-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 22, 2003 04:59
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2552 - 10 msgs
Send Freeradius-Users mailing list submissions to [EMAIL PROTECTED]
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.cistron.nl/mailman/listinfo/freeradius-users
or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]
You can reach the person managing the list at [EMAIL PROTECTED]
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Freeradius-Users digest..."

Today's Topics:
   1. Re: 093 Crashes with unknown tokens (Greg G)
   2. Re: 093 Crashes with unknown tokens (Alan DeKok)
   3. Re: 093 Crashes with unknown tokens (Richard Siddall)
   4. Re: 093 Crashes with unknown tokens (Greg G)
   5. <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Chris Woodfield)
   6. Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Alan DeKok)
   7. Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions (Chris Woodfield)
   8. Re: 093 Crashes with unknown tokens (Matt Sapp)
   9. Re: 093 Crashes with unknown tokens (Kristina Pfaff-Harris)
  10. Re: 0.9.3 has been released (Paul Hampson)

--__--__--

Message: 1
Date: Fri, 21 Nov 2003 16:01:59 -0500
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]

Alan DeKok wrote:
> Greg G <[EMAIL PROTECTED]> wrote:
>>> Ah, yes. The "you've got to do what I want NOW for FREE!" response.
>>
>> No, it's the "Hey, asshole, maybe you know the code better than I do"
>> response.
>
> I *do* know the code better than you, and I disagree with your
> position. All else aside, that should tell you something.

It does, but not what you'd hoped. It looks like I'm going to wind up using GNU Radius, because it *doesn't* exit when it encounters something it doesn't understand in the user file. It discards the entry for the invalid user. It doesn't seg fault if I make an acct request. And I don't have to fight with someone whose idea of gathering up new coders is "Fix it" without any help or guidance whatsoever.

> The main README file is ever so applicable to this situation. Go read
> it, and stop wasting your time posting baseless complaints on the list.

So my asking for a feature is a baseless complaint? Riiiight.

-Greg G

--__--__--

Message: 2
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 16:13:37 -0500
Reply-To: [EMAIL PROTECTED]

Greg G <[EMAIL PROTECTED]> wrote:
> It does, but not what you'd hoped. It looks like I'm going to wind
> up using GNU Radius, because it *doesn't* exit when it encounters
> something it doesn't understand in the user file. It discards the entry
> for the invalid user.

  Meaning that the server doesn't behave as intended, and it's probably difficult for the administrator to figure that out. So you're left with a server which isn't doing what you want...

> It doesn't seg fault if I make an acct request.

  <shrug> You're probably running Solaris. That will get fixed in a future release.

> And I don't have to fight with someone whose idea of gathering up new
> coders is "Fix it" without any help or guidance whatsoever.

  No... I told you what my opinion was, and why. You didn't understand me, or didn't care enough to listen to me. Your response was a blind repetition of "YOU fix it!" My response was then simply an echoing of your complaint: No, YOU fix it. I find it instructive that your own words directed at you cause huge amounts of anger and hostility.

> So my asking for a feature is a baseless complaint? Riiiight.

  Not listening to the response makes it baseless. But why am I wasting my time? You've already made it clear that you can't read the documentation, the README, or my replies on this list.

  Alan DeKok.
--__--__--

Message: 3
Date: Fri, 21 Nov 2003 16:36:55 -0500
From: Richard Siddall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]

Greg G wrote:
> Nothing is unclear about it. I would prefer that the daemon not fail
> out if there's a data error in one of the files. It should report that
> error to a log and continue on. Otherwise, it becomes a fairly trivial
> task to crash out the daemon. Our users file is fairly dynamic and if
> someone makes a typo putting in a new entry, I don't want the whole
> system coming down.

    cp users users.old
    vi users
    check-radiusd-config              # whatever checks the edited file; non-zero on a typo
    if [ $? -ne 0 ]; then
        cp users.old users            # put the known-good copy back
        mail -s "Typo in users file" ggersh < startup.log
    else
        service radiusd restart
    fi

Or something like that.

--__--__--

Message: 4
Date: Fri, 21 Nov 2003 16:51:54 -0500
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]

Alan DeKok wrote:
> Greg G <[EMAIL PROTECTED]> wrote:
>> It does, but not what you'd hoped. It looks like I'm going to wind
>> up using GNU Radius, because it *doesn't* exit when it encounters
>> something it doesn't understand in the user file. It discards the entry
>> for the invalid user.
>
> Meaning that the server doesn't behave as intended, and it's
> probably difficult for the administrator to figure that out. So
> you're left with a server which isn't doing what you want...

No, it's doing just what I want. It's logging the problem with the user entry and getting on with processing. There's no reason that a single authentication item in the users file should halt the server. If it's a problem in the configuration file or something critical like that, absolutely there should be no further action.

I understand that you have a different opinion, but that doesn't negate mine, or the fact that this is how I'd like it to work. Pointing me at the readme file isn't much help either, since that boils down to "fix it, or don't. Whatever."

-Greg G

--__--__--

Message: 5
Date: Fri, 21 Nov 2003 17:04:29 -0500
From: Chris Woodfield <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Reply-To: [EMAIL PROTECTED]

Hello,

I'm trying to set up a radius server here in my office to permit WLAN usage, and I really feel like I'm coming up against my limits of understanding on the technologies involved. I've successfully compiled yesterday's CVS release which includes EAP-TTLS support, but I'm running into some serious issues (most likely due to lack of clue on my part) getting it working.

The server is a Debian testing install, with openssl compiled from source. The base station is a Linksys WRT-54G, although I haven't gotten to the point where I think there's a problem there.

Here's my list of questions:

1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So far, I've been unable to successfully create a cert that freeradius likes. In the radiusd.conf file, there's a certificate_file argument, along with a CA_file argument. My understanding of the reason for this is that with EAP-TLS, authentication is done by certs alone - the user must have the server cert's public key loaded, and the user must present a public key signed by the CA. But with TTLS, the client cert does not appear to be a requirement. Does that mean I can use a self-signed cert and not worry about the CA_file, or do I still need to create both? And if so, does anyone have a working openssl recipe to create these? So far I've been unsuccessful in creating anything other than a self-signed key.

2. I think I'm missing some understanding when it comes to the differences between authentication protocols (pap, mschap, etc) and authentication mechanisms (users file, smbpasswd, sql, pam, etc).
My ideal scenario is for TTLS to use PAM (which authenticates based on md5 hashes in /etc/shadow), allowing anyone with an account on the server running radiusd to connect to the WLAN, but I'm not quite sure how the auth protocol interacts with auth-types. I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do anything further depending on the auth protocol I use "inside" the EAP-TTLS tunnel (pap, chap, etc)?

3. I'm really, really in the dark when it comes to the key distribution mechanism. With EAP-TTLS and WPA, what system actually generates and distributes the WPA key? Does the radius server handle that, or does it only negotiate access and let the base station generate a random key? Is there a knob in the config I need to set up for this?

Thank you in advance for your patience. I'm sure I'll have more questions later.

Thanks,

-Chris

--__--__--

Message: 6
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Date: Fri, 21 Nov 2003 17:31:42 -0500
Reply-To: [EMAIL PROTECTED]

Chris Woodfield <[EMAIL PROTECTED]> wrote:
> 1. EAP-TTLS is dependent on EAP-TLS, which requires a server cert. So
> far, I've been unable to successfully create a cert that freeradius
> likes. In the radiusd.conf file, there's a certificate_file argument,
> along with a CA_file argument. My understanding of the reason for this
> is that with EAP-TLS, authentication is done by certs alone - the user
> must have the server cert's public key loaded, and the user must
> present a public key signed by the CA.

  Yes. But TTLS still requires a server certificate.

> But with TTLS, the client cert does not appear to be a
> requirement. Does that mean I can use a self-signed cert and not worry
> about the CA_file, or do I still need to create both?

  You still need a server certificate.

> And if so, does anyone have a working openssl recipe to create
> these? So far I've been unsuccessful in creating anything other than
> a self-signed key.

  See scripts/CA.all

> 2. I think I'm missing some understanding when it comes to the
> differences between authentication protocols (pap, mschap, etc) and
> authentication mechanisms (users file, smbpasswd, sql, pam, etc). My
> ideal scenario is for TTLS to use PAM (which authenticates based on
> md5 hashes in /etc/shadow),

  Huh? Why not just use 'System' authentication?

> I have "DEFAULT Auth-Type := Pam" in my users file; do I need to do
> anything further depending on the auth protocol I use "inside" the
> EAP-TTLS tunnel (pap, chap, etc)?

  CHAP won't work with passwords from /etc/passwd. See the FAQ.

> 3. I'm really, really in the dark when it comes to the key
> distribution mechanism. With EAP-TTLS and WPA, what system actually
> generates and distributes the WPA key? Does the radius server handle
> that,

  Yes.

> Is there a knob in the config I need to set up for this?

  No.

  Alan DeKok.

--__--__--

Message: 7
Date: Fri, 21 Nov 2003 18:38:38 -0500
From: Chris Woodfield <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: <newbie alert> Freeradius, EAP-TTLS, and OpenSSL questions
Reply-To: [EMAIL PROTECTED]

> See scripts/CA.all

Ran this, and it appears that everything worked right up until the end, when I got these errors:

Certificate is to be certified until Nov 20 23:34:06 2004 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
+ openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out cert-srv.p12 -clcerts -passin pass:whatever -passout pass:whatever
No certificate matches private key
+ openssl pkcs12 -in cert-srv.p12 -out cert-srv.pem -passin pass:whatever -passout pass:whatever
23118:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140:
+ openssl x509 -inform PEM -outform DER -in cert-srv.pem -out cert-srv.der
unable to load certificate
23119:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE
+ echo -e '\n\t\t##################\n'
##################
tino:/usr/local/ssl/certs#

Any idea what's happening? This is OpenSSL 0.9.7c.

-C

--__--__--

Message: 8
From: "Matt Sapp" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 18:33:22 -0500
Reply-To: [EMAIL PROTECTED]

Greg,

While you may have misunderstood Alan's terseness as him being nasty to you, please look at the situation. You're saying that if there was a configuration file error, then by all means, stop the server, but if it's "just" a users file error, then it shouldn't be halted and the server should keep going on with some half-correct information.

Personally, I don't see how the users file being in proper shape is any less critical than any other configuration file being correct. You'd be much better off implementing some solution to make sure the users file is correct (perhaps some type checking in whatever system you use to manage your users -- surely you don't have a bunch of typo-prone data entry people editing the users file by hand, do you?). The users file has a very specific format, and it's not hard to follow. If you have proper checks in your management system, this is a moot point, and this has been pointed out in reference to the dialup_admin package.

However, as has been stated, if you really think it should keep going and skip any users entries that are broken, you do have the source, and you can do whatever you wish with it. This doesn't mean Alan is going to accept it back into the main FR tree, but if you're dead-set on expecting the server to handle your typos rather than dealing with them where they should be corrected elsewhere, it's probably a 5 line change to do so.
-Matt
MNU Network Administrator

--- Original Message Below ---
From: Greg G <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Date: Fri, 21 Nov 2003 16:51:54 -0500

No, it's doing just what I want. It's logging the problem with the user entry and getting on with processing. There's no reason that a single authentication item in the users file should halt the server. If it's a problem in the configuration file or something critical like that, absolutely there should be no further action.

I understand that you have a different opinion, but that doesn't negate mine, or the fact that this is how I'd like it to work. Pointing me at the readme file isn't much help either, since that boils down to "fix it, or don't. Whatever."

-Greg G

--__--__--

Message: 9
Date: Fri, 21 Nov 2003 16:42:37 -0800 (PST)
From: Kristina Pfaff-Harris <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: 093 Crashes with unknown tokens
Reply-To: [EMAIL PROTECTED]

On Fri, 21 Nov 2003, Matt Sapp wrote:
> Personally, I don't see how the users file being in proper shape is any
> less critical than any other configuration file being correct. You'd be
> much better off implementing some solution to make sure the users file
> is correct (perhaps some type checking in whatever system you use to
> manage your users -- surely you don't have a bunch of typo-prone data
> entry people editing the users file by hand, do you?).

For what it's worth, it may be better to make this a matter of procedure. For my part, whenever I make any change to Radius configuration files, I follow the following steps:

1) Edit the file and make changes.

2) Run "radiusd -X". This will show any fatal errors in the config without you having to stop your "good" radius. It will quit with a message about radius already running, but up until then, will show you whether or not radius *will* start with the new config.

3) Restart radiusd with the new config if radiusd -X worked out okay.

It's probably possible to write a script (and eventually I probably will but am too lazy now) to run this sort of check and only restart radiusd if things are okay, but I think just making sure that people check is a quicker fix than code hacking. Not a better fix, but a quicker fix. :-)

I do agree that I don't really want Radius running with a semi-woogly config, although it can be a pain the times where I forget to check it with -X, since those are always the times I've made a mistake. Heh.

Kristina

--__--__--

Message: 10
Date: Sat, 22 Nov 2003 13:58:30 +1100
To: [EMAIL PROTECTED]
Subject: Re: 0.9.3 has been released
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]

On Fri, Nov 21, 2003 at 09:12:31AM -0600, Nick Davis wrote:
> On Thursday 20 November 2003 20:07, Paul Hampson wrote:
> > As a bonus, the rlm_ippool pod2man call got fixed for perl < 5.6, and
> > rlm_eap has been silenced in the case where it is called upon a non-EAP
> > packet.
> >
> > There are packages for Debian at
> > http://www.tbble.com/freeradius/
> > They're numbered 0.9.2-4 since (a) I'm moving and don't have time to
> > muck with the new source archive; and (b) we're >< this close to getting
> > into Debian/unstable so I don't want to muck with things too much until
> > that's done.
> >
> > Just to reiterate, the 0.9.2-4 packages at http://www.tbble.com/freeradius/
> > are the same as the 0.9.3 tarball above, but with major Debian packaging
> > improvements (biiiig thanks to Steve Langasek for his guidance here) which
> > will hopefully go into 1.0.0 and 0.9.4's tarballs.
> Paul,
> I see that these deb packages have the same dependency issues we discussed in
> September with libiodbc2 and libltdl3. The Depends says:
> freeradius: Depends: libiodbc2 (>= 3.51.1-3) but 3.51.1-1 is installed
> Depends: libltdl3 (>= 1.5-3) but 1.5-2 is installed
> freeradius-mysql: Depends: zlib1g (>= 1:1.2.1) but 1:1.1.4-16 is installed

To be honest, I don't remember discussing this in September, but my mail archives are currently in transit, so I can't check what I said.

According to my local Debian mirror (mirror.aarnet.edu.au), the current libiodbc2 in sid (/unstable) is 3.51.1-3, the current libltdl3 is 1.5-7, and the current zlib1g is 1:1.2.1-1

> I am running Sarge, and I tried to search through unstable. Where do those
> versions of those libraries come from? Several of the debian web servers have
> been compromised and are down for inspection, so I am not able to search for
> the necessary versions of these libraries.

Ah, that's the problem, testing's not up to date on these libraries. Since we're going for Debian archive acceptance, they have to be built against unstable. I may have previously built against testing, but I don't think I put those binaries anywhere, as they were built on a powerpc machine.

On Fri, Nov 21, 2003 at 11:00:19AM -0600, Nick Davis wrote:
> All,
> I posted new versions of my slimmed down debian packages:
> http://mrtizmo.com/freeradius/index.html
>
> The big thing I did was to remove the need for iodbc, since it has a lot of
> nasty dependencies.

Apart from libc6, what other dependencies are you seeing from libiodbc2? (My unstable build machine is currently also in transit, so I can't check that myself. Last time I tried to get iodbc broken out into its own package, the lack of interesting dependencies was the deciding factor. I do intend to readdress this issue once we're in the Debian archive)

--
Paul "TBBle" Hampson, from an alternate email client.

--__--__--

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

End of Freeradius-Users Digest
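Richard's sketch in Message 3 and Kristina's three-step procedure in Message 9 describe the same control: a users file that has not been checked never reaches the running server, and a failed check leaves the known-good file in place. The script below is an added example for this digest, not code from the list or from the FreeRADIUS project. It assumes two commands that are passed in as parameters: a validator that exits non-zero when the candidate file would not load (with 0.9.x that would be a wrapper around "radiusd -X -d <staged copy of raddb>" which inspects the output, since, as Kristina notes, -X also quits when a server is already running) and the restart command. The file paths in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not list or FreeRADIUS project code): stage, validate, then swap a
# users file, and roll back if the restart fails.  Fail closed: a file that does not
# validate never reaches the live path.
#
# Usage: deploy_users_file CANDIDATE LIVE VALIDATOR RESTART
#   VALIDATOR is run as "$VALIDATOR CANDIDATE" and must exit 0 only if the file loads
#   (assumption: e.g. a wrapper around "radiusd -X -d <staged raddb>" that checks the output).
#   RESTART is the command that restarts the daemon (e.g. "service radiusd restart").
# Exit codes: 0 deployed, 1 candidate rejected, 2 copy failed, 3 restart failed (rolled back).
deploy_users_file() {
    candidate=$1
    live=$2
    validator=$3
    restart=$4
    backup="$live.old"

    if [ ! -r "$candidate" ]; then
        echo "deploy: cannot read $candidate" >&2
        return 1
    fi

    # 1. Validate the candidate in isolation; the live file is not touched yet.
    #    This is where Richard's "mail -s 'Typo in users file'" call belongs.
    if ! $validator "$candidate"; then
        echo "deploy: $candidate rejected by validator; $live left unchanged" >&2
        return 1
    fi

    # 2. Keep a copy of the known-good file, then replace atomically (cp to a temp
    #    name, then mv) so a crash mid-copy cannot leave a truncated live file.
    cp -p "$live" "$backup" || return 2
    cp "$candidate" "$live.tmp" || return 2
    mv "$live.tmp" "$live" || return 2

    # 3. Restart; if that fails, put the old file back so the next restart is sane.
    if ! $restart; then
        echo "deploy: restart failed, restoring $backup" >&2
        mv "$backup" "$live"
        return 3
    fi
    return 0
}

# Example invocation (constructed paths; replace with the real ones):
#   deploy_users_file /etc/raddb/users.new /etc/raddb/users ./check-users "service radiusd restart"
```

Because validation happens on the staged copy and the swap is a rename, an operator who mistypes an entry gets a non-zero exit and an unchanged live file instead of a server that either refuses to start or, as Greg wanted, silently drops the entry.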
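Alan's answer in Message 6 is that TTLS still needs a server certificate, and Chris's run of scripts/CA.all in Message 7 failed at the "openssl ca" signing step with "TXT_DB error number 2", which is what "openssl ca" reports when the subject being signed already has an entry in the CA's index.txt (typically a previous run with the same subject); the pkcs12 and x509 failures that follow are consistent with no new certificate having been written. The recipe below is an added example, not the list's or the project's CA.all script: it builds a private CA and a CA-signed server certificate with "openssl x509 -req", which keeps no index database and so cannot hit that error on a re-run. The output directory, subject names and validity are constructed values; ca.pem is what the CA_file setting Chris mentions takes, server.pem goes in certificate_file, and server.key is the matching private key. The -sha256 flags assume a modern OpenSSL, not the 0.9.7c in Chris's report.

```shell
#!/bin/sh
# Added example (not the FreeRADIUS scripts/CA.all): private CA plus a CA-signed
# server certificate for EAP-TLS/TTLS, using "openssl x509 -req" instead of
# "openssl ca" so there is no index.txt to collide with on a re-run.
# Usage: make_radius_certs OUTDIR [SERVER_CN]   (names below are constructed)
make_radius_certs() {
    out=$1
    server_cn=${2:-radius.example.test}
    days=365
    mkdir -p "$out" || return 1

    # 1. CA key and self-signed CA certificate (this is the CA_file the server trusts).
    #    stderr is silenced only to hide key-generation progress dots.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$out/ca.key" -out "$out/ca.pem" 2>/dev/null || return 1

    # 2. Server key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$server_cn" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null || return 1

    # 3. Sign the request with the CA; -CAcreateserial writes ca.srl beside ca.pem.
    openssl x509 -req -sha256 -days "$days" -in "$out/server.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -out "$out/server.pem" 2>/dev/null || return 1

    # 4. Prove the chain before pointing radiusd at it: succeed only if it verifies.
    openssl verify -CAfile "$out/ca.pem" "$out/server.pem" >/dev/null 2>&1 || return 1

    # Private keys are readable by the owner only; the CSR is no longer needed.
    chmod 600 "$out/ca.key" "$out/server.key"
    rm -f "$out/server.csr"
    return 0
}

# cert_subject FILE: print the subject of a PEM certificate, to check what was issued.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

case "${1:-}" in
    generate) make_radius_certs "${2:-./radius-certs}" "${3:-}" ;;
esac
```

Run it as "sh make-certs.sh generate /etc/raddb/certs radius.example.test" (constructed paths), then point CA_file at ca.pem and certificate_file at server.pem. Keeping ca.key off the RADIUS host after signing is the usual practice, since anything holding it can issue certificates the supplicants will trust.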