code doesn't do MS-CHAP at *all*. Instead, it calls the mschap module.

> Instead, I'd like to find a solution that makes the fewest possible (if
> any) modifications to stock freeradius, so we can track releases more
> closely. I would like to continue using the custom authentication and
> authorization servers.

If your existing module takes MS-CHAP attributes & does authentication, then you should be able to hack rlm_eap_mschapv2 to point to your module, rather than the mschap module. That should be a 1-line change to the source.

> 1) In the authorization phase, call out to the custom authorization
> server and ask a question like "Is this user who claims to be ``joe''
> authorized to use the wireless service?"

Write a custom module.

> 2) In the authorization phase, also call out to the custom
> authentication server to get back the NT-Password and add that to the
> value pairs in the check list in the request packet, so that when
> EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is
> available.

That should be easy. Just write a custom module. :)

> I have been having a hard time getting my mind around the complexity of
> RADIUS and freeradius. It may be that I'm taking a completely
> wrong-headed approach here. If anyone on this list has any thoughts on
> how this could be done best, I'd appreciate hearing your ideas.

The design goal behind FreeRADIUS was to make things modular, so that you wouldn't have to worry about unrelated issues.

Alan DeKok.
questions about a custom freeradius configuration
Hi,

Our wireless network currently authenticates and authorizes users via freeradius 0.8.1 with a custom module that talks to custom authentication and authorization servers. I'm upgrading the server side to freeradius 1.0.4. At the same time, the people who run the wireless network are switching to using EAP-PEAP with MS-CHAP v2.

I'm fairly new to freeradius, but I have been spending a lot of time reading this list, the documents, the O'Reilly book, and experimenting with the server. So far I've been able to do PEAP authentications to the server via the users file.

The custom authentication module I referred to in the first paragraph basically re-implemented MS-CHAP v2 and talked to the custom servers on the back end. It would not be easy to wedge into the rlm_eap code. Instead, I'd like to find a solution that makes the fewest possible (if any) modifications to stock freeradius, so we can track releases more closely. I would like to continue using the custom authentication and authorization servers.

My thinking on this so far is that I might be able to use the Exec-Program-Wait attribute and/or the rlm_perl modules to call out to the custom servers, which have command-line interfaces. Ideally, I'd be able to do something like this:

1) In the authorization phase, call out to the custom authorization server and ask a question like "Is this user who claims to be ``joe'' authorized to use the wireless service?" I can get back a yes/no answer and send an Access-Reject with an explanation, or continue on if they are authorized. (I don't think Exec-Program-Wait can help here since I understand it only gets called after the user is authenticated. I could make this check after and only if mschap returns success, though.)

2) In the authorization phase, also call out to the custom authentication server to get back the NT-Password and add that to the value pairs in the check list in the request packet, so that when EAP-PEAP finally gets down to the MS-CHAP v2 part, the NT-password is available.

I have been having a hard time getting my mind around the complexity of RADIUS and freeradius. It may be that I'm taking a completely wrong-headed approach here. If anyone on this list has any thoughts on how this could be done best, I'd appreciate hearing your ideas.

Thanks in advance!

Jeff

--
Jeff Smith
Security Analyst - ITaP Identity & Access Management
Purdue University
W. Lafayette IN 47907-1408
Phone: 765-496-8285
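
One way to carry out the two authorize-phase steps from the message above in an rlm_perl script, added here as an illustration (it is not code from the thread or from the FreeRADIUS project). The command paths, their options and their one-line output are hypothetical stand-ins for the custom servers' command-line interfaces, and the script assumes rlm_perl copies %RAD_CHECK back into the request's check list.

```perl
use strict;
use warnings;

# Hashes rlm_perl shares with the script (same names as its bundled example.pl).
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Module return codes, numbered as in rlm_perl's example.pl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_UPDATED => 8 };

# Hypothetical command-line front ends to the custom servers (placeholders).
my $AUTHZ_CMD = '/usr/local/bin/authz-query';
my $AUTHN_CMD = '/usr/local/bin/nthash-query';

# Run a command and return its first output line, or undef on any failure.
# List-form pipe open never invokes a shell, so a hostile User-Name cannot
# inject extra commands.
sub run_cli {
    my @cmd = @_;
    open(my $out, '-|', @cmd) or return;
    my $line = <$out>;
    close($out) or return;    # non-zero exit status counts as failure
    return unless defined $line;
    chomp $line;
    return $line;
}

sub authorize {
    # User-Name is supplied by the client: accept a strict pattern only
    # (assumed site policy).
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_REJECT
        unless defined $user && $user =~ /\A[A-Za-z0-9._-]{1,64}\z/;

    # Step 1: yes/no answer from the authorization server.
    my $answer = run_cli($AUTHZ_CMD, '--service', 'wireless', '--user', $user);
    return RLM_MODULE_FAIL unless defined $answer;    # back end unavailable
    if ($answer ne 'yes') {
        $RAD_REPLY{'Reply-Message'} = 'Not authorized for the wireless service';
        return RLM_MODULE_REJECT;
    }

    # Step 2: NT hash for the later MS-CHAP v2 check. It is password-equivalent,
    # so it is validated but never logged. Assumed format: 32 hex digits.
    my $hash = run_cli($AUTHN_CMD, '--user', $user);
    return RLM_MODULE_FAIL unless defined $hash && $hash =~ /\A[0-9A-Fa-f]{32}\z/;
    $RAD_CHECK{'NT-Password'} = $hash;
    return RLM_MODULE_UPDATED;
}

1;
```

A back-end failure returns fail rather than reject, so an outage of the custom servers is distinguishable in the logs from a genuine authorization denial.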
Freeradius Configuration Questions
hello,

i would like assistance to configure my freeradius server... i would like to use freeradius in a vpn solution based on LDAP.

the LDAP IP is 10.1.1.1
the VPN is 10.1.4.1
they can reach each other no problem

I have to edit clients.conf and users to make it work. here is the part i have in clients.conf:

--
    client 127.0.0.1 {
        ...
    }

    client 10.1.4.0/24 {
        secret = "isasecret"
        shortname = private-network
    }
---

i found a way to auth with a single user using this config in users:

    shark   Auth-Type = Local, Password = "secret_pass"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 10.1.4.22,
            Framed-MTU = 1492
---

My questions are: how do I make some auth for a group (not a single user or the default DEFAULT)? Is there a way to set a Framed-IP-Address range for this group? Can you help making the "users" file pls?

thanks for your help,
shark